CNIL enforcement looms over the adtech sector in France
Locations
The ad tech sector under pressure
The CNIL opened a formal investigation against Criteo in January 2020. This investigation follows a complaint against three adtech companies (including Criteo) filed in 2018 by the NGO Privacy International submitted to the French, British and Irish data protection authorities. Criteo is an adtech intermediary operating between website and app publishers and advertisers. The CNIL has not made any official statement about this ongoing investigation.
In essence, the complaint brought by Privacy International claims that the processing of personal data carried out by Criteo allegedly violates several of the principles enshrined in GDPR, including the principles of transparency, the lawfulness of the processing and purpose limitation (art. 5). The complaint asks the data protection authorities of France, Ireland and the UK to carry out further investigation as to compliance with the GDPR provisions relating to individuals' rights, data protection by design and by default and Data Protection Impact Assessments.
Without any official communication of the CNIL, it remains to be seen what measures the CNIL will pronounce against Criteo, in particular whether it decides to issue a formal notice – which may be public – or to order Criteo to put in place corrective measures.
In 2018, the CNIL issued a formal notice against four adtech intermediaries that were collecting geolocation data for advertising purposes through mobile applications (see our previous blog post). In January 2019, the CNIL also pronounced a record fine of €50 million against Google for lack of transparency and valid legal basis for processing personal data (see our blog post).
Three additional complaints were filed by the NGO NOYB in December 2019 against the adtech sector. Each complaint targets a publisher together with a third-party provider setting cookies on that publisher's website. Most of the alleged violations relate to the national transposition of the ePrivacy Directive and the CNIL's interpretation of it. The mandated NGO claims that the refusal of cookies – through a positive action of the user – still lead to advertising cookies being dropped.
CNIL issues new guidelines for cookie compliance
These enforcement measures follow the adoption by CNIL of new cookie compliance guidelines and practical recommendations on consent for cookies (see our analysis here). The CNIL is expected to adopt a final version of its guidelines in the coming weeks, following the end of a public consultation. The CNIL initially announced a six-month grace period before starting to enforce on the grounds of these guidelines. The above-mentioned enforcement measures pre-date the adoption of the CNIL's new cookie guidelines.
Enforcement priority for the CNIL in 2020
Lastly, the CNIL's Enforcement Strategy has identified compliance with the rules applicable to cookies and online trackers as a top priority in 2020. The CNIL's enforcement strategy makes up for approximately 20% of the CNIL's enforcement actions. Investigations will begin in the Fall of 2020 and may continue up until early 2021.