AdTech companies must start actively monitoring their vendor compliance. Here’s why.

Published December 11, 2024, by Thomas Adhumeau

Summary

My name is Thomas Adhumeau, and I'm the Chief Privacy Officer at Didomi. Through my work, I have the opportunity to interact with a wide range of players in the AdTech industry and identify trends firsthand. 

When the CNIL’s decision on Criteo happened last year, I had already identified that it could become a precedent with a potential snowball effect in the AdTech industry. This has since been confirmed, with similar cases popping up in Europe, a trend I expect will continue growing in 2025.

In this article, I take another look at the Criteo case against the CNIL after over a year, dig into its implications, and issue my recommendations for AdTech solutions providers.

Looking back at the Criteo decision

On June 15th, 2023, following a complaint filed by Privacy International and None of Your Business (noyb) in 2018, the French DPA (CNIL) fined Criteo, a major AdTech company specializing in retargeting, €40 million for failing to ensure that its publisher partners obtained user consent for the use of its retargeting cookie. Criteo has since appealed the decision.

(source: CNIL)

The validity of consent is at the heart of the issue raised by the CNIL. Although Criteo vendors are likely required contractually to collect consent from users before dropping identifiers (like cookies), the CNIL considered that it is the responsibility of the AdTech giant to ensure that consent is in line with GDPR principles.

However, Criteo and other AdTech companies have little to no control over consent collection practices from vendors beyond a contractual safeguard which, it turns out, is not sufficient. 

With no assurance that third-party vendors are collecting consent in compliance with applicable regulations, how can these companies avoid a situation similar to the one Criteo faced?

What steps can AdTech solutions providers take today?

Based on the Criteo decision, the expectation from the CNIL and other DPAs is that AdTech companies find ways to guarantee that consent has been collected adequately by all third-party publishers or advertisers. 

“In addition, the company had not undertaken any audit campaign of its partners prior to the initiation of the procedure by the CNIL.”

- Commission Nationale de l’Informatique et des Libertés (CNIL) (Source: Personalised advertising: CRITEO fined EUR 40 million, 22 June 2023)

To achieve this seemingly impossible feat, I advanced two hypotheses last year:

  1. Implementing automated compliance monitoring 
  2. Creating a consent protocol for advertisers, similar to the Transparency and Consent Framework (TCF)

The latter is a tall order, and while a promising prospect, it would require a lot of synchronization and collaboration within the industry. Hoping for such a framework to happen is not a realistic plan of action for AdTech companies subject to potential fines for non-compliance today.

The first option, however, already exists and has been adopted by several AdTech companies. I should know because we’re providing it at Didomi: Our Advanced Compliance Monitoring (ACM) solution.

We created this solution precisely to empower AdTech companies to manage their compliance and monitor the commitment of their vendors to respect users' privacy choices.

Our Advanced Compliance Monitoring solution helps organizations answer the type of questions that AdTech companies, following the Criteo case, need to consider when assessing the compliance of their publisher partners:

  • Are your publisher partners obtaining valid consent before deploying your cookies or other identifiers?
  • Are they dropping trackers despite user refusal or without explicit consent?
  • How do their compliance practices impact your overall adherence to GDPR principles?
  • Are they transparently communicating which trackers they are deploying and why?
  • How many publishers in your network fail to meet compliance standards, and what steps are they taking to improve?

This is done through a set of tools and reports that AdTech companies can leverage to audit, clean up, maintain, and prove the compliance of their vendor activity:

  • Tracker monitoring, vendor identification, and impact assessment
  • Detection of privacy breaches and violations 
  • Weekly reports on new vendor activity, GDPR and TCF violations, discrepancies in their chain of consent

 


Next steps: AdTech and vendor management in 2025

I believe the Criteo case was only the beginning, and while some other fines have already been issued, the next wave of enforcement is on the way everywhere in Europe, targeting AdTech companies.

However, with the proper set of solutions and comprehensive work on auditing their vendor ecosystem, leading AdTech companies will be able to remain unscathed and will come out stronger: Vendor monitoring not only strengthens compliance but is a proven time and cost saver and a great way to optimize website performance.

To continue the conversation and get more insights, follow me on LinkedIn.