How the adtech industry continues to ignore online privacy: another conviction of Criteo

Reading time: 5 minutes

When the same adtech company is convicted twice in a few months for violations of cookie regulations and the GDPR in two different EU member states, there is clearly a structural problem. That is exactly what happened to Criteo, which was sentenced to a fine of  €40,000,000 by the French privacy regulator (CNIL) on June 15. It was also just recently ordered by a Dutch summary proceedings judge to immediately stop unsolicited tracking based on cookies in the Netherlands.

This lawsuit could (or should) be a turning point for the adtech industry. The succession of fines and convictions related to the so-called “Real Time Bidding” (RTB) as well as the imminent demise of  third-party cookies are forcing companies  to reconsider their marketing strategy. From the privacy lawyer’s point of view, this is hopefully a first step that could  lead to a more privacy-friendly approach to online advertisements and a greater emphasis on transparency and consent.

Targeted advertising en cookies

Criteo and other adtech companies use so-called tracking cookies (UID cookies) on computers and mobile devices via third-party websites. These tracking cookies collect and analyse your and my online behaviour, our interests and preferences as well as other data and then sell the profiles that are developed based on this data to the highest bidder.

The same tracking cookies are used, among other things, for targeted advertising. This involves tailoring advertisements to the individual user profiles of millions of internet users. Within a fraction of a second, internet users are identified based on the RTB mechanisms and an advertisement tailored to the user in question is sold to the highest bidding advertiser.

Criteo convicted (again)

A summary proceedings judge in Amsterdam has just ruled that the use of tracking cookies by the technology company Criteo violates the GDPR and the cookie regulations by placing or reading tracking cookies without permission, even after permission has been refused. 

An expert report confirms that Criteo systematically placed tracking cookies without consent based on a sample on 40 websites. On 39 websites Criteo interacted with cookies on the user’s device without consent. The report shows that Criteo tracking cookies f weresystematically placed on devices of the plaintiff without his prior consent.

It is not the first time that Criteo practices were controversial.  Earlier this year they were fined €40,000,000 by the French privacy regulator for violating the GDPR.

Incidentally, this is also very reminiscent of the lawsuits against the IAB Europe’s TCF framework in Belgium and surely the combination of these cases sheds a sharp light on the stubbornness of adtech companies when it comes to the GDPR and cookie compliance.


The entire adtech industry has been under pressure for some time due to the collection and use of personal data without consent or transparency. 

I have already voiced back in 2019 in my contribution to Marc Bresseel and Renout Van Hove’s book “Obsessed” (as well as in my “Guide to a Good Cookie Policy” (“Handleiding voor een goed cookiebeleid”) in 2020) that there is something fundamentally wrong with a business model that shadows millions of citizens online without their consent and then turns the (sometimes very) personal preferences of those citizens into a commodity in a global uncontrolled market.

Four years and many lawsuits later, painfully little has changed.

But the internet is evolving

But can you actually notice the change? The rulings against Criteo can also be seen as a harbinger of what will happen to the business model of adtech companies when third-party cookies are shortly phased out by the major browsers, three or four of which control the market and, thus, determine how we go about our online lives. 

The disappearance of those third-party cookies is already forcing companies to find alternative methods of collecting data for targeted advertising. In many cases, this means more owned data so that companies have a grip on their own audience, which is materialised through more gated content (for instance, encouraging users log in (and give consent) to have access to content) (again) more (“old-fashioned”) contextual advertising, and, not to mention,  focusing much harder on long-term engagement of your audience in exchange for the quick wins of the existing RTB model.

What does this mean for you and me?

In a broader context, these convictions also demonstrate the need for companies to take the GDPR and online privacy seriously and for users and consumers to consciously choose companies that employ ethical practices and are transparent about the use of our data. Only through collective efforts can we bring about positive change in the adtech industry and ensure the protection of our privacy.

The importance of greater transparency and respect online by all players involved cannot be underestimated. The success of online marketing will stand or fall in the future depending on the level of trust that consumers can and want to placein brands that try to gain their attention online. This trust is not only earned by their own efforts, but is also determined by the trust consumers place in the Internet in general. Stories like Criteo obviously undermine that trust and the credibility of online advertising as a whole.

Those entities whose brands are present online can of course also take concrete steps towards transparency and respect:

  • Make sure you always ask permission before placing or reading tracking cookies and that permission is given freely and consciously.
  • Make sure you provide clear and understandable information about how you collect, use and share data. Give users the opportunity to exercise their rights, such as the right to access their data and the right to be forgotten.
  • Respect privacy settings: be mindful of users’ privacy settings and respect their choices. If a user chooses not to accept tracking cookies, ensure that this choice is respected and no cookies are placed or read without permission.
  • Provide regular monitoring of cookie policy compliance and take appropriate action if violations are discovered. Take responsibility for the actions of your partners and ensure that they also comply with legal requirements.
  • Keep an eye on developments in privacy legislation and ensure that your cookie policy is up to date and complies with applicable laws and regulations.

By taking these tips into account, your company can also implement a compliant cookie policy and ensure that you properly and respectfully handle the rights of your website’s visitors.

Questions about GDPR and cookies? 

Feel free to email or schedule a meeting right here. 

Schedule a free appointment

About the author

Van den Brande

I am the founder and Managing Partner of Sirius Legal. In 2010, I decided to leave the Brussels big city law scene behind me to start practi...