French adtech firm Criteo provides “behavioral retargeting” services – tracking and analyzing people’s internet activity via cookies deposited by Criteo’s network of advertising partners.
But the French data protection authority (the “CNIL”) found that Criteo had violated several articles of the GDPR, and delivered the largest GDPR fine ever levied on a non-US business (€40 million).
This article draws five lessons from Criteo’s alleged GDPR infringements—around consent, transparency, joint controllership, and data subject rights—that apply to companies across every sector.
Demonstrating consent (Article 7)
Lesson 1: If you’re relying on consent, make sure you can demonstrate that consent has been obtained, even if you’re not the organization responsible for requesting it.
The CNIL found that Criteo could not demonstrate that people had provided consent before being tracked by Criteo’s cookies.
Under the ePrivacy Directive—another EU law that France has written into its Data Protection Act—people must provide consent before non-essential cookies (cookies used for activities like marketing and analytics) are placed on their devices.
Note that Criteo itself was not required to get consent. That job fell to Criteo’s partners, which set the cookie when a person visits their websites.
But look at the wording of Article 7 (1) of the GDPR:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
This provision applies to Criteo.
For the purposes relevant to this investigation, Criteo was a data controller. Criteo did not collect personal data—its advertising partners collected it. But because Criteo is relying on consent, the company should have been able to demonstrate that consent had been obtained.
Criteo had contracts with its partners governing the collection and sharing of personal data.
But the contracts did not require Criteo’s partners to record and demonstrate that they had obtained consent before setting Criteo’s cookies on their visitors’ devices.
Transparency and notice (Articles 12 and 13)
Lesson 2: Make sure your privacy notices and other communications are clear, concise, and comprehensive.
Articles 12 and 13 of the GDPR relate to the law’s transparency requirements.
Effectively, Article 13 requires a controller to explain what personal data it processes, why it processes personal data, and how it processes personal data (among other things).
Article 12 requires the controller to explain its practices in clear, accessible, and concise language.
The CNIL found Criteo had violated both articles. The company’s privacy notice was allegedly incomplete, vague, and overly broad.
The regulator notes that Criteo has since updated its privacy notice to meet the GDPR’s requirements.
Right to erase personal data (Article 17) and to withdraw consent (Article 7)
Lesson 3: If someone withdraws consent, you must stop any processing for which you relied on the person’s consent—including storing their personal data. If someone makes a valid erasure request, make sure you actually erase their personal data.
Two other core GDPR rights enable individuals to have their personal data erased under certain circumstances and to withdraw their consent.
The CNIL found that Criteo violated both of these provisions.
The company offered people a way to withdraw their consent for processing and to request that Criteo delete their personal data.
When a person exercised either of these rights, Criteo and its partners would stop displaying targeted advertising to that person—but would not erase the individual’s personal data.
Joint controller agreement (Article 26)
Lesson 4: If you’re in a “joint controller” relationship, make sure your joint controller agreement covers all the relevant aspects of GDPR compliance.
When two or more controllers decide why and how to process the same set of personal data, with each controller using the data for its own purposes, they are “joint controllers” under Article 26 of the GDPR.
Joint controllers must implement an agreement that describes which controller is responsible for which aspects of GDPR compliance. For example, one controller might facilitate data subject rights requests while the other ensures the personal data is stored securely.
The CNIL found that Criteo’s joint controller agreements did not cover important aspects of the company’s and its partners’ joint data processing activities, such as providing notification of data breaches or conducting data protection impact assessments (DPIAs).
Right of access (Article 15)
Lesson 5: Think carefully before relying on an exception to the GDPR’s “right of access”.
Article 15 of the GDPR provides individuals with the right to access the personal data a controller processes about them—and to obtain an explanation of how the controller is processing that personal data (a “subject access request”).
The CNIL’s findings on Criteo’s Article 15 compliance suggest that the company only provided access to half of the datasets it processed about the complainant.
Criteo provided access to three out of the six data tables it held concerning the complainant. The company argued that providing access to the other three tables could reveal information about other individuals and violate their privacy.
While this can be a valid reason to decline a subject access request, the CNIL found that Criteo could not rely on this exception in relation to all the data tables. The regulator forced Criteo to provide access to a further two tables out of the three it had originally excluded.
Compliance with Article 15 of the GDPR can be challenging in the adtech ecosystem, where personal data about an individual is often complex, disparate, and intermingled with other people’s data.
However, a controller is not relieved of its responsibility to uphold people’s rights simply because its business model makes it difficult to do so.