“Criteo has taken note of the CNIL’s final sanction decision received on June 21, 2023 and intends to appeal this decision before the competent courts. While the CNIL reduced the final sanction from the original proposed amount of €60 million to now €40 million, the sanction remains vastly disproportionate in light of the alleged breaches and misaligned with general market practice in such matters. In addition, we believe that a number of the CNIL’s interpretations and applications of the GDPR are not consistent with the European Court of Justice rulings and even with the CNIL’s own guidance.
As we stated previously, we consider that the allegations made by the CNIL do not involve risk to individuals nor any damage caused to them. Criteo, which uses only pseudonymized, non-directly identifiable and non-sensitive data in its activities, is fully committed to protecting the privacy and data of users. The decision relates to past matters and does not include any obligation for Criteo to change its current practices; there is no impact to the service levels and performance that we are able to deliver to our customers as a result of this decision.
We continue to uphold the highest standards in this area and operate a fully transparent and regulatory-compliant global business. The €40 million ($44 million) penalty will be applied against the previously accrued liability for loss contingency reflected in our financial statements for the period ended June 30, 2022, which amounted to €60 million ($65 million). We anticipate making the required sanction payment in the second half of 2023. We will be making no further statement at this stage.” – Ryan Damon, Chief Legal Officer at Criteo.