Last June the French privacy authority (CNIL) fined French ad tech giant Criteo €40m for failing to honor user consent to tracking. In December the Amsterdam District Court also issued a ruling against Criteo which was later confirmed on appeal.
These cases are a big deal. Criteo is a large ad tech multinational that controls personal data from millions of Internet users. But most importantly, the reasoning behind the decisions is a departure from the past and may very well send waves across several industries, including ad tech and web analytics.
Here is what the cases are all about, and why they could open up new opportunities for action against illegal tracking.
- What are the cases about?
- Who must deal with consent?
- The “Criteo doctrine”: a deeper look
- Joint controllers
- The allocation of responsibilities
- The effective protection of rights
- What does this mean for web analytics?
- Final words
What are the cases about?
So far, there are three decisions against Criteo:
- two privacy NGOs (Privacy International and noyb) filed a complaint with the French privacy watchdog (CNIL) claiming that websites were illegally placing Criteo cookies. This complaint was decided in June 2023 and resulted in a €40M fine for the company
- a Dutch citizen brought the same case in the Amsterdam District Court, resulting in an order to stop placing cookies and deleting the data already collected
- the District Court’s decision was later confirmed on appeal.
All the cases revolve around the unauthorized use of tracking cookies. Several popular websites used Criteo’s cookies for advertising purposes. This was done without consent, in breach of the GDPR and the ePrivacy Directive.
These look like standard cookie cases: someone realized they were tracked without their consent, took legal action, and won. But what makes these cases special is that the websites, not Criteo, placed the cookies. Criteo was held responsible for cookies written by its customers, and this is a big, big deal.
Who must deal with consent?
It is very common for ad tech and web analytics service providers to “offload” the compliance work to their customers, that is, to the websites that use the service.
For instance, let’s say your website uses Google Analytics. Google Analytics uses tracking cookies, which require consent under EU law. This is not Google’s problem: per Google Analytics’ Terms of Service, it is up to you to implement Google Analytics in a compliant way (which includes making sure it only writes cookies after visitors accept them). If you mess this up, you are violating the law, not Google.
This allocation of responsibilities is one of the reasons the Internet has become a cesspool of illegal tracking. Ad tech giants such as Google and Meta provide the Internet with powerful and invasive tracking tools but cannot be held accountable for their misuse. So, users and privacy advocates can only fight back against tracking by going after individual websites, in an endless and largely pointless game of whack-a-mole.
It is early to say whether this line of reasoning will gain momentum at the European level. But there are reasons to be optimistic: the CNIL is a well-respected authority that often sets influential examples for other regulators. Furthermore, privacy advocates (such as those involved in the CNIL case) are well aware of the potential of the decisions against Criteo and will surely attempt to leverage this potential in future litigation.
Bottom line: the cases won’t necessarily turn into an influential precedent at the EU level, but there is a very real chance that they do, and provide privacy advocates with a powerful legal tool against tracking.
The “Criteo doctrine”: a deeper look
In a nutshell, this is why the rationale behind the Criteo cases matters. But what is this rationale exactly, and how does it fit the GDPR?
Long story short, the “Criteo doctrine”, so to speak, says that joint controllers must allocate compliance obligations in a way that effectively protects privacy rights. That’s a lot to digest, so let’s break it down.
Joint controllers
Explaining the notion of joint controllership in rigorous terms would require a blog of its own. In a nutshell, joint controllership is the situation where two or more entities handle data together, and they all get a say in what happens to the data. So, if two companies are joint controllers, they both decide what data are collected, why they are collected, how they are processed, and so on.
This was the type of relationship Criteo had with its customers. In fact, the company never claimed otherwise.
The allocation of responsibilities
Joint controllership poses a problem: joint controllers all have obligations under the GDPR, but who exactly needs to comply with which? In other words, how are compliance obligations allocated between joint controllers?
The GDPR’s solution is to let joint controllers allocate these responsibilities however they prefer, as long as they clarify this allocation in a legal contract called a joint controllership agreement.
In practical terms, whenever a legal issue arises with joint controllers, lawyers and regulators look to the joint controllership agreement to know who is supposed to do what: for instance, company A is solely responsible for managing consent, while company B is solely responsible for managing the database and reporting data breaches.
There are obvious advantages to this system. Data controllers can allocate compliance duties in an effective way because they know exactly how each party contributes to processing the data. For instance: if company B controls the database, it makes sense for it to be responsible for notifying data breaches. Likewise, if company A has a direct contact with the data subject (that is, the people whose data are being processed), while company B does not, then it makes sense for company A to collect and manage consent.
The downside of this allocation system is that it can fail. And in the case of online tracking, it fails systematically.
The effective protection of rights
The “Criteo doctrine” provides a backstop against this failure. It acknowledges that the GDPR allows companies to allocate responsibilities however they want, but also holds that the allocation of responsibilities needs to protect data rights effectively.
So, joint controllers can allocate responsibilities how they like, but the consequence of this discretion is that they must find an allocation that protects privacy rights, or, at the very least, does not spectacularly and systematically fail to do so. This is where regulators draw a line and hold both controllers accountable for violations regardless of what their legal paperwork says.
What does this mean for web analytics?
The "Criteo doctrine" has many important consequences, some of which are difficult to foresee. When it comes to advertising and web analytics specifically, the doctrine means that providers should be much more concerned about the way their tools are used in practice, and take steps to combat abuse.
This is what regulators required from Criteo: the company was ordered to take steps to ensure valid consent was collected, rather than taking the customer’s pinky promise at face value. In other words, Criteo was required to audit its partners better than it already did (which is not a terribly high bar).
Auditing compliance sounds complicated and it usually is. But when it comes to cookie use, automated checks from the providers could weed out a lot of cookie violations. Surely automated checks would not spot all non-compliance, but they would still be a good start and show that providers are taking their responsibilities seriously.
On top of better auditing, providers would need to document user consent. This is harder than it sounds: documenting consent can be quite complicated, especially when the data flows are already up and running and handle enormous amounts of personal data.
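A minimal version of the provider-side check described in the two paragraphs above, added here as an example (it is not Criteo’s, Simple Analytics’ or any provider’s actual code): it replays a constructed event log in which partner sites forward each browser session’s consent signal to the provider and the provider’s tag reports every cookie it writes, then flags sessions where the tracking cookie was written before any consent was on record. The cookie name, the log format and the site names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical name of the provider's tracking cookie; the check is the
# same for any cookie the provider controls.
TRACKING_COOKIE = "ad_uid"

# Constructed sample log, not real data. "consent" lines are the opt-in
# signal a partner site's consent banner forwards to the provider;
# "set_cookie" lines record the provider's tag writing a cookie.
SAMPLE_LOG = """\
2024-05-01T09:00:00 site=shop.example session=s1 kind=consent
2024-05-01T09:00:02 site=shop.example session=s1 kind=set_cookie name=ad_uid
2024-05-01T09:01:00 site=news.example session=s2 kind=set_cookie name=ad_uid
2024-05-01T09:01:30 site=news.example session=s2 kind=consent
2024-05-01T09:02:00 site=news.example session=s3 kind=set_cookie name=ad_uid
2024-05-01T09:03:00 site=blog.example session=s4 kind=set_cookie name=lang
"""

def parse(log):
    """Turn the text log into time-ordered dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def audit(events, cookie=TRACKING_COOKIE):
    """Return {site: [session, ...]} for sessions in which the tracking
    cookie was written before consent was recorded (or with no consent at all).
    Consent that arrives after the cookie does not cure the violation."""
    consented = set()   # (site, session) pairs with consent on record
    violations = {}
    for ev in events:   # time order matters: consent must come first
        key = (ev["site"], ev["session"])
        if ev["kind"] == "consent":
            consented.add(key)
        elif ev["kind"] == "set_cookie" and ev.get("name") == cookie:
            if key not in consented:
                seen = violations.setdefault(ev["site"], [])
                if ev["session"] not in seen:
                    seen.append(ev["session"])
    return violations

def violation_rate(events, cookie=TRACKING_COOKIE):
    """Share of cookie-receiving sessions per site that lacked prior consent;
    a rate near 1.0 points at a partner whose banner is broken or absent."""
    sessions = defaultdict(set)
    for ev in events:
        if ev["kind"] == "set_cookie" and ev.get("name") == cookie:
            sessions[ev["site"]].add(ev["session"])
    bad = audit(events, cookie)
    return {site: len(bad.get(site, [])) / len(s) for site, s in sessions.items()}
```

The per-site rate is what a provider would act on: a site at 0.0 has a working consent flow, a site at 1.0 is writing the cookie unconditionally and should be cut off or fixed.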
But the general meaning behind Criteo matters more than the specific obligations imposed. Less-than-privacy-friendly providers such as Google Analytics and Meta would need to take steps to ensure that their services are not systematically abused (as is the case today). Should they fail to do so, consumers and privacy advocates would be able to hold them accountable by acting against them directly rather than being forced to play whack-a-mole against the entire Internet.
It is worth highlighting once again that the “Criteo doctrine” has been upheld by two authorities so far: the CNIL and the Dutch courts. It is yet to be seen if it will gain momentum.
It must also be noted that the doctrine is not without drawbacks. Tracking and documenting consent is not an easy task for a data controller, especially when the systems that process the data are already up and running. The doctrine would increase the compliance burden for many companies, including companies that are handling data in proper and non-invasive ways.
We believe the pros outweigh the cons. Outsourcing compliance to individual customers allows many privacy-invasive services to shield themselves behind their ToS or joint controllership agreements. The "Criteo doctrine" could be just the tool we need to hold them accountable as we fight for a better Internet.
We at Simple Analytics do not like tracking. We believe that it is unethical and invasive, and makes the Internet a worse place. This is why we created Simple Analytics: a 100% tracking-free web analytics service that does not collect a single bit of personal data! If this sounds good to you, feel free to give us a try!