On March 4, 2026, the French Council of State upheld a €40 million fine against ad-tech company Criteo for multiple GDPR violations related to its targeted advertising practices and consent banners.

• The court confirmed that Criteo unlawfully placed tracking cookies for personalized ads without obtaining valid user consent
• Criteo allegedly failed to honor user requests for data erasure, simply stopping personalized ads while continuing to process identifiers to improve its algorithms
• The ruling rejected Criteo's argument that its tracking data was anonymous, finding that cross-referencing browsing history made re-identification possible

What’s this case about?

In 2023, the French Data Protection Authority (CNIL) fined Criteo €40 million following complaints by privacy groups noyb and Privacy International.

Criteo appealed the decision to the Council of State, France's highest administrative court. On March 4, 2026, the court dismissed the appeal and upheld the fine.

Criteo assigned users pseudonymous identifiers that it claimed did not constitute personal data because the company lacked the additional information necessary to re-identify them.

The court disagreed. It ruled that data is only anonymized if the risk of re-identification is insignificant. Because Criteo cross-referenced massive amounts of browsing data, such as websites visited and purchases made, the court found that identifying users was not technically impossible.

How did Criteo violate GDPR consent and erasure rules?

Having established that the advertising identifiers do constitute personal data, the court found that Criteo processed that data without valid consent. 

Criteo relied on its website partners to collect consent via their consent banners. But the regulator and the court held that as a “joint controller,” Criteo still had an obligation to prove valid consent was obtained, which it allegedly could not do.

Furthermore, when users withdrew consent or requested data erasure, Criteo merely stopped displaying personalized ads. It still retained the individual identifiers to configure and improve its algorithmic targeting processes. 

Criteo claimed it had a legitimate interest in this continued processing, but the court ruled that Criteo and its partners should have obtained consent for each of these data-processing activities.

Why is this case important for advertising privacy compliance?

This ruling highlights the severe regulatory risks of non-compliant data sharing to advertising third parties. 

To avoid fines over non-compliant advertising practices, businesses should: 

• Establish robust digital tracking governance to track all personal data elements shared and all third parties receiving personal data
• Continuously audit websites and apps to ensure that user consent is actually honored and no sensitive data is shared

Reduce your litigation risk with Privado AI solutions that continuously monitor privacy compliance on websites and apps, where companies have the most risk. Web Auditor and App Auditor are the most comprehensive solutions to verify in real-time that your websites, apps, and CMP are compliant with all applicable privacy requirements for each location, including your privacy policies.