Criteo: the yes nobody checked

In June 2023 France’s data protection authority, the CNIL, fined the advertising company Criteo 40 million euros for processing people’s data for targeted advertising without ensuring they had ever agreed to it. Criteo runs behavioural retargeting, the adverts that follow a person around the web after they look at a product, through tracking cookies placed across thousands of sites. The case reached the data of roughly 370 million Europeans.

The company few have heard of

Criteo is the adtech middle made visible. Most people have never chosen it, or heard of it, yet its cookie followed them from publisher to publisher, building the browsing picture that priced each advert. The adtech middle touches no consumer directly and appears in no policy anyone reads. The fine is what it looks like when that layer is finally named.

The CNIL’s central finding was that Criteo could not demonstrate valid consent for the people whose data it processed. It leaned on its publisher partners to collect that consent and took no step to check they had. The authority added failures of transparency, of the right of access, and of the rights to withdraw and to erase. It held the adtech firm accountable even though the banner belonged to the publisher, and the Conseil d’Etat, France’s highest administrative court, later upheld the penalty.

The pattern

This is consent manufactured to order seen from the accountability end: a chain in which each party assumes someone else obtained the yes, and no one can produce it. The penalty landed on the firm that profited from the profile, not the site that displayed the banner.

Last reviewed: 2026-07-17.