Conseil d'État upholds Criteo's €40M GDPR fine
France's highest administrative court has upheld a €40 million GDPR fine against ad-tech company Criteo, originally issued by the French data protection authority CNIL. The ruling confirms CNIL's findings that Criteo could not demonstrate valid user consent for its tracking practices and failed to meet data subject rights obligations.
Why this matters: Criteo's business is built on following people around the web and building profiles of what they look at and buy. The core finding here is simple: the company could not prove it ever had real permission to do that. Consent is not a checkbox buried in a cookie banner. It has to be informed, specific, and genuinely given. This case took nearly seven years from complaint to final ruling, which tells you how slow enforcement can be even when the violation is clear. Ad-tech companies that run the same playbook now have one less place to hide.
Who should care: Lawyers · Privacy officers · Compliance · AI governance · Cybersecurity · General readers · Policy
This summary is AI-assisted and may contain errors. It is an original briefing to help you gauge significance quickly — not a reproduction of the source. Always read the linked original before relying on it. See our methodology.