
Criteo's €40M GDPR Fine Is Final. Your Ad Stack Is Next.

France's highest administrative court upheld every violation. The ruling sets a new standard for consent proof in ad tech - and it applies to every website running retargeting pixels.

Ron Leon Guerrero, Founder & CTO
March 10, 2026 - 8 min read
TL;DR

On March 4, 2026, France's Conseil d'Etat upheld a €40 million GDPR fine against Criteo - the largest ad tech consent penalty ever confirmed by a European high court. The ruling establishes that ad tech companies (and the websites using them) must be able to prove consent at any time, that cookie identifiers are personal data, and that data collected under consent cannot be kept after consent is withdrawn. If your site runs retargeting pixels, this ruling applies to you.

On March 4, 2026, France's Conseil d'Etat - the country's highest administrative court - upheld a €40 million GDPR fine against Criteo, the Paris-based advertising technology company. The ruling closes a multi-year legal battle that started when the CNIL sanctioned Criteo in June 2023, and it sends a clear message to every business that uses third-party ad tech: if you can't prove your users consented, you're liable.

This isn't abstract regulatory theory. Criteo's business model - displaying targeted ads on third-party websites using cookie-based tracking - is the same model that powers retargeting, programmatic advertising, and conversion tracking on millions of websites worldwide.

What Criteo actually did wrong

The CNIL found violations across six GDPR articles. The Conseil d'Etat upheld every single one:

1. No proof of consent

Criteo processed personal data - browsing behavior, purchase history, ad interactions - from users visiting partner websites. Criteo argued that its partners were responsible for collecting consent. The court rejected this outright: a data controller must be able to demonstrate proof of valid consent at any time, even if a third party collected it.

Important
This is the critical takeaway. If you use any ad tech, analytics, or retargeting platform that tracks users on your site, you need to prove consent was obtained. "Our vendor handles that" is not a defense.

2. Pseudonymous identifiers are still personal data

Criteo argued that the alphanumeric identifiers it assigns to users aren't personal data because the company doesn't hold a re-identification key. The court disagreed. Those identifiers are associated with IP addresses, geographic location, device identifiers, partner-specific user IDs, and detailed behavioral data. The court noted that "the very purpose of the processing is to offer the most relevant advertisements possible based on browsing habits" - meaning cross-referencing these data points is the entire business model.

For website operators, this means: cookie identifiers, device fingerprints, and ad IDs are personal data under GDPR. Full stop.

3. Consent withdrawal didn't mean deletion

When users exercised their right to erasure, Criteo stopped showing them personalized ads - but kept their data and used it to improve its targeting algorithms. The court ruled this unlawful: data collected on the basis of consent cannot be retained once consent is withdrawn.

4. Incomplete transparency

Criteo told users their data was processed "for personalised advertisements." It didn't disclose that the same data was also used to configure and improve its algorithmic targeting systems. The court considered this a distinct processing purpose that should have been separately disclosed.

5. Joint controller agreements were incomplete

Criteo's agreements with partner websites didn't specify how users could exercise their rights, how data breaches would be reported, or whether data protection impact assessments would be conducted.

Why the €40M amount matters

The fine was set at half the maximum available under GDPR Article 83 (up to 4% of worldwide annual turnover for violations of this kind). The court considered several factors:

  • The seriousness of the violations
  • The scale: more than 370 million user identifiers across the EU, including 50 million in France
  • Criteo's position as a major player in online advertising
  • Direct financial gain from the violations - Criteo was paid by advertisers for targeting users who may never have validly consented

Even Criteo's cooperation during the proceedings and partial compliance before the sanction were not enough to reduce the penalty.

Legal commentators have questioned the logic of maintaining 100% of a fine calibrated on 370 million identifiers when the court acknowledged that not all identifiers were proven to be personal data. But the practical message is clear: scale amplifies liability.

The pattern: consent enforcement is accelerating

This isn't an isolated case. Recent actions, on top of earlier landmark fines, point the same way:

  • California fined PlayOn Sports $1.1 million for consent violations including forced cookie consent and ignoring Global Privacy Control (GPC) opt-out signals
  • Disney was forced to overhaul its opt-out systems across all streaming services
  • The EDPB announced a 2026 Coordinated Enforcement Action focused on the transparency of privacy notices
  • Google was fined €150 million by the CNIL (January 2022) for cookie consent failures, in particular making refusal harder than acceptance
  • Meta was fined €1.2 billion by the Irish DPC (May 2023) for unlawful EU-US data transfers

The direction is unmistakable: regulators are no longer satisfied with privacy policies that exist on paper. They're testing whether consent systems actually work.

What this means for your website

If your website uses any of the following, the Criteo ruling directly applies to you:

  • Retargeting pixels (Criteo, Meta, Google Ads)
  • Programmatic ad exchanges
  • Analytics platforms that use cookies or device identifiers
  • Session replay tools
  • Tag managers loading third-party scripts

You must be able to prove consent

Not your ad tech vendor. Not your tag manager. You. If a regulator asks whether User X consented to tracking on March 3, 2026, you need a timestamped consent record that shows what they agreed to.

Scripts must not fire before consent

The court confirmed that using data collected without consent - even for algorithm improvement - is unlawful. That means tracking scripts cannot load until the user has made an affirmative consent choice (in opt-in jurisdictions) or has been given a clear opportunity to opt out (in opt-out jurisdictions like California).

Cookie identifiers are personal data

If your privacy policy or consent banner treats cookies as "non-personal" or "anonymous," it's wrong. Update it.

Consent withdrawal must trigger deletion

If a user withdraws consent, you can't keep their data for analytics, model training, or "service improvement." It has to go.

Your vendor agreements need teeth

Joint controller or controller-processor agreements must specify data subject rights procedures, breach notification, and DPIA obligations. Vague partnership terms won't survive scrutiny.

The cost of getting it wrong vs. getting it right

Criteo's €40 million fine is roughly half of what GDPR allows. For context:

  • Google: €150 million (CNIL, January 2022, cookie consent failures)
  • Meta: €1.2 billion (Irish DPC, May 2023, unlawful data transfers)
  • PlayOn Sports: $1.1 million (California, consent violations)

Compare that to the cost of implementing proper consent management: a tiny fraction of any single fine. The math isn't complicated.

Tip
The Criteo ruling makes one thing clear: "our vendor handles consent" is not a defense. You need your own consent infrastructure that works, logs everything, and can prove it.
