On 22 June 2023, the French DPA (“CNIL”) announced the EUR 40M sanction issued on 15 June 2023 against a company specialized in behavioral retargeting (i.e., tracking an internet user’s navigation history to display personalized advertisements).
The background of this case
The sanctioned company collects internet users’ browsing data through a tracker (cookie) that is placed on their terminals when visiting certain partner websites. Based on the data thus collected, the said company analyzes browsing habits to determine which advertiser and for which product it would be most relevant to advertise to a particular user.
The CNIL conducted several investigations into these processing activities, following complaints submitted by Privacy International and None of Your Business NGOs.
The findings of the CNIL
Further to its investigations, the CNIL concluded the following:
1. Failure to provide evidence of data subjects’ consent to the processing of their data (i.e., violation of Article 7 (1) of the GDPR);
2. Failure to comply with the information and transparency requirements (i.e., violation of Articles 12 and 13 of the GDPR);
3. Failure to ensure several data subjects’ rights, namely:
- the right of access (i.e., violation of Article 15 (1) of the GDPR);
- the right to withdraw consent (i.e., violation of Article 7 (3) of the GDPR);
- the right to erasure (i.e., violation of Article 17 (1) of the GDPR);
4. Failure to provide for an agreement between joint controllers complying with the minimum content requirements (i.e., violation of Article 26 of the GDPR).
As a result of the above findings, the CNIL imposed a fine of EUR 40M on the company.
The criteria considered for individualizing the fine
The CNIL considered several factors when determining the penalty amount, including the following:
- the large scale of the data processing, as the company possessed data related to approximately 370M identifiers across the EU;
- the extensive collection of data regarding the internet users’ habits (i.e., despite not having access to users’ names, the CNIL deemed the data accurate enough to potentially re-identify individuals in certain cases);
- the company’s business model heavily relies on displaying highly relevant advertisements to internet users to promote its partners’ products, and thus, depends on its ability to collect and process a vast amount of data;
- the processing of individuals’ data without obtaining valid consent allowed the company to unjustly increase the number of individuals affected by its data processing, thereby increasing its financial income as an advertising intermediary.
The OSS proceedings
In accordance with the GDPR provisions establishing the one-stop-shop mechanism, the CNIL’s sanctioning decision was presented to all the other 29 European supervisory authorities. This was done as the case involved a cross-border matter of relevance for all of them. All the other 29 supervisory authorities granted their approval to the decision.
The press release is available here (in English), and the full text of the CNIL’s decision is available here (only in French).
