French advertizing giant Criteo was found in violation of European Union data protection legislation and fined $64 million in a preliminary verdict after a multi-year inquiry by the country’s national privacy authority. The verdict is the latest setback to Criteo’s unsettling ‘tracking-ads’ system.

Privacy International, a digital rights advocacy organization, announced the fine on Friday last week. Privacy International filed a formal complaint against Criteo in 2018, when the EU’s General Data Protection Regulation (GDPR) went into effect.

It accused Criteo of operating a “manipulation machine” through a bundle of monitoring tools and data procedures meant to profile web users so that behavioural advertisements can target them and advertisers pay for “individual-level consumer predictions”.

Criteo should not have been doing any of this

According to Privacy International’s complaint, Criteo lacks the legal underpinnings required for all this surveillance and profiling to be GDPR compliant. It’s looking like French privacy watchdog CNIL was inclined to agree.

According to a Privacy International spokesperson, the organization did not obtain a copy of the CNIL’s preliminary ruling. Still, it was notified of the development by the French watchdog following routine complaint processing procedures. The CNIL alerted the organization on Tuesday, August 3rd, as they are required to keep complainants informed of the status of their complaints. 

The decision is not final yet

The decision isn’t final yet. As a result, the case remains private for now, according to a statement from a spokeswoman to TechCrunch. She added that they can’t share the decision with the organization just yet. Criteo now has the option to make comments and adopt corrective measures, after which a hearing will be held, with a final verdict expected in 2023.

A series of privacy and data scandals have boosted understanding of what some critics call the largest data breach of all time, resulting in a rude awakening about conventional advertizers’ creepy, no-permissions-required mode of operation, which is prompting a two-fold regulatory and legislative reassessment.