CE - 482872

Summary

France's Council of State confirmed a €40,000,000 fine imposed by CNIL against Criteo for multiple GDPR breaches, including placing cookies for personalized ads without user consent, failing to inform users of data processing purposes, and refusing erasure requests. The court rejected Criteo's appeal, affirming violations of Articles 7, 12, 13, 15, 17, and 26 of the GDPR. The decision followed complaints by Privacy International and noyb.

Full text

Help CE - 482872: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 15:27, 11 March 2026 view sourceDt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators302 editsmTag: Visual edit← Older edit Latest revision as of 08:51, 16 April 2026 view source Sfl (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators405 editsm Line 58: Line 58: |Party_Name_1=Criteo|Party_Name_1=Criteo |Party_Link_1=|Party_Link_1= |Party_Name_2=CNIL|Party_Name_2=CNIL (France) |Party_Link_2=|Party_Link_2= |Party_Name_3=|Party_Name_3= Line 65: Line 65: |Party_Link_4=|Party_Link_4= |Appeal_From_Body=CNIL|Appeal_From_Body=CNIL (France) |Appeal_From_Case_Number_Name=SAN-2023-009|Appeal_From_Case_Number_Name=SAN-2023-009 |Appeal_From_Status=|Appeal_From_Status= Latest revision as of 08:51, 16 April 2026 CE - 482872 Court: CE (France) Jurisdiction: France Relevant Law: Article 7(1) GDPR Article 7(3) GDPR Article 12 GDPR Article 13 GDPR Article 15 GDPR Article 17 GDPR Article 26(1) GDPR Article 26(2) GDPR Decided: 04.03.2026 Published: Parties: Criteo CNIL (France) National Case Number/Name: 482872 European Case Law Identifier: Appeal from: CNIL (France)SAN-2023-009 Appeal to: Unknown Original Language(s): French Original Source: Legifrance (in French) Initial Contributor: n/a The Supreme Administrative Court confirmed a €40,000,000 fine against an advertising company for placing cookies for personalised ads without users’ consent, failing to inform users of processing purposes, to comply with access and erasure requests, and to have a joint controllers' agreement in place. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts In 2023, the French Data Protection Authority (CNIL) fined Criteo, an advertising company (the controller), €40,000,000 for breaches of the GDPR related to the processing of browsing data through cookies for the purpose of placing personalised advertisements. The decision followed complaints lodged by Privacy International and noyb. The DPA found violations of Article 26(1) GDPR and Article 26(2) GDPR based on the lack of a joint controllers' agreement with its partners, Article 7(1) GDPR by processing user data without consent, Article 7(3) GDPR and Article 17 GDPR by failing to erase data subjects’ personal data based on their requests, and Article 12 GDPR, Article 13 GDPR, and Article 15 GDPR by failing to inform data subjects of the processing of their personal data. The controller appealed the decision asking for its annulment or, alternatively, the reduction of the fine. Holding First, the Council of State (the court) held that the controller processed personal data since the identification of individuals would not be technically impossible based on the very large amount of information, sometimes very precise, collected and cross-referenced for a given identifier assigned to each data subject. Secondly, the court noted that the controller did not contest the DPA’s findings regarding the lack of a joint controllers' agreement. Thirdly, it found that the DPA’s conclusion regarding the violation of Article 7(1) GDPR did not disregard the principles of legality of offenses, presumption of innocence and exclusion of liability for others in criminal matters. Fourthly, it dismissed the argument that the contested decision was based on error of fact and assessment regarding the information provided to data subjects on the purposes for which their data were processed. Finally, the court noted that the controller could not rely on legitimate interest for continuing to process the data of data subjects who requested their erasure. Therefore, the court dismissed the controller’s appeal. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the French original. Please refer to the French original for more details. Council of State, 10th-9th Chambers sitting together, March 4, 2026, No. 482872, Unpublished in the Lebon Digest Council of State - 10th-9th Chambers sitting together No. 482872 ECLI:FR:CECHR:2026:482872.20260304 Unpublished in the Lebon Digest Read on Wednesday, March 4, 2026 Rapporteur Mr. Jean de L'Hermite Public Rapporteur Mr. Frédéric Puigserver Attorney(s) SCP GATINEAU, FATTACCINI, REBEYROL Full text FRENCH REPUBLIC IN THE NAME OF THE FRENCH PEOPLE Having regard to the following procedure: By a summary application, a supplementary memorandum, and seven further memoranda, registered on August 14 and November 13 On April 29, 2023, and September 16, 2024, and on February 5, March 3, April 7, May 30, and September 12, 2025, the company Criteo filed a petition with the litigation department of the Council of State, requesting the Council of State to: 1) annul the decision of the restricted panel of the National Commission for Information Technology and Civil Liberties (CNIL) dated June 15, 2023, imposing an administrative fine of €40 million for breaches of the General Data Protection Regulation (GDPR) and ordering the publication of its decision in a manner that allows the applicant company to be identified for two years from the date of publication; 2) in the alternative, amend the contested decision by reducing the amount of the administrative fine imposed; 3) to order the CNIL to reimburse the sum paid, plus interest at the statutory rate accrued since payment of the fine; 4) to order the CNIL to pay the sum of €25,000 pursuant to Article L. 761-1 of the French Code of Administrative Justice. Having regard to the other documents in the file; Having regard to: - the Constitution, in particular its Preamble; - the European Convention for the Protection of Human Rights and Fundamental Freedoms; - the Treaty on European Union; - the Charter of Fundamental Rights of the European Union; - the Treaty on the Functioning of the European Union; - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016; - Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002; - Law No. 78-17 of January 6, 1978; - Constitutional Council Decision No. 2025-1154 QPC of August 8, 2025; - the Code of Administrative Justice; After hearing in open court: - the report of Mr. Jean de L'Hermite, State Councillor, - the submissions of Mr. Frédéric Puigserver, Public Rapporteur; Having heard, after the submissions, the arguments of SCP Gatineau, Fattaccini, Rebeyrol, counsel for Criteo; Having regard to the written submission filed on February 11, 2026, by the CNIL; Having regard to the written submission filed on February 12, 2026, by Criteo; Considering the following: 1. The investigation reveals that Criteo, whose principal place of business is located in France, operates a targeted advertising display service on websites managed and hosted by third parties. To this end, it collects and processes, using tracking technologies ("cookies"), the browsing data of individuals located in France or other European Union member states who visit websites whose managers or hosting providers have entered into paid partnership agreements with it. It requests the annulment of the decision of June 15, 2023, by which the restricted panel of the French Data Protection Authority (CNIL) imposed an administrative fine of €40 million on it for breaches of Articles 7, 12, 13, 15, 17, and 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC of October 24, 1995, known as the General Data Protection Regulation (GDPR), and decided to make its decision public, subject to an anonymization procedure after a period of

Entities