As a global company with headquarters in Europe, Criteo has a strong foundation of dealing with several industry best practices, standards and regulations. It is Criteo’s view that consistency and certainty around privacy and data protection is a win-win for businesses and the consumers they serve. It is for this reason that Criteo is committed to comply with applicable laws and regulations in all countries where it operates, including notably the General Data Protection Regulation (GDPR) that harmonizes the different data privacy laws across the European Union’s member states, the California Consumer Privacy Act (CCPA) as well as the Brazilian General Data Protection Law (LGPD).
Criteo is supporting its advertiser clients (“Advertiser”) and publisher partners, including Retail Media retailers (“Publishers”) through their compliance journey by sharing guidelines and best-practices about how to meet their own legal obligations:
Clear, easily accessible and comprehensive information about the collection with tags and use of data related of your users must be provided on your properties.
Depending on the data protection regulation that applies to you, the information required may be slightly different. For instance, for websites and apps that target the European market, the information required includes:
This includes your corporate name and address.
This includes Criteo which acts as a joint controller.
Data collected by Criteo via cookies and non-cookie technologies are used for the purpose of serving targeted advertising based on the recognition of the user’s device and the collection of information about his/her browsing activity in order to provide advertisements about goods and services likely to be of greater interest to the user.
For example, this can be made by making choices on your cookie consent tool.
If a user consents to Criteo tags, he/she will benefit from personalized advertising and the user’s technical identifiers may be used to link devices or browsers to provide him/her with a seamless experience across the different environments used or likely used by him/her.
If a user refuses Criteo tags he/she will not benefit from personalized online advertising
The user should be informed how he/she can withdraw consent which was previously given to you.
For Criteo services, consent can also be withdrawn through Criteo’s Privacy Policy.
A layered approach can be used to provide such information to the user. A layered approach involves providing the key information to users together with links to obtain more detailed information.
The information should:
Plain language wording should be used. Complex, technical or purely legal wording should be avoided.
Disregarding the laws that apply to you, it is Criteo’s view that transparency with users is always beneficial if we want to foster trust in our respective services and in the entire digital economy . Being transparent involves describing in a comprehensive and user-friendly way how their data will be used and by who. That is the reason why Criteo strongly recommends that its partners include in their privacy policies a notice about the data collection for the purpose of serving interest-based advertising.
Under Criteo Terms and Conditions, in all countries where collecting consent is mandatory for the use of our services, it is our clients and publisher partners’ responsibility to collect valid consent of their users prior to any Criteo tags being fired. This is justified by the fact that you have direct access to users and that you control the choice mechanisms which are used on your properties to collect the consent of users for the implementation of different third-party tags.
Under EU laws, consent is considered valid provided that it is freely given, specific, informed and unambiguous.
Users should be able to give consent or refuse to give it for each processing purpose. In addition, it is also possible to provide “global” acceptance and “global” refusal options which will apply to more than one purpose.
This means that users should have all information about the use of cookies and non-cookie technologies by Criteo for the purpose of serving targeted advertising in hand before they give their consent (see section 1 above).
Consent must be given by a positive act. Continued browsing, scrolling or the use of a website or app is not considered as valid consent. Using pre-ticked boxes does not qualify as valid consent either.
Lack of action from a user cannot be interpreted as valid consent.
Yes. Users should be allowed to refuse the use of Criteo tags as simply as they could consent to it.
For example, if users have the option to consent to more than one purpose at a time, users should have the option to refuse to give consent to such purposes as simply as giving their consent.
Yes. Users should be able to withdraw consent for any reason, at any time. The means to withdraw consent should be made easily accessible to users. Withdrawing consent should be as easy as giving it.
No. Data protection authorities consider that browser settings do not allow to collect valid consent.
Users’ choice should be retained at least while they are browsing or using the property. The maximum period retention should be adequate to the nature of the property and its audience.
Yes. You must be able to demonstrate, at any time, that you have collected valid consent. You should be able to provide Criteo with proof of the consent which you have collected for each user, at Criteo’s request.
For more information about the GDPR and its application to advertisers and publishers:
EDPB guidance on Consent under the GDPR (2020)
Article 29 Working Party guidance on Transparency under the GDPR (2018)
Please note that the information provided here does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.
Last updated: 05/01/2021
