
Criteo fined 40 million euros: what it changes for the entire adtech industry.
On March 4, 2026, the State Council put a definitive end to the Criteo case. The 40 million euro fine imposed by the CNIL in June 2023 is confirmed, once and for all. The French retargeting giant, which processes data from 370 million users across Europe, had exhausted every possible legal avenue. Without success. This decision is not just bad news for Criteo. It is an earthquake for the entire European advertising ecosystem. Here is why.
How we got here
It all started in December 2018. Two organizations, noyb (founded by Max Schrems, the Austrian activist who brought down the Privacy Shield) and Privacy International, filed a complaint against Criteo with the CNIL. The main allegation: Criteo was placing tracking cookies on thousands of partner websites to analyze users’ browsing behavior and serve them “retargeting” ads, those ads that follow you around after you looked at a pair of sneakers on an e-commerce site!
The problem was that Criteo did not verify whether its publisher partners had actually obtained user consent before dropping its cookie. The company relied on contractual clauses with its partners, in a “we trust them” approach.
After 5 years of investigation, the CNIL issued its decision on June 15, 2023: a 40 million euro fine and publication of the sanction for 2 years. Criteo appealed to the State Council. On March 4, 2026, the appeal was dismissed. Case closed.
The 5 violations identified by the CNIL
The sanction does not concern a single infringement. The CNIL identified five GDPR violations, and each one has direct implications for the entire adtech industry.
- Inability to prove consent (Article 7.1): Criteo was never able to demonstrate that users had given their consent to the placement of its retargeting cookie. The company relied on contractual commitments with its publisher partners. For the CNIL and the State Council, that is not enough. The data controller must be able to provide proof of consent, regardless of who collected it.
- Lack of information and transparency (Articles 12 and 13): users were not properly informed about the data processing carried out by Criteo. The privacy policy was either absent from partner websites or incomplete regarding the actual purposes of the processing.
- Failure to comply with the right of access (Article 15.1): when users requested access to their data, Criteo did not provide a complete response within the required timeframe.
- Failure to comply with the right to withdraw consent and the right to erasure (Articles 7.3 and 17.1): this is perhaps the most impactful point. When a user withdrew their consent, Criteo did stop showing them targeted ads. But the company retained their data to “improve its prediction algorithms.” In plain terms: you say stop, we stop showing you ads, but we keep using your data to train our models. The State Council confirmed that this is illegal. Withdrawal of consent requires complete deletion of data, not just the deactivation of a feature.
- Absence of a joint controller agreement (Article 26): Criteo and its publisher partners were acting as joint controllers without having formalized a GDPR-compliant agreement. Each party handled its part without a clear common framework.
The 4 lessons that change the game
Beyond the Criteo case itself, this decision establishes rules that now apply to the entire advertising ecosystem. Here are the 4 key takeaways.
1. Pseudonymized data = personal data
This was the first argument Criteo raised before the State Council: “we only process pseudonymous identifiers, we cannot directly identify individuals.” Rejected. The State Council upheld the CNIL’s position: as soon as an entity can cross-reference sets of indicators – browsing history, geolocation, purchasing habits – to single out a user “without disproportionate effort,” it is processing personal data. It does not matter whether the identifier is a cookie ID, a device ID, or a hash.
This is a major blow to all adtech players who hide behind pseudonymization to escape the GDPR. The argument no longer holds.
2. You are responsible for consent, even if someone else collects it
This is the most structurally significant lesson for the ecosystem. In the traditional advertising chain, it is the publisher who collects consent through its CMP (Consent Management Platform). Adtech partners – DSPs, SSPs, DMPs, ad networks – simply verify that a consent signal exists in the TC String.
The State Council clearly states that this is not sufficient. The data controller – in this case Criteo, but tomorrow any adtech player – must be able to prove that consent was validly obtained. A contract stating “the partner undertakes to collect consent” does not constitute proof of consent.
In practical terms, this means that every link in the advertising chain must be able to audit its partners’ compliance. Not just sign a contract and look the other way.
3. The illegality of the initial collection taints everything downstream
If data collection is illegal from the start (no valid consent), then all subsequent processing of that same data is illegal. You cannot “launder” improperly collected data by using it for a different purpose.
For adtech, this is a wake-up call. The entire value chain depends on the validity of the initial consent. If that first link is flawed, everything else collapses.
4. The right to erasure means total erasure
Criteo had a creative interpretation of the right to erasure: stop ad targeting but keep the data to improve its algorithmic models. The State Council ruled: erasure means erasure. Not partial deactivation, not cold storage archiving, not reuse for model training.
For companies using behavioral data to train AI or optimization models, this is a real concern. The data does not belong to you, and the withdrawal of consent must be total and irreversible.
What it changes for publishers
If you are a website publisher, this decision directly concerns you. Not because you risk a 40 million euro fine, but because you are an essential link in the consent chain.
First consequence: your adtech partners will hold you accountable. Expect to receive more thorough questionnaires about your CMP, your TC String management, and your ability to prove that consent was validly obtained.
Second consequence: consent quality becomes a competitive advantage. A publisher that can demonstrate impeccable, traceable, and compliant consent will be more valuable to advertisers and adtech partners than a publisher with a high but unverifiable consent rate.
And third consequence: publishers who neglect their CMP are taking on increasing legal risk. In 2025, the CNIL sanctioned 21 organizations for cookie and tracker-related violations. This is no longer a theoretical risk.
What it changes for advertisers
For advertisers, the message is equally clear. When you buy programmatic advertising space, you bear responsibility for the provenance of the data used for targeting.
The new question to ask your vendors is “how can you prove to us that consent is valid for each impression served?”
The most forward-thinking advertisers are already incorporating compliance audits into their RFPs. After this decision, it will become the norm.
The context: a CNIL more aggressive than ever
This decision comes in a context of massively tightened enforcement. In 2025, the CNIL issued 83 sanctions totaling 487 million euros, an all-time record, nearly 9 times more than in 2024.
Among the notable sanctions in 2025: Google (325 million), Shein (150 million), and a series of smaller but targeted sanctions related to cookies.
In January 2026, Free and Free Mobile were hit with a combined 42 million euros, and France Travail with 5 million.
The message is crystal clear: the CNIL now considers certain compliance measures to be non-negotiable prerequisites. Multi-factor authentication, consent traceability, strict data lifecycle management: none of this is optional anymore.
And what about Criteo?
The irony is that Criteo is no longer really a traditional retargeting player. The company has pivoted to retail media, which now accounts for 37% of its revenue. Its total revenue stands at 1.18 billion dollars in 2025, but growth is slowing for 2026 (between 0% and 2% expected growth).
Even more symbolic: Criteo has announced the transfer of its registered office from France to Luxembourg through a cross-border conversion, subject to shareholder approval. The enfant terrible of French adtech, founded in 2005, is turning a page. But the case law it leaves behind will endure.
Key takeaways
The Criteo decision is not just another fine. It is a legal clarification that redefines the rules of the game for the entire European adtech industry.
In summary:
- Pseudonymized data is personal data.
- The burden of proving consent also falls on the data controller.
- A contract does not replace proof. Saying “my partner commits to collecting consent” is not enough.
- Withdrawal of consent requires complete deletion of data, including for model training.
- The illegality of the initial collection taints all subsequent processing.
For publishers and advertisers, consent is no longer just another compliance topic. It is the foundation on which the entire European advertising model rests. And the State Council has just reminded everyone that this foundation must be rock solid.
Thomas Gicquel – CEO of Gimii / Cookies for Good