As a global company with headquarters in Europe, Criteo has a strong foundation in dealing with several industry best practices, standards and regulations. It is Criteo’s view that consistency and certainty around privacy and data protection are a win-win for businesses and the consumers they serve. For this reason, Criteo is committed to complying with applicable laws and regulations in all countries where it operates, including notably the General Data Protection Regulation (GDPR), which harmonizes the different data privacy laws across the European Union’s member states, the California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGPD).
Criteo is supporting its advertiser clients (“Advertiser”) and publisher partners, including Retail Media retailers (“Publishers”), through their compliance journey by sharing guidelines and best practices about how to meet their own legal obligations:
1. Information Requirement: You are required to be transparent with the users who visit your properties (websites/apps)
Clear, easily accessible and comprehensive information about the collection of data via tags, and about the use of data relating to your users, must be provided on your properties.
What information should be provided to users?
Depending on the data protection regulation that applies to you, the information required may be slightly different. For instance, for websites and apps that target the European market, the information required includes:
This includes your corporate name and address.
The identity of controllers and joint controllers you share personal data with
The purposes of the processing for which data are collected on your properties
Data collected by Criteo via cookies and non-cookie technologies are used for the purpose of serving targeted advertising based on the recognition of the user’s device and the collection of information about his/her browsing activity in order to provide advertisements about goods and services likely to be of greater interest to the user.
- If you are an Advertiser: the processing enables you to show advertisements for your products and/or services to users on third-party websites and apps.
- If you are a Publisher: the processing enables brands and e-commerce retailers and service providers to show advertisements for their products and/or services to users on your website.
- For Advertisers and Publishers sharing data with Criteo for cross-device linking purposes, such as advertisers live on Criteo Shopper Graph: You may share data, such as technical identifiers derived from users’ registration information on your website or your CRM system, with your advertising partners. This allows them to link devices or browsers and provide users with a seamless experience across the different environments used or likely to be used by them.
How to give consent to or refuse tags
For example, this can be done by making choices in your cookie consent tool.
Consequences if a user consents to or refuses tags
If a user consents to Criteo tags, he/she will benefit from personalized advertising and the user’s technical identifiers may be used to link devices or browsers to provide him/her with a seamless experience across the different environments used or likely to be used by him/her.
If a user refuses Criteo tags, he/she will not benefit from personalized online advertising.
The right of the user to withdraw his/her consent and how to withdraw it
The user should be informed how he/she can withdraw consent which was previously given to you.
A layered approach can be used to provide such information to the user. A layered approach involves providing the key information to users together with links to obtain more detailed information.
When and where should this information be provided?
The information should:
- be provided to users before they are offered a choice to give (or refuse to give) consent in a visible and obvious manner; and
What kind of wording should be used?
Plain language wording should be used. Complex, technical or purely legal wording should be avoided.
What if the GDPR does not apply to me and my properties?
Regardless of the laws that apply to you, it is Criteo’s view that transparency with users is always beneficial if we want to foster trust in our respective services and in the entire digital economy. Being transparent involves describing in a comprehensive and user-friendly way how their data will be used and by whom. That is the reason why Criteo strongly recommends that its partners include in their privacy policies a notice about the data collection for the purpose of serving interest-based advertising.
2. Consent Requirement: You shall collect the consent across your properties for your use of Criteo services when legally compulsory
Under Criteo Terms and Conditions, in all countries where collecting consent is mandatory for the use of our services, it is our clients and publisher partners’ responsibility to collect valid consent of their users prior to any Criteo tags being fired. This is justified by the fact that you have direct access to users and that you control the choice mechanisms which are used on your properties to collect the consent of users for the implementation of different third-party tags.
Under what conditions is consent valid?
Under EU laws, consent is considered valid provided that it is freely given, specific, informed and unambiguous.
What do “freely given” and “specific” mean?
Users should be able to give consent or refuse to give it for each processing purpose. In addition, it is also possible to provide “global” acceptance and “global” refusal options which will apply to more than one purpose.
What does “informed” mean?
What does “unambiguous” mean?
Consent must be given by a positive act. Continued browsing, scrolling or the use of a website or app is not considered as valid consent. Using pre-ticked boxes does not qualify as valid consent either.
Lack of action from a user cannot be interpreted as valid consent.
Do I need to allow users to refuse to give consent?
Yes. Users should be allowed to refuse the use of Criteo tags as simply as they could consent to it.
For example, if users have the option to consent to more than one purpose at a time, users should have the option to refuse to give consent to such purposes as simply as giving their consent.
Do I need to allow users to withdraw the consent they have previously given?
Yes. Users should be able to withdraw consent for any reason, at any time. The means to withdraw consent should be made easily accessible to users. Withdrawing consent should be as easy as giving it.
Can I rely on browser settings to collect consent?
No. Data protection authorities consider that browser settings do not allow valid consent to be collected.
How long should I keep users’ choices for?
Users’ choices should be retained at least while they are browsing or using the property. The maximum retention period should be appropriate to the nature of the property and its audience.
Do we need to keep track of consent given by users?
Yes. You must be able to demonstrate, at any time, that you have collected valid consent. You should be able to provide Criteo with proof of the consent which you have collected for each user, at Criteo’s request.
For more information about the GDPR and its application to advertisers and publishers:
EDPB guidance on Consent under the GDPR (2020)
Article 29 Working Party guidance on Transparency under the GDPR (2018)
Please note that the information provided here does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.
Last updated: 05/01/2021