May 25, 2018, is an important day for the citizens of the European Union as the General Data Protection Regulation (GDPR) goes into effect. The GDPR replaces the 1995 Data Protection Directive and harmonizes the various data privacy laws that exist across all 28 member states including the UK. Here at Criteo, our view is that consistency and certainty around privacy and data protection are a win-win for businesses and the consumers they serve.
Since our founding in Europe in 2005, Criteo has had a proven record of ensuring our technology has the highest levels of data privacy and security while helping our clients meet shopper expectations with advertising that is personalized and relevant. As a global company with major offices in multiple EU countries, we are accustomed to complying with country-level requirements across the world.
In fact, we are already in compliance with key elements of GDPR and are well-positioned to rapidly implement any additional requirements. Furthermore, we are working with clients and partners who are subject to the new regulations, offering them support and sharing best practices to help them manage the transition. Criteo is ready to tackle the GDPR challenge and expects limited impact of the new regulation, if any, on our clients’ and partners’ ability to work with Criteo.
GDPR: An Evolution Not a Revolution
Overall, this regulatory update is an evolution that aligns data protection policies across the EU member states while providing consistent application and enforcement by local Data Protection Authorities (DPAs) in each EU member state. The objectives of the GDPR are clear:
- Modernize the legal system to protect personal data in an era of globalization and technological innovation.
- Strengthen individual rights while reducing administrative burdens to ensure a free flow of personal data within the EU.
- Bring clarity and coherence to personal data protection rules and ensure consistent application and effective implementation across the EU.
GDPR protects the privacy of EU citizens and applies to all companies collecting or processing personal data on individuals in the European Union, even if not established in the European Union. A significant confirmation for the digital marketing industry is that the GDPR applies to any information concerning an identified or identifiable natural person, and this includes technical identifiers such as Cookie IDs and Mobile Advertising IDs. Both are now explicitly covered by the definition of personal data.
It is important to note that these technical identifiers were already considered personal data by many DPAs including in France. This is not a new requirement for Criteo and we have well-established methods for compliance while delivering performance to our clients. Overall, the GDPR provides six legal bases for data collection and data processing in Europe. Learn more about how these apply to Criteo and our clients here.
Unambiguous consent is not an opt-in
GDPR establishes a clear distinction between unambiguous consent and explicit consent. Explicit consent means the user must proactively opt in. This applies solely to sensitive personal data such as race, religion, sexual orientation, political affiliation, and health status. Importantly, online identifiers (e.g. cookies) alone are categorized as non-sensitive personal data, therefore an explicit opt-in consent is not required.
Ad Choices: A Focus on Consumer Rights and Control
Criteo has long recognized the need to balance relevant advertising experiences with privacy expectations while empowering consumers to control their experiences. Consumers understand this trade-off. According to a recent Criteo-IPSOS survey, 90% of EU internet users are aware of behavioral targeting and 75% of respondents expect to be served ads that match their interests. They are familiar with cookies and understand the role they play in the advertising-driven business model that powers the content they access.
This is why Criteo committed to the Ad Choices program as early as 2008 to allow consumers, with a single click, to see exactly where Criteo is using data, and how we protect their privacy. When a consumer chooses to opt out, we immediately stop tracking and retargeting. We then remove all identifiers from their browsers, making it impossible to target them in the future. Per EU data protection regulations, all collected consumer-level data is only kept for 13 months. Learn more about our commitment to Ad Choices here.
Privacy by Design: A Corporate Commitment to Best Practices
Privacy by Design is Criteo’s long-standing practice and commitment to ensuring industry-leading privacy, security and safety for consumers and marketers. Key elements include:
- As required by the GDPR, we have had a designated Data Privacy Officer since 2013 along with a team of privacy experts.
- These experts are part of the Product and R&D organization. They perform ongoing Privacy Impact Assessments to monitor potential risks during the product lifecycle and proactively mitigate those risks.
- The Data Privacy team delivers company-wide privacy training, enforces codes of conduct, and is integral to ensuring that we build the best products and services.
- We regularly review and document our internal policies, amend existing privacy policies as necessary, and enforce these policies with our partners and vendors.
Best-in-class Security Measures
As required by GDPR, Criteo already maintains strict security measures when collecting consumer data from our clients. We utilize modern pseudonymous methods, including hashing processes, that are considered best practices under the GDPR, and never willingly store any directly identifying personal information about individual consumers. For compliance and optimal performance, we store EU consumer data within the European data center that is physically closest to them.
Industry Leadership: Investing in Standards and Certifications
Criteo has an extensive number of certifications already in place that are reviewed annually by governing and standards bodies, including:
- Network Advertising Initiative Standards
- IAB Europe
- Digital Advertising Alliance Self-Regulatory Principles for Online Behavioral Advertising
- European Digital Advertising Alliance’s Self-Regulatory Principles
- Digital Advertising Alliance of Canada’s Self-Regulatory Principles
- TrustArc Trusted Data Collection Certification
We at Criteo view the GDPR as a positive development that will foster trust in our digital economy and provide an environment of transparency, control and certainty for businesses and consumers. We are accustomed to complying with the stricter EU standards and are prepared to support our clients and partners through their GDPR compliance journey. We will continue to publish regularly on the issues and best practices around effective GDPR compliance.
So stay tuned.
 Criteo-IPSOS Study, 2017