Updated Tuesday April 24th, 2018.
From the Criteo Privacy Team: This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.
In 1995, the EU implemented the Data Protection Directive. That directive permitted broad discretion as to how it would be implemented and sometimes resulted in dissimilar or even inconsistent rules.
Now, 23 years later, the directive is being replaced by the General Data Protection Regulation (GDPR). The GDPR will harmonize the various data privacy laws that exist across the European Union (EU), including the U.K. This harmonization will increase certainty and predictability, producing a win-win for businesses and the consumers they serve.
In previous blog posts, we’ve addressed the six bases for collecting personal data as set forth by the GDPR, as well as the crucial differences between sensitive and non-sensitive personal data, of which we only collect the latter.
If you still have questions, you may find useful answers in the following FAQs.
What is the role of Criteo, as defined by GDPR?
Criteo acts as co-data controller, together with our clients.
A Data Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others, determines the purposes and means of the processing of personal data.
Criteo cannot be considered a “Data Processor”, since Data Processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. Data protection authorities in Europe consider that Criteo cannot be qualified as a Data Processor and shall be qualified as a Data Controller, as defined in the Directive 94/46/EC.
What does it mean to be co-data controllers?
Being co-data controllers does not necessarily mean that each party is liable for everything. Article 26 of the GDPR requires the joint controllers to determine the scope of their respective liability in their agreement.
In this regard, our standard terms and conditions that we have in place today are already clear on this:
- Clients are responsible for informing users and collecting consent in countries where it is mandatory. This is justified by the fact that Criteo has no control over the privacy disclaimers and websites of its clients.
- Criteo is directly liable for all other aspects related to its technologies and services (security, data retention, users’ rights, etc.). This is justified by the fact that clients have no control over our data centers or security processes.
According to GDPR, what are Criteo’s obligations?
To comply with GDPR we:
- Implement a privacy by design approach, making sure that a privacy expert is involved at the very first stage of the design of any product, technology or service developed at Criteo.
- Only collect and process pseudonymous data that offers more security to users in terms of confidentiality, but still provides a rich understanding of shopping intent. Our technology is based on making relevant, personalized product recommendations and promoting those items most likely to interest and engage a consumer.
- Ensure that we respect all individual rights, notably the right to be forgotten or to access their data.
- Contractually undertake to comply with all applicable local laws and regulations, including but not limited to privacy and data protection law.
(Learn more: How Will GDPR Affect Criteo Solutions?)
What is “Personal Data” as defined by GDPR?
Personal data means any information relating to an identified or identifiable natural person (or ‘data subject’). An identifiable natural person is an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data that is considered personal data under the scope of GDPR includes but is not limited to:
- first and last name
- phone number
- social security number
- IP address
- Online identifiers like cookie IDs or mobile advertising IDs
However, GDPR establishes a distinction between two different categories of personal data:
- Directly identifying information: a subcategory of personal data that allows the individual to be directly identified (e.g. name, surname, social security number…)
- Pseudonymous data: a subcategory of personal data that allows the singling out of individual behaviors without identifying the data subject directly (e.g. cookie ID, hashed email, device ID…)
What kind of Personal Data does Criteo Collect?
Criteo already acknowledges that the data collected for the purpose of its services is personal data, and only collects pseudonymous data linked to browsing events. For instance, Criteo can notably collect the following data on its advertiser clients’ websites or on their mobile applications:
- Names of the websites browsed by the users – list of pages and products viewed, clicked, put in basket or bought on the advertiser clients’ websites
- URL of the pages viewed by the users (“referrer”)
- Aggregated technical information related to the browser and device of the user (“user agent”)
- Time stamp (date, time)
- Criteo Cookie (or mobile advertising ID in the mobile app environment where cookies are not supported)
- Truncated IP address
- Hashed CRM ID (optional at the choice of Criteo advertiser clients for cross-device retargeting purposes)
- Hashed email address (optional at the choice of Criteo advertiser clients for cross-device retargeting purposes)
Criteo uses state-of-the-art data hashing algorithms to pseudonymize the data and ensure that no directly identifying information is willingly stored in plain form, such as name, surname or email address. The pseudonymization of personal data is considered a best practice to reduce the risks for the data subjects concerned, and helps companies meet their data protection obligations.
Does Criteo collect anonymous data?
No. Criteo collects pseudonymous data, which is a subcategory of personal data that allows us to single out individual behaviors and serve relevant ads to relevant users without directly identifying them.
Anonymous data is the only category of data that falls outside the scope of the GDPR. However, it must be understood as highly aggregated information about a vast group of persons, limited to information which does not relate to an identified or identifiable natural person and therefore does not allow singling out individual behaviors. When you aim to personalize content, you have to single out individual behaviors, and you should make sure you do not tell your users that you only collect anonymous data.
What is “Sensitive Data” as defined by GDPR?
The GDPR law defines sensitive data as any data that reveals:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health or a natural person’s sex life and/or sexual orientation
By nature, the data that Criteo collects and processes for the purpose of its services does not qualify as sensitive data as defined by the GDPR.
Criteo gathers several pieces of data about users that may allow Criteo to build an ultimate “identity” of these users. Could the sum of all pseudonymous data somehow result in PII (Personally Identifiable Information)?
We commit to respecting and applying the data minimization principle, making sure that we don’t collect more information than what is strictly necessary for the purpose of our services.
Since the data collected in the first place is only pseudonymous and cannot lead to personal identification, Criteo is not able to build any identity of the user.
Because zero risk can never be guaranteed, the law considers this data a subcategory of personal data that falls within the scope of the regulation. The goal is to limit this risk as much as possible by promoting practices such as data minimization and pseudonymization. Via the collection of pseudonymous data, we ensure Criteo is reducing the risks to end users as much as possible.
(Learn More: A GDPR Checklist: Are you Ready?)
Is Criteo Compliant with GDPR?
In our standard terms with clients and partners, Criteo already undertakes to comply with all applicable laws and regulations. This will of course cover the GDPR when it comes into force.
We already have a strong foundation and legacy of following several industry best practices, standards and regulations and applying high levels of security and data privacy across our portfolio of products, technologies and services.
How does the new regulation impact Criteo?
There will be no major change for Criteo, since we are already aligned with the industry’s high standards for data protection, privacy, and security, and only collect pseudonymous data that are strictly necessary for the purpose of our business.
Criteo already acknowledges that the data collected for our services is personal, non-directly identifiable data, and that we are directly liable for the compliance of our technologies with applicable data protection laws. Moreover, the recognition of pseudonymization techniques also confirms that we have already been doing the right things by applying a state-of-the-art hashing process to the data we collect for the purpose of our services.
We are proactively working with and advising our clients on how to prepare for the GDPR within the scope of personalized advertising.
We are Ready for GDPR
Since our founding in Europe in 2005, Criteo has had a proven track-record of ensuring our technology has high levels of data privacy and security. As a global company with major offices in multiple EU countries, we are accustomed to complying with country-level requirements across the world.
On many key aspects, the GDPR is the confirmation that Criteo has been doing things right for years (implementing a privacy by design approach, appointment of a data protection officer, etc.) and we are well-positioned to quickly implement any additional requirements.
We’re here to help our clients and publisher partners gain a better understanding of how GDPR will affect all of us, and further the conversation of the overall benefits of the GDPR to the ad-tech industry, all the while helping our clients meet shopper expectations with commerce marketing that is personalized and relevant.