The CNIL’s recent condemnation of Criteo for non-compliance with the RGPD reminds us of one thing: compliance with data protection regulations is not only a legal obligation, but also a measure of good management.
Criteo, a major French player in online targeted advertising, has been fined 40 million euros for several failures to comply with the RGPD, particularly with regard to verifying the collection of consent and the transparency of its privacy policy. Criteo felt that this fine was grossly disproportionate to the alleged breaches. We won’t discuss the merits of the CNIL’s decision here.
Our observation is as follows: the RGPD provides for the possibility of imposing fines of up to 4% of a company’s turnover. In this case, the fine of 40 million euros represents around 1.8% of Criteo’s 2021 sales (2.2 billion euros), and more than 40% of its average net profit over the period 2019-2022.
The CNIL has therefore decided to hit hard, while still leaving itself room to maneuver, since this fine could have been twice as high.
The good news is that efforts to meet RGPD compliance, in addition to enabling you to make better use of your data, can help avoid a sharp cut in your company’s profits…
The idea is not necessarily to aim for zero risk, but rather to adopt a “risk management” approach, measuring risks in proportion to your stakes.
If you’d like to assess your RGPD compliance with a “risk management” approach, we can help.