Criteo: France’s Conseil d’État upholds €40M — consent prevails in AdTech
On 4 March 2026, France’s Conseil d’État upheld the €40M fine against Criteo for personalized advertising without valid consent. Key takeaway in AdTech: for targeting trackers, the lawful basis is (almost always) consent.
4 March 2026 — Conseil d’État (France): the €40M CNIL fine against Criteo for personalized advertising without valid consent is upheld. Key takeaway for executives and DPOs: in AdTech, Article 6 GDPR almost invariably requires consent that is compliant and provable.
The case
- Organisation: Criteo (adtech, retargeting)
- Authority: CNIL (France); dispute closed by the Conseil d’État
- Decision: Conseil d’État, 10th–9th chambers sitting jointly, 4 March 2026, No. 482872 — full text on Légifrance
- Amount: €40,000,000 (confirmed)
- Grounds: infringements of GDPR Arts. 7, 12–13, 15, 17, 26; ePrivacy cookies rules; and Art. 83 criteria. Cross‑border scale (>370M EU identifiers) and proportionality confirmed.
The ruling confirms the CNIL’s 15 June 2023 decision, notably for lack of proof of valid consent collected via publisher partners, insufficient information, and deficient rights handling. See CNIL notice.
Legal reasoning
- Lawful basis (Art. 6 GDPR). For behavioural advertising with trackers, legitimate interest (6(1)(f)) is not the default basis: EDPB Guidelines 05/2020 require consent compliant with 6(1)(a) + 4(11) and 7. No pre‑ticked boxes or implied consent. Source: EDPB 05/2020.
- Cookies and ePrivacy. Placing/reading non‑essential cookies requires prior consent (Directive 2002/58/EC, Art. 5(3)), with proof under Art. 7(1) GDPR. CNPD references: legal context and applicable principles.
- Planet49 case law. CJEU (1 Oct 2019, C‑673/17) invalidated consent via pre‑ticked boxes for cookies, whether or not personal data is involved. Text: eur-lex.
- Joint controllership (Art. 26). Publishers and cookie emitters may be joint controllers; the Art. 26 arrangement must clearly allocate obligations and information duties. The Conseil d’État found Criteo’s arrangements lacking. See the judgment.
- Penalty (Art. 83). Severity, number of data subjects, gains derived, and financial position justify €40M (about half the applicable cap). Ref.: Légifrance.
Regulators’ stance
- CNIL: consent is central; proof is mandatory; AdTech actors bear their own responsibilities, including toward partners. CNIL.
- CNPD (Luxembourg): prior consent for targeting; keep proof and manage consent renewal (often ≤12 months). CNPD — principles.
- EDPB: consent and transparency are prerequisites for retargeting and social ads. EDPB 05/2020.
What this changes in practice
- Web/app behavioural ads: lawful basis = explicit, documented, and traceable consent. Partners do not “transfer” the burden of proof: the AdTech third party must require and audit proof (Art. 7(1) GDPR). To structure this, engaging a certified DPO mandate can help secure governance and evidence logs.
- AdTech chain: update Art. 26 joint controller arrangements (data subject rights, security Art. 32, DPIA Art. 35, breach management Arts. 33–34, transparency Arts. 12–13). Reference: the 4 March 2026 ruling and the GDPR framework.
- Cookie banners: implement a compliant CMP (no pre‑ticked boxes; refusal as easy as acceptance; purpose‑granularity; proof log; renewal). CNPD often recommends renewal ≤12 months and two‑layer information. See CNPD principles.
- Data subject rights: provide all relevant data with intelligible explanations; implement effective consent withdrawal (Art. 7(3)) and erasure (Art. 17). For Luxembourg organisations, this aligns with CNPD compliance locally.
Quick decision tree (Art. 6 GDPR)
- Non‑essential trackers for ad targeting? Yes → explicit consent (Arts. 4(11), 7 GDPR + ePrivacy), proof, refusal as easy as acceptance, no abusive cookie walls. Ref.: EDPB 05/2020.
- Customer data without trackers (e.g., CRM segmentation for transactional emails)? Legitimate interest may be possible if there is clear notice and a documented balancing test; not for cross‑site retargeting. Ref.: EDPB.
- Social pixels or custom audiences? Consent required and joint controllership to be framed (Art. 26). Provide precise information, including algorithmic optimisation.
Common pitfalls seen in audits
- “Legitimate interest for all marketing.” Wrong for targeting cookies/SDKs: consent is required. CNPD — context.
- Non‑compliant CMP: pre‑ticked boxes, refusal harder than acceptance, no proof log, renewal >12 months. CNPD — principles.
- Weak partner arrangements: no Art. 26 joint controller agreement or missing clauses (rights, DPIA, breaches). Légifrance.
- Incomplete access responses: partial extracts without intelligible explanations. CNIL.
- Vague privacy notices: “personalised ads” without specifying retention, enrichment, or algorithmic optimisation.
Official sources (selection)
- Conseil d’État (France), Criteo ruling, 4 March 2026, No. 482872 — legifrance.gouv.fr
- CNIL, SAN‑2023‑009 — cnil.fr
- EDPB, Guidelines 05/2020 — edpb.europa.eu
- CNPD (Luxembourg), cookies — context and principles
- CJEU, Planet49 (C‑673/17) — eur-lex.europa.eu
Bottom line: in Luxembourg and across the EU, for tracker‑based ad targeting the lawful basis is consent — duly evidenced and contractually governed across the chain.
Luxgap regulatory expertise article.