France's highest administrative court this week upheld a €40 million fine against Criteo, the Paris-headquartered advertising technology company, confirming a 2023 penalty issued by the French data protection authority. The ruling, Décision n° 482872, was handed down on March 4, 2026 by the Conseil d'État's 10th and 9th combined chambers and closes a multi-year legal battle that began when France's Commission Nationale de l'Informatique et des Libertés (CNIL) sanctioned Criteo on June 15, 2023. But the decision has already triggered sharp debate among privacy lawyers over the evidentiary standards used to justify the penalty's full amount - and what those standards mean for the broader adtech industry.
Criteo, which is listed on Nasdaq (ticker: CRTO) and whose main establishment is in France, operates by displaying targeted advertising on websites managed by third parties. To do this, it collects and processes browsing data using connection trackers - cookies - from individuals located in France and other EU member states who visit partner websites. The CNIL found that Criteo had committed violations of Articles 7, 12, 13, 15, 17 and 26 of the General Data Protection Regulation (GDPR), and imposed a sanction of €40 million, half the maximum permitted amount under Article 83 of the GDPR.
Criteo appealed that decision in August 2023. The case accumulated nine separate legal submissions between August 2023 and September 2025 before the Conseil d'État rendered judgment.
What the court found
The Conseil d'État upheld the CNIL's findings across every contested ground. On the fundamental question of whether Criteo's data even qualified as personal data under GDPR Article 4(1), the court ruled against Criteo. Criteo had argued that the identifiers it assigns to users are pseudonyms - not personal data - because the company holds no re-identification key that directly links an identifier to a named individual.
The court was unpersuaded. According to the decision, the identifiers used by Criteo are associated not only with the user's IP address, but with geographic location data tied to that IP address, terminal identifiers, partner-specific user identifiers, and extensive behavioral data - visited websites, purchases made, advertisements viewed, and purchases following ad exposure. The court noted that "the very purpose of the processing is to offer the most relevant advertisements possible based on browsing habits and consumer interests," creating a situation where many data points, sometimes highly precise, can be collected and cross-referenced for a given identifier. Given all of this, according to the ruling, "at least some of the very large number of data subjects were identifiable by means that did not require disproportionate effort in terms of time, cost and manpower."
On consent, the court confirmed that Criteo had processed personal data from internet users visiting partner websites without being able to demonstrate that those users had validly consented. Criteo had argued that, under its joint controller agreements with partners, the responsibility for collecting consent lay with those partners. The Conseil d'État rejected this, holding that a data controller responsible for processing must be able to demonstrate proof of valid consent at any time, even if that consent was collected by a third party.
The court also upheld findings on consent withdrawal and erasure. When users exercised their right to erasure, Criteo had stopped displaying personalised advertising to those individuals - but had not deleted the underlying identifiers or the data associated with them. The company continued to use that data to improve its targeting algorithms. According to the court, this was unlawful because data collected on the basis of consent cannot be retained and reused once that consent has been withdrawn.
On information obligations, the court found that Criteo had told users only that it processes their data "for personalised advertisements." It did not inform them that the same data would also be retained and used to configure and improve the algorithmic targeting systems underlying Criteo's service. The court considered this a distinct processing purpose, inadequately disclosed.
Finally, on the joint controllership arrangements with partners (governed by Article 26 GDPR), the court confirmed that Criteo's agreements with partners had not specified certain mutual obligations - including how users could exercise their rights, how data breaches would be notified to regulators, and whether data protection impact assessments would be conducted.
The fine and the scale argument
The penalty - €40 million, set at half the maximum available - was upheld in full. The Conseil d'État considered several factors: the particular seriousness of the violations, the cross-border and large-scale nature of Criteo's processing (covering more than 370 million user identifiers in the European Union, including 50 million in France), Criteo's position as a major player in online advertising services, and the fact that it had derived direct financial gain from the violations - since it was remunerated by advertisers for targeting individuals who may not have consented had their consent been properly sought.
The court acknowledged Criteo's cooperative attitude during the proceedings and the fact that it had come into compliance on certain violations before the sanction was issued. These factors were not sufficient to reduce the penalty.
This is precisely where legal critics have focused their attention. According to Peter Craddock, a data and technology lawyer whose analysis circulated widely after the ruling, the court's reasoning creates what he describes as "a very awkward piece of legal justification." Writing on LinkedIn, Craddock noted that the Conseil d'État "basically says 'at least some of the very large number of data subjects were identifiable by means that did not involve a disproportionate effort in terms of time, cost and manpower' - before saying 'because it's such a big processing activity, with over 370 million identifiers, including 50 million for France, we're confirming the full extent of the fine imposed.'"
The problem, according to Craddock, is the logical tension: the court admits there is no evidence that all 50 or 370 million identifiers constitute personal data, while simultaneously maintaining 100 percent of a fine calibrated on the assumption that they do. As Craddock wrote: "If scale is a justification for the size of a fine, you don't maintain 100% but try to establish how much % is justified."
The personal data question: identifiers vs. identification
The debate over whether Criteo's identifiers constitute personal data under the GDPR goes to the core of how digital advertising is regulated. Criteo processes advertising data by assigning each user a pseudonymous identifier - an alphanumeric string tied to a cookie. The company argued this identifier, without a re-identification key connecting it to a natural person's name or contact details, cannot constitute personal data.
Legal experts have long grappled with this question. The GDPR's Article 4(1) defines personal data as any information relating to an "identified or identifiable" natural person. Recital 26 of the regulation provides that identifiability requires consideration of "all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly," taking into account objective factors including "the costs of and the amount of time required for identification."
Craddock's December 2025 analysis on pseudonymisation - published ahead of a European Data Protection Board stakeholder event on December 12, 2025 - makes a detailed case that singling out a data point is not the same as identifying a natural person. According to Craddock, identifying a natural person requires three conditions: "(i) the ability to attribute certain information to a natural person, (ii) the ability to distinguish that person from any other persons (i.e. so it is a specific natural person, not just any natural person) and (iii) that distinction must be of such a nature as to make it possible to act upon or in relation to such person."
By that framework, an advertising identifier like "A1B2C3" may be sufficient to single out a data point and deliver an advertisement to a device - but it does not necessarily allow the controller to know who that device belongs to, address that person by name, or take any real-world action in relation to them as an individual. Craddock argues that both the CNIL and the Conseil d'État "have seized upon the notion of 'identifiers' as meaning a natural person is 'identifiable' when in fact they seem to mean that the natural person can be singled out."
This is not merely a theoretical dispute. The European Court of Justice's SRB judgment of September 4, 2025 established that pseudonymised data is not necessarily personal data for every recipient - a finding that created direct tension with earlier EDPB guidance. The EDPB published updated pseudonymisation guidelines in January 2025 and later convened a stakeholder event to reconcile the guidelines with the court's reasoning. The Conseil d'État's ruling does not engage with that evolving case law in any depth. Germany, in a proposal submitted in October 2025, called explicitly for clarification of what anonymisation and pseudonymisation require to achieve GDPR compliance, noting that "it is still unclear what anonymisation and pseudonymisation requirements need to be fulfilled."
Evidentiary asymmetry in digital enforcement
A secondary critique raised in legal commentary concerns the consistency of evidentiary standards across different branches of enforcement. Dr. M.R. (Mark) Leiser, an academic and consultant specialising in AI and digital law, noted on LinkedIn that the Conseil d'État ruling sits awkwardly beside the demanding evidentiary thresholds that courts impose on civil society when it attempts collective redress for GDPR violations. According to Leiser, when "civil society attempts collective redress, courts insist on granular proof of representation, harm structure, and factual similarity across the group. But when regulators impose sanctions, courts appear more willing to accept large-scale assumptions about scope of affected individuals and data identifiability."
Leiser is referencing what he describes as an "uncomfortable question about evidentiary symmetry in digital enforcement." The concern is that the burden of evidential precision falls almost entirely on those seeking judicial remedies, while administrative enforcement can proceed on probabilistic assumptions about scale.
Craddock has suggested that one practical solution would be random sampling: if there is a serious allegation that not all identifiers constitute personal data, regulators should test a statistically representative sample rather than assuming the entire dataset is covered. This approach would anchor enforcement to demonstrable facts rather than inferences from scale.
What the violations actually were
It is worth separating the evidentiary dispute over the fine's magnitude from the underlying conduct. The Conseil d'État found multiple discrete violations, each assessed on its own merits.
On consent, the core problem was structural. Criteo depended on partner websites to collect user consent, but had no reliable mechanism to verify whether consent had actually been given. When the CNIL asked for proof, Criteo could not supply it. The joint controller arrangements with partners did not require partners to document consent in a manner that Criteo could retrieve and present to regulators.
On information, Criteo told users it used their data for personalised advertising. It did not tell them that the same data fed algorithmic improvement processes - effectively a second, distinct purpose for retaining and processing the data.
On erasure, the technical implementation of consent withdrawal was incomplete. Criteo suppressed ad delivery to users who requested erasure but retained identifiers and associated behavioral records, continuing to use them internally. According to the Conseil d'État, Criteo would have been materially capable of actually deleting this data but chose not to.
On joint controllership, the agreements with partners contained gaps: missing provisions for notifying data breaches to supervisory authorities, absent procedures for conducting data protection impact assessments under GDPR Article 35, and unclear responsibilities for facilitating users' data subject rights.
Context for marketing and advertising professionals
The ruling matters to the marketing community for several reasons, most of which extend well beyond Criteo itself.
First, the consent proof obligation is absolute. The Conseil d'État confirmed that a data controller cannot delegate consent collection to a partner and then rely on that delegation as a shield when regulators ask for proof. The controller must hold the evidence, not merely have a contractual claim to it.
Second, purpose limitation requires specificity. Informing users that data is used "for personalised advertising" does not cover the use of the same data to train and improve algorithmic systems. These are treated as separate purposes under GDPR, each requiring separate disclosure.
Third, erasure requests require actual deletion. Suppressing ad delivery while retaining the underlying data - even for internal improvement purposes - does not satisfy Article 17 GDPR once consent has been withdrawn.
Fourth, and more broadly, the ruling confirms France's position as one of the most active GDPR enforcement jurisdictions in Europe. The CNIL fined Google €325 million in September 2025 for Gmail advertising and cookie violations, sanctioned SHEIN's subsidiary €150 million for cookie consent failures, and imposed a €1 million penalty on Optimove in December 2025 for processor violations in the Deezer data breach case. The Conseil d'État also reduced Amazon's original €32 million GDPR fine to €15 million in December 2025 - the only recent case where France's highest administrative court reduced a CNIL penalty rather than confirming it.
For Criteo specifically, the ruling closes one front in what has been a legally complex period. The company recently announced that it became the first advertising technology partner in OpenAI's ChatGPT advertising pilot on March 2, 2026, and has been diversifying away from retargeting toward retail media, with retargeting dropping from approximately 90 percent of revenue in 2020 to 40 percent by end of 2024.
The broader legislative picture
The Conseil d'État ruling arrives as European institutions are actively reconsidering the legal boundaries of personal data and pseudonymisation. The European Commission's Digital Omnibus proposal introduced in late 2025 would amend GDPR Article 4(1) to embed a "relativity" approach, clarifying that information is not necessarily personal data for every entity merely because another entity can identify the natural person. This codifies elements of the SRB judgment but, according to legal experts, potentially extends beyond what that ruling actually established.
Whether that proposal advances through the legislative process will determine how much of the conceptual tension surfaced by the Criteo case gets resolved at the regulatory level - or whether the question of what counts as an "identifiable" person in digital advertising continues to be settled, case by case, by national courts applying their own readings of a regulation that was not written with 370 million advertising identifiers squarely in mind.
The Conseil d'État issued its decision without submitting preliminary questions to the Court of Justice of the European Union, finding that the applicable law was clear enough to decide the case without EU-level guidance. Legal experts may disagree.
Timeline
- June 15, 2023 - CNIL's restricted committee imposes €40 million fine on Criteo for GDPR violations covering Articles 7, 12, 13, 15, 17, and 26.
- August 14, 2023 - Criteo files summary appeal request at the Conseil d'État secretariat.
- November 13, 2023 - Criteo submits complementary legal brief.
- April 29, 2024 - Criteo submits additional legal brief.
- September 16, 2024 - Additional brief submitted by Criteo.
- January 2025 - EDPB publishes updated pseudonymisation guidelines, sparking industry debate over the definition of personal data.
- February 5, 2025 - Criteo announces Q4 2024 financial results, with retargeting now at 40% of revenue.
- September 4, 2025 - Court of Justice of the European Union issues SRB judgment on pseudonymised data, establishing that data is not necessarily personal for all parties.
- October 23, 2025 - Germany submits proposals to the European Commission calling for GDPR clarification on pseudonymisation and anonymisation.
- November 9, 2025 - European Commission proposes GDPR amendments introducing relativity approach to personal data definition.
- December 10, 2025 - Peter Craddock publishes in-depth analysis on pseudonymisation and "means reasonably likely to be used" for identification.
- December 12, 2025 - EDPB holds pseudonymisation stakeholder event to reconcile guidelines with SRB judgment.
- February 11, 2026 - CNIL submits note in deliberation to Conseil d'État.
- February 12, 2026 - Criteo submits note in deliberation.
- March 2, 2026 - Criteo announced as first adtech partner in OpenAI's ChatGPT advertising pilot.
- March 4, 2026 - Conseil d'État (Décision n° 482872) dismisses Criteo's challenge and confirms €40 million fine in full.
Summary
Who: Criteo SA (NASDAQ: CRTO), a French-headquartered advertising technology company, and France's Commission Nationale de l'Informatique et des Libertés (CNIL), with the case adjudicated by the Conseil d'État's 10th and 9th combined chambers, rapporteur M. Jean de L'Hermite.
What: The Conseil d'État upheld the CNIL's €40 million GDPR fine against Criteo, confirming violations related to consent proof obligations, inadequate information provided to users, failures to execute erasure requests completely, and gaps in joint controllership agreements with partner websites. The ruling confirms Criteo's status as a data controller for cookies it places on third-party partner sites, and as the sole controller when it subsequently processes the data collected. Legal experts have raised concerns about the court's evidentiary approach to the fine's magnitude, specifically its acceptance of scale-based justification without proof that all 370 million identifiers constitute personal data.
When: The CNIL decision was issued June 15, 2023. The Conseil d'État dismissed Criteo's challenge on March 4, 2026, following a legal process spanning nine submissions between August 2023 and September 2025.
Where: The processing violations occurred across France and other EU member states, affecting users who visited partner websites on which Criteo deployed cookie-based tracking. Criteo's principal establishment is in France, which established the CNIL's competence as lead supervisory authority under GDPR Article 56.
Why: The case matters because it confirms that adtech companies acting as joint controllers with publisher partners bear independent consent proof obligations - they cannot rely on partner agreements as evidentiary substitutes. It also surfaces an unresolved tension in EU data protection law: whether large-scale processing of advertising identifiers automatically constitutes large-scale processing of personal data, even when the identifiability of individuals from those identifiers has not been systematically demonstrated. That question is now entangled with active legislative proposals at EU level, making the Conseil d'État's decision a marker in an ongoing legal debate rather than a conclusive endpoint.