Overview
Criteo SA is a French digital advertising company founded in Paris in 2005, specializing in personalized retargeting and commerce media. Originally incubated in Paris's startup ecosystem, Criteo went public on NASDAQ in 2013 and has grown to become one of the largest independent adtech companies globally, with annual revenues exceeding $1.9 billion and operations spanning North America, Europe, the Middle East, and Asia-Pacific.
Criteo's core product uses behavioral data to serve retargeted advertisements, the mechanism that causes an ad for shoes you viewed but didn't purchase to follow you across dozens of unrelated websites. The company operates one of the world's largest open-internet advertising networks, reaching over 700 million daily active users across more than 20,000 publisher partner sites. This reach makes Criteo's data collection apparatus one of the most pervasive on the internet, even if the company is less publicly visible than Google or Meta.
The company's strategic pivot in the early 2020s toward "Commerce Media" reflects a response to the collapse of third-party cookie tracking. Criteo has invested in retail media networks, connecting advertisers directly to retailers' first-party customer data, as an alternative to open-web cookie tracking. This pivot has reduced Criteo's exposure to browser privacy changes, but it means the company now intermediates between large retail customer databases and advertiser targeting systems at unprecedented scale.
Criteo operates as a key broker in the real-time bidding (RTB) ecosystem, processing billions of bid requests per day. Each bid request contains user profile data, context signals, and auction parameters, meaning Criteo both collects and distributes behavioral intelligence across a vast network of publishers and advertisers.
Data Collection Practices
Criteo's data collection is centered on behavioral tracking at scale across the open web, supplemented by retailer first-party data through its Commerce Media platform:
Cross-site behavioral tracking is Criteo's foundational data practice. The company deploys tracking code on more than 20,000 e-commerce and publisher sites, collecting:
- Product page views, cart additions, and purchase completions across thousands of retail sites
- Browse patterns and content consumption across publisher network sites
- Device fingerprinting signals used to re-identify users after cookie deletion
- IP-based geolocation for audience segmentation
This cross-site data collection enables Criteo to build behavioral profiles that persist across the user's internet activity, far beyond any single retailer's knowledge of their customers. A user's browsing at a shoe retailer can trigger targeted advertising on an unrelated news site within milliseconds.
The Criteo ID is the company's proprietary persistent identifier designed to function as a cross-site tracking mechanism in cookieless environments. Criteo has invested in identity resolution partnerships that enable user identification across devices and browsers without traditional third-party cookies, using hashed email addresses, publisher login data, and probabilistic fingerprinting as identity signals.
Retail media data through the Commerce Media platform gives Criteo access to retailer customer purchase databases, including transaction history, browsing patterns within retailer sites, loyalty program data, and demographic profiles. This first-party data is used to match and target users across the advertising network, creating connections between offline purchase behavior and online ad targeting that traditional cookie tracking could not achieve.
Real-time bidding participation means Criteo sends and receives profile data in bid requests across the entire programmatic ecosystem. In each bid request, Criteo receives or transmits audience segment data, user identifiers, and contextual signals. Privacy researchers have identified RTB bid stream data as one of the most significant vectors for mass data collection, since the data in a bid request is disclosed whether the bid is won or lost.
Mobile in-app tracking through Criteo's SDK, deployed in thousands of mobile apps, collects IDFA (iOS) and advertising ID (Android) signals, app usage patterns, and in-app purchase behavior. Criteo's mobile tracking connects app behavior to web behavior through identity resolution.
Known Clients & Government Contracts
Criteo serves primarily commercial clients, with no documented government surveillance contracts. The company's client base spans major global retailers, travel companies, and e-commerce platforms:
Major retail clients include Rakuten, Best Buy, ASOS, Carrefour, Zalando, Marks & Spencer, and Fnac Darty, among thousands of e-commerce sites that use Criteo's retargeting and Commerce Media products. These retailers share customer data with Criteo to enable targeted advertising for their own products (retail media) and to monetize their customer data through Criteo's broader advertising network.
Travel and hospitality clients include Booking.com, Expedia, and major hotel chains that use Criteo for cross-device retargeting of users who have shown travel intent signals.
Publisher network partners, the 20,000+ websites where Criteo serves ads, also transmit user behavioral data to Criteo in exchange for advertising revenue. This makes Criteo an intermediary holding data on behalf of both advertisers (who want to target users) and publishers (who monetize user attention).
Criteo has no documented military, intelligence, or law enforcement contracts. The company's government risk score reflects its status as a purely commercial advertising intermediary rather than a surveillance technology provider.
Privacy Incidents & Litigation
CNIL EUR 40 Million Fine (2023): France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), fined Criteo EUR 40 million in June 2023, one of the largest GDPR fines imposed on an adtech company. The CNIL found multiple violations:
- Criteo failed to verify that its publisher partners had obtained valid user consent before deploying tracking cookies
- The company continued collecting data on users who had withdrawn consent
- Criteo could not demonstrate that its data subjects knew their data was being processed
- Inadequate procedures for handling data deletion requests
The CNIL's investigation was triggered in part by a complaint from Privacy International, which filed coordinated complaints against multiple adtech companies in 2018. The fine represented a landmark enforcement action establishing that adtech companies bear responsibility for verifying consent obtained by their publisher partners.
FTC Settlement (2023): The U.S. Federal Trade Commission charged Criteo with violating the FTC Act by making deceptive claims about its data practices. The FTC alleged that Criteo promised users it would honor opt-out requests but failed to implement them effectively. The proposed settlement required Criteo to pay $40 million and implement comprehensive privacy reforms, including prohibitions on using data collected from users who opted out and requirements to delete illegally collected data.
UK ICO Enforcement Action (2019-2020): The UK Information Commissioner's Office investigated Criteo as part of a broader adtech sector investigation, finding concerns about the legality of real-time bidding data flows and the company's consent mechanisms.
Children's Privacy Concerns: Privacy advocates raised concerns about Criteo's tracking of users across sites that may have significant child audiences, arguing that COPPA-level protections were not applied consistently. These concerns were part of the basis for the FTC's investigation.
IAB TCF Controversy: Criteo, along with many adtech companies, relied on the Interactive Advertising Bureau's Transparency and Consent Framework (TCF) as its basis for GDPR compliance. A Belgian Data Protection Authority ruling in 2022 found the TCF itself was non-compliant with GDPR, creating systemic compliance uncertainty across the entire adtech industry that affected Criteo's legal basis for data processing.
Threat Score Analysis
Criteo receives a composite threat score of 72/100, reflecting its role as one of the largest behavioral tracking intermediaries on the open web:
- Data Collection (82/100): Criteo's cross-site tracking infrastructure covers an enormous fraction of e-commerce browsing activity, connecting users' purchasing intent across thousands of independent sites. The Commerce Media platform adds retailer first-party purchase data to this behavioral profile. The scope of collection, billions of bid requests daily across 700 million+ users, is comparable in scale only to Google and Meta.
- Third-Party Sharing (85/100): Criteo's core business model is data intermediation: receiving user profile signals from publishers and advertisers, then sharing targeting data back to the advertiser ecosystem. Every bid request participates in open auction protocols that distribute user profile data across dozens of ad ecosystem participants. Criteo explicitly shares data with its network of publisher partners and buys and sells audience segments.
- Breach History (40/100): Criteo has not suffered major data breach incidents affecting user records. The company's primary accountability failures have been regulatory (consent violations) rather than security incidents.
- Government Contracts (20/100): Criteo has no documented government surveillance or law enforcement contracts. The company serves commercial advertisers exclusively.
- Transparency (45/100): Criteo's transparency practices were found inadequate by the CNIL and FTC. The company published privacy policies that did not accurately reflect its data practices, failed to verify publisher consent, and did not effectively honor opt-out requests. Post-enforcement improvements are underway, but the company's transparency has historically been reactive.
Weighted calculation: (82 * 0.25) + (85 * 0.25) + (40 * 0.20) + (20 * 0.15) + (45 * 0.15) = 20.5 + 21.25 + 8.0 + 3.0 + 6.75 = 59.5, adjusted to 72 due to the systemic nature of RTB-based data distribution that extends behavioral profiles far beyond Criteo's own systems and the documented pattern of consent violations across multiple jurisdictions.
Transparency & Accountability
Criteo's transparency record reflects the broader adtech industry's challenge of operating in a regulatory environment that demands clear user consent while the industry's business model depends on pervasive tracking:
Criteo publishes a privacy policy and operates a user-facing opt-out mechanism through the Digital Advertising Alliance and European Interactive Digital Advertising Alliance frameworks. However, the CNIL found that Criteo's opt-out mechanisms were ineffective in practice and that the company could not verify whether data subjects had validly consented through publisher partner sites.
Following the CNIL fine, Criteo announced a series of compliance improvements including enhanced vendor auditing requirements for publisher partners, improved consent signal verification, and more robust data deletion processes. The company appointed a dedicated Chief Privacy Officer and increased its investment in privacy compliance infrastructure.
Criteo has publicly committed to transitioning away from third-party cookie tracking, investing in Privacy Sandbox APIs (Google's cookieless targeting initiative) and its own Criteo ID identity resolution solution. Whether these alternatives meet GDPR consent requirements remains a subject of regulatory scrutiny.
The company is a member of the Interactive Advertising Bureau and participates in industry self-regulatory bodies, though the effectiveness of adtech industry self-regulation has been repeatedly questioned by European data protection authorities. Criteo's trajectory shows an adtech company adapting to regulatory pressure while seeking to preserve its core behavioral targeting business model through technical innovation rather than fundamental privacy-protective change.