Dutch court rules on ad tech provider’s failure to meet cookie consent obligations.

The court said that Paris-based online advertising company Criteo may “outsource” its obligation to request consent for dropping a Criteo tracking cookie to the publishers it partners with, meaning that if the publisher provides all of the required information to website users on Criteo’s cookie drop, Criteria is not required to provide this information to the user. However, it clarified that Criteo remains legally obliged to ensure those users have validly consented to the processing of the data collected about them.

The court ordered Criteo to stop placing the cookies on the devices of the Dutch claimant, remove any personal data of his that has been processed unlawfully, and contact any third-party recipients of the data so that they, too, can delete such data.

The orders were made after the court rejected claims raised by Criteo that it was not responsible for obtaining the necessary consent.

Tracking cookies are small text files that businesses can place on internet users’ devices to collect information about the users’ online browsing habits. Businesses often use such cookies to gain an insight into the user's perceived interests with a view to personalising the services they provide them or – in an advertising context – serve them with adverts tailored to those perceived interests.

According to facts established by the Amsterdam court, in Criteo’s case, its tracking cookies are placed on internet users’ devices when they visit certain third-party websites. Where those cookies are set, a unique ID is generated for a user’s browser. When the user subsequently browses the websites, data is gathered by Criteo’s cookie and used to build a profile about the user’s online interests. The profiling helps inform near-instantaneous online ad auctions that determine what ads are served to users as they browse. The Amsterdam court said tracking cookies “play an essential role in this process”.

Under EU cookies law, storing and accessing information on users' computers is, generally, only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing". An exception to the consent requirements exists where the cookie is "strictly necessary" for providing a service "explicitly requested" by the user.

Where cookies are used to collect and process personal data, businesses must have a valid lawful basis for processing the data under the EU General Data Protection Regulation (GDPR). One lawful basis is consent. Under the GDPR, consent is only valid if it is freely given, specific, informed, unambiguous, and provided by users through a "clear affirmative action".

As part of assessing the claimant's case against Criteo, the Amsterdam court considered the contents of a report prepared by an expert who analysed the claimant’s visits to 40 different websites on 29 August this year.

According to the court, the report found that, in respect of at least 39 sites, Criteo “interacted with cookies on the claimant's device” without first obtaining consent from the claimant for that activity. This behaviour continued even after the attorney for the claimant sent a cease-and-desist letter.

However, Criteo argued before the court that the publishers it partners with were responsible for obtaining the claimant’s consent, not it. It highlighted that while it contractually obliges the publishers to obtain consent to its cookies and acts immediately after it becomes aware of a breach of those contractual provisions, only the publishers have “direct contact” with the users served its cookies.

The Amsterdam court determined, however, that Criteo is a joint controller, together with the publishers, concerning personal data collected from its tracking cookies. Criteo, therefore, had a responsibility under data protection law to ensure valid consent was obtained in relation to the processing of that data.

In June this year, Criteo was fined €40 million by CNIL, the French data protection authority, for failing to verify that individuals whose data it had processed had consented to that processing. Criteo has appealed.

In the Amsterdam proceedings, Criteo said it had changed its practices since the period in question in the CNIL case. It said its practices now comply with the GDPR because it “screens new partners in advance (KYC), imposes the [GDPR] obligations on partners by contract, audits its partners and takes action if they do not correctly request prior consent”. The Amsterdam court characterised the reactive action Criteo takes as its ‘beeping system’ and said its existence “cannot … remove the established unlawfulness of the actions towards [the claimant]”.

Criteo further highlighted that the claimant, who was not named in the judgment, has options to avoid being tracked with tracking cookies, including through changes he can make to browser settings, and claimed he chooses not to use them. The Amsterdam court considered, though, that this does not remove Criteo’s need to obtain prior consent to place the cookies and process the man’s personal data.

The court also used its ruling to reiterate case law established by the EU’s highest court, the Court of Justice of the EU, that controllers are required, upon request, to disclose to the data subject the identity of those recipients when personal data have been or will be disclosed to recipients, and not just a list of categories of possible recipients.