Criteo is the dominant retargeting network, recognized by consumers as the source of ads that appear after browsing a product or service. Its infrastructure collects behavioral data across millions of publisher pages to build purchase-intent profiles. In 2023, France's CNIL fined Criteo 40 million euros for consent violations. The enforcement record makes Criteo one of the higher-scrutiny third-party tags in any consent review.
Marketing and Analytics
Criteo is a performance advertising platform that collects behavioral data across publisher sites to build retargeting audiences and deliver personalized ads to visitors based on their browsing and purchase history.
Trademark
Criteo is a trademark of Criteo S.A.. Lokker is not affiliated with or endorsed by Criteo S.A..
Risk and failure modes
Criteo's value proposition requires persistent cross-site tracking. That tracking is precisely what GDPR opt-in requirements and California's opt-out of sale and sharing rights under the CPRA are designed to address. The CNIL enforcement action confirms the regulatory risk is real.
Criteo uses cookies and identifier syncing to track visitors across publisher sites. Those persistent identifiers are personal data under GDPR and require opt-in consent in European jurisdictions.
France's CNIL found Criteo in violation of GDPR consent requirements and issued a 40 million euro fine in 2023. The enforcement action established that retargeting consent obtained indirectly through partners does not meet the GDPR standard.
Criteo's profiling data is used by a large ecosystem of advertisers. The breadth of data sharing creates obligations around data processor agreements and consent chain validation that many deploying organizations have not addressed.
Consent and configuration
Given the regulatory history around retargeting consent, validating that Criteo actually stops firing in the reject state is more important than confirming the CMP category assignment. Network-layer evidence is required.
Criteo OneTag or the Criteo pixel should be assigned to an Advertising consent category and blocked in the reject state, confirmed by network-layer testing.
Criteo's consent signal integration through the tag manager needs to be tested independently of any IAB TCF consent passed at the bidding layer.
GPC signal handling requires a blocking condition at the tag or CMP level, as Criteo does not independently process GPC signals in the browser.
Regional compliance
The 2023 CNIL enforcement action against Criteo sets a precedent for what regulators expect from retargeting consent: explicit, specific opt-in obtained directly by the site deploying the tracker. Organizations in GDPR jurisdictions cannot rely on Criteo's own consent collection. In California, Criteo's data sharing for advertising purposes is subject to opt-out rights under the CPRA (which amended the CCPA), and GPC must be treated as a valid opt-out signal for that sharing. The California Privacy Protection Agency (CPPA) enforces these obligations alongside the Attorney General.
How Lokker helps
Lokker detects Criteo across your properties, tests whether it fires in pre-consent and opt-out states, and provides the network-layer evidence needed to confirm or remediate deployment against the consent standard established by CNIL enforcement.
Consent Validator tests whether Criteo fires before opt-in, after rejection, and in GPC states, delivering the network evidence needed to satisfy the consent standard regulators apply to retargeting tools.
Explore Consent ValidatorPrivacy Edge detects Criteo across all your properties, scores retargeting tracker risk, and flags sites where deployment occurs without corresponding consent conditions.
Explore Privacy EdgeExplore Lokker
Each product links to its full details so you can explore features, view a demo, and understand how it applies to your Criteo deployment.
Validation
Validates whether Criteo fires in pre-consent, reject, and GPC states against the regulatory consent standard.
Explore Consent ValidatorIntelligence
Detects Criteo across all properties and scores retargeting tracker risk.
Explore Privacy EdgeMarketing and Analytics
Next step
Lokker runs automated browser-level consent flows and scans the network layer to confirm whether Criteo fires in states where it should not.