Criteo Privacy & CCPA Compliance: How We Handle Data Protection
Explore and understand how Criteo handles personal data, how our services work, and what your rights are under the California Consumer Privacy Act (CCPA). It summarizes and guides you through key points of our full privacy information and keeps all useful links so you can learn more or take action.
Criteo acts as a joint controller together with its clients and partners when processing your personal data. To learn more, click here.
How Criteo’s Services Work?
No direct identification
Criteo does not use data that directly identifies you, such as:
First and last name
Postal address
Email address in plain text
Instead, we work with indirect identifiers (for example, cookie IDs or mobile advertising IDs).
When you visit an Advertiser’s site or app
When you browse an Advertiser’s website or mobile application that uses Criteo’s technologies, our technology collects a limited amount of browsing data, such as:
Products you viewed
Products you added to your cart
Products you purchased
This browsing data is linked to a unique identifier, such as:
A cookie ID
A mobile advertising ID
Other similar non-cookie technologies, depending on your device and browser
When you visit a Publisher’s site or app
When you browse a Publisher’s website or mobile application that uses Criteo’s technologies:
The Publisher (directly or via an ad exchange) tells us that an ad space is available
Criteo’s technology, working with our Advertisers, may decide to buy that ad space
If we buy it, we display a personalized ad that we believe may be relevant to you
Example of How We Show Personalized Ads
User visits an Advertiser’s website
A user with cookie ID 123f94d8-a745-4f8b-a1d0-bf6fbbd60058 (we’ll call this Criteo ID 123) views Product A on https://www.example-advertiser.com/ on 01/01/2018 at 13:37.
Criteo collects this browsing event:
Criteo ID 123
Viewed Product A
Date and time
Advertiser website URL
Criteo compares with aggregated data
Criteo’s technology compares this information with aggregated data from the Advertiser’s site, for example:
Users who purchased Product A on https://www.example-advertiser.com/ also often purchased Product B
Product C is popular on this website
User visits a Publisher’s website
Later, Criteo ID 123 visits https://www.example-publisher.com/
Criteo is notified that an ad space is available, with specific characteristics (size, visibility, etc.)
Criteo decides which ad to show
Criteo’s algorithms decide whether to buy this ad space and what to show. For example, we may:
Buy the ad space on https://www.example-publisher.com/
Show an ad featuring:
Product A (the user showed interest during a recent session)
Product B (users who like A often like B)
Product C (this product is popular overall)
How do our technologies work across different environments?
We require our partners to:
Provide you with complete and appropriate information, and
Obtain your consent where required by law before making your personal information available to us.
Our technologies can work in similar ways:
On web pages: Using cookies, supported by most web browsers
On mobile apps: Using mobile advertising IDs provided by operating system vendors (for example, Google, Apple)
On browsers with strict default settings (like Safari): Where third-party cookies and cross-site tracking are limited, we can operate only if you have provided consent allowing our services to work with those settings
Across environments: We can work in a cross-device / cross-environment way. Find out more about how our services work from one environment to another (“cross-device linking”).
Additional Data We May Receive from Trusted Partners
To provide ads that are better tailored to your interests, we may receive audience and segment information from trusted third‑party partners, based on data you agreed to share with them.
Examples of data we may receive:
Shopping interests (for example: interested in clothing, furniture, or electronics)
Points of interest near you, based on non‑precise geolocation (for example: stores near your general area)
Products you have purchased in a physical store (brick-and-mortar) of an advertiser that uses Criteo services for their online marketing
In all such cases:
Criteo only processes non-direct identifiers (such as cookie IDs and Mobile Advertising IDs) and non-precise geolocation information
We do not use data that tells us who you are directly
We believe that personalized ads benefit:
You, by showing more relevant ads instead of random ads
The Internet ecosystem, by helping Publishers monetize their content, supports a free and open Internet.
Our Privacy Pillars
We have built Criteo services with strong privacy protections from the start. Our privacy pillars are as follows:
Data minimization
We are committed to never using data that directly identifies you, such as:
First and last name
Postal address
Email address in plain text
Instead of this, our technologies:
Recognize your devices and/or browsers using an identifier made of a series of characters (such as a cookie ID or similar)
These identifiers, combined with browsing data, are classified as personal data under European law and personal information under Californian law
We treat this data with great care, with strong security and privacy measures
Privacy by Design
We apply Privacy by Design in all product development. This means privacy is built into our technologies from the start.
Key elements include:
A Data Privacy Officer (DPO) appointed since 2013, as required by GDPR
A team of privacy experts within our Product and R&D organization
Ongoing Privacy Impact Assessments to:
Identify potential privacy risks throughout the product lifecycle
Proactively mitigate those risks
A Data Privacy team that delivers company‑wide privacy training, enforces codes of conduct, and ensures we build best‑in‑class products and services.
Regular review and documentation of our internal policies, public privacy notices, and partner and vendor requirements.
Criteo’s Commitments: What We Do Not Collect
To serve our ads, we do not need and do not collect:
Data that allows us to identify you directly (such as your name, postal address, or email address in plain text)
Sensitive information to build segments or target ads, such as:
Religion
Political opinions
Health information
Sexual orientation
Irrevocable identifiers, such as Device hardware identifiers (e.g., UDID, MAC address)
Precise, real‑time geolocation data
Industry Initiatives and Certifications
Criteo supports and participates in several self‑regulatory and transparency initiatives for personalized advertising.
Digital Advertising Alliance (DAA)
Criteo complies with the Digital Advertising Alliance’s (DAA) self-regulatory principles for online behavioural advertising and is integrated on the DAA’s “YourAdChoices” unsubscription platform, which allows you to express your online advertising choices to all its participants, including your desire to disable their services.
European Digital Advertising Alliance (EDAA)
Criteo complies with the self-regulatory principles of the European Digital Advertising Alliance (EDAA). The Criteo Dynamic Retargeting service has been independently certified by the EDAA for data protection.
Digital Advertising Alliance of Canada
Criteo respects the self-regulatory principles of the Digital Advertising Alliance of Canada (DAAC)and is present on the DAAC’s unsubscribe platform “YourOnlineChoices”, which offers you the opportunity to express your choices regarding online advertising to all its stakeholders, and in particular your desire to disable their services.
Network Advertising Initiative (NAI)
Criteo adheres to the NAI Self-Regulatory Framework, which allows you to express your choices regarding online advertising to all the players involved, including your desire to disable their services.
IAB Europe Transparency & Consent Framework
Criteo participates in the IAB Europe Transparency & Consent Framework and complies with its Specifications and Policies. Criteo’s identification number within the framework is 91.
Requirements We Place on Our Partners
We impose high requirements on the Advertisers and Publishers we work with. We contractually require that they comply with Criteo’s Advertising Guidelines, Supply Partner Guidelines, and all applicable data protection regulations, including the GDPR
Additionally, when required by law, we need them to:
Include appropriate notice and information on their websites and apps about Criteo’s services and how to object
Collect user consent before placing cookies or similar technologies for personalized advertising purposes
Criteo regularly shares industry best practices with partners to help them meet these legal and contractual obligations.
Your Data, Your Choice
You stay in control of your data. You can:
Learn more about how we use your data
Exercise your privacy rights
If you have any questions about this privacy notice or our privacy practices, or if you want to contact our Data Protection Officer (DPO):
By post: Data Protection Officer
32 rue Blanche, 75009 Paris, FRANCE
By email: dpo@criteo.com
If you have any questions about privacy or the use of your data in connection with our services, you can also contact our US‑based dispute resolution service provider free of charge here.
Changes to This Privacy Policy
We may update or change this privacy policy from time to time. If we revise our privacy policy:
We will post changes to this privacy statement and other appropriate places
You will be able to see:
What information we collect
How we use it
Under what circumstances, if any, do we disclose it
If we make material changes, we will notify you by posting a notice on this site before the changes become effective.
Additional Information for California Residents (CCPA)
This section is aimed solely at California residents to provide information under the California Consumer Privacy Act (CCPA). It should be read in addition to (and not instead of) Criteo’s full Privacy Policy.
If you are a California resident, the CCPA grants you several rights.
Right to Know
You have the right to request that we disclose what personal information we collect, use, disclose, share, or sell.
To get a copy of the personal information we may currently hold about you, send us an email at dpo@criteo.com.
Right to Delete
You have the right to request that Criteo delete the personal information we currently hold about you.
To exercise this right, complete our contact form here.
Right to Correct
You have the right to request that Criteo correct inaccurate personal information.
To exercise this right, complete our contact form here.
Right to Opt Out of “Sales” or “Sharing” of Personal Information
If you are a California resident, the CCPA allows you to request that Criteo no longer “sells” or “shares” your personal information.
To opt out of these “sales” or “sharing” and more generally disable all Criteo services, follow the instructions available here.
Right to Non‑Discrimination
You have the right not to receive discriminatory treatment from Criteo for exercising any of your CCPA privacy rights.
Personal Information We Collect and How We Use It (CCPA)
Criteo collects the following categories of personal information for the purpose of displaying personalized ads:
Identifiers, such as:
Cookie IDs
Mobile Advertising IDs
Hashed email addresses
IP addresses
User Agent, etc.
Internet or other electronic network activity information, such as:
Browsing history (for example, URLs of websites browsed, app names opened)
Interactions with websites, apps, or ads (for example, ads seen, ads clicked)
Commercial information, such as:
Records of products or services purchased, obtained, or considered
For example: products seen, added to cart, or bought
In the preceding twelve (12) months, we have shared and/or sold the above categories of personal information:
For the commercial purpose of providing cross‑context behavioral advertising
With the categories of third parties described in “The categories of recipients of your data” in how we use your data.
We collect data primarily for:
Marketing and advertising, including cross‑context behavioral advertising
Analytical services
We also use collected data for:
Auditing:
Counting ad impressions
Verifying quality using unique IDs
Debugging:
Finding and fixing errors to keep services functional
Security:
Detecting and protecting against threats
Research & Development:
Improving technology and service performance
Quality & Safety:
Improving overall quality and safety of our services
We disclose personal data for business purposes as described above, and with the categories of third parties listed under “The categories of recipients of your data” here.
To learn more about:
The categories of personal information we collect
The sources from which personal information is collected
The categories of third parties with whom we may share personal information, please refer to this link
The explanations above reflect our practices today and over the preceding 12 months.