France GDPR Fine: Criteo Appeal Rejected by Conseil d'État

According to noyb.eu, France's highest administrative court, the Conseil d'État, rejected an appeal by advertising technology company Criteo in March 2026 and confirmed a €40 million GDPR fine originally issued by the French data protection authority, the CNIL.

What happened?

According to noyb.eu, the CNIL found that Criteo had committed several serious violations of the GDPR. The company reportedly could not prove it had obtained valid consent from users, lacked transparency in how it handled personal data, failed to comply with users' right to erasure and right to access, and did not give users a proper way to withdraw their consent. The CNIL's investigation reportedly covered data relating to about 370 million people in Europe.

Criteo challenged the fine before the Conseil d'État, but according to noyb.eu, the court rejected that appeal in March 2026 and confirmed the CNIL's original decision.

Why does this matter for cookie consent?

This case is a reminder that consent for tracking and advertising cookies must be real and verifiable. It is not enough to place a cookie banner on your website. Under the GDPR, you need to be able to demonstrate that users genuinely agreed, that they were clearly informed, and that they had a straightforward way to withdraw their consent at any time.

The violations found in this case, including a lack of transparency and failure to respect user rights, are not unique to large ad-tech companies. Any website that uses tracking cookies or third-party advertising tools can face scrutiny over the same issues.

If you are unsure whether your cookie setup meets the requirements, our guides on cookie banner requirements, cookie warnings and whether you need a cookie banner at all are a good place to start.

What does this mean for your website?

If your website uses advertising or tracking cookies, this ruling is a signal that regulators take consent seriously and that courts are willing to uphold significant fines. Make sure your cookie banner gives visitors a genuine choice, explains clearly what you are doing with their data, and makes it just as easy to say no as to say yes. Reviewing your cookie setup now is a practical step you can take without needing a legal background.