Criteo is a French publicly listed adtech company (NASDAQ: CRTO) headquartered in Paris and the European leader in programmatic retargeting. Its OneTag pixel uses third party cookies to follow users across websites and serve personalised display advertising. Criteo was fined 40 million euros by the CNIL in June 2023 for breaches of GDPR consent obligations, making it one of the highest risk vendors to deploy without a fully compliant consent flow.
Criteo S.A. is a French publicly listed adtech company (NASDAQ: CRTO) founded in 2005 in Paris and a long standing European leader in personalised retargeting and commerce media. Its OneTag pixel is deployed on more than 20 000 retailers worldwide to recognise visitors across publishers and serve dynamic banner advertising tailored to recently viewed products. Criteo is a registered IAB TCF v2.2 vendor (vendor ID 91) and operates programmatic bidding through partners in the Open RTB ecosystem.
Criteo sets third party cookies on criteo.com and criteo.net: uid (12 months) is the cross site identifier, optout (5 years) stores the opt out signal, tid (1 month) the targeting context, and dyn_user_match (6 months) handles cookie syncing with bidding partners. Criteo also reads product browsing events (product ID, category, price, currency), search queries and conversion data, and combines them with publisher signals via cookie syncing. With the move toward cookieless tracking, Criteo also relies on its First Party Universal Token, on emails hashed with SHA256 and on Google Privacy Sandbox APIs.
In June 2023 the French data protection authority CNIL fined Criteo 40 million euros for failing to demonstrate the consent of data subjects, lack of transparency in the privacy notice, partial breach of data subjects' rights (access, withdrawal, erasure) and incomplete data processing agreements with its retailer partners (deliberation SAN 2023 009). The decision applies the strict CNIL doctrine that the controller cannot rely on the IAB TCF chain alone to prove consent and must store its own evidence. Any site embedding the Criteo OneTag must therefore be able to demonstrate, on a per visitor basis, that consent was given before the tag fired.
The Criteo OneTag and the cookies it sets are strictly subject to Article 5(3) ePrivacy Directive and require prior explicit consent under Article 6(1)(a) GDPR. Legitimate interest under Article 6(1)(f) is not available for cross site behavioural advertising, as confirmed by the EDPB and the CNIL. The CMP must block the Criteo OneTag before consent, configure the advertising category as opt in, store the consent proof for at least 13 months and forward the IAB TCF v2.2 string to Criteo. The reject button must have the same visual weight as the accept button.
Tag the Criteo OneTag through a CMP that blocks third party scripts before consent (CookieFirst, Didomi, Iubenda, Axeptio, Cookiebot, Usercentrics, Klaro). Activate IAB TCF v2.2 vendor 91 in the CMP, forward the TCF consent string to Criteo, store the proof of consent for at least 13 months, and document the legitimate interest balancing test in the record of processing activities. For server side deployments, use the Criteo Conversions API with explicit consent only and pass the consent signal in every event payload.
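The blocking rule described above, written as an added example (not code from Criteo, FlowConsent or any CMP vendor): the tag loader runs only after the CMP's standard `__tcfapi` listener reports a settled TCF signal with consent for vendor 91, and a proof record is stored first. The names hasCriteoConsent, gateCriteoTag, loadTag and storeProof are hypothetical, and the required purpose list is an assumption to adjust to your CMP configuration.

```javascript
// Added example, not Criteo or CMP vendor code. Hypothetical names:
// hasCriteoConsent, gateCriteoTag, loadTag, storeProof.
const CRITEO_VENDOR_ID = 91;   // IAB TCF vendor ID given on this page
const REQUIRED_PURPOSES = [1]; // assumption: TCF purpose 1 (store/access information on a device)

// Pure decision: true only for a settled, affirmative TCF signal.
function hasCriteoConsent(tcData) {
  // No TC string means nothing to forward or keep as proof: default deny.
  if (!tcData || !tcData.tcString) return false;
  // 'cmpuishown' means the banner is still open; wait for a final state.
  const settled = tcData.eventStatus === 'tcloaded' ||
                  tcData.eventStatus === 'useractioncomplete';
  if (!settled) return false;
  const vendorConsents = (tcData.vendor && tcData.vendor.consents) || {};
  const purposeConsents = (tcData.purpose && tcData.purpose.consents) || {};
  return vendorConsents[CRITEO_VENDOR_ID] === true &&
         REQUIRED_PURPOSES.every((p) => purposeConsents[p] === true);
}

// tcfapi: the CMP's __tcfapi function (window.__tcfapi in a browser).
// loadTag(tcString): injects the OneTag; storeProof(record): persists evidence.
function gateCriteoTag(tcfapi, loadTag, storeProof) {
  let loaded = false;
  tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || loaded || !hasCriteoConsent(tcData)) return;
    // Record evidence first, so the tag never fires without a stored proof.
    storeProof({
      vendorId: CRITEO_VENDOR_ID,
      tcString: tcData.tcString,
      eventStatus: tcData.eventStatus,
      recordedAt: new Date().toISOString(),
    });
    loaded = true;
    loadTag(tcData.tcString);
  });
  return () => loaded; // lets callers and tests check whether the tag fired
}
```

This gate only decides the first load; a later event in which the visitor withdraws consent still has to be handled by the CMP or by separate teardown logic.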
Websites using Criteo must obtain user consent under GDPR regulations.
DPIA considerations
Criteo retargeting is a high risk processing activity within the meaning of Article 35 GDPR and the EDPB list: large scale tracking of behaviour across websites, cross border data sharing within the programmatic ecosystem, and behavioural profiling that may affect data subjects. A DPIA is strongly recommended; document the legitimate interest balancing test (which does not apply for the cookie itself, only for the downstream profiling), the consent flow proof, the IAB TCF v2.2 vendor registration and the contract with Criteo S.A.
Sample consent text
We use Criteo to display personalised advertising based on your visit. Criteo, a Paris listed adtech company, sets third party cookies that identify your browser across websites and can build an advertising profile. Criteo only fires after you click accept on the advertising category and you can withdraw your consent at any time.
Third-party domains contacted
static.criteo.net
sslwidget.criteo.com
dis.criteo.com
dis.eu.criteo.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| uid | third_party | 12 months | Unique cross site identifier assigned by Criteo. Used to recognise the browser across publishers in the programmatic ecosystem and to build the retargeting profile. |
| tid | third_party | 1 month | Targeting context cookie storing the latest browsed product and campaign signals to compute the optimal ad to display. |
| dyn_user_match | third_party | 6 months | Cookie syncing identifier shared with bidding partners (Open RTB) to align user IDs across DSPs and SSPs in real time auctions. |
| optout | third_party | 5 years | Stores the user opt out preference. Set when the visitor uses the IAB TCF opt out signal or the Criteo specific opt out page. |
Criteo sets third party cookies on criteo.com and criteo.net: uid (12 months) as cross site identifier, tid (1 month) as targeting context, dyn_user_match (6 months) for cookie syncing with bidding partners, and optout (5 years) for the opt out signal. Without these cookies, Criteo retargeting cannot function.
Yes, explicit prior consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy is required. Criteo cookies are pure advertising cookies for cross site retargeting and cannot rely on legitimate interest, as confirmed by the CNIL and the EDPB.
Only consent (Article 6(1)(a) GDPR). The CNIL deliberation SAN 2023 009 of June 2023 confirmed that Criteo retargeting requires explicit, demonstrable consent, and fined Criteo 40 million euros for failing to provide the proof of consent and to respect data subject rights.
Criteo is headquartered in Paris but operates a global programmatic infrastructure. Bid requests containing user signals can be processed by partners outside the EEA. Standard Contractual Clauses are signed and the EU US Data Privacy Framework is referenced where applicable, but a Schrems II transfer impact assessment is recommended.
Yes. Criteo retargeting is high risk processing (large scale behavioural tracking, profiling, cross border sharing) and a DPIA is strongly recommended by the CNIL and the EDPB. Document the consent flow, IAB TCF vendor 91 registration, contract with Criteo S.A. and the 13 month retention of consent proof.
Block the Criteo OneTag in a CMP, activate IAB TCF v2.2 vendor 91, transmit the TCF string to Criteo, store the consent proof for 13 months minimum, configure an equal weight reject button, and use the Conversions API server side only when consent is given. Document the legitimate interest balancing test in the record of processing activities.
EU based programmatic alternatives include RTB House (Poland), AdUp (Germany, contextual), Smartclip (Germany), and contextual targeting platforms like Seedtag (Spain) and Outbrain Engage (Israel). Privacy first alternatives are server side first party retargeting via Customer Data Platforms (Snowflake, Twilio Segment) combined with email retargeting.
List Criteo explicitly as a third party advertising processor in your cookie policy, link to the Criteo privacy policy at https://www.criteo.com/privacy, declare the IAB TCF vendor 91 registration, document the third country transfer mechanism and update the policy whenever the Criteo cookie list or domains change.