Critics think Criteo will face a challenge to its first-party data collection practices.
CEO Eric Eichmann said he’s confident in Criteo’s interpretation of the law. He said the French data protection authority established its standards in part based on Criteo’s privacy practice, and the Spanish regulatory body issued guidance supporting Criteo’s view of first-party consent and nonsensitive data.
GDPR law allows consent to be given by “ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.”
Publisher cookie notices have established the idea that, by continuing browsing a site, a user is accepting the exchange of data for content, and Criteo claims the same standards.
On the other hand, GDPR dictates that “silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
It may come down to how the EU’s courts will slice definitions of words like “silence” and “inactivity.”
In some ways, GDPR could be a relative advantage for Criteo.
Criteo is working on ways to secure an opt-in on one site and recognize that user across its network without requiring consent for every site or merchant, because the person has opted in to the Criteo program, Eichmann said.
This is a key plank of Criteo’s value prop, because it connects browsing across the web and not just on siloed properties.
If Criteo claims GDPR is a manageable problem, ITP’s “laser-guided missile against click-based revenue models” is a bigger threat, said Elgin Thompson, managing director at the tech investment firm Digital Capital Advisors.
ITP is a particular challenge to Criteo because “it’s not necessarily within their control,” said Gartner research VP Marty Kihn.
Even if EU regulators challenge Criteo’s tracking and data collection, it would be a lengthy process wherein Criteo could adjust policies and establish firm ground.
Apple, on the other hand, is liable to make policy changes or algorithm tweaks impacting Criteo’s business without so much as a heads-up.
Though Criteo’s risk from ITP may be overblown, Thompson said, because Safari accounts for relatively little traffic.
A more serious problem might be tech in-sourcing, he said, because ecommerce merchants and sites are doing more of their own retargeting – or just offloading that capability to a platform like Google or Amazon.
Criteo will see less data due to ITP and GDPR, Thompson said, but the company has developed data co-op products between retailers and product manufacturers that could help inject targeting without data collection.
“The wick on the retargeting candle has been burning down for years,” Kihn said, and the old retargeting specialists have mostly reshaped their businesses or faded after an acquisition, like with Rubicon Project’s deal for Chango.
Criteo describes itself more now as a marketing tech vendor, as opposed to a retargeting specialist, Kihn said.
“But it’s hard to pivot like that in a public environment,” he said. “They’re going to need trust and patience from the market, which is not a reliable bet.”