
Take Control of Criteo Tracking and Retarget Without Regret

Criteo’s retargeting tags reach over a billion users and drive revenue, but they also drew a €40M fine under GDPR. Vault helps you leverage Criteo’s platform in a compliant manner. We illuminate what Criteo collects on your site, enforce consent choices, and prevent unauthorized sale of user data.

Criteo

Keep Your Retargeting Campaigns Compliant

Regulators are watching closely as Criteo’s trackers follow your visitors and share data about their shopping habits. Vault shows you exactly where Criteo is present and what data it’s using, so you can align with GDPR, CPRA, and other regulations. We also validate TCF 2.3 and GPP consent signals across Criteo and its downstream partners.


With 72% of Online Shoppers, Criteo Scales the Risks

Claiming “insights on over 1.4 billion active monthly shoppers”, Criteo offers both the reach and risk of a vast network, where one misstep can affect a huge base and cost you millions.


A €40 Million Fine for GDPR Violations

In 2023, France’s data protection authority (CNIL) accused Criteo of failing to obtain valid user consent for the data it processed and fined it €40 million for GDPR violations.


1 in 3 Shoppers Opt Out of Cookies

Industry reports suggest that approximately 30% of users in some regions opt out of tracking cookies. Complaints and legal challenges are piling up against companies that ignore users’ choices.

How Vault JS Supports Safe Data Handling with Criteo Retargeting


Criteo Tag Monitoring

Vault identifies all your Criteo tags, where they load, and their triggers.


Consent Compliance for GDPR and ePrivacy

Vault verifies that Criteo’s trackers don’t fire prior to user consent.


CCPA/CPRA “Do Not Sell/Share” Enforcement

Vault confirms that Criteo respects users’ cookie opt-outs.


Data Minimization

Trim excess data sharing without undermining your marketing goals.


Improved Transparency and Trust

Keep users and regulators happy by disclosing what Criteo is doing.

Key Criteo Governance Capabilities

How we manage risk in a changing environment

Cookie Audit (uid, opt-out, etc.)

For enterprises that deploy Adobe scripts via Adobe Launch or tag management solutions like Tealium, Vault reviews your tag manager rules for privacy alignment.
Vault will list Criteo cookies, any decipherable data they contain, and how long they persist. Vault can simulate a Criteo cookie opt-out scenario to ensure the choice is being honored. If it’s not, we send an alert along with troubleshooting instructions in case you need to honor opt-outs via code adjustments.

Network Request Inspection

Vault captures Criteo’s actual requests from your users’ browsers as they happen, and lists the request URL and the parameters sent to Criteo’s servers. If we see what looks like product IDs, we can correlate them with your site to say “User viewed Product X, Criteo was informed.” Email addresses or other PII in a request are highlighted as a severe issue.

Criteo OneTag and Events Tracking

Vault monitors Criteo OneTag for the events it fires, such as viewHome, addtoCart, etc., and matches those events to the data they likely contain (e.g., product IDs, cart values) to ensure they aren’t oversharing. This keeps you aligned with data minimization principles.

Privacy Framework Signals

Vault recognizes the industry consent frameworks: if your site carries an IAB TCF (Transparency & Consent Framework) string, we check whether Criteo’s calls include the gdpr_consent parameter. For CCPA, we check for the us_privacy string in Criteo calls and alert you if it is missing, so your team can address it.
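The request inspection and framework-signal checks described above, as an added example that is not Vault’s or Criteo’s own code: each captured tracker request is audited against the consent state of the session that produced it, flagging calls fired before consent, calls missing the gdpr_consent or us_privacy parameter, and email addresses leaking in query parameters. The vendor host list and every sample URL are constructed placeholders, not real Criteo endpoints.

```javascript
// Added example, not Vault's or Criteo's code. Audits captured ad-tracker requests
// against the consent state recorded by the CMP for the session that produced them.
// VENDOR_HOSTS and all sample URLs below are constructed placeholders.
const VENDOR_HOSTS = new Set(["tracker.vendor-example.test"]);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/;

// consent: { gdprApplies, consentGiven, ccpaApplies } for the session that fired the request.
function auditRequest(url, consent) {
  const u = new URL(url);
  if (!VENDOR_HOSTS.has(u.hostname)) return []; // not a vendor call; out of scope
  const p = u.searchParams;
  const findings = [];
  // GDPR/ePrivacy: the tag must not fire at all before the user has consented.
  if (consent.gdprApplies && !consent.consentGiven) findings.push("fired-before-consent");
  // IAB TCF: where GDPR applies, the call should carry gdpr=1 plus a gdpr_consent TC string.
  if (consent.gdprApplies && (p.get("gdpr") !== "1" || !p.get("gdpr_consent"))) {
    findings.push("missing-gdpr_consent");
  }
  // IAB US Privacy: a us_privacy string is expected on calls from CCPA/CPRA users.
  const usp = p.get("us_privacy");
  if (consent.ccpaApplies && !usp) findings.push("missing-us_privacy");
  // us_privacy is 4 chars: version, notice, opt-out-of-sale, LSPA. 'Y' in position 3 means
  // the user opted out of sale, so the payload of this call needs review against that choice.
  if (usp && usp.length === 4 && usp[2] === "Y") findings.push("do-not-sell-asserted");
  // Any parameter value shaped like an email address is a severe PII leak.
  for (const [key, value] of p) {
    if (EMAIL_RE.test(value)) findings.push(`pii-email:${key}`);
  }
  return findings;
}

// Run the audit over a capture: [{ url, consent }] -> { url: findings } (entries with findings only).
function auditCapture(capture) {
  const report = {};
  for (const { url, consent } of capture) {
    const f = auditRequest(url, consent);
    if (f.length) report[url] = f;
  }
  return report;
}

// Constructed sample capture: one consented EU user, one user who declined, one non-vendor asset.
const SAMPLE_CAPTURE = [
  { url: "https://tracker.vendor-example.test/event?gdpr=1&gdpr_consent=TCSTRING_PLACEHOLDER&us_privacy=1YNN&item=SKU-123",
    consent: { gdprApplies: true, consentGiven: true, ccpaApplies: true } },
  { url: "https://tracker.vendor-example.test/event?item=SKU-123&email=user%40example.com",
    consent: { gdprApplies: true, consentGiven: false, ccpaApplies: false } },
  { url: "https://cdn.example.com/app.js", consent: { gdprApplies: true, consentGiven: false, ccpaApplies: false } },
];

console.log(JSON.stringify(auditCapture(SAMPLE_CAPTURE), null, 2));
```

In a real deployment the capture would come from a browser automation harness or a network proxy replaying sessions under each consent state; the audit logic itself does not change.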

Benchmark and Suggestions

We compare your Criteo integration with best practices and make practical recommendations, such as implementing Criteo’s Safeguard tool if you’re in Europe or not retargeting users who immediately opt out. Our goal is to maintain your marketing benefit, but with a fraction of the privacy risk.

Frequently Asked Questions

Criteo typically collects pseudonymous identifiers such as cookie IDs, mobile advertising IDs, IP addresses, device and browser information, and behavioral data related to page views, product interactions, and purchases. Depending on implementation, event parameters may include product IDs, cart values, or transaction details used for retargeting and ad optimization. While Criteo states that it does not require directly identifiable information such as names or email addresses, improper configuration can result in personal data being transmitted.

France’s data protection authority (CNIL) found that Criteo breached several GDPR obligations when operating its tracking technology. The regulator ruled that Criteo failed to obtain or demonstrate valid user consent before processing personal data, lacked adequate transparency and information for users, did not fully honor access and erasure rights, and failed to establish proper joint controller agreements with its partners. These infringements formed the basis of the €40 million GDPR fine.

Not necessarily. An opt-out on your site typically applies only to data collection and processing tied to your domain and consent framework. Because Criteo operates across a broad advertising ecosystem, users may still be tracked or targeted based on interactions with other sites unless they exercise a broader, network-level opt-out through Criteo directly or via industry mechanisms such as TCF or GPP signals.

Retail media programs often involve sharing purchase or conversion data with platforms like Criteo in order to power off-site targeting and measurement. While typically pseudonymized, this data can still qualify as personal information under GDPR or CPRA if it is linkable to an individual or device. Risk increases if consent, opt-out signals, or contractual controls are misaligned. Organizations should validate that data sharing aligns with disclosed purposes and complies with applicable consent and “Do Not Sell/Share” requirements.

In most cases, yes. If Criteo processes personal data on your behalf under GDPR or similar laws, a Data Processing Agreement (DPA) is required to define roles, permitted uses, security obligations, and data subject rights handling. The agreement should also clarify whether Criteo acts as a processor, controller, or joint controller in specific contexts. A clear contractual allocation of responsibility is essential for managing regulatory exposure and cross-border data transfers.

Criteo states that it honors the Global Privacy Control (GPC) opt-out signal, meaning it will respect a user’s browser-level indication that they do not want their data sold or shared for advertising purposes. However, GPC compliance depends on how the signal is received, passed through your tag manager or consent tool, and honored across Criteo’s ecosystem. Simply sending the header is not sufficient unless downstream partners also respect it.

Vault primarily detects and alerts on noncompliant Criteo behavior by identifying unauthorized data flows, consent violations, or misconfigured signals. Through integrations with tag managers, consent platforms, or security controls, organizations can automate suppression or disable Criteo tags when risk conditions are detected. This allows teams to move from visibility to enforcement while maintaining operational control over their ad stack.

Vault simulates user sessions under different consent states and inspects outbound bid requests, network calls, and consent strings to confirm that TCF 2.3 and GPP signals are correctly formatted and transmitted. It verifies whether Criteo reads and enforces those signals, and whether consent parameters are preserved when data is passed to downstream partners. By correlating consent status with observed data flows, Vault helps ensure opt-out and restriction signals are technically honored across the advertising chain.

Yes. Vault inspects network requests, event payloads, and server-side transmissions to identify whether emails, user IDs, transaction details, health indicators, or other sensitive data are being sent to Criteo. It analyzes both structured fields and inferred context to flag unintended disclosures. This helps organizations detect misconfigurations, over-collection, or policy violations before they create regulatory or contractual risk.

Vault analyzes server-side network traffic, API calls, and data payloads associated with Criteo integrations to identify what identifiers and transaction data are transmitted. It evaluates Retail Media feeds, offline conversion uploads, and backend event forwarding against declared consent states and policy rules. By correlating backend transmissions with user sessions and opt-out signals, Vault helps detect unauthorized sharing, over-collection, or misaligned data use.

Retarget confidently – earn clicks, not fines.