12.03.2026
Criteo, Cookies and Customer Data – What an Online Store Should Check Before Implementation
Online stores increasingly rely on advanced marketing and analytics tools. Retargeting, ad personalization, and automated offer matching have become standard in e-commerce. The challenge is that implementing these solutions is not only a technical or marketing decision. Very often, it also involves the processing of personal data.
And this is where an important legal question arises: what actually happens to user data when such a tool is implemented?
Before You Implement a Marketing Tool – Check How It Works
In practice, the situation often looks like this: an online store decides to implement a marketing solution recommended by an agency or a technology partner. The implementation usually involves adding a tag or script to the website.
From a marketing perspective, this is a quick and effective way to boost sales. From a data protection perspective, however, it is only the beginning of the analysis.
It is important to determine, among other things:
- what data is collected by the tool,
- who acts as the data controller,
- whether the data is shared with other entities,
- whether data is transferred outside the European Economic Area,
- and what the appropriate legal basis for processing is.
Without this analysis, it is easy to assume that if a user has consented to cookies, everything is compliant. In practice, however, that is often only one element of a much more complex picture.
Example: How Criteo Retargeting Works
A good example is the popular retargeting tool Criteo.
In the basic model, part of the user data is collected through Criteo cookies, which allow the identification of users across the web and enable advertising to be tailored to their previous activity.
However, analysis of the documentation and the way the tool operates shows that in some configurations additional user data may also be transferred.
This may include, for example:
- hashed email addresses,
- hashed phone numbers,
- user identifiers from the online store’s CRM system.
Such data can be shared with advertising systems in order to match users and enable even more precise ad targeting.
And this is where the real legal analysis begins.
Cookie Consent Is Not Always Enough
Many organizations assume that if a user has consented to marketing cookies in a cookie banner, all retargeting activities can rely on that consent.
However, cookie consent is derived from rules concerning storing and accessing information on a user’s device, regulated in Poland by the Electronic Communications Law. These rules implement Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC).
In other words, this consent primarily concerns the use of cookies as a technology.
If, however, a marketing tool also involves additional transfers of personal data beyond what is collected via cookies, such as:
- hashed email addresses,
- phone numbers,
- CRM identifiers,
this may constitute a separate personal data processing operation, which requires an independent legal basis under the GDPR.
What Do Data Protection Authorities Say?
In recent years, European data protection authorities have increasingly scrutinized user-matching mechanisms used in advertising systems.
Criteo itself provides a good example. In 2023, the French data protection authority (CNIL) imposed a €40 million fine on the company. According to the authority, Criteo was unable to demonstrate that it had a valid legal basis for processing user data used in its advertising system, including data collected through retargeting mechanisms. CNIL also identified issues related to the exercise of data subject rights and insufficient transparency regarding data processing. The case shows that this type of technology is already under close regulatory scrutiny, which means its implementation should be preceded by a thorough legal and technical assessment.
Another widely discussed case concerns Facebook Custom Audiences. The German data protection authority concluded that uploading customer lists containing email addresses or phone numbers to Facebook – even in hashed form – requires prior user consent.
Importantly, an administrative court upheld this position, noting that hashing does not eliminate the personal data nature of the information, because the platform can still match it to specific users.
The mechanism behind such tools is relatively straightforward: an advertiser uploads a list of customers (for example, email addresses or phone numbers), and the advertising platform matches them with its users to create a targeted advertising audience.
In practice, this means that personal data from an online store’s customer database is shared with an advertising system.
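To make the court's point about hashing concrete, here is an added illustration (not code from the original article, Criteo, or any advertising platform) of the matching mechanism described above. All customer and user records, the secret key, and the function names are constructed for the example. It shows why a plain SHA-256 digest of a normalised email address remains personal data: the platform hashes its own user list the same way and joins on the digest, re-identifying every uploaded customer it already knows. A keyed hash (HMAC) that only the store can compute is shown alongside it; the platform then matches nothing, which is precisely why matching products require the reproducible, unkeyed form.

```python
import hashlib
import hmac


def normalize(value: str) -> str:
    """Canonicalise an identifier the way matching pipelines typically do:
    trim whitespace and lower-case, so every party derives the same digest."""
    return value.strip().lower()


def hash_identifier(value: str) -> str:
    """Plain SHA-256 of the normalised identifier. Anyone who knows the
    input can recompute this value, so it is a pseudonym, not anonymisation."""
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def keyed_hash_identifier(value: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret held only by the store (hypothetical variant).
    Without the key the platform cannot rebuild the digest from its own users."""
    return hmac.new(key, normalize(value).encode("utf-8"), hashlib.sha256).hexdigest()


# --- Constructed sample data: hypothetical, not real customers or users ---
STORE_CUSTOMERS = [
    "Anna.Kowalska@example.com",   # mixed case: normalisation still makes it match
    "jan.nowak@example.org",
    "nobody.here@example.net",     # not a platform user: no match expected
]

PLATFORM_USERS = {
    "anna.kowalska@example.com": "user-1001",
    "jan.nowak@example.org": "user-2002",
    "someone.else@example.com": "user-3003",
}


def build_upload(customers: list[str]) -> list[str]:
    """What the store sends to the platform: a list of hashed identifiers."""
    return [hash_identifier(c) for c in customers]


def build_keyed_upload(customers: list[str], key: bytes) -> list[str]:
    """Same list, but hashed with a store-only secret."""
    return [keyed_hash_identifier(c, key) for c in customers]


def platform_match(upload_hashes: list[str], platform_users: dict[str, str]) -> dict[str, str]:
    """The platform's side: hash its own users' identifiers the same way and
    join on the digest. Each hit links an uploaded record to a known person."""
    index = {hash_identifier(email): uid for email, uid in platform_users.items()}
    return {h: index[h] for h in upload_hashes if h in index}


if __name__ == "__main__":
    matched = platform_match(build_upload(STORE_CUSTOMERS), PLATFORM_USERS)
    print(f"{len(matched)} of {len(STORE_CUSTOMERS)} uploaded hashes re-identified:")
    for digest, uid in matched.items():
        print(f"  {digest[:16]}... -> {uid}")

    keyed = platform_match(build_keyed_upload(STORE_CUSTOMERS, b"store-only-secret"), PLATFORM_USERS)
    print(f"With a store-only HMAC key the platform re-identifies {len(keyed)} records")
```

Run as-is, the unkeyed upload links two of the three customers to platform accounts, while the keyed upload links none. The practical reading for a store is that the hashing step changes nothing about whether a disclosure of personal data takes place; it only changes the transport format, so the legal basis question in the sections above still has to be answered.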
What Are the Risks for E-Commerce?
Failing to conduct a proper legal analysis before implementing a marketing tool can lead to several serious risks.
The most common ones include:
Data Transfers Without a Legal Basis
If a store shares, for example, hashed email addresses or phone numbers of its customers with an advertising system without an appropriate legal basis, this may be considered an unlawful disclosure of personal data under the GDPR.
Lack of Transparency for Users
Users should be informed not only about cookies but also about the possibility that their data may be used in advertising systems for profiling or targeted advertising.
Transfers of Data Outside the EEA
With global advertising platforms, there is often also the issue of data transfers to third countries.
What About GDPR Fines?
The GDPR provides for significant sanctions for violations of data protection rules.
For serious infringements, administrative fines can reach up to €20 million or 4% of a company’s annual global turnover, whichever is higher.
Supervisory authorities are increasingly focusing on digital marketing and advertising technologies, as these areas involve some of the most complex data flows.
Summary
Modern marketing tools can significantly increase the effectiveness of sales in e-commerce. At the same time, their implementation almost always involves the processing of personal data.
Instead of assuming that “the cookie banner solves the problem,” it is worth verifying:
- what data is actually being processed,
- whether identifiers from the store’s systems (such as email, phone number, or CRM ID) are being shared,
- who is responsible for the processing,
- whether data transfers outside the EEA take place,
- and whether an additional legal basis for processing is required.
A proper analysis can help avoid many potential problems while also ensuring that documentation and user communication remain clear and compliant.
👉 If you are planning to implement a marketing tool or want to verify whether the solutions used in your online store comply with the GDPR, feel free to contact us. We will be happy to analyze how these tools operate and help you implement them safely.