advertising
Criteo

Hypocrisy: 60
Revenue Risk: 90

Executive Summary

Criteo is a Paris-based public company (NASDAQ: CRTO) operating one of the largest retargeting and commerce media platforms globally, processing 5+ billion ads daily across 17,000+ customers. While Criteo maintains robust privacy documentation and participates in industry self-regulatory frameworks (IAB TCF #91, DAA, NAI), runtime analysis reveals significant gaps between stated practices and observed behavior. Most critically, 83.3% of Criteo detections occur pre-consent, directly contradicting their GDPR/CCPA compliance claims. Their privacy policy claims no direct identification, yet they explicitly partner with identity resolution vendors (LiveRamp, ID5, Tapad) and process hashed emails for cross-device tracking. Organizations using Criteo face dual exposure: regulatory risk from pre-consent tracking patterns, and data leakage through an extensive network of 100+ disclosed advertising partners.

Revenue Threat Profile

4 COLLAPSE VECTORS

How this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.

CAC Subsidization: 100 (critical)

Criteo operates a massive Shopper Graph analyzing 720M daily active users and 4.5B product SKUs. Their commerce AI correlates browsing patterns, purchase intent, and cross-device behavior to optimize ad placement. This creates attribution pollution: when Criteo claims credit for conversions, organizations cannot distinguish organic demand from Criteo-influenced behavior. The 17,000+ advertiser network means your customer intent data feeds into predictions benefiting competitors in the same verticals.

Signal Corruption: 40 (high)

Criteo explicitly admits to selling and sharing personal information under CCPA. Their 100+ disclosed partners include SSPs, DSPs, data platforms, and identity resolution vendors. When Criteo fires on a prospect page, that demand signal flows to Google, Meta, Microsoft, Taboola, Outbrain, and dozens of others. Your high-intent visitors become retargeting fodder across the entire programmatic ecosystem. The cross-device linking (via LiveRamp, ID5, Tapad partnerships) means this exposure persists across devices and sessions.

Legal Tail Risk: 100 (critical)

Criteo deploys extensive JavaScript on client sites for retargeting pixel functionality. Their technology collects browsing events, product views, cart contents, and purchase data. This creates supply chain risk: any compromise of Criteo infrastructure exposes client customer data. The 83.3% pre-consent firing rate suggests permissive deployment patterns that may not respect site-specific consent configurations, expanding the attack surface beyond its intended scope.

GTM Attack Surface: 0 (low)

The gap between Criteo's stated compliance (GDPR, CCPA, IAB TCF) and the observed 83.3% pre-consent tracking rate creates direct regulatory exposure. Their CCPA policy explicitly acknowledges data sales, requiring proper disclosure to California consumers. The claim of no direct identification while partnering with identity resolution vendors creates material misrepresentation risk. Organizations deploying Criteo inherit these disclosure obligations and gaps.

Profile: criteo
First Seen: 2026-01-10
Last Updated: 2026-01-26
Confidence: HIGH

Profile by BLACKOUT Threat Intelligence