Criteo has always been something of an ad tech enigma. That French retargeting virtuoso, the golden child of Wall St. as the markets soured on advertising technology.
But nothing gold can stay. And now Criteo has its work cut out to convince investors that the company can grow in the face of browser anti-tracking updates, namely Intelligent Tracking Prevention (ITP) for Apple’s Safari, as well as GDPR implementation in the European Union.
Criteo’s market value has halved since last October, when Apple first published details on ITP, with most of the losses coming after Criteo disclosed in November that it had underestimated the potential revenue losses from Safari – bumping its worst-case projection from about 13% to 22%.
The potential revenue impact of GDPR isn’t so easily quantified, but the EU regulation has also cast a shadow over Criteo.
Earlier this week, BMO Capital Markets downgraded its outlook on Criteo from “Outperform” to “Market Perform,” due to uncertainty around how GDPR enforcement could affect the business.
The downgrade wasn’t due to Criteo’s performance or projected earnings, wrote Dan Salmon, BMO’s media and internet analyst. But conversations within the industry “reflect concern and continued confusion in the ecosystem about GDPR implementation, and Criteo is highlighted as one of the companies most at risk.”
Retargeters like AdRoll and Criteo have attracted attention for placing notices on European merchant sites that opt users into first-party cookie collection and track as long as people click on the page or continue using the site, even if they ignore the message.
Critics think Criteo will face a challenge to its first-party data collection practices.
CEO Eric Eichmann said he’s confident in Criteo’s interpretation of the law. He said the French data protection authority established its standards in part based on Criteo’s privacy practice, and the Spanish regulatory body issued guidance supporting Criteo’s view of first-party consent and nonsensitive data.
GDPR law allows consent to be given by “ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.”
Publisher cookie notices have established the idea that, by continuing browsing a site, a user is accepting the exchange of data for content, and Criteo claims the same standards.
On the other hand, GDPR dictates that “silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
It may come down to how the EU’s courts will slice definitions of words like “silence” and “inactivity.”
In some ways, GDPR could be a relative advantage for Criteo.
Criteo is working on ways to secure an opt-in on one site and recognize that user across its network without requiring consent for every site or merchant, because the person has opted in to the Criteo program, Eichmann said.
This is a key plank of Criteo’s value prop, because it connects browsing across the web and not just on siloed properties.
An EU legislative working party updated GDPR guidelines late last year, however, determining consent for multiple purposes can’t be bundled into a single request. A retailer can’t acquire consent for targeted email marketing and for data sharing in the same request, since both use cases must be explicitly approved by the individual.
“In a given case, several consents may be warranted to start offering a service, pursuant to the GDPR,” according to the EU legislative group.
“We realize for people with sensitive data, it’s a bit touchy,” Eichmann said, also referencing retailers – which, unlike Criteo, store transaction data, home addresses and sometimes even credit histories for people in their loyalty or credit financing programs. By restricting its data collection to anonymized browser histories, he said, Criteo falls outside enforcement over what the EU defines as sensitive data – like race, gender, political views, religious beliefs or health info.
Apple Of Discord
If Criteo claims GDPR is a manageable problem, ITP’s “laser-guided missile against click-based revenue models” is a bigger threat, said Elgin Thompson, managing director at the tech investment firm Digital Capital Advisors.
ITP is a particular challenge to Criteo because “it’s not necessarily within their control,” said Gartner research VP Marty Kihn.
Even if EU regulators challenge Criteo’s tracking and data collection, it would be a lengthy process wherein Criteo could adjust policies and establish firm ground.
Apple, on the other hand, is liable to make policy changes or algorithm tweaks impacting Criteo’s business without so much as a heads-up.
Though Criteo’s risk from ITP may be overblown, Thompson said, because Safari accounts for relatively little traffic.
A more serious problem might be tech in-sourcing, he said, because ecommerce merchants and sites are doing more of their own retargeting – or just offloading that capability to a platform like Google or Amazon.
Criteo will see less data due to ITP and GDPR, Thompson said, but the company has developed data co-op products between retailers and product manufacturers that could help inject targeting without data collection.
“The wick on the retargeting candle has been burning down for years,” Kihn said, and the old retargeting specialists have mostly reshaped their businesses or faded after an acquisition, like with Rubicon Project’s deal for Chango.
Criteo describes itself more now as a marketing tech vendor, as opposed to a retargeting specialist, Kihn said.
“But it’s hard to pivot like that in a public environment,” he said. “They’re going to need trust and patience from the market, which is not a reliable bet.”
