Criteo

Overview

Criteo is a global commerce media company specializing in retargeting — delivering personalized product ads to users who have previously browsed or purchased from retail and e-commerce sites. Founded in Paris in 2005 and listed on NASDAQ, Criteo operates one of the largest retargeting networks globally, processing billions of shopping signals daily across more than 22,000 advertiser clients. Its script — the Criteo OneTag — fires on product detail, cart, and order confirmation pages to capture browsing and purchase intent signals that fuel its cross-site product recommendation engine. Criteo's demand-side platform (DSP) then serves personalized carousel ads displaying the exact products a user viewed, on thousands of publisher sites.

What This Script Does

Script Files and Domains

The Criteo OneTag loads from static.criteo.net/js/ld/publishertag.prebid.js or sslwidget.criteo.com/p. Tracking beacons fire to dis.eu.criteo.com (EU data endpoint), dis.us.criteo.com (US data endpoint), and gum.criteo.com (cookie sync). RTB bid requests originate from bidder.criteo.com.

Cookies Set

• uid — Criteo's primary cross-site user identifier. Persistent, 13-month expiry. Third-party cookie set on criteo.com domain. The backbone of Criteo's retargeting system — this cookie links browsing sessions across all Criteo partner sites.
• optout — Stores user opt-out preference if the user has opted out via privacy.criteo.com.
• gcuid — Google Click User ID, set when Criteo integrates with Google's cookie matching infrastructure.
• cto_bundle — Criteo's publisher-side user sync token, used to maintain user identity in environments where third-party cookies are blocked (e.g., Safari ITP). Set as a first-party cookie on the publisher's domain.
• cto_tld_test — A temporary test cookie used to determine the highest-level domain on which first-party cookies can be set.

OneTag Events

The OneTag fires structured events on key pages:

• viewHome — Homepage visits
• viewList — Category/search results pages (with category and keyword data)
• viewItem — Product detail pages (with product ID, price, availability)
• viewCart — Shopping cart pages (with item list, quantities, values)
• trackTransaction — Order confirmation pages (with order ID, items, revenue)

Each event includes the retailer's product catalog identifiers, enabling Criteo to match viewed products against its cached product feed and render accurate carousel ads.

Identifier Sync and Identity Graph

Criteo participates in cookie syncing with Google (DoubleClick), Amazon, The Trade Desk, and other major ad platforms via gum.criteo.com, exchanging user identifiers to expand its retargeting reach. Criteo also maintains a Universal Login Graph built from hashed email addresses captured from retailer login events, enabling cross-device retargeting even when third-party cookies are unavailable.

Header Bidding

Criteo participates in Prebid.js header bidding auctions via the criteo_fastbid adapter. The script evaluates publisher ad inventory and submits real-time bids containing Criteo's retargeting user ID.

Consent & Compliance

Category: Marketing

Criteo is a registered IAB TCF 2.2 vendor (Vendor ID 91). TCF purposes exercised: Purpose 1 (Store/access information on device), Purpose 2 (Select basic ads), Purpose 3 (Create personalised ads profile), Purpose 4 (Select personalised ads), Purpose 5 (Create personalised content profile), Purpose 6 (Select personalised content), Purpose 7 (Measure ad performance). Special Purpose 1 (security, fraud prevention) and Special Feature 1 (precise geolocation) are also declared.

Under GDPR, Criteo requires explicit consent for all tracking and retargeting operations. The French CNIL fined Criteo €40 million in June 2023 for violations including collecting behavioral data without valid consent and failing to verify that consent signals received from publishers were freely given and informed. This is one of the largest CNIL enforcement actions against an ad tech company and directly confirms the GDPR status of Criteo's tracking operations.

Criteo is headquartered in Paris (EU) with major operations in the US. EU data is processed on dis.eu.criteo.com endpoints. Criteo is registered under the EU-US Data Privacy Framework for transatlantic transfers.

Under CCPA/CPRA, Criteo's behavioral data sharing with demand partners constitutes sale or sharing of personal information.

Should You Block This Without Consent?

Yes. Criteo is an advertising retargeting platform that sets persistent third-party cookies, builds cross-site behavioral profiles from browsing and purchase data, and syncs identifiers with dozens of ad partners. The CNIL's €40 million fine in 2023 confirms regulators' view that Criteo tracking without valid consent is unlawful. Block the OneTag entirely until explicit marketing consent is obtained.