Criteo SA (NASDAQ: Cheap AdTech Champion or evil Online Stalker ?
Criteo is one of the few non-US success stories in the tech sector. Criteo was founded in France in 2005 and quickly became one of the leading “Adtech” companies in the world. Criteo successfully IPOed in 2013 on the Nasdaq and quickly reached a market cap of more than 3 bn USD.
Criteo is an “Adtech” company. What it does is the following: It is primarily a tech version of the classical Advertising Agencies: Clients use Criteo to maximise the value of their online ad dollars spent which should turn into as many clicks and sales dollars as possible.
This puts Criteo to a certain extent in direct competition with Online Juggernauts Google and Facebook. However Criteo survived and prospered because it seems to do some things better than the giants.
One special feature of Criteo is what they call “Retargeting”: Criteo is “tracking” the user across different websites (and devices !!) and redelivering ads that might be relevant for this specific user. So when you have looked up a potential hotel room on Booking.com and then move on to a different website, this is the mechanism by which you get served Booking.com ads on that other website.
Criteo claims to have 1,4 bn (!!) individual user profiles that it is tracking and able to serve directed ads to.
For advertisers, the problem is very simple: Normal online advertising has become almost prohibitively expensive. Just bidding on Google search words doesn’t make a lot of sense, especially for smaller companies. IRRs on retargeting campaigns are clearly more effective.
Criteo has currently a market cap of ~1,6 bn USD (USD 24 per share). Criteo had net income of around 80 mn in 2017 which is a trailing P/E of around 17. However with around 480 mn in Cash, the cash adjusted P/E is “only” around 12,4.
2017 Free Cash flow (their definition) was ~137 mn USD, so Price/FCF is less than 9x which is quite low for a still growing tech company.
Problems: Apple, Amazon, Short sellers & GDPR
Looking at the share price, it is pretty easy to see that Criteo has some issues:
The stock is below the IPO price from 5 years ago and has underperformed the tech sector dramatically despite high and growing profitability over the last years. So what happened?
Well, several things and many of them not good:
Apple modified their Safari browser to make tracking and retargeting much more difficult on their devices. This is what Criteo itself was saying:
The release of Apple’s Intelligent Tracking Prevention feature in Apple’s Safari browser, or ITP, on September 19, 2017 had a net negative impact on our Revenue ex-TAC in the third and fourth quarters of 2017 of less than $1.0 million and $25 million, respectively. Given the iOS 11 roll out and our coverage of Safari users, we expect Safari’s ITP feature will continue to have a net negative impact on Revenue ex-TAC, as reflected in our 2018 projections. Refer to Part II Item 1A. “Risk Factors”.
This is clearly something to watch. Normally, the Adtech industry is quite creative in finding new ways to track users.
Amazon announced just a few days ago that they will also move into the retargeting space:
While the details are not entirely clear, Bloomberg asserts the new Amazon program will compete with similar offerings from Google and Criteo. It’s currently being tested and will be a PPC-auction product, according to the report. Recently, Amazon stopped buying product listing ads (PLAs) on Google.
Although it’s not clear to me that any retailer wants to use its main competitor Amazon for retargeting, this is definitely something to keep an eye on. If Amazon gets in somewhere, caution is always a good strategy for the long-term.
“GDPR” is the new privacy standard that the EU implemented in late May. In summary, it provides guidelines on how personal user data can be used. The new law/standard foresees pretty hefty fines for non-compliant companies.
One of the problems is that for the company itself, the standards are not clear yet. There is no rule book on what exactly companies have to do to comply.
I have talked with a couple of people in the online advertising area and a lot of them were telling me that for the time being they will not use retargeting as long as the situation is unclear.
“Short attack” from Gotham Research
There seem to be generally some issues about Adtech and retargeting. This is for instance a specialized blog that shows that there seems to be some serious “ad fraud” from Adtech companies going on.
In a well-timed attack last year, short seller Gotham Research targeted Criteo with this kind of “ad fraud” accusation:
The Gotham posts are actually well written and I learned a lot about how Criteo and Adtech works just by reading it. Some of the accusations are clearly warranted, others maybe less so.
For instance the Apple Https “Super Cookie” weakness was well-known for some years and Apple was very slow to close it. Also the fact that some advertisers may overpay for online advertising is nothing specific to Criteo. Actually, I think a significant part of Google’s and Facebook’s Ad revenues are “overpaid” by advertisers that are not able to track the effectiveness of their expenses.
Nevertheless, the Gotham research clearly identified many of the weaknesses of the retargeting business model.
CEO change – founder back
Criteo defended itself vigorously but at some point it looks like the pressure got too high. Maybe it was a coincidence but I guess that the fact that the CEO was kicked out some weeks ago and the founder came back is a clear sign that not everything was great.
Founders coming back to startups sometimes works very well, with Steve Jobs being the best example, but of course there are also negative examples.
Q1 Results 2018
Q1 results of Criteo were still pretty good despite all the issues (revenue +8%, EBITDA +22%) but they mentioned that GDPR will clearly have an impact already in Q2.
Criteo in my opinion is both, a very interesting stock and an interesting business model. During my Criteo research I learned a lot about online advertising and Adtech.
It is pretty clear that “retargeting” looks maybe a little bit like “Online stalking” and is in conflict with data privacy. But on the other hand, normal online advertising (Google, Facebook) has become so expensive and difficult to track that companies who are interested in cost-efficient online advertising need these kinds of tools.
In the short-term, especially the GDPR discussion will make things difficult for Criteo and “Independent” retargeting, but on the other hand I think more and more people are worried that the large players like Google and Facebook become too dominant.
Take booking.com for example, which is a client of Criteo. If you only advertise on Google and Facebook and these guys try to become your competitor, you might think twice in directing all your ad efforts to these guys because then they exactly know how the business works and can easily copy and take over.
I am also a little bit sceptical on some projections about online advertising. Yes, it is still growing strongly, but in my opinion this is also the result of a lot of money wasted by unsophisticated players that are not able to track the efficiency of their ad spending.
Nevertheless, for the time being, I will stay on the sideline and watch Criteo from the outside. Due to GDPR it is pretty clear that the next quarters will be more difficult and I am not sure if everything is already priced in. Also, in the past, the Adtech industry always came up with some creative new ways to achieve their goals and one could speculate that this could happen again.
So despite the current headwinds, the stock could become clearly more interesting in the future as a potential deeply contrarian play. I also think that Criteo could be an interesting takeover target.
P.S.: A “link dump” from my research:
HSTS Super Cookies
HTTP Strict Transport Security (HSTS) is a security feature that allows websites to signify that they should always be accessed via a secure connection. The first time a user visits a website, it sends a bit value (true or false) which the browser stores to remember whether it should connect via HTTPS. This is a security enhancement as it ensures the browser always connects via HTTPS even if the user types or clicks a link for HTTP.
Ironically, this security enhancement has become a privacy flaw as Sam Greenhalgh of RadicalResearch has developed a method of using these flags to create a Super Cookie. The technique involves sending a request to 32 URLs which each return a true or false value that is stored by the browser. Combining these 32 values gives a binary number that can uniquely identify up to 2 billion browsers. This number can also be read by any website, not just the issuing site, and will also work in private browsing mode on some browsers.
Internet Explorer is immune to this technique as it doesn’t currently support HSTS, although it is in development. Chrome, Firefox and Opera will delete these Cookies if Standard Cookies are cleared and the latest version of Firefox does not pass the same Cookies from normal to private browsing modes and vice versa. Chrome does pass the Cookies from normal to Incognito mode but not in the other direction. Safari does not provide any way of clearing these cookies and does pass the same values between normal and browsing modes. Even more worryingly, the cookies are also uploaded to iCloud so will be sync’d with other devices.
The HSTS Cookie technique was developed recently but was actually highlighted as a potential issue by Mikhail Davidov back in 2012. For more information on HSTS Cookies read Sam’s article at http://www.radicalresearch.co.uk/lab/hstssupercookies
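An added example (not from the quoted article or from any browser vendor) of how a defender could audit for the pattern described above: given the hostnames that hold an HSTS entry in a browser profile, flag groups of numbered sibling hosts under one parent domain. The host list, the `tracker.example` names, the threshold and the "host number i is bit i" ordering are all assumptions made for illustration.

```python
import re
from collections import defaultdict

LABEL_RE = re.compile(r"^([a-z-]*)(\d+)$")  # e.g. "b07" -> prefix "b", number 7
MIN_SIBLINGS = 8  # assumed threshold: ordinary sites rarely pin this many numbered siblings

# Constructed sample: bit positions that a hypothetical tracker set to "true".
SET_BITS = [0, 3, 5, 6, 9, 12, 17, 20, 21, 30]
SAMPLE_HSTS_HOSTS = (
    ["www.shop.example", "login.bank.example",
     "cdn1.media.example", "cdn2.media.example"]          # benign entries
    + [f"b{i:02d}.tracker.example" for i in SET_BITS]      # bit-per-host entries
)

def find_bit_clusters(hsts_hosts, min_siblings=MIN_SIBLINGS):
    """Return {(prefix, parent): [numbers]} for hosts whose first label differs
    only by a number. Only hosts storing a 'true' bit appear in the HSTS list,
    so an identifier with few set bits can fall below the threshold."""
    groups = defaultdict(set)
    for host in hsts_hosts:
        first, _, parent = host.lower().rstrip(".").partition(".")
        match = LABEL_RE.match(first)
        if match and parent:
            groups[(match.group(1), parent)].add(int(match.group(2)))
    return {key: sorted(nums) for key, nums in groups.items()
            if len(nums) >= min_siblings}

def encoded_value(indices, width=32):
    """Number the cluster would encode if host number i stands for bit i
    (assumed ordering; a real scheme may order bits differently)."""
    return sum(1 << i for i in indices if i < width)

if __name__ == "__main__":
    for (prefix, parent), nums in find_bit_clusters(SAMPLE_HSTS_HOSTS).items():
        print(f"suspicious HSTS cluster: {prefix}<n>.{parent}")
        print(f"  hosts with HSTS set: {nums}")
        print(f"  persistent value under assumed ordering: {encoded_value(nums)}")
```

A flagged cluster is a candidate for clearing the browser's HSTS state for that parent domain; a hit is a heuristic signal, not proof of tracking.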