CNIL: France's Privacy Watchdog Since 1978
The CNIL - Commission Nationale de l'Informatique et des Libertes - is France's independent data protection authority. Established on 6 January 1978 under the Loi Informatique et Libertes (Law No. 78-17), it predates the GDPR by four decades. France was, alongside Germany and Sweden, one of the first countries in the world to create a dedicated data protection body.
The origin story is worth knowing. In 1974, a French newspaper revealed the government's SAFARI project - a plan to assign every citizen a unique identifier and cross-reference all administrative databases. The public backlash was immediate. Four years later, the French parliament passed the Informatique et Libertes law, creating both a legal framework for data protection and an independent authority to enforce it.
That authority was the CNIL.
Today, chaired by Marie-Laure Denis (reappointed for a second five-year term in January 2024), the CNIL operates as an independent administrative body with a college of 18 members. Twelve of those members are elected or appointed by national courts and parliamentary assemblies. The French government cannot overrule its decisions - ministers, public authorities, and company directors alike are bound by its actions.
What Does the CNIL Actually Do?
The CNIL wears several hats. It is the designated supervisory authority under the GDPR (Regulation (EU) 2016/679) for France, but it also enforces the national Loi Informatique et Libertes and Article 82 of that law, which transposes Article 5(3) of the ePrivacy Directive into French law. That article governs cookie consent.
Its core functions break down into four areas:
| Function | What It Means for You |
|---|---|
| Enforcement | Conducting inspections, issuing fines (up to 4% of global turnover under GDPR, or 6% under the Digital Services Act), ordering compliance changes, and publishing decisions |
| Guidance | Publishing guidelines on cookies, AI, data security, mobile apps, and sector-specific topics. These guidelines shape how French courts interpret the law |
| Advisory | Reviewing draft legislation and advising the French government and parliament on privacy implications of new laws and public policies |
| Public education | Running awareness campaigns for citizens, schools, and businesses - including a dedicated CookieViz browser extension that lets users see which cookies a site drops |
Law No. 2024-449, in force since May 2024, also granted the CNIL expanded powers. It can now seize documents during on-site inspections (previously it could only copy them), record witness statements, and enforce certain provisions of the EU Digital Services Act and the Data Governance Act. These are significant additions that place the CNIL among the most powerful digital regulators in Europe.
CNIL's Enforcement Record: The Numbers Tell the Story
The CNIL is not a paper tiger. Its enforcement record over the past three years paints a clear picture of an authority that is getting both busier and bolder.
In 2023, the CNIL issued 42 sanctions totalling roughly 89 million euros. In 2024, that number doubled to 87 sanctions, though the total fines dropped to around 55.2 million euros - reflecting a deliberate shift toward sanctioning more organisations, including smaller ones, through a simplified procedure introduced in 2022. The CNIL also received 17,772 complaints in 2024 and adopted 303 corrective measures overall.
Then came 2025.
In 2025, the CNIL issued 83 sanctions with cumulative fines of 486.8 million euros - nearly nine times the financial total of the previous year, despite issuing four fewer sanctions. Two penalties alone accounted for the bulk of that figure: a 325-million-euro fine against Google and a 150-million-euro fine against Shein, both for cookie consent violations. The CNIL also fined Conde Nast 750,000 euros for dropping cookies on visitors to its Vanity Fair France website without consent.
The pattern is unmistakable. The CNIL has moved from high-volume corrective signalling to high-impact financial deterrence.
Why Cookie Compliance Is a CNIL Priority
Cookies have been a persistent focus of the CNIL's enforcement work since 2019, when it launched a dedicated action plan on targeted advertising and tracking. That plan produced updated guidelines and a final recommendation published on 1 October 2020, with enforcement beginning on 1 April 2021.
The CNIL's cookie rules derive from Article 82 of the Loi Informatique et Libertes, which transposes Article 5(3) of the ePrivacy Directive. The core principle is simple: before you store or read any non-essential cookie on a user's device, you need their informed, freely given, specific, and unambiguous consent.
Between December 2022 and December 2024, the CNIL issued combined fines exceeding 139 million euros specifically for breaches of this Article 82. The common violations are remarkably consistent across decisions:
- Dropping cookies before consent - placing advertising or analytics cookies the moment a user lands on the page, before the consent banner has even loaded
- Making refusal harder than acceptance - requiring more clicks to reject cookies than to accept them, or burying the "Refuse all" button on a secondary screen
- Vague purpose descriptions - using labels like "improve your experience" instead of clearly stating that cookies are used for targeted advertising
- Failing to honour consent withdrawal - continuing to read cookies after a user revokes consent, or not actually deleting expired cookies from the browser
- Incomplete information on banners - not disclosing the identity of third parties who receive cookie data
The CNIL has been explicit about what valid withdrawal looks like. In one 2024 decision (SAN-2024-019), it specified that websites must implement technical measures to actually expire or delete cookies when consent is withdrawn - for instance, by returning a Set-Cookie header with an expiry date in the past.
CNIL Cookie Consent Requirements: What Your Website Needs
If your website targets or receives visitors from France, you fall under the CNIL's jurisdiction regardless of where your company is based. The requirements are granular and prescriptive. Here is what the CNIL expects:
Consent must be prior and affirmative
No cookies (other than strictly necessary ones) may be dropped until the user actively clicks an accept button. Scrolling, continued browsing, or inaction do not constitute consent. Pre-ticked boxes are not valid. The CNIL made this explicit in its 2020 guidelines, overturning earlier practices where some sites treated page scrolling as implied consent.
Refusing must be as easy as accepting
A prominent "Accept all" button paired with a tiny "Manage settings" link is not compliant. The CNIL requires a "Refuse all" or equivalent option at the same level of the interface as the accept button - same screen, comparable visual weight. In 2024 alone, 11 organisations were penalised specifically for violating this requirement.
Consent must be granular
Bundling all cookie purposes into a single "I agree" is invalid. Visitors must be able to accept cookies for analytics while refusing advertising cookies, or vice versa. Each purpose needs its own toggle or selection mechanism.
Cookie lifespan and consent duration
The CNIL recommends a maximum cookie lifespan of 13 months. Consent choices - whether accepted or refused - should be retained for at least 6 months to avoid re-prompting returning visitors on every page load. Consent itself should be renewed at least every 13 months.
The analytics cookie exemption
The CNIL recognises a limited consent exemption for audience measurement cookies, but the conditions are strict. The analytics tool must be used solely for producing anonymous or aggregate statistics on behalf of the website publisher. The data must not be combined with other processing, must not be shared with third parties, and the cookie must have a maximum data retention period of 25 months. Google Analytics, in its standard configuration, does not qualify for this exemption.
Cookie walls
The CNIL does not impose an outright ban on cookie walls (interfaces that block content until cookies are accepted). However, it treats them with suspicion. A cookie wall is only permissible if: (a) alternative sources for the same content exist, (b) the wall only requires consent for purposes directly tied to fair service compensation (such as targeted advertising revenue), and (c) the publisher can justify the practice. Dominant service providers with no viable alternatives cannot use cookie walls at all.
How the CNIL Differs from Other European DPAs
Not all data protection authorities enforce with the same intensity. The CNIL stands out in several respects.
First, it has been unusually aggressive on cookies specifically. While the Irish DPC and ICO have focused more heavily on cross-border GDPR cases involving tech headquarters, the CNIL has carved out a distinct niche as the leading European enforcer on ePrivacy cookie rules. This is partly structural: Article 82 of the French law allows the CNIL to act unilaterally on cookie matters without triggering the GDPR's one-stop-shop mechanism, even against companies headquartered elsewhere in the EU.
Second, the CNIL conducts a high volume of inspections. It performs 300 to 400 inspections per year, a figure it considers the appropriate balance between thoroughness and enforcement quality. Many of these are online checks - the CNIL simply visits your website, records what cookies are dropped and when, and compares the result against its guidelines.
Third, the CNIL publishes detailed, prescriptive guidance. Its 2020 cookie recommendations include mock-ups of compliant banner designs, specific wording suggestions, and technical implementation details. This is useful for website owners because it removes ambiguity - but it also means ignorance is difficult to claim as a defence.
What Happens During a CNIL Investigation
CNIL investigations typically follow one of three paths: a complaint from an individual or organisation (such as the privacy advocacy group NOYB, which triggered the Conde Nast case), a report linked to a data breach or news event, or a proactive check as part of the CNIL's annual priority themes.
For cookie compliance, the process often starts with an online investigation. CNIL staff visit the website, document what cookies are set before and after interacting with the consent banner, and assess whether the banner meets the guidelines. If violations are found, the CNIL may issue a compliance order giving the organisation a deadline to fix the issue. If the organisation fails to comply - or if the violation is serious enough - the restricted committee (a panel of five members plus a chair, separate from the CNIL president) can impose a fine.
Fines under the GDPR can reach up to 20 million euros or 4% of global annual turnover, whichever is higher. For cookie-specific violations under Article 82 of the French law, there is no separate cap - the GDPR maximum applies. Under the Digital Services Act, fines can reach 6% of worldwide turnover, with daily penalties of up to 5% of average daily global turnover for non-compliance with orders.
Decisions can be appealed directly to the Conseil d'Etat, France's highest administrative court. There is no intermediate appeal step.
CNIL's Current Priorities: 2025-2028
The CNIL does not only look backward. Its strategic plan for 2025-2028 signals where enforcement attention is heading next.
Artificial intelligence is front and centre. The CNIL published its first AI recommendations in 2024, including 12 practical guidance sheets covering how GDPR principles apply to AI training data, model deployment, and automated decision-making. With the EU AI Act entering staged implementation through to August 2027, the CNIL is positioning itself as a candidate for market surveillance authority under that regulation.
Youth data protection remains a standing priority. The CNIL conducted 84 in-person actions targeting minors in 2024 and has expanded partnerships with schools and the French Ministry of Education. Under French law, the digital age of consent is set at 15 - below that age, parental consent is required for data processing related to online services.
Data security is a growing focus. One-third of the CNIL's 2024 sanctions concerned security failings, and the number of reported data breaches affecting over one million people doubled that year. The CNIL has increased collaboration with France's cybersecurity agency (ANSSI) and the Paris cyber prosecutor.
Cookies and tracking remain on the enforcement agenda. The CNIL's 2025 fines against Google and Shein confirm that cookie enforcement is not winding down - it is escalating. The CNIL also launched a public consultation on session replay technologies in February 2026, signalling that newer tracking methods beyond traditional cookies are coming under scrutiny.
How to Prepare Your Website for CNIL Compliance
Compliance with the CNIL's requirements does not need to be overwhelming, but it does need to be taken seriously. A methodical approach works best.
Audit every cookie on your site
You cannot manage what you do not know about. Run a full cookie scan to identify every first-party and third-party cookie your site sets, when each cookie is dropped relative to consent, what purpose it serves, and how long it persists. Kukie.io's cookie scanner automates this detection and categorisation process.
Implement a compliant consent banner
Your banner must present accept and refuse options with equal prominence on the first layer. Purpose descriptions should be specific ("targeted advertising" rather than "improving your experience"). Third-party identities must be disclosed. The banner must load before any non-essential cookies are set - not alongside them or after. A consent management platform handles the technical blocking so scripts cannot fire until a choice is made.
Block scripts until consent is granted
This is the technical step many sites get wrong. Simply displaying a banner is not enough. Your tag manager or consent management platform must actually prevent tracking scripts from firing until the user has made an affirmative choice. If a user lands on your page and _ga, _fbp, or any advertising cookie appears in the browser before they click accept, you have a problem the CNIL can detect in seconds.
Provide a persistent opt-out mechanism
The CNIL recommends a visible icon or link (typically at the bottom-left of the screen) that lets visitors revisit and change their cookie preferences at any time. Consent withdrawal must be as easy as giving consent in the first place. For more on how different cookie types affect your compliance obligations, see the Kukie.io blog.
Document everything
The CNIL expects data controllers to demonstrate that valid consent was obtained. Maintain timestamped consent records showing what the user was told, what they chose, and when. This is not optional - it is a legal requirement under Article 7(1) of the GDPR.
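The script-blocking, consent-record and withdrawal steps above, together with the expiry-in-the-past deletion the CNIL described in SAN-2024-019, as one added JavaScript example (not Kukie.io's or the CNIL's code). The purpose map, the cookie names and the in-memory cookie jar are constructed stand-ins for a real site and for document.cookie, so the code runs under Node.

```javascript
// Added example, not Kukie.io's or the CNIL's code: a minimal consent manager applying
// the rules above; the cookie jar stands in for document.cookie so it runs under Node.
const THIRTEEN_MONTHS_MS = 395 * 24 * 3600 * 1000; // renew consent at least every 13 months

// Constructed purpose map; only 'necessary' cookies may be set without consent.
const PURPOSES = { session_id: 'necessary', _ga: 'analytics', _fbp: 'advertising' };

// Stand-in cookie jar. As in a browser, a Set-Cookie string whose Expires
// attribute lies in the past deletes the cookie instead of storing it.
function makeCookieJar(now = () => Date.now()) {
  const jar = new Map();
  return {
    set(header) {
      const [pair, ...attrs] = header.split(';').map((s) => s.trim());
      const [name, value = ''] = pair.split('=');
      const exp = attrs.find((a) => a.toLowerCase().startsWith('expires='));
      if (exp && Date.parse(exp.slice(8)) <= now()) jar.delete(name);
      else jar.set(name, value);
    },
    names: () => [...jar.keys()],
  };
}

// What a CNIL-style online check records: non-necessary cookies present before any click.
function cookiesSetBeforeConsent(jar) {
  return jar.names().filter((n) => PURPOSES[n] !== 'necessary');
}

function createConsentManager(jar, now = () => Date.now()) {
  let record = null; // timestamped record: { choices: { purpose: bool }, timestamp }
  const allowed = (name) =>
    PURPOSES[name] === 'necessary' || !!(record && record.choices[PURPOSES[name]]);
  // One decision per purpose; refusing a purpose expires its cookies at once
  // by sending an expiry date in the past, the measure cited in SAN-2024-019.
  function recordChoice(choices) {
    record = { choices: { ...choices }, timestamp: now() };
    for (const name of jar.names()) {
      if (!allowed(name)) jar.set(`${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT`);
    }
  }
  return {
    recordChoice,
    withdraw: () => recordChoice({}), // withdrawing is one call, as easy as consenting
    // Every tracking script passes through this gate; nothing fires on inaction.
    setCookie(name, value) {
      if (!allowed(name)) return false;
      jar.set(`${name}=${value}`);
      return true;
    },
    // Re-prompt only when no choice is stored or it is older than 13 months.
    needsPrompt: () => !record || now() - record.timestamp > THIRTEEN_MONTHS_MS,
    getRecord: () => record,
  };
}
```

In a real deployment the record would be persisted (for at least 6 months, as the page notes) and the gate wired into the tag manager so that scripts such as the ones setting _ga or _fbp cannot execute until setCookie returns true.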
Frequently Asked Questions
Does the CNIL apply to websites based outside France?
Yes. If your website targets French users or processes personal data of people located in France, the CNIL can investigate and sanction you regardless of where your company is registered. The Google and Shein fines in 2025 both involved non-French entities.
What is the maximum fine the CNIL can impose for cookie violations?
Cookie violations fall under both the GDPR (up to 20 million euros or 4% of global annual turnover) and Article 82 of the French Data Protection Act. The largest single cookie-related fine to date was 325 million euros, issued against Google in September 2025.
Does the CNIL allow the use of Google Analytics without consent?
Google Analytics in its standard configuration does not qualify for the CNIL's limited consent exemption for audience measurement cookies. The exemption requires that analytics data be used solely for anonymous statistics, not combined with other processing, and not shared with third parties - conditions Google Analytics does not meet by default.
How often does the CNIL inspect websites for cookie compliance?
The CNIL conducts 300 to 400 inspections per year across all enforcement areas. Many cookie checks are performed remotely by visiting sites and recording cookie behaviour. The CNIL also responds to individual complaints - the Conde Nast case originated from a complaint by the privacy group NOYB in 2019.
Can I use a cookie wall on my French website?
Possibly, but with significant restrictions. The CNIL does not impose a blanket ban on cookie walls, but the practice must be justified. You must ensure alternative content sources exist, only require consent for purposes directly tied to revenue compensation, and be able to demonstrate the arrangement is fair. Dominant or essential service providers cannot use cookie walls.
How long should cookie consent last before I need to ask again?
The CNIL recommends renewing consent at least every 13 months. Cookie lifespan should also be capped at 13 months. Consent refusals should be stored for at least 6 months so returning visitors are not re-prompted on every visit.
What is Article 82 of the French Data Protection Act?
Article 82 of the Loi Informatique et Libertes transposes Article 5(3) of the EU ePrivacy Directive into French law. It requires informed consent before any operation that stores or reads data on a user's device - which includes cookies, pixels, fingerprinting, and similar tracking technologies. Most of the CNIL's cookie enforcement actions cite this article.
Get Your Cookie Compliance Right
If your website attracts visitors from France, the CNIL's rules apply to you. A free scan can reveal whether your site drops cookies before consent, uses non-compliant banner designs, or fails to block third-party scripts properly. Kukie.io detects and categorises cookies across your entire site and helps you build a