Since the GDPR came into effect in May 2018, the CNIL (France’s data protection authority) has significantly ramped up its enforcement activity. By 2026, the numbers speak for themselves: hundreds of millions of euros in fines have been issued against companies of all sizes, from multinationals to SMEs. Understanding these sanctions, their grounds, and the amounts at stake is essential for any data controller looking to protect their business.
The Most Significant CNIL Sanctions
Since the GDPR, the CNIL’s enforcement powers have been considerably strengthened: fines can reach €20 million or 4% of annual global turnover, whichever is higher. Here are the 15 most significant sanctions issued in France, grouped by amount.
Record Fines (Over €10 Million)
The heaviest sanctions have targeted major tech companies. The CNIL issued a €150 million fine against a leading online advertising company for cookie management violations. A search engine was fined €50 million for lack of transparency and legal basis in processing data for advertising personalisation. A social media platform was sanctioned €60 million for non-compliant cookie practices.
In the e-commerce sector, several platforms received fines ranging from €10 to €30 million for data security failures or inadequate user information. A telecommunications operator was fined €10 million for security vulnerabilities that exposed millions of customers’ data.
Mid-Range Fines (€100,000 to €10 Million)
This segment is particularly instructive, as it concerns medium-sized businesses and illustrates the most common mistakes. The CNIL has regularly sanctioned:
- Real estate companies for excessive retention of tenant data (fines of €400,000 to €600,000)
- E-commerce businesses for customer data security failures (fines of €150,000 to €500,000)
- Healthcare organisations for insufficient patient data protection (fines of €200,000 to €1.5 million)
- Digital marketing companies for unsolicited commercial communications (fines of €100,000 to €300,000)
Fines Affecting SMEs and Small Businesses (€1,000 to €100,000)
Contrary to popular belief, the CNIL does not only sanction large corporations. Many SMEs have been fined amounts ranging from a few thousand to tens of thousands of euros. These sanctions typically involve basic violations: absence of a privacy policy, lack of a processing register, or non-compliant employee video surveillance.
A private medical practitioner was sanctioned for inadequate protection of patient health data. Housing associations and property managers have been formally warned over non-compliant surveillance systems. These cases demonstrate that no organisation is immune.
The 5 Most Common Grounds for Sanctions
Analysis of CNIL decisions reveals the recurring grounds that trigger enforcement action.
1. Lack of Cookie Consent
Since the CNIL’s cookie guidelines (2020), prior consent is mandatory before placing any non-essential tracker. Companies that deploy advertising or analytics cookies without first obtaining consent face heavy sanctions. This ground alone accounts for a significant share of the highest fines issued since 2021.
2. Data Security Failures (Article 32 GDPR)
Article 32 of the GDPR requires appropriate technical and organisational measures to ensure data security. The most commonly sanctioned vulnerabilities include: storing passwords in plain text, lack of encryption for sensitive data, unrestricted database access, and absence of data breach management procedures.
3. Failure to Inform Data Subjects (Articles 13 and 14 GDPR)
Articles 13 and 14 of the GDPR require clear, complete, and accessible information for data subjects. This includes the controller’s identity, purposes, legal basis, recipients, retention periods, and individuals’ rights. The absence or inadequacy of this information — often manifested through a missing or incomplete privacy policy — is one of the most common grounds for sanctions. To find out if your business is affected, see our guide on GDPR scope.
4. Excessive Data Retention
The GDPR requires personal data to be kept only for as long as strictly necessary for its purpose. The CNIL regularly sanctions businesses that retain customer data for years without justification or that lack any automatic data purging policy.
5. Non-Compliance with Data Subject Rights
The right of access (Article 15), the right to erasure (Article 17), and the right to object (Article 21) must be effectively guaranteed. Several companies have been sanctioned for ignoring or belatedly handling requests for data deletion or removal from commercial mailing lists.
How Does the CNIL Calculate Fine Amounts?
The calculation of CNIL fines takes into account several criteria defined in Article 83 of the GDPR:
- Nature and severity of the violation: a security breach leading to data exposure will be more heavily fined than a delayed response to an access request
- Number of affected individuals: the more people affected, the higher the fine
- Intentional or negligent character: clear negligence will be more severely punished
- Corrective measures taken: the company’s responsiveness after discovering the violation is considered a mitigating factor
- Cooperation with the CNIL: active cooperation during the investigation can reduce the fine
- Prior record: repeat offenders face increased sanctions
The CNIL also applies the principle of proportionality: an SME with a modest turnover will receive a proportionally lower fine than a multinational, but it will not escape sanctions altogether.
Recent Trends: What Has Changed Since 2023
Since 2023, the CNIL has evolved its enforcement and investigation strategy:
Simplified procedure: for less complex cases, the CNIL uses a fast-track procedure allowing fines of up to €20,000. This procedure mainly targets SMEs and significantly accelerates complaint processing.
Priority themes: each year, the CNIL defines sectors and practices it will audit as a priority. Recent themes include minors’ data management, mobile application compliance, and commercial prospecting rules.
European cooperation: through the one-stop-shop mechanism, the CNIL collaborates with other European data protection authorities. Some record-breaking sanctions result from coordinated procedures involving multiple countries.
How to Protect Your Business from CNIL Sanctions
Given these risks, compliance is not optional but essential. Here are the priority actions:
Hire a specialised lawyer (€500–2,000 for a full audit): a digital law specialist will conduct a thorough audit of your practices and draft the necessary documents. This is the most comprehensive solution but also the most expensive and time-consuming.
Do it yourself with online templates (€0 but risky): privacy policy and processing register templates exist, but they often fail to cover all your specific obligations. The risk of gaps is high.
Use a generic AI (ChatGPT, Claude) (€0 + lawyer review €150–300): these tools can produce drafts, but the legal specifics of the GDPR require expertise that generalist AIs don’t always master. Professional review remains necessary.
Use a specialised legal AI (€14.90–19.90): solutions like WebLegal.ai generate all your mandatory legal documents — privacy policy, cookie policy, terms of use, terms of sale — in minutes, GDPR-compliant and tailored to your business.
Conclusion
CNIL sanctions are no longer theoretical threats: they affect hundreds of businesses in France every year, from multinationals to sole traders. Amounts continue to rise, and grounds for sanctions often cover basic failings — missing privacy policy, non-compliant cookies, insufficient security. To assess the specific risks your website faces, see our guide on non-compliant websites and their penalties. In 2026, the question is no longer whether you’ll be audited, but when. Act now to protect your business.