Tags: CNIL, GDPR, fines, personal-data, compliance

CNIL: The 20 Biggest GDPR Fines in France (and What They Teach Us)

Detailed analysis of the 20 largest CNIL sanctions in France: amounts, GDPR articles violated, company mistakes, and practical lessons for SMBs. From Google (150M euros) to Darty (100K euros).

Thomas Ferreira · 54 min read

On January 4, 2022, the CNIL published three decisions simultaneously: 150 million euros against Google, 60 million against Facebook, 60 million against Microsoft. A total of 270 million euros in a single day. The issue? Cookie buttons. Not a spectacular data breach, not an international hack - poorly configured buttons on websites.

That moment marked a turning point. Since GDPR came into force in May 2018, the CNIL has issued over 500 million euros in fines. And contrary to what many executives assume, sanctions are not limited to Big Tech. Dedalus Biologie, a medical subcontracting lab, was fined 1.5 million euros for a health data breach. Doctissimo, a health information website, 380,000 euros. Darty, 100,000 euros for a poorly secured web form. The range spans from California giants to French companies with 200 employees.

This article reviews the 20 largest CNIL fines issued in France, explains which GDPR articles were violated in each case, and most importantly identifies the recurring patterns. Because if you run a French SMB, these 20 cases tell a very clear story about what the CNIL is looking for - and what you need to fix first.

Summary Table of the 20 Largest CNIL Fines

Before diving into the details, here is the full overview. Each case is analyzed individually in the sections that follow.

# | Company | Amount (euros) | Date | Main Ground | Articles Violated
--- | --- | --- | --- | --- | ---
1 | Google Ireland | 150,000,000 | Jan. 2022 | Cookies: refusal not as easy as acceptance | Art. 82 French DPA
2 | Microsoft Ireland | 60,000,000 | Jan. 2022 | Cookies: set without valid consent | Art. 82 French DPA
3 | Facebook Ireland (Meta) | 60,000,000 | Jan. 2022 | Cookies: refusal not as easy as acceptance | Art. 82 French DPA
4 | Criteo | 40,000,000 | June 2023 | Ad targeting without valid consent | Art. 7, 13, 15, 17, 26 GDPR
5 | Amazon France Logistique | 35,000,000 | Jan. 2024 | Video surveillance and cookies | Art. 5, 6, 13 GDPR + Art. 82 French DPA
6 | Clearview AI | 20,000,000 | Oct. 2022 | Biometric data collection without legal basis | Art. 6, 9, 12, 13, 15, 17 GDPR
7 | Uber B.V. and Uber France | 10,000,000 | Dec. 2024 | Inadequate driver data security | Art. 32 GDPR
8 | TikTok | 5,000,000 | Dec. 2022 | Cookies: insufficient information, complex refusal | Art. 82 French DPA
9 | Voodoo | 3,000,000 | Jan. 2024 | Mobile ad tracking without consent | Art. 82 French DPA + Art. 5, 13 GDPR
10 | Carrefour France + Carrefour Banque | 3,000,000 | Nov. 2020 | Information, retention, cookies, rights | Art. 5, 6, 13, 17, 21, 32 GDPR
11 | RATP | 2,000,000 | Oct. 2024 | Unlawful union activity tracking files | Art. 5, 9, 32 GDPR
12 | Dedalus Biologie | 1,500,000 | April 2022 | Medical data breach of 500,000 patients | Art. 28, 29, 32 GDPR
13 | Discord Inc. | 800,000 | Nov. 2022 | Excessive retention, security, information | Art. 5, 13, 32 GDPR
14 | Accor | 600,000 | Aug. 2022 | Commercial solicitation without consent | Art. 82 French DPA + Art. 12, 21 GDPR
15 | Doctissimo | 380,000 | May 2023 | Cookie consent, sharing with data brokers | Art. 5, 6, 7, 13 GDPR + Art. 82 French DPA
16 | Sephora | 250,000 | Jan. 2023 | Cookies set before consent | Art. 82 French DPA
17 | Optical Center | 250,000 | June 2018 | Customer invoices accessible without authentication | Art. 32 GDPR (pre-GDPR equivalent)
18 | TOTAL Energies (ex-Direct Energie) | 200,000 | Nov. 2022 | Telemarketing and Linky meter data | Art. 5, 21 GDPR + Art. 82 French DPA
19 | Infogreffe | 250,000 | Sept. 2022 | Excessive retention and weak passwords | Art. 5, 32 GDPR
20 | Darty | 100,000 | Jan. 2018 | Contact form accessible without restriction | Art. 34 French DPA (pre-GDPR)

Combined total of these 20 sanctions: 391,330,000 euros.

Three observations stand out before even analyzing individual cases: cookies and consent account for 8 of the 20 largest fines; the heaviest sanctions do not punish data breaches but consent failures; and the CNIL does not hesitate to go after French companies (Criteo, Carrefour, Dedalus, RATP, Accor, Doctissimo, Voodoo).

The Three Record Fines of January 4, 2022: The Cookie Turning Point

1. Google Ireland - 150 Million Euros

Decision date: December 31, 2021 (published January 6, 2022)
Amount: 150,000,000 euros
Articles violated: Article 82 of the French Data Protection Act (transposing Article 5.3 of the ePrivacy Directive)

When a user arrived on google.fr, youtube.com, or other Google services, a cookie banner displayed a prominently visible "Accept All" button. But to refuse non-essential cookies, the user had to navigate a sub-menu, understand the options, and click multiple times. This asymmetry between accepting (one click) and refusing (multiple clicks) constituted what the CNIL deemed an illegitimate pressure on consent.

The CNIL also found that advertising cookies were set before any user action on certain Google services, amounting to cookie placement without prior consent.

What Google did after: within weeks of the decision, Google deployed a new banner with a "Reject All" button as visible as the "Accept All" button. The CNIL confirmed compliance in April 2022.

Key takeaway: a "Reject All" button must be as accessible and visible as the "Accept All" button. Period. No dark patterns, no extra dropdown menus, no grayed-out colors to discourage refusal.

2. Microsoft Ireland - 60 Million Euros

Decision date: December 19, 2022
Amount: 60,000,000 euros
Articles violated: Article 82 of the French Data Protection Act

The Microsoft case is nearly a copy of Google's, with one twist. When a user arrived on bing.com, Microsoft placed advertising cookies without any consent mechanism. No banner, no popup, no choice. Cookies were simply set on page load.

The CNIL noted that even where a banner existed (on other Microsoft services), the refusal option required more steps than acceptance.

Penalty for delay: 60,000 euros per day if compliance was not achieved within three months.

Key takeaway: a website that places advertising or analytics cookies before user consent violates the law, full stop. This is the most binary rule of French GDPR enforcement.

3. Facebook Ireland (Meta) - 60 Million Euros

Decision date: December 31, 2021 (published January 6, 2022)
Amount: 60,000,000 euros
Articles violated: Article 82 of the French Data Protection Act

Same logic as Google: on facebook.com, an "Accept Cookies" button was immediately visible. To refuse, the user had to click "Accept Only Essential Cookies," which redirected to a settings page. The CNIL ruled that this architecture made refusal more complex than acceptance and that the discrepancy was unjustified.

Key takeaway: the CNIL evaluates the user journey, not just the presence of a choice. If accepting takes one click and refusing takes three, that is a dark pattern. And it costs 60 million euros.

The Ad Targeting Battle

4. Criteo - 40 Million Euros

Decision date: June 15, 2023
Amount: 40,000,000 euros
Articles violated: Articles 7, 13, 15, 17, 26 of the GDPR

This sanction is particularly instructive because Criteo is a French company, listed on Nasdaq, specializing in retargeting advertising. Its business involves tracking users across websites to display personalized ads. The CNIL identified five distinct violations:

  1. No proof of consent (Art. 7) - Criteo collected browsing data through its partners (websites), but did not verify that those partners had actually obtained valid consent. In practice, Criteo processed data from millions of users who had never consented to ad tracking.

  2. Inadequate information (Art. 13) - Individuals whose data Criteo processed were not clearly informed of the processing activities. The privacy policy was deemed insufficient.

  3. Failure to honor access requests (Art. 15) - Individuals who asked Criteo what data it held on them did not receive complete responses.

  4. Failure to honor deletion requests (Art. 17) - Deletion requests were not properly executed.

  5. No joint controller agreement (Art. 26) - Criteo and its partners were jointly processing data without having formalized their respective roles.

Key takeaway: if your business model relies on personal data obtained through third parties, you must be able to prove that consent was obtained upstream. "My partner told me they had consent" is not enough. You must verify it, document it, and create an audit trail. The Criteo case established this principle at a cost of 40 million euros.

5. Amazon France Logistique - 35 Million Euros

Decision date: January 23, 2024
Amount: 35,000,000 euros
Articles violated: Articles 5, 6, 13 of the GDPR + Article 82 of the French Data Protection Act

This sanction covers two distinct issues. First, the CNIL found that amazon.fr placed advertising cookies without prior user consent - the same complaint as for Google, Microsoft, and Facebook two years earlier. Second, and more unusually, the CNIL sanctioned Amazon's video surveillance system in its French warehouses.

On the surveillance front, the findings were serious:

  • Scanners used by employees in warehouses recorded activity in real time, enabling measurement of idle time, breaks, and individual productivity.
  • This continuous employee monitoring system was deemed disproportionate (violation of Article 5 GDPR - minimization principle).
  • Employees were not adequately informed of the scope of surveillance (violation of Article 13 GDPR).

Key takeaway: the CNIL goes beyond cookies. Employee surveillance is an expanding area of enforcement. Any company using productivity monitoring tools (tracking software, badge systems, timekeeping) must ensure the system is proportionate and that employees are properly informed.

6. Clearview AI - 20 Million Euros

Decision date: October 20, 2022
Amount: 20,000,000 euros
Articles violated: Articles 6, 9, 12, 13, 15, 17 of the GDPR

Clearview AI is an American company that scraped billions of photos from social media, news sites, and other public sources to build a facial recognition database. Without consent, without information, and without any legal basis under European law.

The CNIL ruled that:

  • Collecting biometric data (faces) without consent violated Articles 6 and 9 of the GDPR (biometric data being sensitive data under Article 9).
  • Individuals were neither informed nor able to exercise their access, rectification, or deletion rights.
  • Clearview AI had ignored a CNIL formal notice from December 2021.

The 20-million-euro fine corresponds to the regulatory ceiling for this type of violation. The CNIL also ordered Clearview AI to stop collecting data on French residents and to delete the data already held, with a penalty of 100,000 euros per day of delay.

The catch: Clearview AI is based in the United States with no establishment in France. Enforcing the decision remains a practical challenge. This case illustrates a GDPR limitation: against foreign companies with no physical presence in Europe, collecting fines is complicated.

Key takeaway: biometric data (face, fingerprints, voice) receives enhanced protection under Article 9 of the GDPR. Any collection without explicit consent is sanctioned at the maximum.

Security and Data Protection: When Technology Falls Short

7. Uber B.V. and Uber France - 10 Million Euros

Decision date: December 17, 2024
Amount: 10,000,000 euros
Articles violated: Article 32 of the GDPR (security of processing)

The CNIL sanctioned Uber for security failures in protecting the data of VTC (ride-hailing) drivers using the platform in France. The investigation revealed that the API used for driver account management had flaws allowing unauthorized access to personal data: identity documents, driver's licenses, trip records, and geolocation data.

Identified failings:

  • Inadequate security measures on API endpoints (weak authentication, no rate limiting).
  • Missing encryption for certain categories of sensitive data in transit.
  • Late notification to the CNIL after discovering an incident in 2023.

This was not Uber's first sanction in France. In 2018, the CNIL had already imposed 400,000 euros for the 2016 data breach (57 million global users, including 1.4 million in France) that Uber had concealed for a year. The repeat offense clearly factored into the 2024 amount.

Key takeaway: Article 32 of the GDPR requires security measures "appropriate to the risk." The CNIL evaluates security based on data volume and sensitivity. For a platform managing millions of identity documents, a simple username/password on an API does not pass muster. And repeat offenses increase the penalty.

8. TikTok - 5 Million Euros

Decision date: December 29, 2022
Amount: 5,000,000 euros
Articles violated: Article 82 of the French Data Protection Act

Cookies again. On tiktok.com, the CNIL found two problems:

  1. Information provided to users about cookie purposes was insufficient and written only in English for French users.
  2. Refusing cookies required more clicks than accepting - the same recurring complaint.

The amount may seem modest compared to Google's 150 million. The difference is explained by TikTok France's revenue at the time, significantly lower than Google France's. The CNIL calibrates fines proportionally to the sanctioned entity's revenue.

Key takeaway: cookie information must be written in the user's language. An English-only banner on a site accessible from France does not meet the information obligation. This also applies to terms of service, privacy policies, and any document subject to GDPR transparency requirements.

9. Voodoo - 3 Million Euros

Decision date: January 17, 2024
Amount: 3,000,000 euros
Articles violated: Article 82 of the French Data Protection Act + Articles 5 and 13 of the GDPR

Voodoo is a French mobile game publisher (over 6 billion cumulative downloads). The CNIL sanctioned the company for how its apps collected users' advertising identifiers (IDFA on iOS, GAID on Android) and transmitted them to advertising partners before obtaining user consent.

In practice, when a player opened a Voodoo app, the integrated advertising SDKs began collecting and transmitting tracking data before the consent popup even appeared. The window between app opening and consent display - mere seconds - was enough for trackers to be activated.

The CNIL also noted an information failure: users were not clearly informed about the identity of partners receiving their data or the specific purposes of each processing activity.

Key takeaway: on mobile, the same rules apply as on the web. The mobile advertising identifier is a tracker under Article 82 of the French Data Protection Act. Advertising SDKs must be configured to transmit nothing before consent. If your developers load the SDK at app startup "for performance reasons," that is a violation.

The Overlooked Sanctions: SMBs and French Companies

10. Carrefour France + Carrefour Banque - 3 Million Euros (2.25M + 800K)

Decision date: November 18, 2020
Amount: 2,250,000 euros (Carrefour France) + 800,000 euros (Carrefour Banque) = 3,050,000 euros
Articles violated: Articles 5, 6, 13, 17, 21, and 32 of the GDPR

Carrefour accumulated an unusually high number of violations in a single proceeding:

  • Inadequate information (Art. 13) - The privacy policy on carrefour.fr and the loyalty program was incomprehensible, overly long, and failed to clearly state data recipients or retention periods.

  • Excessive retention (Art. 5) - Data from over 28 million customers inactive for 5 to 10 years was still stored. Carrefour Banque retained data from customers who had closed their accounts years earlier.

  • Cookies without consent (Art. 82 French DPA) - Advertising cookies were placed before any user action on carrefour.fr.

  • Obstacles to exercising rights (Art. 17 and 21) - To exercise the right to erasure or object, a customer had to provide an ID copy, which the CNIL deemed disproportionate for this type of request.

  • Security (Art. 32) - Customer account passwords were stored using an obsolete hashing algorithm (MD5).

Key takeaway: Carrefour is a textbook case of accumulation. No individual violation would have justified 3 million euros on its own. But the combination of six distinct violations, affecting millions of people, led to that total. The lesson for SMBs: a comprehensive audit is better than piecemeal fixes. When the CNIL opens an investigation, they examine everything.

11. RATP - 2 Million Euros

Decision date: October 16, 2024
Amount: 2,000,000 euros
Articles violated: Articles 5, 9, and 32 of the GDPR

The RATP (Paris public transit authority) was sanctioned for including in employee evaluation files the number of strike days in which employees had participated. This information, which relates to union activity and therefore constitutes sensitive data under Article 9 of the GDPR, was used as a criterion in the career advancement and promotion process.

The CNIL found that:

  • Strike day information appeared in the evaluation files of over 7,000 employees over several years.
  • This data was processed without legal basis and constituted prohibited sensitive data processing under Article 9 of the GDPR.
  • The HR information system had security shortcomings (overly broad access to personnel files).

Key takeaway: data related to union membership, political opinions, health, and religious beliefs are sensitive data under Article 9 of the GDPR. Even an indirect mention - such as the number of strike days, which reveals union activity - is enough to constitute unlawful processing. Companies must purge their HR files of any such information.

12. Dedalus Biologie - 1.5 Million Euros

Decision date: April 15, 2022
Amount: 1,500,000 euros
Articles violated: Articles 28, 29, and 32 of the GDPR

This case is one of the most severe in terms of human impact. In February 2021, a file containing medical data of 491,840 patients appeared on a hacking forum. Names, Social Security numbers, treating physician names, exam dates, and crucially biological test results (HIV serology, hepatitis, tumor markers, pregnancy data, medications). Medical data of extreme sensitivity.

The source: Dedalus Biologie, a medical laboratory software vendor. During a software migration for a client (a laboratory group), an extraction file containing this data was left accessible on an unsecured FTP server. No encryption, no access control, no deletion after the migration.

The CNIL identified three violations:

  1. Failure to govern subcontracting (Art. 28) - Dedalus was acting as a processor for the laboratories but had not met its contractual security obligations.

  2. Processing outside the controller's instructions (Art. 29) - The extraction file had been created for a technical purpose (migration) but was never deleted or reported to the laboratory client.

  3. Inadequate security (Art. 32) - An FTP server without authentication, without encryption, containing health data. The CNIL described the failing as "particularly serious."

Key takeaway: if your company is a processor under GDPR (you handle data on behalf of a client), Article 28 imposes specific security obligations on you. Temporary files, migration extractions, test exports - all of it must be tracked, secured, and deleted after use. Dedalus paid 1.5 million, but the 491,840 patients whose HIV status or tumor markers were published online paid a far higher price.

For a deeper look at the consequences of health data breaches in France, see our analysis of the 50 largest data breaches.

13. Discord Inc. - 800,000 Euros

Decision date: November 17, 2022
Amount: 800,000 euros
Articles violated: Articles 5, 13, and 32 of the GDPR

Discord, the messaging platform used by 150 million monthly active users (with a significant proportion of minors in France), was sanctioned on three points:

  1. Excessive data retention (Art. 5) - Discord retained accounts and data of millions of users who had not logged in for over three years. 2.4 million French user accounts fell into this category. No automatic deletion policy was in place.

  2. Inadequate information (Art. 13) - The privacy policy, written in English, was not translated into French. Retention periods were not specified.

  3. Security (Art. 32) - The password policy was insufficient: Discord accepted passwords of only 6 characters, with no complexity requirement. For a service handling private communications of millions of people, including minors, the CNIL deemed this security level inadequate.

Key takeaway: unlimited retention of inactive accounts is a recurring ground for sanctions. If you manage a user database, you must define retention periods and delete inactive accounts once they are exceeded. The CNIL generally recommends 3 years of inactivity for customer accounts and 13 months for cookies.

14. Accor - 600,000 Euros

Decision date: August 3, 2022
Amount: 600,000 euros
Articles violated: Article 82 of the French Data Protection Act + Articles 12 and 21 of the GDPR

The hotel group Accor was sanctioned for two distinct practices:

  1. Commercial email solicitation without consent (Art. 82 French DPA) - Promotional emails were sent to customers who had explicitly refused commercial solicitation. The preference management system was malfunctioning: customer unsubscription choices were not propagated to all of Accor's marketing systems.

  2. Obstruction of the right to object (Art. 21 GDPR) - Even after clicking the unsubscribe link in emails, some customers continued receiving promotional communications. The unsubscription process took several weeks to propagate across different systems.

Key takeaway: when a customer says "stop," it must be immediate and total. Not "stop in 15 days after CRM sync." If your marketing tools do not handle consent revocation in real time, that is both a legal and a technical problem. Accor did not have a bad-faith problem; it had a technical architecture problem - its different systems did not communicate consent preferences. The outcome is the same: 600,000 euros.
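The architecture lesson from the Accor case can be shown in code. The following is an added example, not Accor's system or the CNIL's: instead of copying opt-out flags to each marketing tool on a sync schedule, a single consent register is the only source of truth and every outbound send consults it at the moment of sending, so an objection takes effect immediately. Customer ids, timestamps, the channel name and the campaign are constructed for the example; the register also keeps a history so the company can prove what it knew and when (the Article 7 proof-of-consent problem seen in the Criteo and Doctissimo cases).

```python
# Added example: send-time consent check against an authoritative register.
# Not Accor's code; customers, timestamps and channel names are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass
class ConsentRegister:
    """Authoritative record of marketing consent per (customer, channel).

    Marketing tools never hold their own copy of this flag; they ask the
    register at send time, so there is nothing to keep in sync."""
    _state: Dict[Tuple[str, str], Tuple[bool, datetime]] = field(default_factory=dict)
    # Append-only history: who changed what, when (audit trail / proof of consent).
    history: List[Tuple[str, str, bool, datetime]] = field(default_factory=list)

    def record(self, customer_id: str, channel: str, allowed: bool, at: datetime) -> None:
        self._state[(customer_id, channel)] = (allowed, at)
        self.history.append((customer_id, channel, allowed, at))

    def allows(self, customer_id: str, channel: str) -> bool:
        """Default is no consent: a customer with no recorded choice is never solicited."""
        return self._state.get((customer_id, channel), (False, None))[0]


def send_campaign(register: ConsentRegister, channel: str,
                  recipients: List[str], deliver) -> dict:
    """Filter recipients at the moment of sending, not when the list was built.

    'deliver' is the outbound gateway (an email API, an SMS provider...). The
    returned summary records who was suppressed, which is what an auditor asks for."""
    sent, suppressed = [], []
    for customer_id in recipients:
        if register.allows(customer_id, channel):
            deliver(customer_id)
            sent.append(customer_id)
        else:
            suppressed.append(customer_id)
    return {"sent": sent, "suppressed": suppressed}


def demo() -> dict:
    """Constructed scenario: c2 unsubscribes minutes before the campaign goes out."""
    register = ConsentRegister()
    signup = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    register.record("c1", "email", True, signup)
    register.record("c2", "email", True, signup)
    # c2 clicks the unsubscribe link; the register is updated immediately.
    register.record("c2", "email", False, datetime(2024, 5, 1, 9, 55, tzinfo=timezone.utc))
    outbox: List[str] = []
    # The campaign list was built earlier and still contains c2, plus c3 who
    # never gave consent at all. Both are suppressed at send time.
    return send_campaign(register, "email", ["c1", "c2", "c3"], outbox.append)


if __name__ == "__main__":
    print(demo())   # {'sent': ['c1'], 'suppressed': ['c2', 'c3']}
```

The point is where the check lives: a recipient list built from a CRM export is stale by definition, so the only safe place to enforce an objection is the last step before delivery, against the one record that the unsubscribe link actually updates.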

15. Doctissimo - 380,000 Euros

Decision date: May 11, 2023
Amount: 380,000 euros
Articles violated: Articles 5, 6, 7, 13 of the GDPR + Article 82 of the French Data Protection Act

Doctissimo, one of the most visited health information sites in France (over 50 million monthly visits), was sanctioned for how it collected and shared user data.

The CNIL's findings:

  • Cookies without consent (Art. 82 French DPA) - Advertising trackers were set before consent was collected. Standard issue.

  • Sharing data with data brokers without valid legal basis (Art. 6) - Doctissimo transmitted browsing data from its users (including data related to health searches - symptoms, diseases, treatments) to advertising partners without valid consent. The site used health questionnaires ("Are you depressed?", "Test your anxiety level") whose results were shared with third parties.

  • Excessive retention (Art. 5) - Inactive user account data was retained beyond declared periods.

  • Failure to prove consent (Art. 7) - Doctissimo could not demonstrate that collected consent was valid and informed.

Key takeaway: health-related data, even when self-declared (quiz responses, site searches), is sensitive data. Sharing it with advertising brokers without explicit consent is a clear-cut violation. If your site collects information that could reveal visitors' health status (online pharmacies, health sites, insurance companies), the compliance bar is higher.

The Pioneers: Early CNIL Sanctions

16. Sephora - 250,000 Euros

Decision date: January 20, 2023
Amount: 250,000 euros
Articles violated: Article 82 of the French Data Protection Act

Sephora was caught in the CNIL's 2021-2022 wave of checks on website cookie compliance. During an online check in June 2021, CNIL agents found that sephora.fr placed advertising cookies on page load, before any user action.

After an initial reminder in July 2021, the CNIL verified in January 2022 that the violations persisted. Sephora still had not implemented a compliant consent mechanism. The CNIL initiated the sanction procedure.

Key takeaway: the CNIL conducts systematic online checks. Its agents visit websites, analyze network traffic, and verify whether cookies are placed before consent. This is an automatable check, and the CNIL has industrialized it since 2021. Any website is potentially in scope. Check yours - it takes five minutes with a tool like CookieBot or the Cookie Quick Manager browser extension.

17. Optical Center - 250,000 Euros

Decision date: June 7, 2018
Amount: 250,000 euros
Articles violated: French Data Protection Act (pre-GDPR, equivalent to Article 32 GDPR)

The Optical Center case is one of the CNIL's earliest major sanctions and remains a textbook example of web security failure. The Optical Center website allowed customers to view their invoices online. The problem: by modifying the identifier in the URL (e.g., changing facture_id=1234 to facture_id=1235), anyone could access other customers' invoices. No verification that the logged-in user was the invoice owner.

This vulnerability, known as IDOR (Insecure Direct Object Reference), is one of the most basic in web security. It has been in the OWASP Top 10 since its first edition. The invoices contained names, addresses, phone numbers, ophthalmological prescriptions, and reimbursement amounts - health data under GDPR.

This was also not Optical Center's first offense: in 2015, the chain had already received a public warning for a similar security flaw.

Key takeaway: IDOR vulnerabilities are trivial to exploit and to fix. If your site allows users to access resources via a URL identifier (invoices, orders, files), each access must verify that the user has the right to view that specific resource. This is access control 101.
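The flaw and its fix side by side, as an added example that is not Optical Center's code or anything from the CNIL decision. The invoice store, customer ids, the session object and the prescription strings are all constructed; the point is the one line the vulnerable version lacks (an ownership check) and the "basic security test" a developer can run before putting such a page into production.

```python
# Added example: invoice lookup with and without an ownership check (IDOR).
# Not Optical Center's code; data, ids and the session model are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int        # customer account the invoice belongs to
    prescription: str    # health data under GDPR (ophthalmological prescription)


# Constructed store: two customers, one invoice each, with consecutive ids
# exactly as a "facture_id=1234" style URL parameter would expose them.
INVOICES: Dict[int, Invoice] = {
    1234: Invoice(1234, owner_id=1, prescription="OD -2.00 / OG -1.75"),
    1235: Invoice(1235, owner_id=2, prescription="OD +1.25 / OG +1.00"),
}


@dataclass(frozen=True)
class Session:
    user_id: int   # the customer who is logged in


def get_invoice_vulnerable(session: Session, invoice_id: int) -> Optional[Invoice]:
    """The sanctioned pattern: the caller is authenticated (a session exists),
    but the code never checks that the requested invoice belongs to them."""
    return INVOICES.get(invoice_id)


def get_invoice(session: Session, invoice_id: int) -> Optional[Invoice]:
    """Hardened form: return the object only if it belongs to the caller.

    A foreign id and a nonexistent id both yield None, so the response does
    not even confirm which invoice numbers exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session.user_id:
        return None
    return invoice


def idor_check(fetch: Callable[[Session, int], Optional[Invoice]],
               session: Session, foreign_invoice_id: int) -> bool:
    """Basic pre-production test: True if this user can read an invoice that
    is not theirs (the flaw is present), False if access is correctly denied."""
    invoice = fetch(session, foreign_invoice_id)
    return invoice is not None and invoice.owner_id != session.user_id


if __name__ == "__main__":
    customer_one = Session(user_id=1)   # owns 1234, should never see 1235
    print("vulnerable handler leaks:", idor_check(get_invoice_vulnerable, customer_one, 1235))  # True
    print("hardened handler leaks:  ", idor_check(get_invoice, customer_one, 1235))             # False
```

In a real application the ownership test belongs in the data-access layer (a `WHERE owner_id = ?` clause or an authorization middleware), so that every handler gets it rather than relying on each developer to remember it; `idor_check` is the kind of automated test that should fail the build if someone later removes it.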

18. TOTAL Energies (ex-Direct Energie) - 200,000 Euros

Decision date: November 24, 2022
Amount: 200,000 euros
Articles violated: Articles 5 and 21 of the GDPR + Article 82 of the French Data Protection Act

TOTAL Energies was sanctioned for two reasons:

  1. Telemarketing people registered on Bloctel (Art. 82 French DPA + Art. L. 223-1 of the Consumer Code) - TOTAL Energies cold-called people who had registered their number on the Bloctel do-not-call list. The company had not updated its prospecting database against the Bloctel list before its campaigns.

  2. Collecting hourly energy consumption data from Linky smart meters without specific consent (Art. 5 GDPR) - TOTAL Energies collected hourly consumption data from its customers' Linky meters without clearly informing them or obtaining their consent. This granular data allows inference of lifestyle habits (wake and sleep times, absences from home).

Key takeaway: data from smart meters (electricity, water, gas) is personal data. Granular collection (not just the monthly reading, but hourly load curves) allows inference of private behaviors and requires specific consent. Any company in the energy sector must take this seriously.

19. Infogreffe - 250,000 Euros

Decision date: September 8, 2022
Amount: 250,000 euros
Articles violated: Articles 5 and 32 of the GDPR

Infogreffe, the site providing access to French corporate legal information (Kbis extracts, annual accounts), was sanctioned on two points:

  1. Excessive data retention (Art. 5) - User account data was retained well beyond necessary periods. Over 946,000 user accounts inactive for more than 36 months were still in the database.

  2. Insufficiently secured passwords (Art. 32) - Infogreffe stored user passwords using the MD5 hashing function, known to be vulnerable since the 2000s. Additionally, the site accepted passwords of only 8 characters with no complexity requirement, and sent passwords in plaintext via email during account creation.

Key takeaway: MD5 for password hashing is unacceptable in 2022. The CNIL recommends bcrypt, scrypt, or Argon2 with sufficient computational cost. And sending passwords in plaintext via email is an immediate red flag - if your service sends the password in plaintext during registration, it is not hashing it properly (or at all).
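What "hashing it properly" looks like, as an added example that is not Infogreffe's code or a CNIL artefact. It uses scrypt from Python's standard library (one of the three functions the CNIL names), stores a per-user salt and the cost parameters alongside the digest, verifies in constant time, and detects legacy unsalted MD5 records by their shape so they can be re-hashed transparently at the user's next successful login. The storage format, the cost parameters and the 12-character minimum are this example's own choices, not CNIL figures; the same approach applies to the Carrefour and Discord findings above.

```python
# Added example: scrypt password storage, length policy, and MD5 migration.
# Not Infogreffe's code; record format, parameters and thresholds are assumptions.
import hashlib
import hmac
import os
import re

# scrypt cost parameters. Assumption: n=2**14, r=8, p=1 is a common setting for
# interactive logins (about 16 MiB of RAM per hash); raise n as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MIN_PASSWORD_LENGTH = 12                     # policy chosen for this example
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")       # shape of a bare, unsalted MD5 digest


def hash_password(password: str) -> str:
    """Self-describing record: algorithm, parameters, per-user salt, digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                          # malformed record never verifies
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_acceptable(password: str) -> bool:
    """Minimum policy. Length is what the Infogreffe and Discord findings turned on;
    a real deployment also rejects passwords found in breach corpora."""
    return len(password) >= MIN_PASSWORD_LENGTH


def is_legacy_md5(record: str) -> bool:
    """True for a bare 32-hex-character record, i.e. an unsalted MD5 digest."""
    return bool(MD5_HEX.match(record))


def login(password: str, stored: str) -> tuple:
    """Return (ok, record_to_store).

    A legacy MD5 record is checked once the old way and, if the password
    matches, replaced by a scrypt record: the migration happens user by user
    at login, with no plaintext ever stored or emailed."""
    if is_legacy_md5(stored):
        legacy_digest = hashlib.md5(password.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(legacy_digest, stored)
        return ok, (hash_password(password) if ok else stored)
    return verify_password(password, stored), stored


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record.split("$")[0], verify_password("correct horse battery staple", record))
```

Two details matter for an audit. The record carries its own parameters, so the cost can be raised later without a flag day: old records keep verifying and get upgraded at the next login, exactly as the MD5 ones do. And nothing in this flow ever has a reason to put the plaintext in an email, which is why a service that does so is not hashing properly.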

20. Darty - 100,000 Euros

Decision date: January 8, 2018
Amount: 100,000 euros
Articles violated: Article 34 of the French Data Protection Act (equivalent to Article 32 GDPR)

The Darty case is historically one of the CNIL's first significant data security sanctions. A contact form on Darty's website, intended for after-sales service requests, was accessible without any restrictions from a web browser. By modifying the URL, anyone could view requests submitted by other customers: names, addresses, phone numbers, problem descriptions (sometimes with banking information or ID copies that customers had attached).

What makes this case notable is that the form was not developed by Darty itself but by an external provider. Darty raised this argument in its defense. The CNIL responded that the data controller (Darty) remains responsible for data security, even when processing is outsourced. The provider had delivered an unsecured form, but Darty had not verified its compliance before putting it into production.

Key takeaway: the data controller's responsibility cannot be delegated. Whether the code was written by a provider, a freelancer, or an agency, the company that puts it into production bears responsibility before the CNIL. Any web form collecting personal data should be preceded by a security test - even a basic one.

For SMBs looking to check their email security, our free email diagnostic tool tests SPF, DKIM, and DMARC in seconds.

Recurring Patterns: What 20 Sanctions Tell Us

Analyzing these 20 cases, five clear patterns emerge.

Cookie Consent: 8 of 20 Fines

Google, Microsoft, Facebook, TikTok, Amazon, Sephora, Carrefour, Doctissimo - eight companies sanctioned for cookie and tracker violations. The total: over 325 million euros out of 391 million cumulative. Cookie consent is by far the leading grounds for sanctions in financial terms.

The common denominator:

  • Advertising cookies placed before consent.
  • An "Accept All" button more visible or accessible than a "Reject All" button.
  • Insufficient information about cookie purposes.

The CNIL launched three waves of checks in 2021, 2022, and 2023, specifically targeting cookie compliance. Checks are conducted online: a CNIL agent visits the site with a browser configured to detect cookie placement. It is fast, low-cost for the CNIL, and difficult to contest.

For SMBs: check your site now. Open your site in private browsing, clear cookies, and observe. If your analytics tool or advertising trackers load before you click "Accept," you are in violation. Solutions like Axeptio, Didomi, or Tarteaucitron (open source) enable compliant consent management.
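The "open your site, clear cookies, observe" check, written down so it can be repeated after every release. This is an added example, not a CNIL tool or any vendor's code: it takes a list of cookies observed in a clean session, each tagged with the moment it appeared (before any click on the banner, after "Reject", or after "Accept"), and reports every non-essential cookie set in the first two phases, which is precisely what the Google, Facebook and Sephora decisions turned on. The capture, the site domain and the site's declared list of strictly necessary cookies are constructed; the tracker names used to label findings (`_ga`, `_gid`, `_fbp`, `IDE`) are well-known analytics and advertising cookies.

```python
# Added example: audit of cookies observed before consent and after refusal.
# Not CNIL code; the capture, the site domain and the allowlist are constructed.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ObservedCookie:
    name: str
    domain: str    # domain that set the cookie
    phase: str     # "before_choice", "after_refuse" or "after_accept"


# Cookies the site declares strictly necessary (session, CSRF token, and the
# record of the consent choice itself). Anything else set before a choice, or
# after a refusal, is a finding. In practice this list comes from the site's
# own cookie inventory.
ESSENTIAL = {"session_id", "csrf_token", "cookie_consent"}

# Phases in which only essential cookies may exist.
VIOLATING_PHASES = {"before_choice", "after_refuse"}

# Well-known analytics/advertising cookie names, used only to label findings.
KNOWN_TRACKERS = {
    "_ga": "Google Analytics",
    "_gid": "Google Analytics",
    "_fbp": "Meta Pixel",
    "IDE": "Google DoubleClick",
}


def audit_cookies(cookies: List[ObservedCookie], site_domain: str) -> List[dict]:
    """Return one finding per non-essential cookie present before consent
    or after the user refused. An empty list means the capture is clean."""
    findings = []
    for cookie in cookies:
        if cookie.name in ESSENTIAL or cookie.phase not in VIOLATING_PHASES:
            continue
        findings.append({
            "cookie": cookie.name,
            "phase": cookie.phase,
            "third_party": not cookie.domain.endswith(site_domain),
            "vendor": KNOWN_TRACKERS.get(cookie.name, "unknown"),
        })
    return findings


def is_compliant(cookies: List[ObservedCookie], site_domain: str) -> bool:
    return not audit_cookies(cookies, site_domain)


# Constructed capture of a first visit to a fictional shop, in the order the
# cookies appeared: two trackers before any click, two more after "Reject".
SITE = "shop.example"
SAMPLE_CAPTURE = [
    ObservedCookie("session_id", "shop.example", "before_choice"),
    ObservedCookie("_ga", "shop.example", "before_choice"),
    ObservedCookie("cookie_consent", "shop.example", "after_refuse"),
    ObservedCookie("_fbp", "shop.example", "after_refuse"),
    ObservedCookie("IDE", "doubleclick.net", "after_refuse"),
    ObservedCookie("_gid", "shop.example", "after_accept"),   # fine: consent given
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_CAPTURE, SITE):
        print(finding)
    print("compliant:", is_compliant(SAMPLE_CAPTURE, SITE))   # False
```

Note that the check is phase-based rather than name-based: a first-party `_ga` cookie set before the choice is just as much a finding as a third-party advertising cookie, and a cookie that appears only after "Accept" is not one. Running this against a fresh capture after each deployment catches the regression that cost Sephora its fine: a tag or SDK that someone moved back to page load.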

Data Security: Article 32 Lurking in the Shadows

Uber, Discord, Dedalus, Darty, Optical Center, Infogreffe, Carrefour - seven companies sanctioned for security flaws. The most frequent failings:

  • Passwords hashed with MD5 or stored in plaintext
  • APIs without authentication or with weak authentication
  • Missing access controls on documents (IDOR)
  • Servers containing sensitive data accessible without restriction
  • The system accepting overly weak user passwords

Article 32 of the GDPR does not require absolute security. It requires measures proportionate to the risk. The more sensitive the data (health, biometric, financial), the more demanding the measures must be. The CNIL evaluates on a case-by-case basis, but certain practices are systematically sanctioned: MD5, no MFA on admin access, IDOR, passwords under 8 characters.

The CNIL published updated data security recommendations in 2024, with a detailed practical guide. If you have not read it, find it here.

Excessive Retention: The Ghost in the Closet

Discord, Carrefour, Infogreffe, Doctissimo - four companies sanctioned for retaining data beyond necessity. This is a "silent" violation: nobody complains, no incident occurs, but during an audit the CNIL discovers millions of accounts inactive for years, never purged.

Article 5(1)(e) of the GDPR (storage limitation principle) requires that personal data be kept in a form that permits identification of data subjects "for no longer than is necessary for the purposes for which the personal data are processed." In practice, the CNIL expects every data controller to define a retention period per data category, record it in the register of processing activities, and implement an automatic purge (deletion or anonymization) once the period expires.

Reference periods per CNIL guidelines:

  • Prospect data with no response: 3 years after the last contact
  • Inactive customer accounts: 3 years after the end of the relationship
  • Cookies and trackers: 13 months maximum
  • Logging data: 6 months to 1 year
  • Employee data: 5 years after departure (excluding longer statutory retention obligations)

Health Data: Zero Tolerance

Dedalus Biologie (laboratory data), Doctissimo (health questionnaires), Clearview AI (biometric data) - when health or biometric data is involved, the CNIL strikes hard, even when amounts appear "modest" compared to cookie fines.

Dedalus received 1.5 million euros for a breach affecting 491,840 people. Proportionally to Dedalus France's revenue, that is a much higher percentage than the 150 million imposed on Google. And the consequences for patients whose HIV status was published on a hacking forum are incomparable with a misconfigured cookie.

Article 9 of the GDPR grants special protection to health data, biometric and genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning sex life or sexual orientation. Processing these categories requires, on top of an Article 6 legal basis, one of the exceptions listed in Article 9(2) (explicit consent, the needs of medical care, substantial public interest, among others). Processing without one is treated by the CNIL as among the most serious violations, and security failings affecting such data are judged against a correspondingly higher bar.

The Subcontracting Gap: The Invisible Link

Dedalus (processor for laboratories), Darty (provider of the form), Criteo (partners supposed to collect consent) - in three of twenty cases, the failure arose in a relationship with a third party. Darty and Criteo were sanctioned as controllers for what their provider and their partners did or failed to do; Dedalus shows the other side of the same coin, a processor sanctioned in its own right for the security of data it handled on behalf of its clients.

Article 28 of the GDPR requires the data controller to "use only processors providing sufficient guarantees." This means:

  • A written processing agreement (mandatory under Article 28(3))
  • Security verifications before going into production
  • Monitoring of the processor's practices
  • Clauses on what happens to data at contract end

If your IT provider loses your data, the CNIL will sanction you. Not them (or not only them).

How the CNIL Determines Fine Amounts

The CNIL does not pick a number at random. Article 83 of the GDPR lists the criteria every data protection authority must consider:

Aggravating factors:

  • The violation is deliberate (Clearview AI knew exactly what it was doing)
  • A large number of people is affected (43 million for France Travail, 491,840 for Dedalus)
  • The data is sensitive (health, biometric)
  • The company has already been sanctioned or formally noticed (Uber in 2018 then 2024, Optical Center in 2015 then 2018)
  • The company did not cooperate with the CNIL
  • The company attempted to conceal the incident (Uber paid hackers to keep quiet in 2016)

Mitigating factors:

  • The company quickly corrected the violation
  • The company self-reported the incident
  • The company fully cooperated with the CNIL
  • Security measures in place were substantial, even if insufficient

The ceiling: 20 million euros or 4% of annual global revenue, whichever is higher. For Google (2021 Alphabet revenue of $257.6 billion), 4% would represent over 10 billion dollars. The 150 million is therefore well below the theoretical ceiling - showing that the CNIL remains measured, even in its largest sanctions.

The Simplified Procedure: The CNIL Accelerates Since 2022

Since the law of January 24, 2022 (loi n° 2022-52 on criminal liability and internal security, which amended the French Data Protection Act), the CNIL has a simplified procedure enabling faster sanctions for "common" violations. This procedure, operational since spring 2022 once its implementing decree was published, has these characteristics:

  • Fine capped at 20,000 euros (vs. 20 million for the standard procedure)
  • Decision made by the restricted committee president alone (not the full board)
  • Accelerated procedure in a few weeks (vs. several months for the standard procedure)
  • No public hearing

In 2023, 24 of the CNIL's 42 sanctions went through the simplified procedure, mainly for violations related to data security (weak passwords, missing HTTPS), failure to inform, and excessive retention.

For SMBs, this simplified procedure is a game changer. Before 2022, the CNIL lacked bandwidth to process small company cases - Google and Facebook cases monopolized resources. Now, a 50-employee SMB with a non-compliant website can receive a 5,000 to 20,000 euro sanction in a matter of weeks. The risk is no longer theoretical.

If you receive a CNIL formal notice, our guide on the NIS2 directive and its implications for SMBs will help you understand the broader regulatory framework.

CNIL Enforcement Priorities for 2025-2026

The CNIL publishes its priority inspection themes annually. For 2025-2026, four areas stand out:

Minors' Data

The CNIL announced in late 2024 that protecting minors' data would be a priority for 2025. This covers:

  • Social media platforms (age verification, parental consent mechanisms)
  • Educational applications (EdTech) used in schools
  • Online video games and mobile apps targeting children
  • Ad targeting mechanisms aimed at minors

The 2022 TikTok fine (5 million euros) was a precursor. The next wave of sanctions in this area will likely be heavier, especially as the Digital Services Act (DSA) and the EU AI Act add complementary obligations.

Artificial Intelligence and Training Data

The CNIL created a dedicated AI unit in January 2023 and has since published its first recommendations on using personal data for training models, including language models. Inspections will focus on:

  • The legal basis used to collect training data (is legitimate interest sufficient?)
  • Exercise of objection and deletion rights (can data be "deleted" from an already-trained model?)
  • Transparency toward individuals whose data is used
  • Chatbots and AI assistants that process users' personal data

OpenAI, Google DeepMind, and European AI solution providers are in the crosshairs. But companies deploying AI internally (customer service chatbots, automated CV screening) are also concerned.

Cybersecurity and Data Breaches

The number of breach notifications received by the CNIL reached 4,668 in 2023 (up 14% year-over-year). The CNIL announced strengthened security inspections, with emphasis on:

  • Encryption of data at rest and in transit
  • Access management and multi-factor authentication
  • API security (Uber's weak point)
  • Processor and digital supply chain management

Companies that have suffered a data breach and notified the CNIL should expect a follow-up: the CNIL uses notifications as a trigger for inspections and verifies whether the security measures in place were proportionate to the risk. If they were not, a sanction can be added on top of the breach's own consequences. Notifying is still mandatory (Article 33, within 72 hours) and failing to notify is itself a violation.

For SMBs, employee phishing training remains one of the most cost-effective ways to reduce breach risk: the human element (phishing, stolen credentials, misuse) is involved in roughly three quarters of breaches (74% in the Verizon DBIR 2023).

Data Brokers

The Criteo (40 million euros) and Doctissimo (380,000 euros) sanctions highlighted the opaque workings of the data brokerage industry. The CNIL indicated this sector will remain under surveillance, with particular attention to:

  • Companies reselling personal data for advertising purposes
  • Programmatic platforms processing browsing data without verified consent
  • Mobile apps reading advertising identifiers (IDFA/GAID, or Apple's IDFV in the Voodoo case) and passing them to advertising partners without consent

Practical Guide: How an SMB Can Avoid a CNIL Fine

You do not have Google's legal budget, but GDPR rules apply equally. Here is a 10-point action plan calibrated for an SMB of 20 to 250 employees.

1. Audit Your Cookies (Urgency: This Week)

Open your site in private browsing. Before clicking anything on the cookie banner, check which scripts are loading. Use your browser's developer tools (F12): the "Network" tab shows which third-party requests fire on first load, and the "Application" (Chrome) or "Storage" (Firefox) tab shows which cookies were actually set and for how long. A scanner such as CookieBot Scanner automates the same observation.

What to verify:

  • No non-essential cookies should be placed before consent.
  • The "Reject All" button must be as visible as "Accept All."
  • Each cookie's purpose must be clearly described.
  • No cookie's retention period should exceed 13 months.

If you use Google Analytics, Meta Pixel, or advertising tools, these trackers must wait for the user's click before activating. Check your CMP (consent management platform) configuration.
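The check described in this step can be scripted once you have the response headers of the first page load. The following is an added example (not code from the article, the CNIL, or any CMP vendor): it parses Set-Cookie headers captured in a fresh private window before any click on the banner, flags every cookie that is not on the site's own list of strictly necessary cookies, and separately flags any cookie whose lifetime exceeds the 13-month ceiling. The captured headers, the essential-cookie list and the observation date are constructed for the example and must be replaced with your own.

```python
"""Audit Set-Cookie headers captured before any consent click.

Added example, not code from the article or the CNIL. Assumes you copied the
Set-Cookie response headers of the first page load (Network tab, fresh private
window, banner untouched). The capture below is constructed.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed capture: one Set-Cookie header per line, as observed before the
# user interacted with the consent banner.
CAPTURED_SET_COOKIE = [
    "PHPSESSID=k3j4h5; Path=/; HttpOnly; Secure; SameSite=Lax",
    "consent_state=pending; Max-Age=15552000; Path=/; Secure; SameSite=Lax",
    "_ga=GA1.2.123456789.1700000000; Max-Age=63072000; Path=/; Domain=.example.fr",
    "_fbp=fb.1.1700000000000.987654321; Expires=Sat, 01 Jan 2028 00:00:00 GMT; Path=/",
    "csrftoken=abc123; Max-Age=31536000; Path=/; Secure; SameSite=Strict",
]

# Cookies exempt from consent: session, CSRF token, and the CMP's own record of
# the user's choice. Assumption: adjust this list to the audited site.
ESSENTIAL_COOKIES = {"PHPSESSID", "csrftoken", "consent_state"}

THIRTEEN_MONTHS = 13  # CNIL ceiling for the lifetime of a tracker, in months

# Fixed observation date so the example is reproducible (use datetime.now(timezone.utc) live).
OBSERVED_AT = datetime(2025, 11, 1, tzinfo=timezone.utc)


def add_months(dt, months):
    """Return dt shifted forward by whole calendar months (day clamped to month end)."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    for day in range(dt.day, 0, -1):
        try:
            return dt.replace(year=year, month=month, day=day)
        except ValueError:
            continue  # e.g. 31 -> 30 for a shorter month


def parse_set_cookie(header, observed_at):
    """Split one Set-Cookie header into (name, expiry datetime or None for a session cookie)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    expiry = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.lower()
        if key == "max-age":
            # Max-Age takes precedence over Expires (RFC 6265), so stop here.
            return name, observed_at + timedelta(seconds=int(value))
        if key == "expires":
            expiry = parsedate_to_datetime(value)
    return name, expiry


def audit_cookies(headers, observed_at, essential=ESSENTIAL_COOKIES):
    """Return {cookie name: [findings]} for cookies that violate either rule."""
    findings = {}
    limit = add_months(observed_at, THIRTEEN_MONTHS)
    for header in headers:
        name, expiry = parse_set_cookie(header, observed_at)
        problems = []
        if name not in essential:
            problems.append("set before consent")
        if expiry is not None and expiry > limit:
            problems.append("lifetime exceeds 13 months")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_cookies(CAPTURED_SET_COOKIE, OBSERVED_AT).items():
        print(f"{name}: {', '.join(problems)}")
```

On the constructed capture, the Google Analytics and Meta Pixel cookies are reported on both counts while the session, CSRF and consent-record cookies pass. A cookie that passes this check can still be unlawful if its stated purpose is not described in the banner; the script only covers what can be observed from headers.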

2. Clean Your Database (Urgency: This Month)

Identify accounts inactive for over 3 years and delete or anonymize them. Verify retention periods by category:

  • Unconverted prospects: deletion after 3 years without contact
  • Inactive customers: deletion 3 years after the end of the relationship
  • Former employees: 5 years after departure (except statutory obligations)
  • Access logs: 6 months to 1 year
  • Video surveillance data: 30 days maximum

Concrete action: set up an automated task (cron job, monthly script) to purge expired data. Do not rely on a manual process - it will be forgotten.
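What such a monthly job looks like, as an added example that is not code from the article or the CNIL: it runs the retention periods listed above against an in-memory SQLite database filled with constructed rows, deletes unconverted prospects and old access logs, and anonymizes rather than deletes inactive customers so that order history needed for accounting survives while the identifying fields do not. The table layout, column names and the choice of 12 months for logs (the upper end of the CNIL's 6 to 12 month range) are assumptions to adapt to your own schema and policy.

```python
"""Monthly retention purge for an SMB customer database.

Added example, not code from the article or the CNIL. Uses an in-memory SQLite
database with constructed rows; adapt the schema, columns and periods to your
own system. Run it from cron once a month.
"""
import sqlite3
from datetime import date

# Retention periods in months, from the reference periods above. The 12-month
# figure for logs is a policy choice within the CNIL's 6-12 month range.
RETENTION_MONTHS = {"prospects": 36, "customers": 36, "access_logs": 12}

# Fixed reference date so the sample is reproducible; a cron job uses date.today().
REFERENCE_DATE = date(2025, 11, 1)

SCHEMA = """
CREATE TABLE prospects (id INTEGER PRIMARY KEY, email TEXT, last_contact TEXT);
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, full_name TEXT,
                        last_order TEXT, lifetime_value REAL);
CREATE TABLE access_logs (id INTEGER PRIMARY KEY, ts TEXT, user_id INTEGER, ip TEXT);
"""

# Constructed sample rows. Dates are ISO-8601 strings so text comparison orders them.
SAMPLE_ROWS = {
    "prospects": [(1, "a@example.fr", "2021-05-10"), (2, "b@example.fr", "2025-03-02")],
    "customers": [
        (1, "c@example.fr", "Camille Durand", "2020-12-24", 1250.0),
        (2, "d@example.fr", "Dominique Petit", "2024-07-15", 310.0),
    ],
    "access_logs": [
        (1, "2024-01-15T10:00:00", 1, "203.0.113.7"),
        (2, "2025-10-30T08:12:00", 2, "198.51.100.9"),
    ],
}


def months_ago(today, months):
    """Calendar date `months` months before `today`, day clamped to the month end."""
    month_index = today.month - 1 - months
    year, month = today.year + month_index // 12, month_index % 12 + 1
    for day in range(today.day, 0, -1):
        try:
            return date(year, month, day)
        except ValueError:
            continue


def build_sample_db():
    """Create the constructed database the example runs against."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO prospects VALUES (?, ?, ?)", SAMPLE_ROWS["prospects"])
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS["customers"])
    conn.executemany("INSERT INTO access_logs VALUES (?, ?, ?, ?)", SAMPLE_ROWS["access_logs"])
    conn.commit()
    return conn


def purge_expired(conn, today):
    """Apply the retention policy in one transaction; return what was removed."""
    cutoffs = {k: months_ago(today, m).isoformat() for k, m in RETENTION_MONTHS.items()}
    with conn:  # commit all three statements together, or none of them
        deleted_prospects = conn.execute(
            "DELETE FROM prospects WHERE last_contact < ?", (cutoffs["prospects"],)
        ).rowcount
        # Customers are anonymized, not deleted: order totals may be needed for
        # accounting, the identifying fields are not. The email IS NOT NULL guard
        # makes a re-run report zero instead of touching rows twice.
        anonymized_customers = conn.execute(
            "UPDATE customers SET email = NULL, full_name = 'anonymized' "
            "WHERE last_order < ? AND email IS NOT NULL",
            (cutoffs["customers"],),
        ).rowcount
        deleted_logs = conn.execute(
            "DELETE FROM access_logs WHERE ts < ?", (cutoffs["access_logs"],)
        ).rowcount
    return {
        "prospects_deleted": deleted_prospects,
        "customers_anonymized": anonymized_customers,
        "logs_deleted": deleted_logs,
    }


if __name__ == "__main__":
    db = build_sample_db()
    print(purge_expired(db, REFERENCE_DATE))
```

Keep the counts this returns in a log: a record of what the purge deleted and when is exactly what an inspector asks for when checking that the retention periods in your register are actually enforced.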

3. Secure Your Passwords

If your application hashes passwords with MD5, SHA-1, or SHA-256, with or without salt, you are exposed under Article 32: these are fast general-purpose hashes that a GPU evaluates billions of times per second, which is exactly what an attacker does with a leaked table. A salt only prevents precomputed tables; it does not slow the attacker down. The CNIL recommends:

  • Hashing algorithm: bcrypt (cost >= 12) or Argon2id
  • Minimum password length: 12 characters for an ordinary password (CNIL password recommendation, updated in 2022)
  • No plaintext password transmission via email - only reset links with expiration
  • MFA (multi-factor authentication) for administrator accounts and sensitive access
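The migration path from a legacy table is the part teams get wrong, so here it is as an added example (not code from the article or the CNIL): the sanctioned pattern (unsalted MD5) kept only so that existing users can still log in once, a salted, memory-hard hash written in a self-describing format, constant-time verification, the 12-character policy applied at registration, and a transparent rehash on the first successful login. The CNIL recommends bcrypt or Argon2id; this example uses hashlib.scrypt from the Python standard library as a stand-in memory-hard KDF so it runs without third-party packages, and the user table is constructed. In production, swap hash_password and verify_password for the argon2-cffi or bcrypt equivalents.

```python
"""Password storage: unsalted MD5 (the sanctioned pattern) next to a salted,
memory-hard KDF, with constant-time verify and upgrade-on-login.

Added example, not code from the article or the CNIL. hashlib.scrypt stands in
for the bcrypt/Argon2id the CNIL recommends; the user table is constructed.
"""
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 12  # CNIL recommendation for an ordinary password
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # about 16 MiB per hash; raise n as hardware allows


def legacy_md5(password):
    """The sanctioned pattern: fast, unsalted, identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def check_password_policy(password):
    """Return None if the password is acceptable, otherwise the rejection reason."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"password shorter than {MIN_PASSWORD_LENGTH} characters"
    return None


def hash_password(password, salt=None):
    """Per-user salt plus scrypt, stored with its parameters so they can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    n, r, p = SCRYPT_PARAMS["n"], SCRYPT_PARAMS["r"], SCRYPT_PARAMS["p"]
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time check against either the new format or a legacy MD5 row."""
    if stored.startswith("scrypt$"):
        _, n, r, p, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    # Legacy row: still verifiable so the user can log in once and be migrated.
    return hmac.compare_digest(legacy_md5(password), stored)


def register(user_table, username, password):
    """New accounts get the policy check and the strong hash from day one."""
    reason = check_password_policy(password)
    if reason:
        raise ValueError(reason)
    user_table[username] = hash_password(password)


def login(user_table, username, password):
    """Authenticate; on success, silently replace a legacy MD5 row with a scrypt one."""
    stored = user_table.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith("scrypt$"):
        user_table[username] = hash_password(password)
    return True


# Constructed legacy table: one user still stored as unsalted MD5.
USERS = {"alice": legacy_md5("correct horse battery")}

if __name__ == "__main__":
    print("before:", USERS["alice"][:12], "...")
    print("login:", login(USERS, "alice", "correct horse battery"))
    print("after: ", USERS["alice"][:24], "...")
```

Accounts that never log in again keep their MD5 hash indefinitely, so the migration should be paired with a deadline after which remaining legacy rows are invalidated and those users are forced through a reset link.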

4. Control Your Access (Article 32)

IDOR (accessing resources by modifying the URL) cost Optical Center 250,000 euros and Darty 100,000 euros. For each endpoint in your application:

  • Verify that the authenticated user has the right to access the requested resource
  • Do not use predictable sequential identifiers in URLs (prefer UUIDs), but treat this as defense in depth: an unguessable identifier that leaks in a shared link or a log still opens the resource if the ownership check is missing
  • Test your forms and APIs with a vulnerability scanner (OWASP ZAP is free), and complete it with a manual two-account test: log in as user A, request user B's resources, and confirm every one is refused. Scanners rarely catch IDOR on their own because the request looks valid
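The vulnerable and the hardened endpoint side by side, as an added example that is not code from the article, the CNIL, or either sanctioned company: the invoice store, the two accounts and the framework-free handler functions are constructed, and the two-account probe is the manual test mentioned above written as code. The last function re-keys the store with UUIDs to show that it changes nothing without the ownership check.

```python
"""IDOR: a lookup that only authenticates, next to one that also authorizes,
plus the two-account probe that tells them apart.

Added example, not code from the article or the CNIL. The store and the users
are constructed; a real handler would sit behind a web framework route.
"""
import uuid


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed store keyed by the sequential ids that end up in /invoice/1001 URLs.
INVOICES = {
    1001: {"owner": "alice", "amount": 42.0, "pdf": "facture-1001.pdf"},
    1002: {"owner": "bob", "amount": 99.0, "pdf": "facture-1002.pdf"},
}


def get_invoice_vulnerable(invoices, current_user, invoice_id):
    """Before: checks that someone is logged in, never checks who owns the row."""
    if current_user is None:
        raise Forbidden("login required")
    try:
        return invoices[invoice_id]
    except KeyError:
        raise NotFound() from None


def get_invoice(invoices, current_user, invoice_id):
    """After: the row is returned only if it belongs to the caller.

    Unknown ids and other people's ids both raise NotFound, so the endpoint
    does not reveal which ids exist (otherwise it becomes an enumeration oracle).
    """
    if current_user is None:
        raise Forbidden("login required")
    invoice = invoices.get(invoice_id)
    if invoice is None or invoice["owner"] != current_user:
        raise NotFound()
    return invoice


def idor_probe(handler, invoices, users):
    """Two-account test: every invoice requested by every non-owner must be refused.

    Returns the (user, invoice_id) pairs that leaked; an empty list is a pass.
    """
    leaks = []
    for invoice_id, invoice in invoices.items():
        for user in users:
            if user == invoice["owner"]:
                continue
            try:
                handler(invoices, user, invoice_id)
            except (NotFound, Forbidden):
                continue
            leaks.append((user, invoice_id))
    return leaks


def rekey_with_uuids(invoices):
    """Replace sequential ids with random UUIDs (defense in depth, not a fix)."""
    return {str(uuid.uuid4()): {**row, "legacy_id": k} for k, row in invoices.items()}


if __name__ == "__main__":
    users = ["alice", "bob"]
    print("vulnerable:", idor_probe(get_invoice_vulnerable, INVOICES, users))
    print("hardened:  ", idor_probe(get_invoice, INVOICES, users))
    print("uuids only:", idor_probe(get_invoice_vulnerable, rekey_with_uuids(INVOICES), users))
```

The probe is cheap to keep in the test suite: add a case for every new resource type, and an ownership check that a later refactor drops will fail the build instead of waiting for an inspector or an attacker to find it.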

5. Govern Your Processors (Article 28)

Every provider accessing your personal data must have a processing agreement compliant with Article 28.3 of the GDPR. This agreement must specify:

  • The subject and duration of processing
  • Categories of data processed
  • Required security measures
  • Breach notification obligations: the GDPR gives you, the controller, 72 hours to notify the CNIL (Article 33), so the processor's contractual deadline must be shorter, typically 24 to 48 hours
  • What happens to data at contract end (return or destruction)

If your IT provider has not signed this agreement, regularize the situation immediately. The Darty case shows that a provider's flawed form is sanctioned on the controller's side; the Dedalus case shows that a processor can be sanctioned directly as well. Neither party can point at the other to escape its own obligations.

6. Train Your Employees

The CNIL examines whether the company has taken organizational measures - not just technical ones - to protect data. Employee training is part of this. Topics to cover:

  • Recognizing a phishing email (the number one vector for data breaches)
  • Knowing whom to report an incident or suspicious email to
  • Understanding basic GDPR rules (not sending personal data via unencrypted email, not using unauthorized tools)
  • Knowing the company's data retention policy

Regular phishing simulations bring the click rate on malicious emails down from roughly a third of employees to under 5% after a year of training (KnowBe4 Phishing by Industry Benchmarking Report 2024). It is also a demonstrable organizational measure in case of a CNIL audit.

7. Appoint a GDPR Point Person

Appointing a DPO (Data Protection Officer) is mandatory for public bodies, companies whose core business involves systematic large-scale monitoring, and companies processing sensitive data at scale. For other SMBs, it is recommended but not required.

If you do not appoint a DPO, designate an internal GDPR point person - someone who coordinates compliance, maintains the records of processing activities, and responds to data subject requests. This is not a full-time role for a 50-employee SMB, but it must be formally assigned.

8. Maintain Your Records of Processing Activities (Article 30)

Article 30(5) exempts only companies with fewer than 250 employees whose processing is occasional, involves no risk to individuals' rights and freedoms, and includes no special categories of data. Almost every company processes customer or employee data on an ongoing basis, so in practice the records of processing activities are mandatory for virtually everyone.

The CNIL provides a free downloadable template. For each processing activity, you must document: the purpose, data categories, recipients, retention periods, and security measures.

9. Prepare Your Response to Rights Requests

Articles 15 through 22 of the GDPR give individuals the right to access, rectify, erase, restrict, port, and object to the processing of their data. Criteo was sanctioned (among other things) for failing to properly respond to access and deletion requests.

Put in place:

  • A dedicated email address (dpo@your-company.com or gdpr@...)
  • A documented internal process for handling requests within the legal 1-month deadline (extendable by two further months for complex or numerous requests, provided the person is told within the first month)
  • A response template for each type of request
  • A log of requests received and responses provided

10. Run a Phishing Test

Phishing is among the leading initial access vectors in data breaches, and the human element as a whole is involved in roughly three quarters of them (74% in the Verizon DBIR 2023). The CNIL, during its inspections, evaluates whether the company has taken preventive measures. A phishing simulation campaign is a concrete, measurable, and documentable step.

If you have never run a phishing simulation in your company, check our benchmarks by industry to know what to expect, and our complete phishing simulation guide to set up your first campaign.

CNIL Sanctions and Cyber Insurance: A Direct Link

A point many executives overlook: CNIL fines are not insurable under French law. Your professional liability insurance, your cyber insurance - none will cover the amount of an administrative sanction. Fines are penal or quasi-penal sanctions; insuring them would amount to letting the offender escape responsibility, which is contrary to public policy.

However, the following costs can be covered by cyber insurance:

  • Notification costs for affected individuals
  • Forensics (technical investigation) costs
  • Legal fees to challenge the sanction
  • Public relations and crisis management costs
  • Business interruption costs related to an incident

Our article on cyber insurance and proof of employee training details insurer expectations regarding prevention - including proof that you train your employees against phishing.

The Domino Effect: CNIL Fine + Reputation Damage + Lost Customers

The CNIL fine is only the visible part. For an SMB, the indirect consequences can be more severe than the fine itself.

Publicity of the sanction: the CNIL publishes most decisions taken under the standard procedure, naming the sanctioned company (simplified-procedure decisions are not published). They appear in Google search results. If a prospect types your company name and finds "sanctioned by the CNIL for data violation," the commercial impact is immediate.

Loss of customer trust: in the Cisco Data Privacy Benchmark 2024 study, 94% of organizations surveyed say their customers would not buy from them if they did not properly protect their data. This figure measures what companies believe rather than what buyers actually do, so it should be read with caution, but the trend is real.

Lost contracts: an increasing number of public and private tenders include GDPR compliance clauses. A CNIL sanction effectively disqualifies the company from these contracts.

The total cost: for an SMB, a 50,000-euro CNIL fine can lead to indirect costs of 200,000 to 500,000 euros when you add legal fees, compliance remediation, lost customers, and management time spent handling the crisis. Our analysis of the cost of a cyberattack for a 50-employee SMB details these cost cascades.

French GDPR vs. European GDPR: Is the CNIL Stricter?

France ranks among the European countries that sanction the most. Going by cumulative fine volume, the CNIL sits among the leading authorities, behind the Irish DPC (which handles Meta, Apple, and Google cases for the EU) and ahead of the German authorities and the Spanish AEPD.

Some useful comparisons:

| Authority | Country | Largest Fine | Cumulative Total (2018-2025) |
|---|---|---|---|
| DPC | Ireland | 1.2 billion euros (Meta, 2023) | ~4 billion euros |
| CNIL | France | 150 million euros (Google, 2022) | ~600 million euros |
| German authorities (federal BfDI and Länder DPAs) | Germany | 35.3 million euros (H&M, 2020, Hamburg DPA) | ~200 million euros |
| AEPD | Spain | 10 million euros (CaixaBank, 2021) | ~150 million euros |
| ICO | United Kingdom | 20.4 million euros (British Airways, 2020) | ~120 million euros |

The CNIL's specialty: it developed specific expertise on cookies and ad targeting, hence the concentration of sanctions in that area. The Irish DPC focuses on international data transfers (hence the record 1.2-billion-euro fine against Meta in 2023). Each authority has its "hobby horse."

For French SMBs, the CNIL is the direct point of contact. And it is far more active on field inspections (online checks, on-site checks) than some of its European counterparts.

What to Do If You Receive a Letter from the CNIL

Three types of correspondence can arrive:

The Information Request

The CNIL asks you for details about your processing activities. This is not a sanction, but do not disregard it. Respond within the given deadline (usually 1 month). Be transparent. Lying or omitting information will make things worse if an inspection follows.

The Formal Notice

The CNIL has identified a violation and gives you a deadline (usually 1 to 3 months) to become compliant. Formal notices are not public by default, but the CNIL can decide to make them public. This is what happened to Clearview AI (public formal notice in December 2021, before the 20 million euro sanction in 2022).

Action: engage a lawyer specializing in data protection. Correct the violations within the deadline. Document all corrective actions. Submit a compliance report to the CNIL before the deadline expires.

The Inspection Notice

The CNIL informs you that an on-site inspection will take place on a given date. You may also receive an online check (without warning) or a document-based check (request for documents).

Action: do not panic. Designate an internal point of contact (DPO or GDPR point person). Assemble your records of processing activities, processor agreements, privacy policy, and security procedures. Cooperate fully - cooperation is an explicitly mentioned mitigating factor in Article 83 of the GDPR.

Lessons for 2026 and Beyond

Looking at these 20 sanctions in hindsight, three trends emerge for the years ahead.

Consent will remain the central battleground. The ePrivacy Regulation proposal, stalled since 2017, was withdrawn by the European Commission in 2025, so the ePrivacy Directive (transposed in France by Article 82 of the Data Protection Act) remains the basis for cookie sanctions for the foreseeable future. The CNIL has no reason to ease the pressure - online checks are low-cost and violations are easy to establish.

AI will generate a new wave of sanctions. Companies using personal data to train AI models, deploying chatbots without adequate notice, or automating decisions (recruitment, scoring, pricing) without transparency are the next targets.

Data security will be judged more harshly. With the proliferation of data breaches in France (over 50 major breaches between 2020 and 2026), the CNIL will tighten its Article 32 requirements. MFA will likely become a minimum standard, and companies storing sensitive data without encryption will have a hard time pleading good faith.

For SMBs, the message is clear: GDPR compliance is not a luxury reserved for large corporations. It is an investment costing a few thousand euros per year (a CMP for cookies, a database cleanup, employee training, a processing agreement drafted by a lawyer) that avoids sanctions of tens or hundreds of thousands of euros.

The highest-ROI first step? Training your employees to recognize phishing, because roughly three quarters of data breaches involve a human element (74% in the Verizon DBIR 2023). And because that is exactly the type of organizational measure the CNIL checks during inspections.

FAQ

What is the largest CNIL fine ever imposed in France?

The largest fine issued by the CNIL is 150 million euros, imposed jointly on Google LLC and Google Ireland by a decision dated December 31, 2021 and made public in January 2022, for non-compliance with cookie consent rules. Users on google.fr and YouTube could not refuse cookies as easily as they could accept them, in violation of Article 82 of the French Data Protection Act. Microsoft and Facebook each received 60 million euros for similar violations, announced at the same time.

Which GDPR articles are most frequently sanctioned by the CNIL?

The most frequently cited articles in CNIL sanctions are: Article 6 (legal basis for processing, particularly consent), Article 5 (minimization and storage limitation principles), Article 13 (obligation to inform individuals), Article 32 (security of processing), and Article 28 (processor oversight). Article 82 of the French Data Protection Act, transposing the ePrivacy directive on cookies, is also highly prevalent in major sanctions.

Do SMBs face CNIL fines as large as those for big corporations?

CNIL fines are proportional to revenue and the severity of the violation. For SMBs, sanctions typically range from 5,000 to 500,000 euros. The CNIL has imposed fines of 380,000 euros (Doctissimo), 100,000 euros (Darty), and 250,000 euros (Optical Center) on mid-sized companies. Since 2022, the simplified procedure allows the CNIL to process SMB cases more quickly, with fines capped at 20,000 euros under that framework. The direct financial risk is lower, but reputational damage can be devastating.

How many fines does the CNIL issue per year?

The CNIL issued 42 sanctions in 2023 totaling 89.2 million euros, and 21 sanctions in 2022 totaling about 101 million euros. With the simplified procedure introduced in 2022, the pace is accelerating: in 2024 the CNIL issued 87 sanctions totaling around 55 million euros, the majority under the simplified procedure. The total amount goes down while the number of sanctioned companies goes up, which is exactly the shift toward smaller organizations described above.

How does the CNIL calculate the amount of a fine?

The CNIL considers several criteria defined in Article 83 of the GDPR: the nature, severity, and duration of the violation; the number of people affected; whether the violation was intentional or negligent; measures taken to mitigate damage; prior history; cooperation with the authority; categories of data affected; and the company's revenue. The legal ceiling is 20 million euros or 4% of annual global revenue, whichever is higher.

Can you challenge a CNIL fine?

Yes. Any CNIL sanction can be appealed before the Conseil d'Etat (France's highest administrative court) within two months. Several companies have exercised this right: Google challenged its 150 million euro fine (dismissed by the Conseil d'Etat in 2023), Criteo challenged its 40 million euro fine (proceedings ongoing in 2025). The success rate for appeals is low: the Conseil d'Etat upholds the vast majority of sanctions, sometimes slightly reducing the amount.

Related articles