
GDPR Fines: Complete Breakdown of CNIL Sanctions and How to Avoid Them

DPLIANCE, Sovereign Data & AI solutions provider

€486.8 million in fines in 2025: the CNIL is hitting hard

The CNIL (France’s data protection authority) no longer warns. It sanctions.

In 2025, it imposed €486.8 million in fines. In 2024, 87 sanctions totalling €55 million. Year after year, amounts rise, procedures accelerate, and the scope of targeted businesses widens.

What changed is not the GDPR — it has been in force since 2018. It is the CNIL. The French authority shifted from an educational posture to an enforcement-first approach. The fast-track procedure, operational since 2022, allows it to sanction cases in weeks that previously took months. And automated online audits scan French websites to detect the most common violations without any human intervention.

No one is safe. Not tech giants, not SMEs, not public institutions.

Here is the full breakdown of CNIL sanctions, the landmark cases, the recurring violations — and above all, how to protect yourself.

Record CNIL sanctions: the landmark cases

Google: €325 million (September 2025)

The heaviest fine ever imposed by the CNIL. In September 2025, Google was fined €325 million for ads inserted between emails in Gmail and cookies deployed without valid consent.

The mechanism was simple and massive: advertising trackers were activated before the user could even interact with the consent banner. On Gmail, ads were displayed as emails without clear identification of their commercial nature. Millions of French users were affected.

This was not the first time. In December 2021, Google had already been fined €150 million for similar cookie violations. Over four years, Google has accumulated nearly half a billion euros in CNIL fines.

The lesson: Repeat offences are an aggravating factor. The CNIL explicitly referenced the 2021 sanction in its 2025 decision. If you have been warned and fail to correct, the amount skyrockets.

SHEIN: €150 million (2025)

The Chinese fast fashion giant was fined €150 million for advertising cookies deployed without consent. SHEIN’s French website loaded third-party trackers on page load, before any interaction with the cookie banner.

The lesson: Being based outside the EU does not protect you. The GDPR applies to any company targeting European residents. The CNIL can sanction a Chinese, American, or Singaporean website as long as it processes data of people in France.

FREE: €42 million (January 2026)

FREE Mobile and FREE were fined a combined €42 million following security breaches that exposed the personal data of 24 million subscribers. Compromised data included names, addresses, phone numbers, login credentials, and for some subscribers, bank details (IBAN).

The CNIL found that FREE’s security measures were insufficient given the sensitivity and volume of data processed. The intrusion detection system was deficient, and notification of affected individuals was deemed late.

The lesson: Data security is not optional. Article 32 of the GDPR requires “appropriate” technical and organisational measures in relation to the risks. “Appropriate” means proportionate to the volume and sensitivity of data. The more data you process, the higher your security obligations.

France Travail: €5 million (2025)

France Travail (formerly Pôle Emploi, the French public employment agency) was fined €5 million for security flaws that exposed the data of millions of jobseekers. The CNIL identified access control deficiencies allowing unauthorised third parties to access personal information.

The lesson: The public sector is not exempt. The CNIL sanctions government agencies just as it does private companies.

Criteo: €40 million (2023)

The French ad retargeting specialist was fined €40 million for collecting and processing browsing data from millions of users without valid consent. Criteo relied on partner websites to collect consent without verifying that it had actually been obtained.

The CNIL ruled that Criteo could not hide behind its partners: as a joint controller, the company had to ensure valid consent existed.

The lesson: Joint controllership does not dilute obligations. If you share data with a partner, you are co-responsible for compliance. Delegating consent collection does not exempt you.

Clearview AI: €20 million (2022)

Clearview AI, an American facial recognition company, was fined €20 million for scraping billions of photos from the internet (social networks, websites) to build a biometric database — without a legal basis, without informing individuals, and without allowing them to exercise their rights.

The CNIL added a penalty of €100,000 per day of delay to compel Clearview AI to delete data of French residents and stop collection.

The lesson: Scraping publicly available data does not make its processing legal. Publicly accessible data remains personal data protected by the GDPR.

Amazon France Logistique: €32 million (2024)

Amazon was fined for excessive surveillance of employees in its French warehouses. The system recorded scanner idle times used by order pickers, enabling real-time individual productivity tracking — deemed disproportionate by the CNIL.

The lesson: The GDPR also protects employees. Workplace surveillance must be proportionate, transparent, and based on a solid legal basis.

The 5 most common grounds for sanctions

Analysis of CNIL sanctions since 2021 reveals five recurring grounds. Knowing them means knowing where to focus your compliance efforts.

1. Cookies and trackers deployed without valid consent

The leading ground by cumulative fine amount. Google (€325M + €150M), SHEIN (€150M), Microsoft (€60M), Criteo (€40M), TikTok (€5M) — the vast majority of major sanctions involve cookies deployed before consent or reject mechanisms made harder than acceptance.

Sanctioned practices:

  • Trackers deployed before any banner interaction
  • “Reject” button absent or hidden in a second layer
  • “Accept” button visually emphasised (dark patterns)
  • Consent inferred from continued browsing
  • Cookies deployed despite explicit refusal

How to protect yourself: Deploy a compliant CMP that blocks all non-essential trackers until the user consents. Cookilio blocks third-party scripts by default and presents rejection at the same level as acceptance, in line with CNIL requirements.
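The behaviour a compliant consent gate has to enforce, written out as an added example. This is illustration code, not the article's and not Cookilio's or any other CMP's implementation; the category names ("necessary", "analytics", "advertising") and the script URLs are placeholders chosen for the example. It maps directly onto the sanctioned practices listed above: nothing non-essential loads before an explicit choice, browsing is never treated as consent, rejection is a single call at the same level as acceptance, consent is granular per category, and withdrawal is as easy as giving consent. DOM insertion sits behind an injectable `loadScript` so the logic also runs outside a browser.

```javascript
// Added example (not from the article or any CMP vendor): a minimal consent gate
// for non-essential third-party scripts. Categories and URLs are placeholders.

function defaultLoadScript(src) {
  // In a browser this is the only place a <script> tag is ever created.
  if (typeof document === 'undefined') return;
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

class ConsentGate {
  constructor({ loadScript = defaultLoadScript, essential = ['necessary'] } = {}) {
    this.loadScript = loadScript;
    this.essential = new Set(essential); // categories exempt from consent
    this.decided = false;                // has the user made an explicit choice?
    this.allowed = new Set();            // categories the user opted in to
    this.pending = [];                   // non-essential scripts awaiting a choice
    this.loaded = [];                    // audit trail of everything actually loaded
  }

  isAllowed(category) {
    return this.essential.has(category) || this.allowed.has(category);
  }

  // Register a script. Essential scripts load immediately; the rest wait for a
  // decision. Once a decision exists, a script in a refused category is dropped.
  register(src, category) {
    const entry = { src, category };
    if (this.isAllowed(category)) {
      this.load(entry);
    } else if (!this.decided) {
      this.pending.push(entry);
    }
    return this;
  }

  load(entry) {
    this.loaded.push(entry);
    this.loadScript(entry.src);
  }

  // Explicit opt-in. No argument = every pending category; a list = only those
  // categories (granular consent). Pending scripts in refused categories are dropped.
  accept(categories) {
    this.decided = true;
    const cats = categories || [...new Set(this.pending.map((e) => e.category))];
    cats.forEach((c) => this.allowed.add(c));
    const queue = this.pending;
    this.pending = [];
    queue.forEach((e) => { if (this.isAllowed(e.category)) this.load(e); });
    return this.status();
  }

  // Explicit opt-out: one call, no second layer, discards the whole queue.
  reject() {
    this.decided = true;
    this.allowed.clear();
    this.pending = [];
    return this.status();
  }

  // Withdrawal must be as easy as consent. Scripts already executed cannot be
  // unloaded, so their URLs are returned: the caller must clear their cookies/storage.
  withdraw() {
    this.reject();
    return this.loaded.filter((e) => !this.essential.has(e.category)).map((e) => e.src);
  }

  // Scrolling, clicking elsewhere or closing the banner changes nothing:
  // consent is never inferred from continued browsing.
  interact(_event) {
    return this.status();
  }

  status() {
    return {
      decided: this.decided,
      allowed: [...this.allowed].sort(),
      loaded: this.loaded.map((e) => e.src),
      pending: this.pending.length,
    };
  }
}

// Usage on a page (placeholder URLs). The two banner buttons are wired side by side:
//   acceptAll.onclick = () => gate.accept();   rejectAll.onclick = () => gate.reject();
const gate = new ConsentGate();
gate.register('/static/app.js', 'necessary')
    .register('https://analytics.example/tag.js', 'analytics')
    .register('https://ads.example/pixel.js', 'advertising');
```

The point of the audit trail (`status().loaded`) is that it lets you prove, before any banner click, that only essential scripts have executed; that is exactly the condition the CNIL checks in the cases above.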

2. Insufficient data security

FREE (€42M), France Travail (€5M), and numerous fast-track sanctions. Security breaches represent the second most frequent ground, and the one with the most visible consequences for individuals.

Common failings:

  • No encryption of sensitive data
  • Passwords stored in plain text or insufficiently protected
  • Unrestricted database access
  • No intrusion detection system
  • Late breach notification

How to protect yourself: Implement access monitoring, encrypt sensitive data, regularly test system security. Above all: have a documented and tested incident response plan.

3. Lack of information and transparency

Failing to inform individuals about data collection, or doing so incompletely or incomprehensibly, constitutes a standalone ground for sanctions. A privacy policy is not an optional legal document — it is a legal obligation (Articles 13 and 14 of the GDPR).

How to protect yourself: Write a complete privacy policy specific to your activity, in plain language. Complio automatically audits your website and identifies gaps in your user information.

4. Unregulated data transfers outside the EU

The Schrems I (2015) and Schrems II (2020) rulings created lasting legal uncertainty around transfers to the United States. The Data Privacy Framework (2023) partially resolved the issue, but its longevity remains uncertain.

The risks:

  • Using Google Analytics, AWS, Mailchimp, or any US service potentially transfers data outside the EU
  • Google Fonts, CDNs, and advertising pixels create invisible transfers
  • A “Schrems III” could invalidate the DPF at any time

How to protect yourself: Map all data flows to third countries. Prefer solutions hosted in Europe. Mirage Analytics is hosted on Scaleway in France — no data leaves the EU.

5. Failure to respect data subject rights

Right of access, rectification, deletion, portability — data subjects have rights, and businesses must respond within one month. The absence of a procedure to handle these requests leads to individual complaints, which trigger audits.

How to protect yourself: Set up a dedicated email address, a documented procedure, and a request tracking register.

The fast-track procedure: the CNIL’s weapon against SMEs

Since 2022, the CNIL has a fast-track sanction procedure allowing it to impose fines up to €20,000 without a public hearing, based on a written file. This procedure targets the most common and straightforward violations.

In practice, this is a major shift. Before 2022, a CNIL sanction took months and required a rapporteur and a restricted panel. The fast-track procedure settles cases in weeks.

Who is targeted? Primarily small businesses and associations whose websites show obvious violations: cookies without consent, missing privacy policy, contact forms without data processing information.

How does the CNIL detect violations? Two main channels:

  • Individual complaints: Anyone can report a non-compliant website on cnil.fr. This is the main driver of audits.
  • Automated online audits: The CNIL uses bots that scan websites and detect visible violations (non-compliant cookies, missing legal notices). No human intervention needed.
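What an automated pre-consent audit actually looks at, as an added example you can run against your own site before anyone else does. This is illustration code, not the CNIL's scanner and not Complio; it assumes you have already captured, with a headless browser and without touching the banner, the page HTML plus every response and its `Set-Cookie` headers. The capture below is constructed for the example (placeholder hosts), and the list of cookie names treated as essential is an assumption to adapt to your site.

```javascript
// Added example (not the article's or any vendor's tool): audit a pre-consent
// capture of a page for third-party resources and non-essential cookies.
// The capture and the essential-cookie list below are constructed assumptions.

const ESSENTIAL_COOKIE_PATTERNS = [/^PHPSESSID$/, /^csrf/i, /^cookie_consent$/];

// Constructed capture: what a headless browser saw before any banner interaction.
const SAMPLE_CAPTURE = {
  pageUrl: 'https://shop.example/',
  html: `<html><head>
<script src="/static/app.js"></script>
<script async src="https://analytics.example/tag.js?id=PLACEHOLDER"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
</head><body>
<img src="https://ads.example/pixel.gif?u=123">
</body></html>`,
  responses: [
    { url: 'https://shop.example/',
      setCookie: ['PHPSESSID=abc; Path=/; HttpOnly', '_ga=GA1.2.1; Path=/; Max-Age=63072000'] },
    { url: 'https://ads.example/pixel.gif?u=123',
      setCookie: ['uid=xyz; Domain=.ads.example; Path=/; SameSite=None; Secure'] },
  ],
};

function hostOf(url, pageHost) {
  try { return new URL(url, `https://${pageHost}/`).hostname; } catch (e) { return null; }
}

// A subdomain of the page's own host is first-party; anything else is third-party.
function isThirdParty(host, pageHost) {
  return host !== pageHost && !host.endsWith('.' + pageHost);
}

// Every script, image or iframe with a src attribute, in document order.
function extractResourceSrcs(html) {
  const re = /<(?:script|img|iframe)\b[^>]*\ssrc=["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function parseCookieName(setCookieValue) {
  return setCookieValue.split(';')[0].split('=')[0].trim();
}

function auditPreConsent(capture) {
  const pageHost = new URL(capture.pageUrl).hostname;

  const thirdPartyHosts = [...new Set(
    extractResourceSrcs(capture.html)
      .map((src) => hostOf(src, pageHost))
      .filter((h) => h && isThirdParty(h, pageHost)),
  )].sort();

  const cookies = [];
  for (const r of capture.responses) {
    const host = new URL(r.url).hostname;
    for (const raw of r.setCookie || []) {
      const name = parseCookieName(raw);
      cookies.push({
        name,
        host,
        thirdParty: isThirdParty(host, pageHost),
        essential: ESSENTIAL_COOKIE_PATTERNS.some((p) => p.test(name)),
      });
    }
  }

  // Anything non-essential that ran or was set before a choice is a finding.
  const findings = [];
  for (const h of thirdPartyHosts) findings.push(`third-party resource loaded before consent: ${h}`);
  for (const c of cookies) {
    if (!c.essential) {
      findings.push(`non-essential cookie set before consent: ${c.name} (${c.host}${c.thirdParty ? ', third-party' : ''})`);
    }
  }
  return { pageHost, thirdPartyHosts, cookies, findings, compliant: findings.length === 0 };
}

// Run on the constructed capture: two third-party hosts and two non-essential cookies.
const report = auditPreConsent(SAMPLE_CAPTURE);
```

A real scan is only as good as its capture: fetching the HTML with curl misses everything injected by a tag manager, so the capture has to come from a browser that executed the page. A clean report here means "no non-essential tracker before consent", not full compliance; the banner itself (reject at the same level as accept) and the privacy policy still need checking.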

In 2025, over 60% of sanctions targeted SMEs. The myth that the CNIL only cares about Big Tech is definitively buried.

How to avoid a CNIL fine: the checklist

GDPR compliance is not a one-time project. It is continuous hygiene. But certain actions immediately and significantly reduce risk.

Level 1: urgencies (< 1 week)

  • Audit your website — Check cookies, trackers, forms, and privacy policy. Complio performs this audit in minutes and produces an actionable report with a compliance score.
  • Deploy a compliant CMP — Block all non-essential trackers before consent. Offer rejection at the same level as acceptance. Cookilio is compliant with CNIL requirements and consent-exempt in analytics mode.
  • Replace Google Analytics — If you use GA without consent, you are in violation. Mirage Analytics is eligible for CNIL consent exemption, hosted in France, and drops no cookies.
  • Publish a privacy policy — Specific to your activity, in plain language, detailing each processing activity.

Level 2: structural compliance (< 1 month)

  • Maintain a processing register — Mandatory for virtually all businesses (Article 30 GDPR).
  • Manage processors — Verify DPAs (Data Processing Agreements) with every provider that accesses personal data.
  • Define retention periods — For each data category, in line with regulatory guidelines.
  • Set up a rights management process — Dedicated address, documented procedure, request tracking.

Level 3: proactive compliance (ongoing)

  • Train your teams — The GDPR applies to anyone handling personal data in the organisation.
  • Conduct a Data Protection Impact Assessment (DPIA) — Mandatory for high-risk processing activities.
  • Monitor regulatory developments — AI Act, ePrivacy, potential Schrems III: the regulatory landscape evolves constantly.
  • Plan regular audits — Compliance degrades over time (new tools, new practices, staff turnover).

The real cost of non-compliance

Fines are just the tip of the iceberg. CNIL sanctions are published by name on the CNIL website and picked up by the press. For an SME, the reputational risk is disproportionate to the fine amount.

The maths is simple:

  • A fast-track sanction: up to €20,000 + public naming
  • A website audit with Complio: €89 in 10 minutes
  • A compliant CMP with Cookilio: deployed in 5 minutes
  • Sovereign analytics with Mirage Analytics: €19/month

Compliance is not a cost. It is insurance.

FAQ

What is the maximum GDPR fine?

The GDPR provides for fines of up to €20 million or 4% of annual global turnover, whichever is higher. In practice, CNIL fines in France have reached €325 million (Google, 2025). The fast-track procedure is capped at €20,000.

Does the CNIL fine small businesses?

Yes. The fast-track procedure specifically targets common violations by small and medium businesses. In 2025, over 60% of sanctions targeted SMEs. The CNIL uses automated online bots that scan websites regardless of company size.

Which sectors are most sanctioned by the CNIL?

No sector is spared. Recent sanctions cover tech (Google, Criteo, TikTok), e-commerce (SHEIN, Amazon), telecoms (FREE), the public sector (France Travail), and numerous SMEs across all industries. The common denominator is not the sector — it is having an online presence and processing personal data.

How do I know if my website is GDPR-compliant?

A compliance audit identifies visible shortcomings: cookies deployed without consent, missing or incomplete privacy policy, undeclared third-party trackers, non-compliant forms. Complio performs this audit automatically and provides a detailed report with a compliance score and prioritised recommendations.

Can a CNIL sanction be challenged?

Yes. CNIL decisions can be appealed before the Conseil d’État (France’s highest administrative court). However, appeals rarely result in full annulment. The most effective strategy remains prevention: achieving compliance before an audit costs infinitely less than litigation after a sanction.




Sources: CNIL — 2025 Sanctions Report, CNIL — 2024 Sanctions and Corrective Measures, CNIL — Google Sanction (€325M), CNIL — FREE Sanction, CNIL — France Travail Sanction, CNIL — Criteo Sanction, CNIL — Amazon Sanction. Published 30 March 2026.