The CNIL is no longer a symbolic authority. In 2025 and 2026, its restricted committees imposed fines of several million euros on French companies of all sizes, including online commerce and retail players. A CNIL sanction can represent up to 4% of worldwide annual turnover, amounts capable of durably weakening an SME or a startup. Yet, in the vast majority of cases, these sanctions are avoidable or, failing that, can be mitigated. One must still understand how the CNIL proceeds, what the most frequently sanctioned breaches are, and how to react quickly and effectively when proceedings are initiated.
This article gives you the keys to securing your digital activity, anticipating an inspection and, if necessary, managing sanction proceedings.
The Commission nationale de l'informatique et des libertés has several avenues to initiate an inspection. It can act on a complaint from an individual (customer, employee, competitor), on a referral from another European authority under the one-stop-shop mechanism, on its own initiative after monitoring websites and applications, or following a data breach notified by the company itself.
Once the decision to inspect has been made, the CNIL can intervene in several ways: online inspection (visiting the website, testing forms and cookies from an external workstation), on-site inspection at the organization's premises, or requests for documents and questionnaires sent by mail. In decision SAN-2025-017 of 30 December 2025, which led to a fine of 3.5 million euros, the CNIL carried out an online inspection on 5 January 2023 and an on-site inspection on 26 January 2023 at the premises of a retail company operating a loyalty program comprising more than 10.5 million members.
The procedure comprises two distinct phases that should not be confused.
The formal notice is an injunction addressed directly by the President of the CNIL, without going through the restricted committee. It sets a deadline to achieve compliance, generally between one and six months. If the organization complies within the deadline, the procedure is closed. If not, a rapporteur is appointed and the file is transmitted to the restricted committee, a collegial body that rules following an adversarial procedure and may impose one or more corrective measures.
These corrective measures include in particular: a warning, an injunction to comply (possibly accompanied by a penalty payment of up to 100,000 euros per day of delay), and an administrative fine. Under Article 83 of the GDPR and Article 20 of the French Data Protection Act of 6 January 1978, fines can reach 10 million euros or 2% of worldwide annual turnover for first-level violations, and 20 million euros or 4% of turnover for the most serious violations (notably breaches of the fundamental principles of processing and of individuals' rights).
Article 6 of the GDPR sets out the principle of lawfulness of processing: any collection or use of personal data must rest on one of the six legal bases provided for by the regulation (consent, performance of a contract, legal obligation, vital interests, public interest task or legitimate interest). Acting without a valid legal basis constitutes one of the most serious violations in the eyes of the CNIL.
In the SAN-2025-017 case, the company had transmitted the data of its 10.5 million loyalty program members to a social network in order to carry out targeted advertising, relying on the consent of those individuals. However, the restricted committee found that this consent was neither specific nor informed: the loyalty program enrollment form did not clearly mention the purpose of this transmission, and the relevant information was scattered across documents accessible only through links at the bottom of the page. Valid consent within the meaning of Article 4(11) of the GDPR must be free, specific, informed and unambiguous, and must be expressed through a clear affirmative action. It cannot be inferred from silence or from an agreement relating to a distinct purpose.
An analysis of decisions published since 2023 reveals a concentration of breaches around five broad categories.
Figure: CNIL inspections (concrete examples observed during CNIL inspections).
In the same SAN-2025-017 case, the CNIL also found, in parallel: the breach of Article 13 (personal data policy not specifying the legal bases by purpose, absence of a retention period for the loyalty program, references to the Privacy Shield invalidated since the CJEU's Schrems II judgment of 16 July 2020), the breach of Article 32 (passwords accepted with an entropy of only 26 bits, storage of passwords via SHA256 deemed inadequate in light of ANSSI and CNIL recommendations), the breach of Article 35 (absence of an impact assessment for processing cross-referencing the data of more than 10.5 million people), and the breach of Article 82 (eleven cookies placed before any consent was collected, some of which were not deleted after the user's explicit refusal).
GDPR compliance is not a binary state (compliant or non-compliant) but a continuous improvement process. Here are the actions whose absence directly exposes you to a sanction.
1. Maintain a record of processing activities. Under Article 30 of the GDPR, any organization processing personal data is required to document all of its processing operations: purposes, categories of data, retention periods, recipients, legal bases, any transfers outside the EU. This is the starting point of any compliance effort and the first document requested during an inspection.
2. Verify and document the legal bases of each processing operation. Each processing operation must be attached to a specific legal basis, clearly stated in the information documents. For electronic commercial prospecting, targeted advertising or behavioral analytics, the legal basis must generally be consent, obtained before any data is collected, through an active and specific mechanism.
3. Bring the cookie policy into compliance. Article 82 of the French Data Protection Act prohibits any placement of non-essential trackers before the user has expressed their choice. The "Refuse" button must be as visible and accessible as the "Accept" button. Refused cookies must be effectively deleted.
4. Secure data in accordance with Article 32 of the GDPR. The CNIL recommends, for passwords, an entropy of at least 80 bits (i.e. a minimum of 12 characters including uppercase letters, lowercase letters, digits and special characters drawn from a list of at least 37 possible characters) or 50 bits when combined with an access restriction mechanism (captcha, lockout after repeated failures). For password storage, the recommended functions are Argon2, bcrypt, scrypt or PBKDF2. SHA256, even salted, is no longer considered adequate by ANSSI and the CNIL: a salt defeats precomputed tables but adds no work per guess, so an attacker still tests candidates at full SHA256 speed.
5. Carry out a DPIA before any high-risk processing. Article 35 of the GDPR requires a data protection impact assessment when a processing operation is likely to result in a high risk to individuals' rights and freedoms, particularly in the case of large-scale processing or data cross-referencing. A DPIA involves describing the processing, assessing the risks and defining mitigation measures.
6. Appoint and register a data protection officer (DPO). The appointment of a DPO is mandatory for public authorities, organizations carrying out regular and systematic large-scale monitoring, and those processing sensitive data on a large scale. In 2022, the CNIL issued public formal notices against 22 municipalities that had not appointed a DPO. For companies not subject to the obligation, the voluntary appointment of a DPO is a strong signal of seriousness in the event of an inspection.
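The storage point in action 4 is the one the SAN-2025-017 company had to fix (salted SHA256 replaced by a dedicated password function). The following Python is an added example, not code from the page or from any company it describes: it keeps a legacy salted-SHA256 record verifiable, and on the next successful login transparently rehashes it with scrypt (one of the four functions the CNIL lists, chosen here because it ships in the standard library; the scrypt parameters and the record layout are assumptions). Argon2 would need a third-party package and is otherwise a drop-in replacement for the scrypt branch.

```python
import hashlib
import hmac
import os

# Assumed work factors: N=2^14, r=8, p=1 uses 16 MiB per hash, which is what
# makes large-scale guessing expensive. A salt alone gives no such cost.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def legacy_sha256_record(password: str, salt: bytes) -> dict:
    """Legacy scheme judged inadequate in the decision: SHA256 over salt+password.
    The salt only prevents precomputed tables; each guess still costs one SHA256."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return {"scheme": "sha256", "salt": salt.hex(), "hash": digest}


def scrypt_record(password: str) -> dict:
    """Recommended scheme: per-user random salt plus a memory-hard, tunable function."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, dklen=DKLEN)
    return {"scheme": "scrypt", "salt": salt.hex(), "hash": key.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify(password: str, record: dict) -> bool:
    """Recompute with whatever scheme the record carries; constant-time compare."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "sha256":
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    elif record["scheme"] == "scrypt":
        candidate = hashlib.scrypt(password.encode(), salt=salt, n=record["n"],
                                   r=record["r"], p=record["p"], dklen=DKLEN).hex()
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login_and_upgrade(password: str, record: dict):
    """Authenticate, then migrate legacy records at the only moment the plaintext
    is available. Returns (success, record_to_store)."""
    if not verify(password, record):
        return False, record
    if record["scheme"] != "scrypt":
        record = scrypt_record(password)
    return True, record


def migration_progress(records) -> dict:
    """Count records per scheme: evidence that the migration is progressing."""
    counts = {}
    for rec in records:
        counts[rec["scheme"]] = counts.get(rec["scheme"], 0) + 1
    return counts
```

Run `migration_progress` over the user table periodically; a table still containing sha256 records after the migration window should trigger a forced password reset for those accounts.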
Loyal cooperation is a mitigating factor expressly provided for in Article 83(2) of the GDPR. In the SAN-2025-017 case, the restricted committee took note of the compliance efforts made by the company during the procedure (strengthening of the password policy, replacement of SHA256 with Argon2, deletion of non-compliant cookies, updating of the personal data policy). These efforts did not exonerate the company from its liability for the past, but they avoided the imposition of an injunction and contributed to proportioning the amount of the fine.
In practice, this means: responding to CNIL requests within the deadlines, providing the requested documents, not concealing information and, above all, quickly undertaking corrective measures upon notification of the grievances.
The procedure before the restricted committee is strictly regulated. It takes place in several phases.
Figure: CNIL procedure.
The stakes of the written observations in response are crucial. It is at this stage that the organization must develop its legal arguments (challenging the breaches found, the characterization of the facts, the proportionality of the envisaged sanction), but also document the compliance measures already carried out or in progress. Bringing into compliance during the procedure can avoid the imposition of an injunction and influence the amount of the fine.
Several legal levers can be mobilized.
Challenging the breaches themselves. The organization can challenge the legal characterization adopted by the rapporteur (for example, arguing that the processing rests on a valid legal basis, or that the security measures put in place met the state of the art at the time of the facts). In the SAN-2025-017 case, the company had notably argued that SHA256 hashing supplemented by a 480-bit salt met ANSSI's recommendations. The restricted committee rejected this argument, specifying that the salt, while it increases the number of possible hashes, has no impact on the attacker's computation speed, which remains the central issue.
The proportionality of the fine. Article 83 of the GDPR and CJEU case law (notably CJEU, 5 December 2023, Deutsche Wohnen, and CJEU, 13 February 2025, Ilva A/S) require the fine to be effective, proportionate and dissuasive, and to take into account the real economic capacity of the organization. The financial situation (turnover, net income, cash position, debt) can be an argument to reduce the amount.
The absence of recidivism and cooperation. The absence of prior history with the CNIL, spontaneous compliance and active cooperation constitute mitigating factors expressly provided for in Article 83(2)(e) and (f) of the GDPR.
The publication or not of the decision. The restricted committee may decide to make its decision public, specifying that the company will no longer be identifiable after a certain period (generally two years). The organization can request non-publication or, failing that, immediate anonymization by invoking the disproportionate risk to its commercial activity.
Anticipating a CNIL sanction requires a precise and up-to-date knowledge of the applicable obligations, the authority's inspection practices and the case law of the restricted committees. The Mirabile firm intervenes at every stage of this support.
Upstream, the firm's lawyers carry out a GDPR compliance audit tailored to your digital or commercial activity: analysis of the record of processing activities, verification of legal bases, examination of information documents (privacy policy, legal notices, T&C, GTC), audit of cookie management, and review of contracts with your processors and technical providers (which must contain the clauses required by Article 28 of the GDPR). This audit leads to a prioritized action plan, taking into account the risks specific to your sector and the size of your organization.
The firm also supports companies in the drafting and securing of their digital and commercial contracts: GDPR processing agreements, joint controllership agreements, general terms of sale and use compliant with consumer law and digital law, clauses relating to intellectual property and data protection in distribution and franchise contracts.
Finally, the firm provides continuous regulatory monitoring, notably on the recommendations and guidelines of the European Data Protection Board and the CNIL's new decisions, to adapt your compliance in real time.
When proceedings are initiated, time is a decisive factor. Every missed deadline, every poorly formulated argument can worsen the situation. The Mirabile firm provides full representation before the CNIL, from the response to the inspection delegation's first requests through to the hearing before the restricted committee.
In this context, the firm handles the drafting of the written observations in response to the sanction report, the compilation of the compliance evidence file, the defense strategy on the substantive and proportionality arguments, and if necessary, the appeal before the Conseil d'État within two months of the decision. Decision SAN-2025-017 expressly mentions this avenue of appeal.
The firm also intervenes in the event of a data breach, to support you in the mandatory notification to the CNIL within 72 hours (Article 33 of the GDPR) and the communication to the affected individuals, while limiting exposure to subsequent proceedings.
The risk of a CNIL sanction is not the preserve of large groups. SMEs, e-merchants and startups are equally exposed, often with fewer resources to deal with it. Three practical lessons emerge from the analysis of recent decisions.
Consent is not a formality. It must be specific to each purpose, formulated in clear terms, obtained before any data collection or cookie placement, and revocable at any time without loss of service. A poorly designed form or an ambiguous user journey is enough to characterize a breach of Article 6 or Article 82.
Technical security is an objective criterion. The CNIL and ANSSI publish precise recommendations on the standards expected for passwords, encryption and data storage. Deviating from them without valid justification is an aggravating factor.
Bringing into compliance during the procedure has value. It does not eliminate liability for past facts, but it can avoid an injunction and weigh on the amount of the fine. The earlier it occurs, the more credible it is in the eyes of the restricted committee.
Mirabile Avocat supports the directors of micro-businesses/SMEs, e-merchants, startups and retail players in all the legal aspects of their digital and commercial activity: GDPR compliance, contract drafting, dispute management and defense before supervisory authorities. For any question on your exposure to CNIL risk or for an initial analysis of your situation, do not hesitate to contact our teams.
To learn more
A CNIL sanction is a measure imposed by the data protection authority in the event of a breach of the GDPR. It can reach up to 4% of worldwide annual turnover, amounts capable of durably weakening an SME or a startup.
Proceedings can be triggered following an inspection, a complaint or a data breach. The CNIL investigates the file and, in the event of a breach, may initiate sanction proceedings. Understanding this mechanism makes it possible to anticipate and react effectively.
A CNIL sanction can represent up to 4% of the company's worldwide annual turnover. Such amounts can durably weaken an SME or a startup, which underscores the importance of preventing breaches.
In the vast majority of cases, sanctions are avoidable or, failing that, can be mitigated. One must still understand how the CNIL proceeds, which breaches are frequently sanctioned and how to react quickly when proceedings are initiated.
Frequently sanctioned breaches concern the absence of a legal basis, the lack of information, insufficient data security and the failure to respect individuals' rights. Knowing these points of vigilance helps reduce the risk of sanction.
Prevention requires rigorous compliance: a valid legal basis, information of individuals, data security, an up-to-date record and respect for rights. Anticipating an inspection and correcting breaches strongly reduces the risk of sanction.
You must react quickly: analyze the grievances, gather the compliance evidence, cooperate with the CNIL and structure your defense. An effective and well-prepared reaction often makes it possible to mitigate, or even avoid, the sanction.
A lawyer helps reduce the risk of sanction by securing compliance, anticipating an inspection and managing sanction proceedings. This support makes it possible to defend the company and mitigate the consequences of CNIL proceedings.