A year marked by a targeted and intensified enforcement policy
The year 2025 marks a turning point in the CNIL's enforcement action. The restricted committee imposed sanctions in 13 cases under the ordinary procedure, for a total approaching 500 million euros, nearly ten times the 2024 total (54 million euros).
Beyond the record amounts, the thematic concentration of these sanctions is particularly striking. Cookies, data security and direct marketing account for the vast majority of sanctions, both in number and in value.
This focus is partly explained by targeted controls carried out between 2022 and 2024, particularly in the areas of direct marketing and user tracking via mobile applications, which resulted in sanctions issued in 2025, mainly relating to advertising cookies and marketing practices.
At the same time, several cases following personal data breaches led to significant sanctions based on failures in data security.
With fines ranging from €80,000 to €325 million, these decisions outline the contours of a targeted enforcement policy.
Cookies, security and direct marketing at the core of enforcement
Cookies and consent: reinforced technical control
Sanctions relating to cookies have targeted major players:
· Google (€325M)
· Shein (€150M)
· Condé Nast publications (€750,000)
· American Express (€1.5M)
These decisions reflect a significant evolution in the CNIL's control methodology: it now conducts an in-depth technical analysis of whether user choices are actually effective.
Concretely, the CNIL examines the HTTP requests exchanged between the user's browser and the servers (of the publisher or of third parties), in particular the Set-Cookie headers returned by servers and the Cookie headers sent by the browser, which allows it to establish factually:
· the setting of cookies before consent,
· the automatic reading and transmission of cookies,
· the ineffectiveness of refusal mechanisms.
This approach turns the assessment of consent into a factual and binary check: either cookies are blocked before consent, or they are not; either the refusal takes effect instantly, or it does not.
In practice, non-compliance with the CNIL's cookie guidelines and recommendations has become one of the simplest breaches for the authority to establish, and one of the most costly for businesses.
Through technical audits of consent interfaces, default settings and data flows, the CNIL can document infringements that are extremely difficult to challenge on substantive grounds.
Businesses are thus confronted with shortcomings demonstrated by screenshots, HTTP request logs and interface audits, which leave little room for legal debate on the interpretation of obligations.
Data security: towards a near-obligation of result
The Free and Free Mobile cases (€42M), examined by the restricted committee in December 2025 with decisions published in January 2026, illustrate an increasingly broad interpretation of the security obligation laid down in Article 32 of the GDPR.
This approach rests on a requirement of “defence in depth” which, in practice, amounts to an obligation of result: to avoid sanctions, a particularly high and well-documented level of protection must be demonstrated.
The emerging trend is concerning for data controllers: the mere occurrence of a data breach tends to be treated as evidence that security measures were insufficient.
Although the CNIL regularly states that a breach does not automatically constitute a violation of Article 32, in practice breaches almost systematically lead to sanctions, as inspections triggered by incidents nearly always uncover shortcomings when assessed against the CNIL’s very high standards.
Direct marketing: data brokerage and data sharing in the spotlight
The sanctions against SoLocal Marketing Services (€900,000) and Caloga (€80,000) targeted direct marketing practices, particularly in the data brokerage sector.
These sanctions follow from the priority control area on direct marketing that the CNIL launched in 2022, which focused on the practices of professionals in the sector, in particular those who resell data and the many intermediaries in this ecosystem.
The sanctioned pattern:
1. Data collected through online competitions by primary collectors
2. Transmitted to brokers, who integrate it into their databases
3. Used for marketing operations or resold to their advertising customers
The CNIL sanctioned a double lack of consent:
→ No valid consent to canvass prospects: the competition forms did not allow free and unambiguous consent to be obtained (acceptance buttons highlighted, refusal buried in small print).
→ No valid consent to transmit data to partners: the CNIL recalls that, in the data brokerage ecosystem, every processing operation must rest on consent, not on legitimate interest.
Key issue: in the Canal+ case (CE, 5 May 2025, No. 490202), the French Conseil d’État referred to the CJEU the question of “cascade consent”: can consent given to a primary collector for transmission to a “category” of partners suffice, or must each recipient obtain separate consent?
This unresolved issue highlights that the legal framework governing data brokerage is far less clear-cut than CNIL decisions may suggest.
The CNIL's enforcement strategy: focusing on breaches that are straightforward to establish from technical evidence accessible online
The concentration of CNIL sanctions on these three areas reveals a pragmatic logic: to give priority to breaches whose characterization is relatively simple both from a technical and legal point of view.
Unlike concepts such as the proportionality of the processing or the assessment of its legal basis, which call for a contextual legal analysis, breaches relating to cookies, security or direct marketing lend themselves to factual demonstration.
This approach reflects a form of rationalization of the means of control: faced with the magnitude of the challenges and the multiplicity of actors, the authority focuses its resources on the breaches that are most simply characterized and the most likely to set a precedent.
Practical difficulty for businesses: to characterize these breaches, the CNIL relies heavily on soft law, namely its own guidelines and recommendations (in particular on cookies), but also very specialised technical references, such as certain ANSSI recommendations on security.
These texts, which have no binding force in the strict sense, are particularly numerous, evolving and dense.
The use of evolving technical standards raises a practical difficulty: businesses, even mature and structured ones, struggle to obtain a consolidated view of the technical measures expected of them.
At the operational level, however, this strategy is extremely effective: by relying on precise and documented standards, the CNIL makes its decisions difficult to challenge on the facts.
Businesses are thus faced with the following choice: challenge these requirements at the risk of a long and expensive litigation or comply with them as a precautionary principle. In fact, the second option is most often required, making soft law from the CNIL quasi-hard law in practice.
GDPR 2026 compliance: three priority areas for businesses
Faced with the CNIL's enforcement strategy, companies would do well to focus their efforts on technical, documented compliance in three high-risk areas.
First task: technical governance of cookies and consent
Cookie compliance can no longer be limited to displaying a standard cookie banner.
Concrete actions:
→ Identify and map every cookie set, read or transmitted, through an audit of HTTP flows, including third-party trackers that are not actively used.
→ Guarantee the immediate effectiveness of the user's choices: refusal or withdrawal of consent must result in the instantaneous blocking of all reading or writing of non-essential cookies, and the halting of the associated transmissions.
→ Bring consent interfaces into line with the CNIL's guidelines: refusal as easy as acceptance, granular consent by purpose, clear information on recipients.
→ Document each cookie in detail (purpose, duration, recipients, legal basis) so as to demonstrate compliance in the event of a check by the supervisory authority.
Point of attention: using the IAB Transparency and Consent Framework (TCF) does not exempt the business from strict control of the quality and effectiveness of the information provided.
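The HTTP-flow check described in the methodology section and in the first action above can be reproduced on a captured browsing session. The script below is an added example, not the CNIL's tooling and not code from the original text: it takes a list of request/response pairs (in practice exported from a HAR file or a proxy log), the moment the user accepted or refused, and flags every non-essential cookie that was set (Set-Cookie) or sent back (Cookie) before that choice, or at any time after a refusal. The hostnames, cookie names and timings are constructed, and the ESSENTIAL allow-list is an assumption standing in for the per-cookie judgement an auditor has to make.

```python
"""Audit a captured browsing session for non-essential cookies set, read or
transmitted before the user's choice, or after a refusal.

Added example, not CNIL tooling. The capture, hostnames and cookie names are
constructed; the ESSENTIAL allow-list is an assumption (which cookies are
strictly necessary is a judgement made per cookie during the audit).
"""
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed allow-list of cookies exempt from consent (strictly necessary).
ESSENTIAL = {"session_id", "csrf_token", "consent_prefs"}


@dataclass
class Exchange:
    """One request/response pair, with seconds elapsed since page load."""
    t: float
    url: str
    request_cookie: str = ""                        # raw Cookie header sent
    set_cookie: list = field(default_factory=list)  # raw Set-Cookie headers received


@dataclass(frozen=True)
class Finding:
    kind: str    # set_before_choice | sent_before_choice | set_after_refusal | sent_after_refusal
    name: str    # cookie name
    host: str    # host that set or received the cookie
    t: float


def cookie_names(cookie_header: str) -> list:
    """Names in a request Cookie header: 'a=1; b=2' -> ['a', 'b']."""
    names = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if part:
            names.append(part.split("=", 1)[0].strip())
    return names


def set_cookie_name(set_cookie_header: str) -> str:
    """Name in a Set-Cookie header: 'adid=abc; Max-Age=3600; Secure' -> 'adid'."""
    return set_cookie_header.split(";", 1)[0].split("=", 1)[0].strip()


def audit(exchanges, choice_t: float, choice: str) -> list:
    """choice_t: moment the user accepted or refused; choice: 'accept' or 'refuse'.

    Before choice_t nothing non-essential may be set or sent. After a refusal
    the same must hold; after acceptance nothing is flagged.
    """
    if choice not in ("accept", "refuse"):
        raise ValueError("choice must be 'accept' or 'refuse'")
    findings = []
    for ex in sorted(exchanges, key=lambda e: e.t):
        if ex.t < choice_t:
            phase = "before_choice"
        elif choice == "refuse":
            phase = "after_refusal"
        else:
            continue  # consent given: cookies are allowed from here on
        host = urlsplit(ex.url).hostname or ""
        for raw in ex.set_cookie:
            name = set_cookie_name(raw)
            if name not in ESSENTIAL:
                findings.append(Finding("set_" + phase, name, host, ex.t))
        for name in cookie_names(ex.request_cookie):
            if name not in ESSENTIAL:
                findings.append(Finding("sent_" + phase, name, host, ex.t))
    return findings


def summarize(findings) -> dict:
    """Count findings per kind, e.g. {'set_before_choice': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed capture: a publisher page plus a third-party ad pixel, with the
# user clicking "refuse" 5 seconds after page load.
SAMPLE = [
    Exchange(0.0, "https://www.publisher.test/", "",
             ["session_id=7f3a; Path=/; HttpOnly; Secure",
              "_ga=GA1.2.1111; Max-Age=63072000; Domain=.publisher.test"]),
    Exchange(0.3, "https://ads.adnet.test/pixel?site=publisher", "adid=abc123",
             ["adid=abc123; Max-Age=31536000; SameSite=None; Secure"]),
    Exchange(5.4, "https://www.publisher.test/article",
             "session_id=7f3a; _ga=GA1.2.1111", []),
    Exchange(6.1, "https://ads.adnet.test/pixel?site=publisher", "adid=abc123",
             ["adid=abc123; Max-Age=31536000; SameSite=None; Secure"]),
]
CHOICE_T = 5.0

if __name__ == "__main__":
    for f in audit(SAMPLE, CHOICE_T, "refuse"):
        print(f"t={f.t:4.1f}  {f.kind:<20} {f.name:<12} {f.host}")
    print(summarize(audit(SAMPLE, CHOICE_T, "refuse")))
```

On the constructed capture the audit returns six findings: the analytics cookie and the third-party advertising cookie are set before any choice, the advertising cookie is already sent back before the choice, and both keep being read and refreshed after the refusal. Each finding carries the timestamp and host, which is exactly the kind of evidence (request logs rather than banner wording) that the decisions discussed above rely on. Re-running the same capture with choice set to "accept" leaves only the three before-choice findings, which shows why "cookies blocked until consent" has to be verified independently of "refusal is effective".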
Second task: “defence in depth” and security documentation
The near-absolute security requirement calls for a multi-layered strategy and full traceability of the measures deployed.
Concrete actions:
→ Deploy defence in depth combining several independent security mechanisms, distributed at different levels of the system and designed as additional bulwarks should another security layer fail.
→ Compile comprehensive technical documentation of the security measures implemented, their level of protection and their conformity with state-of-the-art references (ANSSI recommendations, ISO/IEC 27001, etc.).
→ Formalise a data breach management procedure allowing rapid detection, risk assessment, notification within the regulatory deadline (72 hours from becoming aware of the breach, under Article 33 of the GDPR) and comprehensive documentation of the incident and of the corrective actions.
Key point: this documentation will be decisive in the event of a data breach, to demonstrate that the measures taken were appropriate.
Third task: validity and traceability of consent for direct marketing
Marketing operations, particularly in the context of data pooling or brokerage, call for increased vigilance on lawfulness and transparency.
Concrete actions:
→ Map all customer data flows, precisely identifying the sources, recipients, purposes and legal bases of each marketing operation. This map must be kept up to date, especially when new commercial partnerships are entered into.
→ Systematically check the lawfulness of each marketing campaign: explicit consent for direct marketing by electronic means (e-mail, SMS), legitimate interest with a documented balancing of interests for direct marketing by post or telephone, and respect for the right to object.
→ For data brokers and recipients, concretely check the validity of the consent relied on at each link in the chain: the controller cannot rely on mere contractual commitments from its partners, but must ensure that the data subjects validly consented, both to being canvassed and, where applicable, to the transmission of their data to identified or clearly identifiable third parties. This involves auditing the forms used by primary collectors, ensuring the conformity of the consent collection interfaces and documenting these checks.
→ Secure collection forms and information interfaces, by ensuring that the choices offered are not ambiguous or misleading, that the purposes of direct marketing and the categories of recipients are clearly stated at the time of collection, and that the presentation of options does not bias the expression of consent through inductive or unbalanced design mechanisms.
Anticipating 2026: an operational compliance imperative
The CNIL will soon publish its priority control areas for 2026.
In the meantime, companies have every interest in assuming that cookies, security and direct marketing will remain at the heart of the authority's enforcement action.
The message to businesses is unequivocal: the triptych of the CNIL's 2025 sanctions outlines an enforcement strategy built on breaches that are relatively simple to establish through an online check, without complex and time-consuming on-site investigations.
