CNIL cookie sanctions: real cases you should know
17 March 2026 · FlowConsent
TL;DR
The CNIL (French data protection authority) regularly sanctions companies for non-compliance with cookie and tracker regulations. The most common violations are setting cookies without prior consent, failing to provide a Reject button as visible as the Accept button, and inadequate user information. In 2025, cookies were among the top reasons for sanctions with 21 decisions, including two major fines of 325 million euros (Google) and 150 million euros (Shein).
Why does the CNIL sanction cookie violations?
The CNIL is competent to control and sanction cookie-related operations under Article 82 of the French Data Protection Act, which transposes the ePrivacy Directive. This competence applies to any website accessible from France, including sites headquartered outside France.
Since 2020, the CNIL has made cookies a priority enforcement theme. In 2024, 11 organisations were sanctioned for cookie violations. In 2025, 21 sanctions were issued for a cumulative amount exceeding 475 million euros.
The most significant cookie sanctions
Google: 100 million euros (December 2020)
Sanctioned for setting advertising cookies without consent, failure to inform users, and a defective opposition mechanism. Confirmed by the French Council of State in 2024.
Amazon: 35 million euros (December 2020)
Sanctioned for setting cookies without consent and failure to inform users. Confirmed by the Council of State in September 2024.
Google: 150 million euros (December 2021)
google.fr and youtube.com offered a button to accept cookies but no equivalent to refuse them (5 clicks needed). Facebook was sanctioned the same day for 60 million euros.
Microsoft, Apple, TikTok (December 2022)
Microsoft (Bing): 60 million euros. Apple: 8 million euros for advertising cookies on iOS. TikTok: 5 million euros. All sanctioned for setting cookies without consent and/or lacking an equivalent refusal mechanism.
Google: 325 million euros (September 2025)
Highest cookie fine ever issued by the CNIL. Setting trackers without consent, refusal process more complex than acceptance, and commercial incentives conditioning service access on cookie acceptance.
Shein: 150 million euros (September 2025)
Advertising cookies without consent, lack of clarity in user information, and a deliberately complex process for refusing advertising tracking.
Which violations are most commonly sanctioned?
- Setting cookies before consent. The most common violation. A cookie audit detects this.
- No Reject button as visible as Accept. Basis for Google's 150 million euro fine (2021). Refusal must be as simple as acceptance, in a single click.
- Inadequate user information. Unclear banner or incomplete cookie policy.
- Failure to respect refusal. User refuses but trackers continue to operate, or consent is abusively re-requested.
Sanctions are not limited to large corporations
The CNIL also sanctions companies of all sizes through its simplified procedure. Fines are capped at 20,000 euros but come with compliance injunctions. The risk of inspection exists for any site accessible from France, regardless of size.
How to avoid a CNIL cookie sanction?
- Do not trigger any non-essential cookies before the visitor's choice.
- Display a Reject button as visible as Accept at the first level.
- Provide clear information about tracker purposes.
- Respect refusal: actually block scripts when the visitor refuses.
- Do not re-request consent on every visit (maximum 13 months).
- Allow consent withdrawal at any time (footer link).
- Run a regular scan of your site.
- Use a CMP that blocks scripts and stores proof of consent.
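An added example, not from the original article or from FlowConsent's tooling: a minimal check for the first item above, flagging cookies set before the visitor has made a choice. It assumes a constructed HAR-style capture of the first page load with no banner interaction; the host names, cookie names and the essential-cookie allowlist are hypothetical.

```javascript
// Hypothetical first-party host and site-specific allowlist of strictly necessary cookies.
const SITE_HOST = "shop.example";
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token", "consent_state"]);

// Constructed sample: responses recorded BEFORE any click on the consent banner.
const preConsentEntries = [
  { url: "https://shop.example/",
    setCookie: ["session_id=abc; Path=/; HttpOnly; Secure",
                "_visitor=42; Max-Age=31536000; Path=/"] },
  { url: "https://ads.tracker.example/pixel.gif",
    setCookie: ["uid=9f1; Domain=tracker.example; Max-Age=34164000; SameSite=None; Secure"] },
  { url: "https://cdn.example/app.js", setCookie: [] },
];

// Parse one Set-Cookie header into { name, value, attrs }; null if malformed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return every cookie set before consent that is not an allowlisted first-party cookie.
function auditPreConsent(entries, siteHost, essential) {
  const findings = [];
  for (const entry of entries) {
    const host = new URL(entry.url).hostname;
    const thirdParty = host !== siteHost && !host.endsWith("." + siteHost);
    for (const header of entry.setCookie) {
      const c = parseSetCookie(header);
      if (!c) continue;
      if (!thirdParty && essential.has(c.name)) continue; // strictly necessary
      const persistent = "max-age" in c.attrs || "expires" in c.attrs;
      findings.push({ name: c.name, host, thirdParty, persistent });
    }
  }
  return findings;
}

const findings = auditPreConsent(preConsentEntries, SITE_HOST, ESSENTIAL_COOKIES);
console.log(findings);
```

Cookies written by scripts through `document.cookie` never appear in `Set-Cookie` headers, so a full audit also has to read the browser's cookie jar after the page has loaded.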
Conclusion
CNIL cookie sanctions are not theoretical. They affect large corporations and mid-sized companies alike, and amounts increase every year (487 million euros cumulative in 2025). The sanctioned violations are concrete and avoidable. Compliance relies on a properly configured CMP and regular auditing.
Start with a free scan of your site to verify that your cookies do not fire before consent.
Frequently asked questions
Can the CNIL sanction a website headquartered outside France?
Yes. The CNIL is competent to sanction cookie-related operations on any website accessible from France, regardless of where the company is headquartered. This is the basis on which Google (US-based), Amazon, TikTok, Apple and Shein were sanctioned.
What is the maximum fine the CNIL can impose for cookie violations?
For violations of Article 82 of the French Data Protection Act (ePrivacy Directive), the fine can reach 2% of the company's annual worldwide turnover or 10 million euros, whichever is higher. In practice, the CNIL has issued fines up to 325 million euros (Google, 2025).
Do small businesses risk CNIL cookie sanctions?
Yes. The CNIL uses its simplified procedure to sanction companies of all sizes, with fines capped at 20,000 euros. In 2024, 11 organisations were sanctioned through this procedure for cookie violations. These sanctions are not made public but include compliance injunctions.
Which cookie violations does the CNIL most commonly sanction?
The four most frequently sanctioned violations are: setting cookies before consent, no Reject button as visible as the Accept button, failure to inform users about tracker purposes, and not respecting refusal or consent withdrawal.
How do I know if my site risks a CNIL cookie sanction?
Run a cookie scan to check if trackers fire before consent. Verify that your banner offers a Reject button as visible as Accept. If third-party cookies fire before banner interaction or refusal is not as simple as acceptance, your site presents a non-compliance risk.
Does the CNIL proactively inspect cookie compliance?
Yes. The CNIL conducts proactive online inspections, in addition to inspections triggered by user complaints. Since 2021, cookies have been among the priority enforcement themes. The CNIL has adopted nearly 100 corrective measures (formal notices and sanctions) related to cookies since 31 March 2021.