PROFILE
Mandate and constitution
The Commission Nationale de l'Informatique et des Libertés (CNIL) was established by the Loi Informatique et Libertés of 6 January 1978, making it the oldest data protection authority in Europe and one of the oldest in the world. It pre-dates by a wide margin the EU regime under Directive 95/46/EC and the subsequent GDPR. The 1978 statute, as amended (most recently by the Loi 2018-493 adapting French law to the GDPR), gives the CNIL supervisory authority status under Article 51 GDPR for the territory of France and lead authority status under Article 56 for any controller with its main EU establishment in France.
The CNIL is an Autorité Administrative Indépendante (Independent Administrative Authority) under French public law. Its 18-member College (commissioners) includes parliamentarians, judges, members of consultative bodies and qualified appointees, ensuring institutional independence from the executive. Sanctioning power is vested in a Restricted Committee separated from the College's investigative function, mirroring the procedural-separation requirements of the European Convention on Human Rights and EU institutional-independence law.
Fining philosophy
The CNIL has positioned itself as the EU's most active enforcer on ePrivacy/cookie issues, on ad-tech infrastructure (consent-management platforms, analytics intermediaries, ID-graph vendors), and on Schrems II transfer arrangements. Its decision pace is notably faster than the Irish DPC's for comparable cases: complaint-to-decision timelines are often 12-24 months rather than three to five years. The CNIL also publishes detailed reasoned decisions in most cases (in French and often with English summaries), which makes its jurisprudence accessible to non-French practitioners.
The CNIL's fines tend to be substantial but well below the absolute upper end of Article 83(5). A €150 million fine (Google 2022) and €90 million fine (Google Ireland 2022) are the largest single sanctions, with €60 million fines against Meta (Facebook Ireland), Microsoft and several other major controllers. The CNIL's consistent practice is to pair financial sanctions with detailed injunctions and per-day penalties for non-compliance, ensuring that the corrective effect of the decision is operationalised quickly.
Headline cookie decisions
The cookie enforcement record begins in late 2020 with the Google (€60M) and Amazon (€35M) decisions on cookie placement without consent. The pivotal moment comes in January 2022, when the CNIL issues parallel sanctions of €150 million on Google LLC, €90 million on Google Ireland and €60 million on Facebook Ireland on the "refuse as easily as accept" standard. December 2022 brings the Microsoft €60 million decision applying the same standard to bing.com. December 2023 sees the Yahoo €10 million decision on cookie-consent governance. Throughout 2023-2025 the CNIL continues to apply the standard to smaller controllers, including major French media groups, retailers and adtech intermediaries.
Cumulative cookie fines under the Article 82 LIL framework exceed €470 million across the post-2020 enforcement window. The CNIL has signalled that cookie enforcement remains a priority, with annual programmes targeting specific sectors (publishers in 2023, ad-tech vendors in 2024, sports/media in 2025) to ensure systematic coverage.
Non-cookie GDPR decisions
Beyond cookies, the CNIL's GDPR enforcement covers transparency, security, data-subject rights, lawful basis, and international transfers. Notable decisions include Discord (€800k for retention policy failures, 2022), Clearview AI (€20M parallel to the Garante decision, 2022), Cityscoot (€100k for excessive geolocation, 2023), and several decisions against credit-reference agencies (Cofidis, Sopra Banking) on data-quality and right-to-rectification obligations.
The CNIL has also been at the forefront of Article 5 minimisation enforcement, particularly on telemetric and behavioural data in the connected-vehicle and smart-city contexts. The 2024 Google Analytics decisions (against multiple French website operators, not Google directly) established that the use of Google Analytics in its then-current configuration constituted a non-compliant Chapter V transfer to the US, leading to the rapid uptake of Plausible, Matomo and other EU-hosted analytics alternatives in the French market.
How to engage as a data subject
Data subjects can lodge complaints with the CNIL through the cnil.fr web portal. For complaints involving non-French-established controllers, the CNIL acts as the concerned authority and forwards the complaint to the lead authority through the one-stop-shop mechanism. The CNIL retains a role through the Article 60 cooperation procedure and through Article 65 escalation where consensus cannot be reached.
For cookies specifically, the CNIL accepts complaints on banner UX and on tracking placement without consent through a dedicated portal. The CNIL has published binding guidance (Délibération 2020-091, the "cookie recommendations") that operationalises the Article 82 LIL requirements and forms the basis for the enforcement record described above.
Recent enforcement trends
The CNIL's 2025-2026 priorities, as set out in its annual Stratégie de contrôle, include AI systems and large language models (including web-scraped training data and inference data), connected vehicles and IoT, the health-data-hub and HDS (Health Data Hosting) compliance regime, and continued cookie enforcement focused on dark patterns and consent fatigue. The CNIL has issued guidance on the application of GDPR to LLM training, addressing the data subject rights of individuals whose personal data appears in training corpora.