Sanctions and corrective measures: CNIL’s actions in 2025

09 February 2026


Cookies, employee monitoring and data security were the main subjects of sanctions imposed by the CNIL in 2025, with fines totalling €486,839,500. 

Key figures

259 decisions, including:

  • 83 sanctions
  • 143 compliance orders
  • 31 reminders of legal obligations
  • 2 warnings

€486,839,500 in cumulative fines

Sanctions issued

In 2025, 83 sanctions were issued by the CNIL, for a total amount of €486,839,500. Among these penalties, 16 were imposed by the restricted committee, the CNIL body responsible for issuing sanctions under the ordinary procedure, and 67 by its chair alone or by a member of this committee, under the simplified procedure introduced in 2022.

These sanctions include 78 fines (including 27 with injunctions under penalty payments), three decisions to impose penalties (i.e. the payment of a sum for failure to comply with an order given by the CNIL in its sanction decision) and two warnings. Ten of these decisions have been made public.

Of the sixteen penalty decisions adopted by the restricted panel under the ordinary procedure, four were adopted in cooperation with the CNIL's European counterparts, as part of the one-stop shop procedure provided for by the GDPR. At the same time, the CNIL examined nine draft decisions by European counterparts relating to processing operations concerning, in particular, persons residing in France.

Cookies and other trackers: rules that can no longer be ignored

Five years after publishing its guidelines and recommendations, the CNIL has continued its action plan on cookies and other trackers. The investigations carried out have revealed situations of non-compliance.

Twenty-one entities were sanctioned by the restricted committee or under the simplified sanction procedure for various breaches of the rules on trackers: storage without the user's consent, insufficient information provided to individuals (so that the consent could not be considered “informed”) or failure to effectively take into account the user's refusal or withdrawal of consent.

These decisions emphasise the impact of these practices on internet users, whose data is sometimes processed without their knowledge, and the fact that the sanctioned parties could not have been unaware of the applicable rules, as the CNIL has widely communicated these rules for several years. It was in light of these factors that the restricted committee imposed fines of €325 million and €150 million on two major players.

Enforcing the framework applicable to the video surveillance of employees 

In 2025, 16 organisations were sanctioned for non-compliance with the rules applicable to video surveillance of employees.

In the absence of exceptional circumstances related, for example, to specific security or anti-theft issues, permanent video surveillance of employees constitutes a breach of personal data protection.

Devices that continuously film employees at cash registers or in offices are therefore contrary to these rules. Similarly, hidden cameras may only be installed in exceptional circumstances, and on condition that a fair balance is struck between the objective pursued (the protection of property and individuals) and the protection of employees' privacy. 

Penalising breaches of subcontractors' obligations

In addition to the decisions adopted on cookies and video surveillance, the restricted committee also sanctioned non-compliance with the obligations incumbent on subcontractors with regard to the data entrusted to them. It thus reiterated that subcontractors must:

  • implement appropriate technical and organisational measures to ensure an adequate level of security;
  • process data only on the instructions of the data controller;
  • and delete the data at the end of their contractual relationship with the data controller.

Simplified sanctioning procedure: recurrent breaches sanctioned

In 2025, insufficient security of personal data, failure to cooperate with the CNIL and failure to respect individuals' rights are the three main grounds for sanctions under the simplified procedure.

A breach relating to personal data security was found against 14 organisations that had not implemented all the necessary measures to ensure data security and confidentiality, such as the use of insufficiently robust passwords or the use of accounts shared between users.

Similarly, 14 organisations (companies, independent professionals) were sanctioned for failing to respond to requests from the CNIL.

Finally, 14 decisions were taken for failing to comply with requests for erasure, objection or access.

Prospecting, whether commercial or political, was also the subject of 10 penalty decisions. The CNIL reiterated that in order to carry out commercial prospecting operations by electronic means, the consent of individuals is mandatory for direct prospecting or the transmission of their data to commercial partners. The CNIL also sanctioned five candidates in the 2024 European and legislative elections, reminding them in particular of their obligation to be able to justify the lawfulness of sending political prospecting messages.

Please note:

All fines imposed by the CNIL, whether on private or public entities, are collected by the Treasury (Public Finances Directorate General) and paid into the State budget.

Compliance orders

In 2025, the CNIL issued 143 compliance orders.

Several concerned the child welfare sector, for the following breaches: the absence of a rigorous data retention policy for minors' files, of information for individuals and of a policy for managing authorisations and passwords, as well as failure to keep a processing register and to carry out a data protection impact assessment.

Other orders were issued to websites that allowed cookies and other trackers to be placed without obtaining the consent of individuals, either by not allowing them to easily refuse the placement of cookies or by not taking into account the withdrawal of users' consent.

Finally, several mobile applications and online games, a significant proportion of whose users are minors, were ordered to strengthen user age verification and improve transparency in order to better protect minors' data.