France’s Data Protection Authority Reports €486.8 Million in Fines During 2025

Key Takeaways
  • Fines Reached Nearly $530 Million: The CNIL imposed €486.8 million in cumulative fines in 2025, underscoring an unusually active year for enforcement.
  • Cookie Compliance Remains a Pain Point: Despite years of guidance, tracker violations continued to drive some of the largest penalties, including €325 million and €150 million fines against two major players.
  • Employee Monitoring Drew Firm Lines: Sixteen organizations were sanctioned for unlawful video surveillance, with the CNIL reiterating that continuous monitoring of staff is rarely permissible.
  • Security and Processor Failures Persisted: Weak data security measures and subcontractor non-compliance featured prominently, particularly under the simplified sanctioning procedure.
  • Children’s Data Stayed in Focus: Compliance orders emphasized stronger safeguards for minors, including improved age verification and data governance in sensitive sectors.
Deep Dive

Over the course of the last year, France’s data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), issued 259 decisions, ranging from sanctions and compliance orders to reminders of legal obligations and warnings. Together, those actions translated into €486,839,500 in cumulative fines, or roughly $530 million, with cookies, employee monitoring, and data security emerging as the most common fault lines.

Sanctions made up a significant share of that activity. The authority imposed 83 sanctions in total, most of them financial. Sixteen were adopted by the CNIL’s restricted committee under the ordinary procedure, while 67 were issued through the simplified procedure introduced in 2022. In practice, that meant 78 fines, including 27 accompanied by injunctions and penalty payments designed to force corrective action, alongside three penalty-payment decisions for failures to comply with earlier orders and two warnings. Ten of those decisions were made public. Cross-border enforcement also featured during the year, with four sanctions adopted in cooperation with other European regulators under the GDPR’s one-stop-shop mechanism, and nine draft decisions from EU counterparts examined by the CNIL where processing affected individuals in France.

Cookies and other tracking technologies continued to dominate the enforcement agenda, five years after the CNIL first set out its guidelines and recommendations. Investigations throughout 2025 showed that non-compliance remains stubbornly common. Twenty-one entities were sanctioned for breaches including storing trackers without user consent, providing insufficient information that undermined the validity of consent, or failing to properly respect refusals or withdrawals. In its decisions, the CNIL stressed the real-world impact of these practices on internet users, whose data may be processed without their knowledge, and pointedly noted that the organizations involved could not plausibly claim ignorance of rules that have been repeatedly and publicly explained. Against that backdrop, the restricted committee imposed €325 million and €150 million fines on two major players.

Workplace monitoring was another area where the authority drew firm lines. In 16 cases, organizations were sanctioned for unlawful video surveillance of employees. The CNIL reiterated that, outside exceptional circumstances linked to specific security or anti-theft concerns, permanent monitoring of staff is incompatible with data protection rules. Continuous filming of employees at cash registers or in office settings was cited as particularly problematic. Hidden cameras, the authority added, may only be justified in rare situations and only where a careful balance is struck between the aim pursued and employees’ right to privacy.

Beyond cookies and cameras, the CNIL also turned its attention to the role of subcontractors. Several sanctions targeted failures by processors to meet their obligations in relation to the data entrusted to them. In doing so, the restricted committee restated familiar but often overlooked requirements: processors must implement appropriate technical and organizational security measures, act solely on the instructions of the data controller, and delete data once their contractual relationship ends.

Many of the year’s cases were handled through the simplified sanctioning procedure, reflecting what the CNIL described as recurrent breaches. Insufficient data security featured prominently, with 14 organizations sanctioned for issues such as weak passwords or the use of shared user accounts. Another 14 organizations, including companies and independent professionals, were penalized for failing to cooperate with the authority, while 14 decisions addressed failures to respect individuals’ rights to access, erasure, or objection.

Prospecting practices also remained under scrutiny. Ten sanctions concerned unlawful commercial or political electronic marketing, with the CNIL reiterating that consent is mandatory for electronic prospecting and for sharing personal data with commercial partners. The authority also sanctioned five candidates involved in the 2024 European and legislative elections, reminding them of their obligation to be able to demonstrate the lawful basis for sending political campaign messages. As with other penalties, all fines imposed by the CNIL, on both public and private bodies, are collected by the Treasury and paid into the state budget.

Enforcement in 2025 was not limited to punishment. The CNIL issued 143 compliance orders, many of them aimed at correcting structural weaknesses rather than penalizing past conduct. Several orders focused on the child welfare sector, citing shortcomings such as inadequate data retention policies for minors’ files, weak access and password management, missing processing registers, and the absence of data protection impact assessments. Others targeted websites that placed cookies or trackers without valid consent mechanisms, including failures to allow users to easily refuse cookies or to respect withdrawals of consent. Mobile applications and online games with large numbers of minor users were also ordered to strengthen age verification and improve transparency to better protect children’s data.
