France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), issued €486.8 million in fines in 2025, highlighting a year marked by intensified enforcement against cookie violations, employee surveillance practices and data security failures.
According to the CNIL’s annual enforcement summary released Feb. 9, 2026, the authority adopted 259 corrective decisions during the year, including 83 sanctions, 143 compliance orders, 31 reminders of legal obligations and two warnings. Of the sanctions issued, 78 involved financial penalties, with several accompanied by injunctions requiring organizations to correct compliance shortcomings.
Cookies and online trackers were among the regulator’s top enforcement priorities. Five years after publishing guidance on cookie consent requirements, the CNIL sanctioned 21 organizations for violations such as storing trackers without valid user consent, providing insufficient information to users, or failing to respect withdrawals of consent. The regulator said these practices undermined transparency and meant personal data was processed without users’ knowledge. Two major enforcement actions alone resulted in fines of €325 million and €150 million, underscoring the scale of non-compliance in the digital advertising ecosystem.
Workplace monitoring was another major focus. Sixteen organizations were penalized for unlawful video surveillance of employees, including continuous monitoring in offices and retail settings. The CNIL reiterated that permanent surveillance is generally prohibited unless justified by exceptional circumstances, such as specific security threats, and warned that hidden cameras must remain strictly limited and proportionate.
The regulator also targeted data processors that failed to meet contractual obligations, including implementing adequate technical safeguards, following instructions from data controllers and deleting data at the end of service agreements. Under its simplified sanctions procedure, the CNIL frequently cited weak data security, lack of cooperation with investigations and failures to honor individuals’ rights to access or erase personal data.
Beyond sanctions, the authority issued 143 compliance orders, including several aimed at child welfare organizations and digital platforms used by minors. These orders required stronger age verification, improved transparency and better data governance practices.
The CNIL said its enforcement actions are designed to drive lasting compliance, emphasizing that fines collected are transferred to the French state budget and that organizations should treat data protection obligations as a core operational responsibility rather than an afterthought.


