ShieldPage
← All articles
Regulation Updates · · 7 min read

CNIL Enforcement in 2026: What the Latest Fines Mean for Your Website

A breakdown of recent CNIL enforcement actions and what they signal about the direction of cookie consent regulation in France and across Europe.

CNIL — France's data protection authority — has been the most aggressive regulator in Europe when it comes to cookie consent enforcement. Their actions in 2025-2026 have set precedents that every website operating in the EU should pay attention to.

The pattern in recent fines

  • Dark patterns in consent flows — Making "reject" harder to find than "accept" now carries heavy penalties
  • Pre-loaded trackers — Companies setting analytics cookies before consent is obtained
  • Inadequate consent records — Unable to prove when or how consent was collected
  • Cookie walls — Denying access unless users accept all cookies

Key decisions to know

Microsoft (€60M, December 2022 — upheld on appeal 2025): Bing.com deposited advertising cookies without consent. CNIL established that the scale of a site's audience is a factor in fine amounts.

Criteo (€40M, June 2023): The ad-tech giant failed to verify that users had given consent before processing their data for targeted advertising. This case established that the entire ad-tech chain — not just the website — bears responsibility.

TikTok (€5M, December 2022): The "reject" mechanism required multiple clicks while "accept" was a single click. CNIL ruled this violates the principle of equally easy acceptance and refusal.

What this means for your site

  • Symmetry is mandatory — Accept and reject must be equally prominent and require the same number of clicks
  • Consent must be granular — Users must be able to choose by category, not just "all or nothing"
  • Technical compliance matters — It's not enough to have a banner. The underlying tag management must actually block cookies until consent is given
  • 13-month maximum — Consent expires after 13 months in France. You must re-ask.

Preparing for the ePrivacy Regulation

CNIL has explicitly stated that their enforcement approach previews what the eventual ePrivacy Regulation will codify at the EU level. Companies that comply with CNIL's standards today will be well-positioned when the regulation passes. Those still using "consent by scrolling" or dark-pattern banners are accumulating risk every day they wait.