CNIL Formal Notice: What to Do in 30 Days?
You've just received a CNIL formal notice. The clock is ticking: 30 days to comply, or risk a public sanction. Here's exactly what to do, in what order, and the mistakes that turn a manageable procedure into a disaster.
What you're really risking
A CNIL formal notice is not a courtesy letter. It's the signal that your organization has been identified as non-compliant and that the CNIL has decided to act. In 2025, the CNIL issued 72 sanctions totaling €101 million — a 37% increase over 2024. The vast majority of financial sanctions started with a formal notice that was ignored or insufficiently addressed.
The mechanism is simple but brutal: you generally have 30 days (sometimes 15 or 60 depending on severity) to demonstrate compliance. If you don't, the case automatically goes to the CNIL's restricted formation, the chamber that issues sanctions. It can impose up to €20 million or 4% of global annual revenue — whichever is higher.
For an SME with €5 million in revenue, that's a theoretical maximum exposure of €200,000. In practice, CNIL sanctions for SMEs observed between 2022 and 2025 range from €20,000 to €150,000 — and come with a public naming on the CNIL website, visible to your customers, partners and investors.
The CNIL procedure: texts and mechanisms
The formal notice is governed by Article 20-I of the French Data Protection Act (LIL), amended to transpose the GDPR. Two types coexist:
- Simple formal notice (Art. 20-I-b LIL) — Most common. Sets a deadline (15 to 90 days) for compliance. Can remain confidential if the CNIL decides. Leads to sanction if not complied with.
- Public formal notice — The CNIL makes the formal notice public to send a sector signal. Used when the breach affects many organizations or a specific sector. Rarer but devastating for reputation.
The CNIL can issue a formal notice following: a complaint from an individual (most frequent source), an online check by its agents (automated monitoring), an on-site inspection, or cooperation with another European authority under the one-stop-shop mechanism.
The crucial difference from a sanction: the formal notice is a last chance to correct before the restricted formation is seized. It does not in itself carry a fine. It's the escalation that costs — provided you take it seriously.
Identify your breaches before responding to the CNIL
RGPDScan detects in 60 seconds illegal cookies, non-compliant banners and unframed non-EU transfers on your site.
Documented cases: what really happens
Formal notice not complied with for depositing advertising and analytics cookies without prior consent. CNIL noted the continuation of breaches after the deadline. Deliberation SAN-2022-016 published with names. Initial case: user complaints about an insufficient cookie banner.
Anonymized French SME sanctioned after formal notice for absence of compliant privacy policy and third-party cookies deposited without legal basis. The partial response provided within 30 days did not convince the CNIL. Lesson: an incomplete response is almost as damaging as no response.
Medical practice received a formal notice for storing patient records outside a certified HDS host. Within 30 days: migration to a certified HDS host, DPA updates, CNIL notification with evidence. Case closed. Example of exemplary response: fast, documented, complete.
Action plan: the 30 days hour by hour
Days 1–3: understand and mobilize
- Read the formal notice carefully: identify precisely the alleged breaches (violated article, concerned processing)
- Assemble a crisis team: management, DPO or external GDPR consultant, IT, possibly specialized lawyer
- Launch an immediate technical audit on the cited points: cookies, privacy policy, processing register, DPAs
- Archive the initial state (screenshots, logs) before any modification — evidence of your good faith
Days 4–20: correction and documentation
- Correct each identified breach, in order of severity: cookies before consent as top priority
- Document each correction: date, nature of modification, before/after screenshots, responsible person
- Update the processing register, sign missing DPAs with processors
- Check related points not cited in the notice: CNIL may raise them during the compliance check
Days 21–30: draft and send the response
- Draft a structured response: for each cited breach, description of correction made + attached proof
- Attach evidence: dated screenshots, technical logs, copies of signed DPAs, updated privacy policy
- Send by registered mail with acknowledgment AND by email to the address indicated in the notice
- Keep the acknowledgment of receipt — it proves you responded within the deadline
The 4 fatal mistakes to avoid at all costs
- Ignoring the formal notice — automatic escalation to sanction, recognized aggravating factor
- Responding without evidence — "we've corrected it" without documentation = response considered insufficient
- Partial correction — addressing only cited points without checking the global context gives CNIL grounds for a second procedure
- Contesting without complying — you can legally contest the notice, but in parallel, not instead of compliance
Going further
- CNIL Fines 2026: amounts, sectors and aggravating factors
- 7 cookie banner mistakes that trigger a formal notice
- GDPR compliance checklist 2026 — 42 control points
- Compliant privacy policy: the complete guide
- GDPR tools for SMEs: audit, CMP, processing register