How much does a CNIL fine cost for an e-commerce site?
Between €0 (simple formal notice) and €32 million (Amazon France 2023). Amount depends on size, severity, and especially cooperation. Real data, ranges by size, and strategies to reduce risk.
Documented e-commerce sanctions in France
CNIL publishes all sanctions on its website. Here are the most important French e-commerce sanctions of the decade:
Employee surveillance via productivity scanners without clear information or legal basis. Quantum reflects Amazon size (€514B global revenue). Deliberation SAN-2023-021.
Multiple violations: customer information, cookies, retention periods, data subject rights. Non-compliant loyalty program. Deliberation SAN-2020-008.
Security violation (6,000 rental candidate files publicly accessible) + retention periods not respected. Often cited precedent. Deliberation SAN-2019-005.
Cookies deposited before consent, refuse button hard to find on banner. First sanction post-CNIL 2020 cookie guidelines. Deliberation SAN-2022-016.
Customer data retention periods not respected for inactive accounts, no automatic purge. Deliberation SAN-2021-001.
Are you in CNIL's sights?
The 5 Cdiscount sanction reasons are verifiable in 60 seconds. RGPDScan detects pre-consent cookies, dark patterns, retention.
How CNIL calculates the amount
Article 83 GDPR sets the criteria. The amount is not a math calculation but a weighted assessment:
- Nature and severity — cookie violation = 1x base, data leak = 3-5x base, sensitive data (health, children) = 5-10x base.
- Duration — violation persisting 3 years = 2-3x multiplier vs one-off.
- Intent — negligence (unaware) = reduced amount; deliberate (knew and did nothing) = doubled amount.
- Cooperation — highly valued. Spontaneous corrective measures before audit = formal notice rather than sanction.
- Size and revenue — VSE/SMEs don't pay like Amazon. Systematic adaptation.
Observed ranges by size
| E-commerce size | Annual revenue | Formal notice | Observed sanction |
|---|---|---|---|
| TPE | < 500 k€ | Very likely | 5 - 20 k€ |
| PME | 500 k - 50 M€ | Likely | 20 - 150 k€ |
| ETI | 50 M - 1,5 Md€ | Possible | 100 k - 2 M€ |
| Large group | > 1,5 Md€ | Rare | 1 M - 32 M€+ |
Source: analysis of 87 CNIL deliberations 2018-2024 in e-commerce and retail sector.
How to avoid a sanction
Probability of CNIL audit for a French e-commerce site is about 1 in 200 per year. But upon complaint (consumer, ex-employee, competitor), it rises to 80%. The 5 actions that reduce risk to near-zero:
- 1. CNIL-compliant cookie banner
Refuse button as visible as Accept. No analytics/advertising cookies before click. Per-purpose granularity. Choice memorized 6-13 months.
- 2. Updated privacy policy
All sub-processors named (Stripe, Mailchimp, Klaviyo, HubSpot…), precise retention periods, exercisable rights, DPO or responsible contact.
- 3. Documented DSAR procedure
Any access, deletion, opposition request handled < 1 month. Dedicated email (dpo@…), online form, requests registry.
- 4. Processing register
Simplified CNIL template for SMEs. List: customer management, marketing, payroll, video surveillance, prospecting. Updated annually.
- 5. Quarterly automated GDPR audit
Each new Shopify app or WordPress plugin can break compliance. Automatic audit 4x/year minimum (RGPDScan, Cookiebot scanner). Report archived.
Going further
- Complete GDPR guide for e-commerce
- Shopify and GDPR: full analysis
- CNIL Fines 2026: complete panorama
- Google Analytics legal France 2026?
- GDPR compliance checklist: 30 points