CNIL Sanctions 9 min·

How much does a CNIL fine cost for an e-commerce site?

Between €0 (simple formal notice) and €32 million (Amazon France 2023). Amount depends on size, severity, and especially cooperation. Real data, ranges by size, and strategies to reduce risk.

Documented e-commerce sanctions in France

CNIL publishes all sanctions on its website. Here are the most important French e-commerce sanctions of the decade:

32 M€
2023
Amazon France Logistique

Employee surveillance via productivity scanners without clear information or legal basis. Quantum reflects Amazon size (€514B global revenue). Deliberation SAN-2023-021.

2,25 M€
2020
Carrefour France

Multiple violations: customer information, cookies, retention periods, data subject rights. Non-compliant loyalty program. Deliberation SAN-2020-008.

400 000 €
2019
SERGIC (immobilier)

Security violation (6,000 rental candidate files publicly accessible) + retention periods not respected. Often cited precedent. Deliberation SAN-2019-005.

100 000 €
2022
Cdiscount

Cookies deposited before consent, refuse button hard to find on banner. First sanction post-CNIL 2020 cookie guidelines. Deliberation SAN-2022-016.

60 000 €
2021
eBay France

Customer data retention periods not respected for inactive accounts, no automatic purge. Deliberation SAN-2021-001.

Are you in CNIL's sights?

The 5 Cdiscount sanction reasons are verifiable in 60 seconds. RGPDScan detects pre-consent cookies, dark patterns, retention.

How CNIL calculates the amount

Article 83 GDPR sets the criteria. The amount is not a math calculation but a weighted assessment:

  • Nature and severitycookie violation = 1x base, data leak = 3-5x base, sensitive data (health, children) = 5-10x base.
  • Durationviolation persisting 3 years = 2-3x multiplier vs one-off.
  • Intentnegligence (unaware) = reduced amount; deliberate (knew and did nothing) = doubled amount.
  • Cooperationhighly valued. Spontaneous corrective measures before audit = formal notice rather than sanction.
  • Size and revenueVSE/SMEs don't pay like Amazon. Systematic adaptation.

Observed ranges by size

E-commerce sizeAnnual revenueFormal noticeObserved sanction
TPE< 500 k€Very likely5 - 20 k€
PME500 k - 50 M€Likely20 - 150 k€
ETI50 M - 1,5 Md€Possible100 k - 2 M€
Large group> 1,5 Md€Rare1 M - 32 M€+

Source: analysis of 87 CNIL deliberations 2018-2024 in e-commerce and retail sector.

How to avoid a sanction

Probability of CNIL audit for a French e-commerce site is about 1 in 200 per year. But upon complaint (consumer, ex-employee, competitor), it rises to 80%. The 5 actions that reduce risk to near-zero:

  • 1. CNIL-compliant cookie banner

    Refuse button as visible as Accept. No analytics/advertising cookies before click. Per-purpose granularity. Choice memorized 6-13 months.

  • 2. Updated privacy policy

    All sub-processors named (Stripe, Mailchimp, Klaviyo, HubSpot…), precise retention periods, exercisable rights, DPO or responsible contact.

  • 3. Documented DSAR procedure

    Any access, deletion, opposition request handled < 1 month. Dedicated email (dpo@…), online form, requests registry.

  • 4. Processing register

    Simplified CNIL template for SMEs. List: customer management, marketing, payroll, video surveillance, prospecting. Updated annually.

  • 5. Quarterly automated GDPR audit

    Each new Shopify app or WordPress plugin can break compliance. Automatic audit 4x/year minimum (RGPDScan, Cookiebot scanner). Report archived.

Going further

Frequently asked questions

What's the minimum CNIL fine for an e-commerce site?
No legal minimum. The formal notice is free but public. Observed financial sanctions for e-commerce SMEs start around €20,000. Ceiling is €20 million or 4% of global annual revenue — whichever is higher.
How does CNIL calculate fine amounts?
Article 83 GDPR criteria: nature and severity, duration, intent, mitigation measures, previous incidents, cooperation, data categories concerned, voluntary notification. Cooperation matters greatly: a site fixing before audit usually gets a formal notice rather than financial sanction.
Can a CNIL fine ruin an e-commerce SME?
Theoretically yes (4% global revenue), practically no. CNIL adjusts to company size. For VSE: usually formal notice then €10-50k if non-compliant. For SME: €20-150k. For mid-cap: €100k to €2M. "Ruinous" sanctions reserved for large groups (Amazon €32M).
Does my professional liability insurance cover a CNIL fine?
No in France. Case law (Cour de cassation 2019) confirms administrative fines cannot be insured — otherwise deterrent disappears. Only legal defense costs can be covered. Check your cyber-risk contract.
How long between a CNIL audit and sanction?
Typical procedure: audit (1 day) → analysis (2-6 months) → formal notice (30 days to comply) → hearing (3-6 months) → sanction deliberation (published within 30 days). Average: 12-24 months between audit and final sanction.
How to reduce CNIL fine risk in e-commerce?
Five priority actions: (1) quarterly GDPR audit — banner, scripts, forms; (2) Reject button as visible as Accept; (3) updated privacy policy with sub-processors named; (4) DSAR procedure (< 1 month response); (5) documented processing register. A poorly configured Shopify/WooCommerce is sanctioned 95% of audits; well-configured passes audit without sanction.

Avoid the 5 Cdiscount reasons

RGPDScan detects pre-consent cookies, dark patterns, non-respected retention in 60 seconds.