RGPDScan/Blog/CNIL Fines 2026
GDPR News10 min readMay 16, 2026

CNIL Fines 2026: What Really Puts Your Site at Risk

In 2026, the CNIL has stepped up its enforcement policy. GDPR fines no longer only affect large corporations: SMEs and freelancers have been sanctioned for violations found on the majority of French websites.

This article covers the most frequently sanctioned violations, actual fine amounts, and the 5 priority measures to protect your website.

20 M€
Maximum GDPR fine
4%
Of global turnover (if higher)
300+
CNIL inspections in 2025
83%
Of French sites non-compliant

The 5 Most Sanctioned Violations

These cases illustrate the types of breaches that European data protection authorities sanction most severely.

Meta (Facebook)2023

Data transfer to the US without valid legal basis (Irish DPA decision, GDPR applicable)

1,2 Md€
TikTok2023

Dark patterns in cookie banner targeting minors (pre-ticked boxes, difficult refusal)

345 M€
Criteo2023

Targeted advertising without valid consent, incorrect legal basis for retargeting

40 M€
Clearview AI2024

Mass biometric data collection without legal basis, refusal to honor data rights

20 M€
French e-commerce site (SME)2025

Cookies placed before consent, no reject button, missing privacy policy

250 000 €

What the CNIL Checks First

These 8 points are the most frequently checked during automated inspections and enforcement proceedings.

Cookies placed before consent
Missing "Reject All" button
Pre-ticked boxes (dark patterns)
Non-compliant consent banner
Missing or incomplete privacy policy
US transfers without SCCs
Failure to honor access/deletion rights
Excessive data collection

The 5 Priority Measures

1
Audit your cookie banner with a GDPR scanner
2
Verify no cookie is placed before consent
3
Update your privacy policy
4
Document your non-EU data transfers
5
Train your teams on GDPR user rights

Check your compliance in 60 seconds

RGPDScan automatically detects the most common GDPR violations: unconsented cookies, dark patterns, undeclared trackers, non-EU transfers and banner issues.

Frequently Asked Questions

What is the maximum CNIL fine?

The CNIL can issue fines of up to 20 million euros or 4% of annual global turnover (whichever is higher). For SMEs, common fines range from €50,000 to €500,000.

Are SMEs and freelancers affected by GDPR fines?

Yes. In 2025, several French SMEs received fines between €20,000 and €500,000 for basic violations: missing compliant cookie banner, cookies placed without consent, missing privacy policy.

How does the CNIL discover violations?

The CNIL conducts automated online inspections, processes user complaints (5,168 complaints in 2024), and carries out targeted inspections in high-risk sectors. It automatically analyzes cookie banners and trackers.

How long do I have to comply after a CNIL inspection?

The CNIL may issue a formal notice with a compliance deadline (typically 1 to 3 months). If ignored, a financial penalty follows. Serious violations (illegal transfers, dark patterns) can result in an immediate sanction.

Is a RGPDScan audit enough to be protected?

RGPDScan automates the verification of 30+ technical compliance points and generates mandatory documents. It does not replace legal counsel but drastically reduces your exposure to common sanctions.