Non-Compliant Cookie Banner: The 7 Costly Mistakes
Cookies are the top source of CNIL sanctions. In 2025, more than 60% of formal notices concerned consent management. Seven mistakes recur systematically — and each one alone can trigger a procedure.
Why cookies remain CNIL's #1 target
Since the CNIL guidelines of September 2020, reinforced by those of May 2022, cookie regulation is one of the most concrete and verifiable aspects of GDPR. Unlike other obligations (processing register, DPAs), the cookie banner is publicly visible — anyone, including CNIL agents, can check it in seconds from a browser.
The CNIL has developed automated monitoring tools that scan thousands of French sites each month, detecting cookies deposited before consent, asymmetric banners and poorly documented purposes. The result: a 3x increase in cookie-related formal notices between 2021 and 2025.
Sanctions don't just hit Amazon or Google. In 2024 and 2025, e-commerce stores, online media, B2B SaaS and institutional sites received fines between €15,000 and €200,000 for mistakes you'll recognize in this article.
The regulatory framework for cookies in France
- Article 82 of the French Data Protection Act — any non-strictly-necessary tracer deposit requires prior and informed user consent.
- GDPR Art. 4(11) and Art. 7 — consent must be freely given, specific, informed and unambiguous (positive action, no pre-checked box).
- CNIL cookie guidelines (2020, revised 2022) — refusing must be as simple as accepting, consent duration 13 months max, list of processors in privacy policy.
- CNIL recommendation on CMPs (2024) — consent management platforms must be regularly audited and their DPAs signed.
Is your cookie banner really compliant?
RGPDScan checks in 60 seconds if cookies are deposited before consent and if your banner meets CNIL 2026 requirements.
The 7 mistakes documented by the CNIL
This is the most sanctioned mistake by CNIL. A colored 'Accept' button versus a gray 'Refuse' link, different sizes, or the refuse button relegated to page 2 — all constitute an explicitly prohibited 'dark pattern'. Typical sanction: formal notice with publication. Correction: harmonize size, color and hierarchy level of both buttons.
GDPR explicitly prohibits pre-checked boxes for obtaining consent (Recital 32). Presenting advertising or analytics purposes with an already-checked box is illegal — consent must be active. This mistake was common before 2022; in 2026, it leads to near-automatic sanction.
"By continuing to browse you accept our cookies" — a phrase still found on hundreds of French sites in 2026. It has been illegal since 2020. Consent can only result from a positive and deliberate action. A banner that closes on scroll, a footer mention without real choice, or no banner with a CGU mention are all non-compliant.
CNIL recommends a maximum duration of 13 months for consent cookies (the tracer that stores the user's choice). Durations of 24 months, 36 months, or even indefinite have been flagged during CNIL inspections. Beyond 13 months, consent must be collected again. Check your CMP cookie expiration in DevTools.
"We use cookies to improve your experience" is not a purpose under GDPR. Users must know precisely what they're consenting to: audience measurement, targeted advertising, personalization, social media sharing. Each purpose must be readable, separate and allow granular choice. Overly generic banners were specifically targeted in 2024 CNIL reports.
This is technically the most serious violation. Even with a beautiful compliant banner, if Google Analytics, Meta Pixel or Hotjar cookies are deposited on page load (before any click), the consent has no value. CNIL checks this with automated tools that intercept network requests. Cdiscount (€100,000) and dozens of others were sanctioned on this point alone.
The right of withdrawal is as important as the right to consent. Users must be able to withdraw consent at any time, as easily as they gave it (GDPR Art. 7-3). A discreet link in the legal notices accessible in 4 clicks does not meet this condition. Minimum requirement: a 'Manage my cookies' or 'Withdraw my consent' link visible from all pages, typically in the footer.
Checklist: your banner in 10 points
- Refuse button as visible as Accept (identical size, color, hierarchy)
- No pre-checked boxes for non-essential purposes
- Zero non-essential cookie deposited before Accept click (test DevTools > Network > cookies)
- Purposes listed precisely: analytics, advertising, personalization, social media separately
- Consent cookie expiring within 13 months maximum (check in DevTools > Application > Cookies)
- 'Manage my cookies' link visible from all pages (footer)
- DPA signed with your CMP (Axeptio, Didomi, Cookiebot, etc.)
- No dark patterns: no guilt pop-ups, no gamification to accept
- Banner automatically reactivated after 13 months
- Monthly automated audit to detect any regression (third-party script added without consent)
Going further
- Google Analytics legal in France 2026: strict conditions
- Cookie wall: legal or illegal in 2026?
- Complete GDPR compliance checklist 2026
- CNIL fines 2026: sectors and amounts
- CMP comparison: Axeptio vs Didomi vs Cookiebot