Changeflow GovPing Data Protection CNIL Annual Report: 2025 Fines and Sanctions
Priority review Enforcement Amended Final

CNIL Annual Report: 2025 Fines and Sanctions

CNIL News (France DPA)
Filed February 9th, 2026
Detected February 11th, 2026
Email Set alert

Summary

The CNIL reported imposing €486.8 million in fines and 83 sanctions in 2025, primarily for violations related to cookies, employee monitoring, and data security. The report details 143 compliance orders and 31 reminders of legal obligations issued during the year.

View original document View source feed page

What changed

The French Data Protection Authority (CNIL) has released its 2025 annual report, detailing significant enforcement actions. In 2025, the CNIL issued 83 sanctions totaling €486,839,500, including 78 fines and 16 decisions by its restricted committee. Key areas of enforcement included non-compliance with rules on cookies and other trackers, leading to substantial fines for two major entities, and violations related to the video surveillance of employees, resulting in sanctions for 16 organizations. The report also highlights enforcement against subcontractors and cooperation with European counterparts under the GDPR's one-stop-shop mechanism.

This report indicates a robust enforcement posture by the CNIL, particularly concerning digital advertising technologies and employee privacy. Regulated entities operating in France, especially those handling personal data, should review their practices related to cookie consent, employee monitoring, and data security to ensure compliance with GDPR requirements. While specific compliance deadlines are not detailed for past actions, the substantial fines and the ongoing focus on these areas underscore the importance of proactive compliance efforts to avoid penalties and corrective orders.

What to do next

  1. Review cookie consent mechanisms and data collection practices.
  2. Ensure video surveillance of employees complies with legal requirements and proportionality principles.
  3. Verify subcontractor agreements and data processing activities align with GDPR obligations.

Penalties

Cumulative fines totaling €486,839,500; 78 fines issued; 27 fines with penalty payments; 3 decisions to impose penalties for failure to comply with prior orders; 2 warnings.

Related changes

AEPD Fines ORNITOLÓGICA DE ANDALUCÍA FOA 131,801 Euros for GDPR Violation
Priority review Mar 07, 2026 AEPD Resolutions (Spain DPA) Data Protection
AEPD Archives Proceedings Against Orange Spain Regarding Portability
Priority review Mar 07, 2026 AEPD Resolutions (Spain DPA) Data Protection
GDPR Resolution Fines Company 1,400 Euros for Unsolicited Email
Priority review Mar 05, 2026 AEPD Resolutions (Spain DPA) Data Protection
Svoboda v. Amazon.com Inc. - Biometric Information Privacy Act Class Action
Priority review Mar 07, 2026 7th Circuit Court of Appeals Federal Courts
AP Warns Users: TikTok Continues to Send Personal Data to China
Priority review Mar 06, 2026 Dutch DPA News Data Privacy
Dutch DPA Cookie Policy Campaign
Routine Mar 06, 2026 Dutch DPA News Data Privacy

Source

CNIL News (France DPA) cnil.fr/en/news
Data Protection
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Various DPAs (CNIL, BfDI, AEPD, etc.)
Filed
February 9th, 2026
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Employers Technology companies Retailers
Geographic scope
France

Taxonomy

Primary area
Data Protection
Operational domain
Compliance
Topics
Cookies Employee Monitoring GDPR

Browse Categories

Federal Courts 27 State Courts 105 Securities Regulation 2 Financial Regulation 24 Consumer Protection 2 Drug Safety 15 Data Protection 10 Competition 2 Attorneys General 3 Insurance Regulation 3 Trade & Export 38 Legislation 39 Government 98 Energy Regulation 6 Environment 3 Labor & Employment 2 Tax 1

Get Data Protection alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.