Website Rules in France

France's data protection authority is the Commission Nationale de l'Informatique et des Libertés (CNIL). Marie-Laure Denis has been its chair since February 2019, reappointed for a second term in January 2024 that runs until 2029.

Between December 2020 and September 2025 the CNIL has issued more than €700 million in cookie-specific fines. The headline cases every Irish business should know about:

• Google LLC and Google Ireland, €100M in December 2020 (decision SAN-2020-012) for ad cookies placed without consent on google.fr
• Amazon Europe Core, €35M in December 2020 (SAN-2020-013), upheld by the Conseil d'État in June 2022
• Google again, €150M in December 2021 (SAN-2021-023), reject was harder than accept
• Facebook Ireland, €60M in December 2021 (SAN-2021-024), same pattern
• Microsoft Ireland, €60M in December 2022 (SAN-2022-023) on bing.com
• Criteo, €40M in June 2023 (SAN-2023-009), upheld by the Conseil d'État in March 2026
• Yahoo EMEA, €10M in December 2023 (SAN-2023-024), upheld by the Conseil d'État in October 2025
• Google LLC and Google Ireland, €325M in September 2025 (SAN-2025-004) on Gmail advertising practices

The legal basis for all of these is Article 82 of the French Loi Informatique et Libertés, which transposes the ePrivacy Directive. The Conseil d'État confirmed in January 2022 that the GDPR one-stop-shop doesn't apply to cookie placement operations. That's why the CNIL keeps competence over Google Ireland and Meta Ireland even though Dublin is their EU seat.

The operational rules come from two CNIL texts, both dated 17 September 2020. Délibération 2020-091 sets the binding guidelines. Délibération 2020-092 gives practical recommendations.

Six concrete requirements for an Irish site targeting French visitors:

Consent before any non-essential cookie fires. Google Analytics, Meta Pixel, TikTok Pixel, retargeting tags, all of them must wait for an explicit click.

Reject must be as easy as accept. That means same visual weight, same position in the banner, same number of clicks. A prominent "Accept all" button next to a tiny "Settings" link fails this test.

Granular purpose consent. Bundling analytics with advertising under one "Accept" button is non-compliant. The user must be able to consent to analytics and refuse advertising.

Proof of consent. You must be able to produce, six months later, evidence that user X consented to purpose Y at time T. CMPs store this automatically. Homemade banners usually don't.

Clear identification of recipients. The list of third parties that receive data must be accessible from the banner in one or two clicks. "Our partners" isn't enough.

Consent renewal. The CNIL recommends renewing consent every six months maximum. A user who clicked accept in June should see the banner again by December.

An Irish SaaS selling to French SMEs that ignores this gets complaints routed through the DPC to the CNIL. In practice the CNIL handles the investigation itself because cookies fall under ePrivacy.

Two other French regulations catch Irish sites by surprise.

Dark patterns. The CNIL is one of the European DPAs most willing to call out deceptive UX as a GDPR violation. In the Google and Meta cases, the "reject" button being harder to find than "accept" was itself the violation. The CNIL applies the EDPB dark pattern taxonomy with a strict hand.

Accessibility. The Référentiel Général d'Amélioration de l'Accessibilité (RGAA) applies to public sector sites and to private sites above certain revenue thresholds under the European Accessibility Act transposition. For an Irish B2C site with French customers, the EAA became enforceable on 28 June 2025. If your turnover exceeds €2 million and you sell to French consumers, RGAA 4.1 is your reference.

The DGCCRF, France's consumer protection body, also enforces sections of the Code de la consommation that overlap with GDPR. Pricing transparency under the Omnibus directive transposition applies to any site selling in France. If you display "-30%" the reference price must be the lowest price you charged in the previous 30 days.

For a quick read of your French-facing site, start with the free scan. For the UK side of your EU operations, see our UK page.