France's data protection regulator has intensified its enforcement posture, and international businesses operating in the French market are now exposed to scrutiny at a level not seen in previous years. The Commission Nationale de l'Informatique et des Libertés (CNIL. France's national data protection authority) has accelerated its investigation cycle. Broadened the categories of organisations it targets. Additionally, significantly increased the scale of sanctions imposed on non-compliant data controllers and processors.
France's CNIL has issued a series of enforcement decisions targeting failures in consent mechanisms, unlawful cross-border data transfers, and inadequate data processor agreements. These actions apply to any organisation processing personal data of French residents, including foreign companies with no physical presence in France. Businesses must review their GDPR compliance posture immediately, as ongoing violations attract daily penalty accruals under French data protection legislation.
This alert sets out what has changed, which business categories are in the regulator's sights, and what immediate steps international companies should take to limit exposure.
What the CNIL has changed – and when it takes effect
The enforcement shift did not arise from a single legislative amendment. It reflects a deliberate change in how France's DPA deploys its investigative and sanctioning powers under the GDPR and the corresponding national implementing legislation. Several developments have taken effect or accelerated from late 2024 into 2025.
First, the CNIL has moved from reactive complaint-based investigations to proactive, sector-wide sweeps. Rather than waiting for individual data subjects to file complaints, the regulator now initiates coordinated audits across entire industry verticals – including e-commerce, adtech, financial services, and cloud-based SaaS platforms. The practical effect is that a company may receive an inspection notice without any prior complaint having been filed against it.
Second, the CNIL has tightened its interpretation of lawful consent mechanisms. Cookie banners that use pre-ticked boxes, obscured reject options, or misleading interface design are now treated as invalid consent – even where those interfaces were tolerated in prior enforcement cycles. The regulator has confirmed this position applies with immediate effect to all data controllers targeting French users.
Third, cross-border data transfers – particularly those directed to non-EEA processors without valid standard contractual clauses or binding corporate rules – are now a primary enforcement priority. The Cour de cassation (Supreme Court of France) and CNIL guidance have reinforced that data transfer compliance obligations cannot be delegated entirely to the processor. The data controller remains jointly accountable.
Fourth, processor agreements between corporate entities – whether structured as a société à responsabilité limitée (SARL) or a société par actions simplifiée (SAS) – are being reviewed for substantive compliance rather than formal existence. A data processing agreement that exists on paper but lacks required clauses on sub-processing, audit rights, and deletion protocols will be treated as absent for enforcement purposes.
Which businesses are affected – and the threshold criteria
The CNIL's current enforcement priorities affect a broad range of organisations. The threshold is not defined by company size or revenue. Instead, the regulator applies a data-volume and data-sensitivity lens.
Businesses that fall within the immediate scope include:
- Any data controller or data processor processing personal data of French residents, regardless of where the entity is incorporated or established
- Operators of websites, mobile applications, and digital platforms that deploy tracking technologies or targeted advertising directed at French users
- Companies transferring personal data outside the EEA – including to affiliated group entities – without a compliant transfer mechanism in place
- Organisations in regulated sectors such as healthcare, financial services, and telecommunications that handle sensitive personal data categories
- Third-party processors serving French clients who have not updated their contractual arrangements to reflect current CNIL guidance
Foreign companies with no French subsidiary are not exempt. Under GDPR's territorial reach, any entity offering goods or services to individuals in France – or monitoring their behaviour – falls within the scope of French data protection legislation. The absence of a local legal entity does not limit CNIL jurisdiction. Enforcement against foreign entities has included formal notices served through EU cooperation mechanisms, and in some cases through a huissier de justice (court-appointed enforcement officer) acting under mutual legal assistance procedures.
The compliance deadline for correcting identified violations is typically set in the CNIL's formal notice – usually between 30 and 90 days from service of the notice. However, daily penalty accruals can begin from the date the violation is formally established, not from the expiry of the remediation period. This makes early identification and correction critical.
For a tailored strategy on GDPR compliance exposure in France, reach out to info@ferrazwhitmore.com.
Immediate actions for international companies
International businesses should treat this enforcement cycle as a prompt for structured self-assessment. The following steps address the most common deficiencies identified in recent CNIL actions.
Audit consent mechanisms now. Review all cookie banners and consent collection interfaces on French-facing digital properties. Confirm that the reject option is as prominent as the accept option, that no pre-selection of consent is applied, and that withdrawal of consent is as simple as granting it. Interfaces that do not meet these criteria should be corrected before the next compliance review cycle.
Map your data transfers. Identify every flow of personal data leaving the EEA. For each flow, confirm that a valid transfer mechanism is in place – standard contractual clauses, an adequacy decision, or binding corporate rules. Do not assume that a processor's assurances are sufficient. The data controller bears independent responsibility under French data protection legislation.
Review processor agreements. Contracts with third-party processors – including cloud providers, analytics platforms, and marketing technology vendors – should be reviewed against the CNIL's current guidance on mandatory contractual content. Agreements that predate the most recent CNIL recommendations are likely deficient. Pay particular attention to sub-processor notification obligations, audit rights, and data deletion or return procedures.
Update your records of processing activities. French data protection legislation requires data controllers to maintain a detailed record of all processing operations. This record must accurately reflect current data flows, retention periods, and legal bases. CNIL auditors routinely request this documentation as the first step in an investigation.
Designate or verify your EU representative. Foreign companies without an EU establishment that are subject to GDPR must appoint a representative in an EU member state. If the representative is based in another member state, confirm that France's CNIL is the lead supervisory authority for your French-facing operations. and that your representative has current contact details on file with the regulator.
Companies with questions about their specific exposure can also find relevant context in our analysis of data protection services in France. As well as our coverage of AI regulation in France. There, AI-driven data processing is increasingly drawing CNIL attention. Parallel developments in neighbouring jurisdictions are addressed in our alert on data protection enforcement in Portugal.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice assists data controllers and data processors in managing GDPR compliance, regulatory investigations, and cross-border data transfer structuring across France, Portugal, and the broader EU. We combine Portuguese civil law expertise with English common law tradition to support international companies navigating French data protection legislation – from consent mechanism audits to CNIL enforcement response. Our team has advised on data protection matters across 15 practice areas, with direct experience before EU supervisory authorities and in cross-border enforcement cooperation. As an international law firm operating across France and Europe, Ferraz & Whitmore works with in-house counsel, entrepreneurs, and institutional investors who need results-oriented legal support. To discuss how recent CNIL enforcement actions affect your business, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.