European Union · updated 2026-06-15
France
France's CNIL is Europe's most aggressive cookie enforcer, fining Google and Meta hundreds of millions under national ePrivacy rules it can apply directly to foreign companies — no lead-authority shield. Get your banner right first.
- Law:
- GDPR + Loi Informatique et Libertés
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher
What France requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy (politique de confidentialité)
Art. 13–14 GDPRA French-language privacy notice covering controller identity, purposes, legal bases, recipients, retention, transfers, and rights, including the right to lodge a complaint with CNIL.
How to implement French consumer law (Loi Toubon) effectively requires French-language legal notices for services aimed at French consumers. Add CNIL's contact details in the complaints section.
Required -
Cookie consent banner
Art. 82 LILPrior consent for all non-essential trackers with refusal as easy as acceptance. Consent must be re-collected at least every 13 months per CNIL guidance.
How to implement Show 'Tout accepter' and 'Tout refuser' side by side at the first layer. Keep proof of consent. CNIL runs automated sweeps of French-traffic sites, including foreign ones.
Required -
Records of processing (ROPA)
Art. 30 GDPRA register of processing activities. CNIL publishes a free ROPA template aimed at small businesses.
How to implement Start from CNIL's open-source template (registre de traitements). It is the first document requested in a CNIL inspection.
Required -
Data protection officer (DPO/délégué)
Art. 37 GDPRMandatory only for GDPR-baseline cases, but CNIL treats a registered DPO as a strong good-faith signal.
How to implement If you appoint one, register them on CNIL's portal. External mutualised DPOs are common and accepted for startups.
Conditional -
Breach notification process
Art. 33–34 GDPR72-hour notification via CNIL's dedicated portal, plus an internal breach register for every incident, reportable or not.
How to implement Bookmark notifications.cnil.fr and pre-fill your organisation details. CNIL accepts a preliminary notification followed by a complete one if facts are still emerging.
Required -
Age verification for minors' consent
Art. 8 GDPR + Art. 45 LILFrance sets the age of digital consent at 15. Below that, parental consent is required for information-society services relying on consent.
How to implement If your product attracts under-15s, add an age gate and parental consent flow. CNIL has published specific recommendations on children's data.
Conditional
The details
- Cookie consent
- Art. 82 Loi Informatique et Libertés (ePrivacy) requires prior opt-in. CNIL guidelines demand a 'Reject all' button as prominent as 'Accept all' — burying refusal in a second layer has drawn nine-figure fines.
- Data Protection Officer
- GDPR baseline applies: mandatory for public bodies, large-scale monitoring, or large-scale special-category data. CNIL strongly encourages voluntary designation and runs a formal DPO registration portal.
- Processing agreements
- Art. 28 GDPR contracts required with all processors. CNIL publishes model clauses in French and checks for them during investigations.
- Breach notification
- Report via CNIL's online breach portal within 72 hours of awareness. High-risk breaches also require notifying affected individuals without undue delay.
- Enforcement in practice
- CNIL fined Google €150M and Meta €60M in 2022 for making cookie refusal harder than acceptance — decided under French ePrivacy rules, bypassing the one-stop-shop entirely.
Data subject rights
What users can demand from you in France, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRUsers can obtain a copy of their data and details of processing within one month.
CNIL's complaint volume is dominated by ignored access requests — set up a tracked inbox (e.g. privacy@) and answer within 30 days.
Right to erasure
Art. 17 GDPRDeletion on request when data is no longer necessary or consent is withdrawn.
Cover production, backups, and processors. French commercial law requires keeping contracts and invoices (up to 10 years) — cite that as the retention exemption.
Right to data portability
Art. 20 GDPRMachine-readable export of user-provided data for consent- or contract-based processing.
JSON/CSV export satisfies the requirement. France pioneered this right pre-GDPR, and CNIL expects it to actually work, not just exist in the policy.
Right to rectification
Art. 16 GDPRCorrection of inaccurate data without undue delay.
Self-service profile editing plus a support path for derived or inferred data.
Right to restrict processing & to object
Art. 18, 21 GDPRFreeze processing during disputes; absolute right to object to direct marketing.
France additionally runs Bloctel, a do-not-call registry that telemarketers must scrub against. For email, honour objections immediately.
Post-mortem data directives
Art. 85 LILA French speciality: users may leave binding instructions on what happens to their data after death, and heirs can exercise limited rights.
You only need a process to handle heirs' requests with a death certificate. Large platforms offer directive settings; small services handle it via support.
Tools that cover France
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
cookie consent
Didomi
French-built consent platform designed around CNIL's guidelines, used by most large French publishers.
Visit Didomi → -
privacy policy
iubenda
Generates French-language privacy policies and cookie policies aligned with CNIL requirements.
Visit iubenda → -
compliance suite
OneTrust
Full compliance suite with a free cookie-consent tier; handles CNIL's 13-month consent renewal automatically.
Visit OneTrust →
Frequently asked questions
Why did CNIL fine Google and Meta without going through Ireland?
Cookie rules come from the ePrivacy Directive, not GDPR, so the one-stop-shop mechanism does not apply. CNIL can directly sanction any company dropping trackers on devices in France — which is why foreign SaaS companies should treat French cookie compliance as a standalone risk.
Does my privacy policy have to be in French?
If you direct your service at French consumers, effectively yes. The Toubon law requires French for consumer-facing contractual documents, and CNIL expects information under Art. 13 to be intelligible to the audience — English-only notices for a French audience fail that test.
How often must cookie consent be renewed in France?
CNIL recommends re-collecting consent at most every 13 months, and requires that proof of consent be kept. Most consent platforms expose this as a configurable consent-lifetime setting.
What is the fastest way to get CNIL-compliant as a small SaaS?
Three moves: deploy a banner with equal accept/reject buttons, publish a French privacy policy naming CNIL as the complaint authority, and fill in CNIL's free ROPA template. That covers the three things CNIL checks first.
Similar jurisdictions
Free download
Get GDPR updates for France
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.