CNIL Cookie Fines: The 10 Biggest Sanctions 2020-2026
Panorama of the 10 heaviest CNIL fines for cookie non-compliance: who, how much, why. Lessons for your website in 2026.
Since 2020, France's data protection authority — the CNIL — has issued more than €400 million in fines for cookie non-compliance. Three patterns appear in 90% of cases: hard-to-find refusal, cookies set before consent, pre-ticked consent. Here are the 10 biggest sanctions of the past six years, and what they concretely teach you in 2026.
These decisions are not theory. They draw the framework the CNIL applies to every audit — including for small businesses. Each fine rests on a precise, reproducible motive that may also exist on your own site if your banner has not been audited recently. Good news: the mistakes are always the same, and bringing your site into compliance takes less than a day.
Top 10 CNIL cookie fines (2020-2026)
The table below summarises the sanctions that set jurisprudence. Amounts are in euros, as they appear in the public deliberations of the CNIL's restricted committee.
| Year | Company | Amount | Main reason |
|---|---|---|---|
| 2021 | Google LLC | €150M | Refusal required 5 clicks vs 1 click to accept |
| 2021 | Facebook (Meta) | €60M | Same as Google: imbalanced refusal |
| 2020 | Amazon Europe Core | €35M | Setting advertising cookies without consent |
| 2022 | Microsoft Ireland | €60M | No "refuse all" button on Bing.com |
| 2023 | Criteo | €40M | Unlawful legal basis for ad tracking |
| 2024 | Orange SA | €50M | Ads in emails without consent + third-party cookies |
| 2023 | Yahoo EMEA | €10M | Cookie refusal not sufficiently clear |
| 2022 | Apple Distribution Intl. | €8M | Advertising identifier enabled by default in App Store |
| 2022 | TikTok UK | €5M | Consent not as easy to refuse as to accept |
| 2024 | Voodoo SAS | €3M | Advertising identifiers used without consent |
A common thread runs through this entire list: the CNIL has explicitly targeted symmetry between acceptance and refusal since 2020, and has never wavered. The first six sanctions in the ranking punish precisely that imbalance, with varying degrees of severity. Google opened the series in 2021 with €150 million — the amount reflects both the number of users affected and the economic gain extracted from the asymmetry.
One trend deserves to be highlighted. Before 2022, targets were almost exclusively American giants: Google, Amazon, Facebook, Apple. Since 2023, French and European players have joined the line-up: Criteo, Orange, Voodoo. The CNIL has clearly signalled that no one is safe, regardless of flag. The 2024-2026 trend is progressively stepping down the turnover ladder: as the CNIL refines its automated detection tool, it extends its audits to medium-sized companies, with fines proportional to turnover.
The 3 most common reasons
If you only remember three things from this overview, remember these. They concentrate the bulk of sanctions issued since 2020.
- Refusal not as simple as acceptance — present in roughly 70% of cookie fines. The canonical example remains Google in 2021: one click for "Accept all", five clicks via a "Settings" menu to refuse. The CNIL qualifies this imbalance as forced consent, because it exploits decision fatigue to steer the user toward the option most advantageous to the publisher.
- Cookies set before consent — direct violation of article 82 of the French Data Protection Act. The 2020 Amazon example sets jurisprudence: Google Analytics and several advertising pixels activated from the very first page load, before any user interaction. €35 million in fines, without going through a formal warning. Testing this point is trivial: open Chrome DevTools, Network tab, reload your page, and see what fires before your click.
- Pre-ticked consent or "continued navigation" — explicitly forbidden by the CNIL's September 2020 deliberation. The 2022 Apple example illustrates the subtlety: the IDFA advertising identifier was enabled by default in App Store settings, forcing the user to flip a switch to deactivate tracking. €8 million for a default-checked box — the cost of poorly designed defaults.
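The DevTools check described above can be repeated on every release by saving the Network tab as a HAR file and scanning it. The script below is an added example, not code from this article or from any CMP: it lists requests sent to other hosts and cookies set before the consent click. The site `shop.example`, the sample entries, the click time and the `exemptCookies` list (names you have documented as strictly necessary) are constructed assumptions.

```javascript
// Constructed sample: a small HAR for the hypothetical site shop.example.
const sampleHar = { log: { entries: [
  { startedDateTime: "2026-01-10T09:00:00.000Z",
    request: { url: "https://shop.example/" },
    response: { cookies: [{ name: "session", value: "x" }], headers: [] } },
  { startedDateTime: "2026-01-10T09:00:00.400Z",
    request: { url: "https://ads.tracker.example/pixel.gif?id=1" },
    response: { cookies: [], headers: [{ name: "Set-Cookie", value: "uid=abc; Max-Age=31536000" }] } },
  { startedDateTime: "2026-01-10T09:00:00.900Z",
    request: { url: "https://cdn.shop.example/app.js" },
    response: { cookies: [], headers: [] } },
  { startedDateTime: "2026-01-10T09:00:07.000Z", // fired after the click used below
    request: { url: "https://analytics.example/collect" },
    response: { cookies: [{ name: "_aid", value: "1" }], headers: [] } },
] } };

// Cookie names set by one response: the parsed cookies array plus raw
// Set-Cookie headers (some exporters join several cookies with newlines).
function cookieNames(response) {
  const names = new Set((response.cookies || []).map((c) => c.name));
  for (const h of response.headers || []) {
    if (h.name.toLowerCase() !== "set-cookie") continue;
    for (const line of h.value.split("\n")) names.add(line.split("=")[0].trim());
  }
  return [...names];
}

// Returns a review list of everything that happened before the consent click.
// consentClickIso = null means "the banner was never clicked": all entries count.
function preConsentFindings(har, siteHost, consentClickIso, exemptCookies = []) {
  const click = consentClickIso ? Date.parse(consentClickIso) : Infinity;
  const findings = [];
  for (const e of har.log.entries) {
    if (Date.parse(e.startedDateTime) >= click) continue; // post-consent traffic
    const host = new URL(e.request.url).hostname;
    const thirdParty = host !== siteHost && !host.endsWith("." + siteHost);
    const cookies = cookieNames(e.response).filter((n) => !exemptCookies.includes(n));
    if (thirdParty || cookies.length > 0) findings.push({ host, thirdParty, cookies });
  }
  return findings;
}

console.log(preConsentFindings(sampleHar, "shop.example", "2026-01-10T09:00:05.000Z", ["session"]));
```

Record the HAR in a fresh browser profile so that cached resources and existing cookies do not hide requests.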
How much does it really cost an SMB?
The CNIL calibrates each fine according to the turnover of the sanctioned company. The €150 million imposed on Google is not an absolute ceiling but an application of the legal cap of 4% of global turnover. For a French SMB, realistic amounts are very different — and remain painful.
- €1M turnover → theoretical cap €40,000 (4% of turnover). Realistic in case of audit with proven breach: €5,000 to €15,000.
- €5M turnover → theoretical cap €200,000. Realistic: €20,000 to €80,000.
- €20M turnover → theoretical cap €800,000. Realistic: €80,000 to €300,000.
On top of the fine come three often-underestimated consequences. Mandatory publication of the sanction on the CNIL's website and in the press, which weighs heavily in B2B. Reputational impact on clients and partners, hard to quantify but real. And forced compliance within 30 days, with a daily penalty that can reach €10,000 per day in case of delay.
CNIL audit: how much notice?
The CNIL can audit you remotely without notice, via its Cookiedex tool which automatically scans French sites. In 2024, 62% of cookie audits were triggered by this automated scan, without prior notice from a user or formal complaint.
How to avoid this: the 2026 CNIL checklist
Eight actionable points to verify on your own site this evening. If you tick all eight, the risk of a fine drops to nearly zero — the CNIL targets blatant breaches first.
- "Refuse all" button at first level, same size, same colour and same visual hierarchy as "Accept all". Not in a menu, not in light grey, not two clicks away.
- No cookie set before the consent click. Verify via Chrome DevTools, Network tab, on a browser with empty cache.
- Purposes grouped by category: audience measurement, advertising, personalisation, social networks. Each category must be refusable independently.
- Proof of consent stored with timestamp, CMP version, and precise choice per purpose. Exportable in case of audit.
- Permanent "Manage cookies" link visible in the footer of every page, which reopens the banner at any time.
- Google Consent Mode v2 enabled if you use Google Ads or Google Analytics 4. See our Google Consent Mode v2 guide for the procedure.
- Consent renewal every 13 months maximum, in line with CNIL recommendations.
- Internal GDPR registry declaration of your CMP, the associated purposes and the sub-processors involved.
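For the proof-of-consent and 13-month renewal items, the following added example (not taken from this article or from a real CMP) checks a stored consent record before it is exported for an audit. The field names `timestamp`, `cmpVersion` and `choices`, the purpose keys and the sample values are hypothetical.

```javascript
// The four purpose categories named in the checklist (keys are hypothetical).
const PURPOSES = ["audience_measurement", "advertising", "personalisation", "social_networks"];
const MAX_AGE_MONTHS = 13; // renewal interval from the checklist

// Date at which consent given at `iso` must be requested again.
// Month arithmetic is clamped so that 31 January + 13 months is the last
// day of February, not a date in early March.
function renewalDue(iso) {
  const given = new Date(iso);
  const due = new Date(given);
  due.setUTCMonth(due.getUTCMonth() + MAX_AGE_MONTHS);
  if (due.getUTCDate() !== given.getUTCDate()) due.setUTCDate(0); // overflowed: step back
  return due;
}

// Returns the list of reasons why a record would not serve as proof.
function checkRecord(record, nowIso) {
  const problems = [];
  const validTime = record.timestamp && !Number.isNaN(Date.parse(record.timestamp));
  if (!validTime) problems.push("missing or invalid timestamp");
  if (!record.cmpVersion) problems.push("missing CMP version");
  for (const p of PURPOSES) {
    // Each purpose needs an explicit true/false; absent means no recorded choice.
    if (typeof (record.choices || {})[p] !== "boolean") problems.push("no explicit choice for " + p);
  }
  if (validTime && new Date(nowIso) >= renewalDue(record.timestamp)) {
    problems.push("older than 13 months: ask again");
  }
  return problems;
}

// Constructed sample record.
const sampleRecord = {
  timestamp: "2025-01-31T10:00:00Z",
  cmpVersion: "2.4.1",
  choices: { audience_measurement: true, advertising: false, personalisation: false, social_networks: false },
};

console.log(renewalDue(sampleRecord.timestamp).toISOString());
console.log(checkRecord(sampleRecord, "2026-03-01T00:00:00Z"));
```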
FAQ
Can the CNIL really audit a site with 1,000 monthly visits? Yes. In 2024, 23% of cookie audits targeted sites with fewer than 5,000 monthly visits. The Cookiedex tool scans without size discrimination, and a single user complaint can trigger an investigation — even for a very small site.
Is my hosting provider responsible? No. Responsibility lies exclusively with the site publisher, that is, you. Even if your Shopify or Wix CMS imposes a native banner, it is your job to make it compliant — or to install a third-party CMP. The host is never co-responsible for the choice of trackers.
How long do I have to comply after an audit? Generally 30 days from notification. In case of non-compliance, the CNIL imposes a daily penalty that can reach €10,000 per day, cumulative until effective compliance is observed by a new audit.