Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
France République française

WEB ANALYTICS · COOKIE COMPLIANCE · WESTERN EUROPE · FR

France — analytics & cookie compliance reference

What you can run on a French-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. Single national DPA · CNIL is the most aggressive EU regulator on cookie banners and GA4.

GDPR ePrivacy Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting France. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National add-ons

Country-specific statutes layered on the EU baseline.

Loi I&L  Stricter
Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés (modifiée)
France's national data-protection statute. It predates GDPR by 40 years and now operates as the GDPR national-implementation vehicle (opening clauses, sectoral derogations, child-consent age, sanctions procedure). Article 8 sets the child consent age at 15 — France used the GDPR Art 8(1) derogation to lower it from the default 16.
  • Art 8 Child consent age — set at 15 (France lowered from GDPR default 16 via opening clause)
  • Art 20 CNIL sanctions powers — formal notice (mise en demeure), fines, processing bans
  • Art 31-36 Sectoral processing — health, biometric, judicial, social-security data
  • Art 82 Cookies and terminal-equipment access — transposition of ePrivacy Art 5(3); requires prior, informed, free, specific consent
Loi n° 78-17 (6 Jan 1978), modified by Loi n° 2018-493 (20 Jun 2018) for GDPR alignment + Ordonnance n° 2018-1125 (12 Dec 2018) recasting
Article 82 LIL  Stricter
Article 82 de la Loi Informatique et Libertés — cookies et accès au terminal
Transposes ePrivacy Art 5(3). CNIL's 2020 cookie guidelines + recommendation are the strictest practical reading in the EU: reject button must be at the same level (same prominence, same number of clicks) as accept; continued browsing is not consent; bundled consent is invalid; refusal must be as easy as acceptance.
  • Art 82(1) Storage / read access on terminal equipment requires prior, informed, granular consent
  • Art 82(2) Strictly-necessary exception — narrowly construed; analytics/marketing/A-B testing never qualify by default. CNIL exempts certain audience-measurement configurations (cookie-less, anonymized, no third-party transfer, no profiling) — see CNIL exemption list.
  • Délib 2020-091 Reject-all button must have equal prominence to accept-all (same level / same number of clicks)
Inserted by Ordonnance n° 2011-1012; latest CNIL guidelines 17 Sep 2020 (délibération n° 2020-091) + recommendation 2020-092
Code conso. L223-1 (Bloctel)
Code de la consommation — Articles L223-1 à L223-7 (opposition au démarchage téléphonique)
Direct-marketing rules layered on top of GDPR/ePrivacy. Bloctel is the national do-not-call register — telemarketers must scrub against it. Email/SMS marketing requires prior opt-in (Art L34-5 of the Code des postes et communications électroniques, CPCE). Telemarketing is now restricted to weekdays 10:00–13:00 and 14:00–20:00 (since 2023).
  • L223-1 Bloctel registration — consumers may register to block cold-call telemarketing
  • L223-2 Telemarketers must consult Bloctel monthly; non-scrubbing = administrative fine up to €375K (legal person)
  • CPCE L34-5 Email/SMS/automated-call marketing — prior express opt-in (soft opt-in only for existing customers + similar products)
Loi n° 2014-344 (17 Mar 2014, Loi Hamon) + Loi n° 2020-901 (24 Jul 2020) tightening telemarketing windows

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
CNIL · Commission nationale de l'informatique et des libertés
Single national DPA — France has no state-level DPAs. Competent for all controllers established in France (private and public sector). Created 1978 by the original Loi I&L; the original European data-protection authority.

Coordination body

EDPB · European Data Protection Board
France is represented at the EDPB by CNIL. CNIL has historically driven EDPB positions on cookies, GA4 transfers, and dark patterns. Domestically, no inter-DPA coordination body is required because CNIL is the sole authority.
  • 2020-09-17 · Cookies — délibération 2020-091 + recommendation 2020-092 — CNIL issues binding guidelines + recommendation: reject must be as easy as accept; continued browsing is not consent; refusal at the same level as acceptance.
  • 2022-02-10 · Google Analytics — CNIL issues first formal notices (mises en demeure) against four French website operators using GA — first major EU DPA to act post-Schrems II. No fines, but operators ordered to bring use into compliance within 1 month.
  • 2024-12-19 · Consent or pay (cookie walls) — CNIL revised practical guidance — paywalled-consent models tolerable only under strict conditions (reasonable price, real-equivalence test, ability to refuse personalization without losing access).

Notable enforcement

France ranks consistently in the top 2 EU member states by GDPR fine volume (alongside Ireland's DPC). CNIL has the highest cookie-banner enforcement output of any EU DPA — over €600M in cumulative cookie-related fines since 2020. CNIL pioneered post-Schrems II enforcement with the Feb 2022 GA4 formal notices, although it has never issued an actual GA4 fine. Distinctively, CNIL uses the formal-notice instrument (mise en demeure) as a graduated step before fines — non-public for companies who comply within the deadline, public for repeat offenders. The Google €150M (Dec 2021) and Facebook €60M (Dec 2021) fines for cookie reject-button asymmetry remain the canonical cookie-consent enforcement actions in the EU.

  1. 2021-12 €150.0M
    Google LLC + Google Ireland · CNIL · Art 82 LIL · stood

    Cookie-banner reject button asymmetry on google.fr and youtube.com — accept took one click, reject took multiple. Split €90M for Google LLC + €60M for Google Ireland (deliberation SAN-2021-023, 31 Dec 2021). Largest cookie-consent fine globally at the time. Combined with Facebook Ireland's €60M (SAN-2021-024) on same day = €210M weekly total.

  2. 2025-09 €150.0M
    SHEIN (Roadget Business) · CNIL · Art 82 LIL · stood

    Cookies deposited on shein.com without consent; reject-all option absent on first layer of the banner; cookies persisting after refusal. Tied with Google 2021 as largest CNIL cookie fine.

  3. 2020-12 €100.0M
    Google LLC + Google Ireland · CNIL · Art 82 LIL · stood

    Cookies deposited on google.fr without prior consent + insufficient information + partially deficient opt-out. Split as €60M for Google LLC + €40M for Google Ireland (deliberation SAN-2020-012). Pre-banner-redesign sweep.

  4. 2021-12 €60.0M
    Facebook Ireland (Meta) · CNIL · Art 82 LIL · stood

    Cookie-banner reject button on facebook.com required several clicks while accept took one — same-day deliberation as Google fines (SAN-2021-024). Established CNIL's equal-prominence doctrine in enforcement.

  5. 2022-12 €60.0M
    Microsoft Ireland · CNIL · Art 82 LIL · stood

    Bing.com lacked an equivalent reject-all option on the cookie banner; advertising cookies set without consent. An advertising anti-fraud cookie was also deposited without basis.

  6. 2019-01 €50.0M
    Google LLC · CNIL · Art 6, 13, 4(11) · stood

    Lack of transparency, inadequate information, invalid consent for ads personalization on Android setup. CNIL deliberation SAN-2019-001 — France's first headline GDPR fine.

  7. 2023-06 €40.0M
    Criteo · CNIL · Art 6, 7, 12, 13, 15, 17 · stood

    Adtech retargeting — invalid consent for profiling, insufficient information, deficient DSAR/erasure pipelines. Originally proposed at €60M; reduced after corrective measures.

  8. 2020-12 €35.0M
    Amazon Europe Core · CNIL · Art 82 LIL · stood

    Cookies deposited on amazon.fr without prior consent + insufficient information about purposes (deliberation SAN-2020-013). Same-day decision as Google SAN-2020-012.

GA4 status

CNIL was the first major EU DPA to act on GA4 — issuing formal notices (mises en demeure) to four French website operators in Feb 2022 for unlawful US transfers under Schrems II. CNIL never issued an actual GA4 fine — only formal notices, several of which were closed after the operator switched away from GA4 or implemented server-side anonymization. After EU-US DPF (10 Jul 2023), the practical posture relaxed: while Google LLC remains DPF-certified, transfers are lawful in principle. GA4 remains usable in France only with prior, explicit, granular consent under Article 82 LIL.

DPA · Stance
CNIL · Pre-DPF (Feb 2022 – Jul 2023): formal notices issued; GA treated as unlawful by default. Post-DPF (since Jul 2023): permissive, transfers lawful with DPF + Article 82 LIL consent. CNIL retains the right to escalate to fines if DPF lapses or consent fails.

Cross-border transfers + Schrems II

France pioneered post-Schrems II enforcement: CNIL's Feb 2022 formal notices against GA users were the first major EU DPA action treating Google Analytics as unlawful under Schrems II logic. Notably, CNIL never issued an actual GA4 fine — only formal notices (mises en demeure). After the EU-US DPF (10 Jul 2023), CNIL accepts adequacy for DPF-certified US importers and the GA4 formal-notice posture is de facto suspended. CNIL retains the strictest practical TIA scrutiny — controllers are still expected to document Schrems II analysis as a defensive measure.

EU 2021/914 SCCs remain the fallback when DPF certification is absent or revoked. CNIL scrutinizes Module 2 (controller-processor) and onward-transfer clauses heavily, particularly for adtech vendors with US infrastructure.

Employee data

Key thresholds

Child consent age: 15 years
Article 27 representative: Required
Marketing consent: Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor · Status · Rationale
 GREEN Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
 GREEN Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config.
 GREEN EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany.
 GREEN German-hosted, cookieless, GDPR-aligned by design.
 GREEN EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
 GREEN Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green.
 YELLOW EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor · Status · Rationale
 YELLOW Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended.
Session replay · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
 RED Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
 RED Session replay + Microsoft tracking. DPIA + explicit consent required.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Common questions

Is Google Analytics legal in France in 2026?
Yes, conditionally. CNIL was the first major EU DPA to issue formal notices (mises en demeure) on GA4 in Feb 2022, treating US transfers as unlawful post-Schrems II. CNIL never issued an actual GA4 fine — only formal notices. After EU-US DPF (10 Jul 2023), CNIL accepts adequacy for DPF-certified US importers; GA4 is now usable in France with prior, explicit, granular consent under Article 82 LIL while Google LLC remains DPF-certified. Without consent, GA4 remains non-compliant.
Is there a CNIL pre-validated cookie banner?
No. CNIL does not 'pré-valider' or certify specific banners. The 'Conformité' label (RGPD certification) does not cover cookie banners. CNIL does publish reference deliberations (2020-091) and a recommendation (2020-092) describing acceptable patterns. The CNIL also exempts certain audience-measurement configurations (cookieless, no profiling, no third-party transfer, anonymized, retention ≤25 months) from consent — see CNIL's published exemption criteria.
Do I need to register telemarketing campaigns with Bloctel?
Yes if you make cold telemarketing calls to French consumers. Code de la consommation L223-2 requires monthly scrubbing of your call list against the Bloctel registry. Failing to scrub = administrative fine up to €375K (legal person). Since 1 Mar 2023, telemarketing is also restricted to weekdays 10:00–13:00 and 14:00–20:00 (excluding bank holidays). Email/SMS marketing is governed separately by CPCE Art L34-5 — prior express opt-in required.
What is the child-consent age in France?
15 years old. France used the GDPR Article 8(1) opening clause to lower the digital-services consent age from 16 to 15. Codified in Article 8 of the Loi I&L. Below 15, parental authorization is required for direct offers of information-society services to a child.
Does my privacy notice need to be in French (Loi Toubon)?
Yes for French-targeted sites. The Loi Toubon (Loi n° 94-665, 4 Aug 1994) requires that information directed at French consumers be available in French — the Court of Cassation has repeatedly applied this to online consumer-facing content. CNIL position aligns: privacy notices, cookie banners, and DSAR procedures must be available in French when targeting French users (.fr domain, EUR pricing, French-language marketing). English-only is insufficient. A multilingual notice with a French version available is acceptable.
What is the difference between a CNIL formal notice and a fine?
A mise en demeure (formal notice) is a graduated CNIL instrument that orders the controller to bring processing into compliance within a deadline (typically 1–3 months). It is not a sanction and not always public. If the controller complies in time, the matter is closed — no fine. If non-compliance persists, CNIL escalates to the sanctions formation, which can issue fines, processing bans, and public naming. The Feb 2022 GA4 formal notices were never escalated to fines.
Do I need a French Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behavior of people in France (or any EEA state), unless the small-business exception in Art 27(2) applies (occasional processing, no large-scale special-category data, low risk). CNIL has not pursued representative non-designation as aggressively as German DPAs but has the power to do so.
Does Schrems II still affect transfers post-DPF?
Yes for non-DPF transfers. The DPF restored adequacy for DPF-certified US importers (renewed by EU General Court Sep 2025, T-553/23). For non-DPF US recipients, Schrems II logic applies — Transfer Impact Assessment + supplementary measures required. CNIL retains the strictest TIA scrutiny among EU DPAs and continues to expect documented Schrems II analysis even with DPF as a defensive measure.
When is a DPO mandatory in France?
France did not lower the DPO threshold below the GDPR baseline. CNIL applies the general GDPR test (Article 37): mandatory when the core activity is large-scale regular and systematic monitoring, large-scale special-category processing, or you are a public authority. Unlike Germany's BDSG ≥20-employees rule, France has no headcount threshold — most French SMBs do not need a DPO unless they fit the GDPR criteria.
What's the consent model for cookies on a French website?
Article 82 LIL + CNIL délibération 2020-091 + recommendation 2020-092. The reject-all button must be at the same level as accept-all (same prominence, same number of clicks). Continued browsing is not consent. Pre-ticked boxes are invalid. Granular per-purpose consent must be available. Refusal must be as easy as acceptance. Strictly-necessary cookies are exempt, narrowly construed — analytics/marketing/AB testing never qualify by default. CNIL's audience-measurement exemption applies only when configuration is anonymized, no profiling, no third-party transfer, retention ≤25 months.

// EDITORIAL · NOT LEGAL ADVICE

This page summarises France's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.