FDPA

Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, Article 82

Flag of FR
FranceOpt-inNational
ePrivacy Directive
Back to Regulations Guide

Key Facts

Effective Date
January 6, 1978
Enacted
January 6, 1978
Enforcing Authority
CNIL (Commission nationale de l'informatique et des libertés)
Consent Model
Opt-in
Applies To
Any entity storing or accessing information on terminal equipment of users in France

Overview

France has the most actively enforced cookie consent regime in Europe. CNIL (Commission nationale de l'informatique et des libertés) issued 259 corrective decisions in 2025 alone, with cookie-specific fines totaling EUR 486.8 million — including EUR 325 million against Google and EUR 150 million against Shein.

What This Means for Your Website

  • Prior, free, and informed consent is required before placing any non-essential cookies on French visitors
  • A "Refuse all" button or "Continue without accepting" must appear on the first layer of your consent banner
  • Cookie walls are prohibited — you cannot gate content behind cookie acceptance
  • Consent must be as easy to refuse as to give — no dark patterns allowed
  • CNIL allows a potential analytics exemption for privacy-friendly configurations (e.g., Matomo with specific settings), though this is narrowly defined
  • CNIL has imposed the largest cookie fines in EU history

Key Requirements

Article 82 of Loi Informatique et Libertés transposes the ePrivacy Directive for France. CNIL enforces with penalties of up to EUR 20 million or 4% of global turnover. The 2025 enforcement record of EUR 486.8 million in cookie fines demonstrates CNIL's willingness to impose significant penalties on major companies. The analytics exemption is available only for privacy-friendly configurations that meet strict criteria.

How ConsentStack Handles This

ConsentStack presents French visitors with a consent banner featuring prominent "Refuse all" and "Accept all" options on the first layer. All non-essential scripts are blocked by default. The platform's approach aligns directly with CNIL's cookie guidelines and enforcement expectations.

Penalties

Up to EUR 20 million or 4% global turnover. Cookie-specific fines in 2025 totaled EUR 486.8 million (EUR 325M Google, EUR 150M Shein).

Maximum Fine
€20,000,000 aggregate
Revenue-based
4% of annual revenue

Key Requirements

  • Prior, free, and informed consent before placing non-essential cookies
  • Refuse all or Continue without accepting required on first layer
  • Cookie walls are prohibited
  • Consent must be as easy to refuse as to give
  • Dark patterns in cookie banners are unlawful
  • Analytics potentially exempt with privacy-friendly configuration

Notable Provisions

  • Most actively enforced cookie regime in Europe
  • EUR 486.8M in cookie fines in 2025 (EUR 325M Google, EUR 150M Shein)
  • 259 corrective decisions in 2025
  • Analytics exemption available for privacy-friendly configurations

Other ePrivacy Directive Related Regulations

SI 336/2011Ireland
Ireland implements the ePrivacy Directive through SI 336/2011. The DPC is the lead supervisory authority for major tech companies headquartered in Ireland including Meta, Google, Apple, and Microsoft. Uniquely, cookie consent is limited to 6 months and must then be refreshed.
TDDDGGermany
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.
Dutch Telecom ActNetherlands
The Netherlands implements the ePrivacy Directive through Article 11.7a of the Telecommunications Act. The AP launched a major enforcement sweep in April 2025, warning 50 organizations for misleading cookie banners or placing tracking cookies without consent. Cookie walls are not permitted.
LSSISpain
Spain implements the ePrivacy Directive through Article 22 of the LSSI. Cookie violations are classified as slight offenses with EUR 30,000 fines per URL, but multiple URLs multiply penalties. AEPD allows consent-exempt analytics under privacy-friendly configurations, similar to CNIL.
Italian Privacy CodeItaly
Italy implements the ePrivacy Directive through Article 122 of the Privacy Code with detailed Garante cookie guidelines effective January 2022. Only technically necessary cookies may load by default. Scrolling is not valid consent, and closing a banner with "X" closes it without granting consent.
Danish Cookie OrderDenmark
Denmark implements the ePrivacy Directive through the Cookie Order (Cookiebekendtgørelsen), administered by the Danish Business Authority. Cookie consent is a declared 2026 enforcement priority for Datatilsynet, which will examine whether Danish websites give users a genuine choice.
LEKSweden
Sweden implements the ePrivacy Directive through Chapter 9 Section 28 of LEK. In April 2025, IMY issued a landmark reprimand against Aller Media for dark patterns in cookie banners. Less than 25% of Swedish users accept cookies, reflecting strong privacy awareness.
Norwegian E-Com ActNorway
Norway's January 2025 amendment to Ekomloven marked a major shift from tolerating passive consent to strict opt-in. Pre-ticked boxes and browser settings are now explicitly invalid. Accept and reject options must have equal prominence. Datatilsynet sanctioned 6 websites for tracking pixel violations.
Portuguese ePrivacy LawPortugal
Portugal implements the ePrivacy Directive through Law 41/2004, with a distinctive tiered penalty structure distinguishing between large companies, SMEs, and natural persons. The CNPD issued 90 fines totaling EUR 559,950 in 2023, demonstrating active enforcement.
Belgian E-Communications ActBelgium
Belgium enforces strict cookie consent with one of the EU's most active DPAs. Cookie walls are prohibited, and a Reject all button must appear on the first layer with equal prominence to Accept all. Dark patterns in cookie banners are actively enforced against.
Polish Telecommunications LawPoland
Poland implements the ePrivacy Directive through Articles 173-174 of the Telecommunications Law. While Article 173(2) technically permits consent via browser settings, PUODO recommends active consent. Since 2019, Article 174 requires cookie consent to meet full GDPR standards.
Czech ECACzech Republic
The Czech Republic shifted from implied consent via browser settings to full opt-in consent on January 1, 2022. Section 89(3) now requires GDPR-compliant prior consent before storing cookies. The UOOU began imposing fines on non-compliant websites in 2023.

Other Europe Regulations

GDPREuropean Union + EEA
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
ePrivacy DirectiveEuropean Union + EEA
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
PECRUnited Kingdom
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
UK GDPRUnited Kingdom
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.
TDDDGGermany
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.
SI 336/2011Ireland
Ireland implements the ePrivacy Directive through SI 336/2011. The DPC is the lead supervisory authority for major tech companies headquartered in Ireland including Meta, Google, Apple, and Microsoft. Uniquely, cookie consent is limited to 6 months and must then be refreshed.

Frequently Asked Questions

What are CNIL's cookie requirements?

CNIL requires prior opt-in consent with a Refuse all or Continue without accepting option on the first layer. Cookie walls and dark patterns are prohibited. ConsentStack meets all CNIL requirements.

How much are CNIL cookie fines?

CNIL imposed EUR 486.8 million in cookie-specific fines in 2025, including EUR 325 million against Google and EUR 150 million against Shein. Penalties can reach EUR 20 million or 4% of global turnover.

Does CNIL exempt analytics cookies?

CNIL allows a narrow exemption for privacy-friendly analytics configurations, such as Matomo with specific privacy settings. Standard analytics tools like Google Analytics are not exempt.

Does French cookie law apply to non-French websites?

Yes. If your website is accessible to French visitors and places cookies on their devices, you must comply with French cookie requirements. ConsentStack detects French visitors automatically.

Stay compliant with FDPA

ConsentStack helps you implement Opt-in consent for France automatically.

Get started free