The French data protection authority, the CNIL, has significantly ramped up its use of the simplified sanctioning procedure in 2026. Since the beginning of the year, it has issued 23 new sanctions for a total of €133,750 in fines. Nineteen of these decisions originated from complaints filed by individuals. The cases primarily concern video surveillance that infringes on employees’ privacy, non-compliant cookie banners, and failures to respect individuals’ rights of access and erasure, often combined with a lack of cooperation with the CNIL itself.
This enforcement wave sends a clear message to organizations operating in France: even seemingly routine data processing activities are under close scrutiny, and basic compliance failures can lead to swift financial penalties.
What Is the CNIL’s Simplified Sanction Procedure?
Introduced in 2022, the simplified procedure allows the CNIL to handle cases that do not present particular legal complexity more efficiently. Unlike the ordinary procedure, which involves the full restricted committee (formation restreinte), the president of the CNIL or another designated member can decide on the sanction alone.
Key features of the simplified procedure include:
- A maximum fine of €20,000 per decision.
- No public disclosure of the sanctioned organization’s name.
- Faster resolution, enabling the CNIL to act more quickly to protect individuals’ rights.
All fines issued by the CNIL — whether through the simplified or ordinary procedure and whether targeting private or public sector organizations — are collected by the French Treasury and paid into the state budget.
The simplified procedure is particularly well-suited to recurring, well-established types of violations where the facts are clear and the legal principles are settled. This explains why so many of the 2026 decisions involve cookie banners and employee video surveillance — areas where the CNIL has already issued extensive guidance and previous enforcement decisions.
Video Surveillance of Employees: A Recurring Privacy Violation
Several companies in the fast-food, urban transport, and railway station retail sectors were sanctioned for operating video surveillance systems without the required prefectural authorization or for filming employees on a permanent basis without justification.
Under French law and the GDPR, video surveillance in the workplace must respect employees’ right to privacy. Cameras may only be installed for legitimate purposes (such as security) and must be proportionate. Permanent filming of employees is generally prohibited unless exceptional circumstances justify it.
The CNIL has long stressed that even in areas open to the public, cameras must not continuously record staff in a way that allows constant monitoring of their activities. In these recent cases, organizations failed to obtain the necessary administrative authorization (under Article 5.1.a GDPR) or violated the data minimisation principle (Article 5.1.c GDPR) by collecting more data than necessary.
These sanctions serve as a reminder that video surveillance remains one of the highest-risk processing activities in the employment context. Organizations must be able to demonstrate both the legal basis for installation and that the system is configured to minimize intrusion into employees’ private lives.
Cookie Banner Failures: Still Getting the Basics Wrong
A significant portion of the 2026 simplified sanctions concerned non-compliant cookie consent mechanisms on websites, particularly those of online ticket sellers and telemarketing companies.
The CNIL identified several common violations of Article 82 of the French Data Protection Act (Loi Informatique et Libertés):
- Incomplete information about the purposes of cookies and the identity of the entities placing them.
- Cookies requiring consent (such as advertising cookies) being placed before the user had given any consent.
- Imbalanced consent interfaces that made it easy to accept all cookies with one click but required multiple additional clicks to refuse them.
The CNIL has repeatedly clarified that if a website offers a simple way to accept all cookies, it must offer an equally simple way to refuse them. A “Personalize” button followed by a more complex interface does not meet the requirements of valid consent under French and European law.
These cases show that, despite years of guidance and multiple enforcement actions, many organizations still treat cookie compliance as a secondary concern rather than a core legal obligation. The simplified procedure has allowed the CNIL to address these issues at scale without tying up significant resources in full proceedings.
Failure to Respect Individual Rights and Lack of Cooperation
Eight of the 23 sanctions involved failures to respond properly to individuals’ requests for access or erasure of their personal data. In four of these cases, the organizations also failed to cooperate with the CNIL during the investigation of the complaints.
Under the GDPR (Articles 12, 15, and 17), organizations must respond to access and erasure requests within one month (extendable by two months in complex cases) and provide clear information about how individuals can exercise their rights.
Several sanctioned organizations either failed to respond at all or took far too long. In some instances involving lawyers and doctors, the organizations ignored the CNIL’s own requests for information during complaint handling. This led to formal injunctions requiring them to respond to the complainants, followed by daily penalty payments (astreintes) when they failed to comply within the deadline.
Article 18 of the French Data Protection Act makes cooperation with the CNIL a legal obligation. Ignoring CNIL inquiries or failing to implement required corrective measures can quickly escalate a complaint into a sanction with additional financial consequences through astreintes.
Broader Implications for Organizations Operating in France
The CNIL’s increased use of the simplified procedure reflects a strategic choice to handle high-volume, lower-complexity violations efficiently. This approach allows the authority to maintain pressure on organizations across multiple sectors without the resource intensity of full ordinary procedures.
Several important takeaways emerge for compliance teams:
1. Basic GDPR and French law obligations remain heavily enforced. Issues such as cookie consent, video surveillance in the workplace, and timely responses to data subject requests are not new, yet organizations continue to fall short. These are areas where the CNIL has published extensive guidance, making non-compliance particularly difficult to defend.
2. Cooperation with the authority matters. Failing to respond to CNIL inquiries or to implement injunctions can transform a relatively minor issue into significantly higher costs through astreintes and additional fines.
3. The simplified procedure lowers the threshold for enforcement. With a maximum fine of €20,000 and no naming of the organization, the CNIL can act quickly and frequently. Organizations should not assume that only large-scale or high-profile violations will attract attention.
4. Employee monitoring and video surveillance require careful design. Any system that records staff must be justified, proportionate, and (where required) authorized. Permanent filming without exceptional justification is a clear red flag.
5. Cookie compliance is still a weak point for many websites. The requirement for balanced, equally easy acceptance and refusal mechanisms has been consistently enforced. Organizations that continue to use dark patterns or incomplete banners face ongoing risk.
Practical Recommendations
Organizations should take the following steps to reduce exposure:
- Conduct an audit of all video surveillance systems, particularly those in workplaces, and verify both legal authorization and technical configuration.
- Review all website cookie banners and consent mechanisms against current CNIL expectations and Article 82 requirements. Ensure refusal is as easy as acceptance.
- Establish clear internal processes and timelines for handling data subject rights requests, with escalation procedures if deadlines are at risk.
- Train staff who interact with the CNIL on the obligation to cooperate fully and promptly.
- Document all decisions and measures taken in response to complaints or CNIL inquiries.
Proactive compliance in these areas not only reduces the risk of sanctions but also strengthens trust with customers, employees, and regulators.
CNIL Sanctions
The CNIL’s 23 simplified sanctions since January 2026 demonstrate that the authority remains highly active in enforcing core data protection rules. While the individual fines are relatively modest compared with some of the CNIL’s larger ordinary procedure decisions, the cumulative effect and the speed of the simplified process send a strong deterrent signal.
Organizations that treat privacy compliance as an ongoing operational discipline — rather than a one-time project — will be best positioned to avoid these types of enforcement actions. The recurring themes in the 2026 decisions (video surveillance, cookies, and rights handling) are areas where clear guidance already exists. The challenge for many organizations is consistent implementation across all touchpoints.
At Captain Compliance, we help organizations translate regulatory expectations into practical, auditable processes. If your team needs support reviewing video surveillance systems, cookie consent mechanisms, or data subject rights procedures in light of the CNIL’s recent enforcement activity, we are available to assist.
Staying ahead of these issues is not only about avoiding fines — it is about building responsible data practices that protect individuals and support sustainable business operations in France and across Europe.