
France's CNIL Booked a Record €487M in 2025 — But Two Cookie Cases Drove 98% of It

The headline enforcement total masks a narrower reality: 81 of 83 sanctions added under €12M combined. The 2026 pivot to data security is the right correction.

[Infographic: "CNIL 2025: Where the Record €487M Came From" (People of Internet Research, France). Four panels: €487M total CNIL fines in 2025 across 83 sanction decisions; €475M from the Google and Shein cookie fines, two September 2025 decisions; 20,150 complaints filed in 2025, up 10% year-on-year, and 6,167 data-breach notifications; 50% of CNIL's 2026 controls and enforcement aimed at data security. Source: peopleofinternet.com]


The Number That Made Headlines

On May 19, 2026, France's Commission nationale de l'informatique et des libertés (CNIL) published its 2025 Annual Report, and the lead figure was hard to miss: 83 sanctions totaling €486.8 million — by some distance, the regulator's biggest enforcement year ever. The press release pairs that headline with 20,150 complaints (up 10% year-on-year), 6,167 data-breach notifications (up 9.5%), and 323 investigations. The CNIL also announced that half of its 2026 controls and enforcement actions will target data-security failures, with secondary themes covering recruitment, the single electoral register, and sports federations.

Read past the press release, though, and the €487M number deserves a second look.

Two Decisions, €475 Million

The CNIL's own sanctions overview discloses the breakdown: 21 of 2025's sanctions concerned cookies and trackers, and two of those — both finalized in early September 2025 — alone account for €475 million of the year's total.

On September 1, the restricted committee fined Shein €150 million for placing advertising cookies on visitors' devices before any consent interaction, for cookie banners that omitted the purposes of the cookies and the third parties receiving them, and for continuing to write and read cookies after users clicked "Refuse all." Two days later, the same body fined Google €325 million (split €200M against Google LLC and €125M against Google Ireland Ltd) for displaying advertisements formatted like emails inside Gmail inboxes without users' consent and for setting advertising cookies during Google-account creation.
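The two defects CNIL sanctioned (non-essential cookies set before any interaction, and cookies still written after "Refuse all") are mechanically checkable, and a site operator should check for them before a regulator does. The following is an added example, not code from the article, from CNIL or from either defendant: it takes three cookie-jar snapshots from a consent flow (before the user touches the banner, immediately after "Refuse all", and after a subsequent page load) and classifies every non-essential cookie against those rules. The snapshot capture itself (for instance `context.cookies()` in Playwright) is assumed to happen elsewhere; the host name, the allowlist of strictly-necessary cookies and the `SAMPLE` snapshots are all constructed for the example.

```javascript
// Added example: audits cookie snapshots from a consent flow against the two
// failure modes described in the text. Not code from the article or from CNIL.

const SITE_HOST = "www.shop.example"; // hypothetical first-party host

// Hypothetical allowlist of cookies the operator documents as strictly
// necessary (exempt from consent); everything else needs consent first.
const ESSENTIAL = new Set(["sessionid", "csrftoken", "cookie_consent"]);

// Identity of a cookie is name + domain + path, as browsers treat it.
function cookieKey(c) {
  return `${c.name}@${c.domain}${c.path}`;
}

// First-party when the cookie domain is the site host or a parent of it.
function isFirstParty(cookie, host = SITE_HOST) {
  const d = cookie.domain.replace(/^\./, "");
  return host === d || host.endsWith("." + d);
}

function toMap(list) {
  return new Map(list.map((c) => [cookieKey(c), c]));
}

// snapshots = { beforeInteraction, afterRefuseAll, afterReload }, each an array
// of { name, domain, path, value } as returned by a browser automation tool.
function auditConsentFlow(snapshots, essential = ESSENTIAL, host = SITE_HOST) {
  const before = toMap(snapshots.beforeInteraction);
  const refused = toMap(snapshots.afterRefuseAll);
  const reload = toMap(snapshots.afterReload);
  const findings = [];
  const report = (rule, c) =>
    findings.push({ rule, name: c.name, domain: c.domain, thirdParty: !isFirstParty(c, host) });

  // Rule 1: a non-essential cookie present before the user touched the banner
  // was set without consent (the Shein "before any interaction" finding).
  for (const c of before.values()) {
    if (!essential.has(c.name)) report("set-before-consent", c);
  }
  // Rule 2: a non-essential cookie that survives "Refuse all" means the
  // refusal was recorded but not acted on.
  for (const [k, c] of refused) {
    if (!essential.has(c.name) && before.has(k)) report("not-cleared-on-refusal", c);
  }
  // Rule 3: a non-essential cookie that first appears after the refusal,
  // immediately or on the next page load, was written despite it.
  const seenAfter = new Set();
  for (const [k, c] of [...refused, ...reload]) {
    if (essential.has(c.name) || before.has(k) || seenAfter.has(k)) continue;
    seenAfter.add(k);
    report("written-after-refusal", c);
  }
  return findings;
}

function summarize(findings) {
  const byRule = {};
  for (const f of findings) byRule[f.rule] = (byRule[f.rule] || 0) + 1;
  return {
    total: findings.length,
    thirdParty: findings.filter((f) => f.thirdParty).length,
    byRule,
  };
}

// Constructed sample snapshots (not captured from any real site).
const SAMPLE = {
  beforeInteraction: [
    { name: "sessionid", domain: "www.shop.example", path: "/", value: "s1" },
    { name: "_ga", domain: ".shop.example", path: "/", value: "GA1.2.1" }, // analytics, pre-consent
  ],
  afterRefuseAll: [
    { name: "sessionid", domain: "www.shop.example", path: "/", value: "s1" },
    { name: "cookie_consent", domain: "www.shop.example", path: "/", value: "refused" },
    { name: "_ga", domain: ".shop.example", path: "/", value: "GA1.2.1" }, // not cleared
    { name: "ads_id", domain: ".ads.example.net", path: "/", value: "a9" }, // written on refusal
  ],
  afterReload: [
    { name: "sessionid", domain: "www.shop.example", path: "/", value: "s1" },
    { name: "cookie_consent", domain: "www.shop.example", path: "/", value: "refused" },
    { name: "_ga", domain: ".shop.example", path: "/", value: "GA1.2.1" },
    { name: "ads_id", domain: ".ads.example.net", path: "/", value: "a9" },
    { name: "retarget", domain: ".tracker.example.org", path: "/", value: "r1" }, // written after reload
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditConsentFlow(SAMPLE);
  console.table(findings);
  console.log(summarize(findings));
}
```

The audit deliberately keys on the allowlist rather than on cookie names it recognises: a tracker renamed to look innocuous still has to be justified as strictly necessary, and a jar snapshot cannot see reads, so a cookie that survives refusal is reported even when nothing new is written.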

Subtract those two and the remaining 81 sanctions of 2025, including 14 for inadequate data security, 16 for unlawful workplace video surveillance, and 14 for failures to honor erasure requests, sum to roughly €12 million. Median enforcement, in other words, is producing five- and low-six-figure fines on individual organizations. The "record €487M" is real, but it consists mostly of two Big-Tech-grade penalties on global platforms, a California-headquartered one and a Singapore-headquartered one, not a generalized escalation against French firms.

Steelmanning the Cookie Fines

The strongest case for those two fines is straightforward. Shein averaged roughly 12 million monthly French visitors, and Gmail is among the most widely used inboxes in France. When a "Reject all" button does not actually reject, consent has been engineered to fail: that is not technical noise but a deliberate workaround of the choice users were promised. Article 82 of France's Loi Informatique et Libertés (which transposes the ePrivacy Directive, not the GDPR proper) does not require proof of intent; a cookie is either set with valid consent or it is not. The European Data Protection Board has recorded similar reasoning from other member-state regulators. If the deterrent effect of a fine scales with the offender's revenue, headline-grabbing numbers are exactly what the law contemplates.

That said, the gap between cookie-consent enforcement and the rest of the regulator's caseload is worth naming. The marginal harm of a third-party advertising cookie placed during onboarding is bounded: clearing browser storage removes the identifier from the device, although it does not retract whatever the ad network already received. That is not obviously of the same kind as a successful intrusion exfiltrating millions of identity records, the failure mode behind roughly half of the 6,167 notifications CNIL processed last year. Yet the cookie file delivered 98% of the year's fine total.

The 2026 Pivot Is the Right Correction

Against that backdrop, CNIL's announced 2026 reallocation is encouraging. The regulator says hacking accounted for roughly one in two reported breaches in 2025, and cybersecurity failures already drove about 30% of sanctions. The decision to direct half of 2026 controls toward data security is a redirection toward the harms that most plausibly affect end users — credential theft, ransomware exfiltration, undeleted records sitting on misconfigured object stores. Recent guidance, summarized by Norton Rose Fulbright's Data Protection Report, already requires multi-factor authentication for personnel accessing large customer databases, with inspections set to begin this year.

That shift is good news for proportionality. Mandatory MFA on remote database access is a concrete, well-understood engineering ask, and its absence is a recurring factor in the credential-theft breaches the regulator keeps receiving; it is the inverse of an interface-design dispute about whether a "Reject all" button is one click or two. If a regulator must choose where to spend a finite number of inspectors, verifying the controls that stop the breach beats verifying the layout that frames the consent, and CNIL appears to have made that choice.

What to Watch

Three questions follow from the report. First, whether the planned electoral-register and sports-federation themes deliver actionable findings or recapitulate generic complaints. Second, whether the next cohort of cookie fines tapers off as the rules harden into industry practice — privacy enforcement should aim to extinguish, not annuitize, recurring violations. Third, whether French enforcement remains compatible with EU-level coordination as the Digital Services Act, AI Act, and GDPR overlap on the same defendants; CNIL is now also a market-surveillance authority for high-risk AI under the AI Act, and that workload will compete for the same investigators it just promised to data security.

A €487 million headline buys attention. The 2026 priorities should be judged by whether they reduce breach severity in France, not by whether next year's total is higher.

Sources & Citations

  1. CNIL — 2025 Annual Report
  2. CNIL — Sanctions and corrective measures, 2025
  3. EDPB — Shein fined €150M by CNIL
  4. Digital Watch Observatory — CNIL record complaints
  5. PL&B News — CNIL fines Google and Shein
  6. Data Protection Report — CNIL toughens cybersecurity stance