The GDPR (General Data Protection Regulation) and CNIL (Commission Nationale de l'Informatique et des Libertés) guidelines impose strict obligations on e-commerce operators in France. The CNIL is the French data protection authority, particularly active in GDPR enforcement with over 400 inspections annually and a track record of significant fines. Non-compliance can result in penalties of up to €20 million or 4% of global annual turnover, whichever is higher, making compliance essential for any business targeting French consumers.
Cookie and tracker management
The CNIL requires explicit, free and informed consent before placing non-essential cookies, in accordance with its 2020 guidelines. A compliant consent banner must allow users to accept, refuse or customize cookies with equal ease – the "Reject All" button must be as prominent as "Accept All." Analytics cookies (Google Analytics, Facebook Pixel) and advertising cookies require prior consent before activation. The CNIL has imposed significant fines for non-compliance: €150 million on Google and €60 million on Facebook in 2022 for making cookie refusal more difficult than acceptance. Privacy-respecting alternatives like Matomo (configured in exempted mode) or Plausible Analytics can be used without consent if they meet the CNIL's specific conditions for audience measurement exemption.
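The consent gating described above, as an added example written for this page rather than code from the CNIL, Zunapro or any tracker vendor: the cookie name `cnil_consent`, the two category names and the 180-day re-prompt are assumptions, and the vendor scripts are injected only after a recorded opt-in.

```javascript
// Consent gate for non-essential trackers. Assumptions (not from the page):
// the choice lives in a first-party cookie named "cnil_consent" and is
// re-asked after 180 days, in line with the CNIL's recommended 6-month limit.
const CONSENT_COOKIE = "cnil_consent";
const CONSENT_MAX_AGE_DAYS = 180;

// Categories offered by the banner. Essential cookies never need consent;
// every category listed here stays off until the user explicitly opts in.
const CATEGORIES = ["analytics", "advertising"];

// Read the stored choice from a document.cookie-style string. A missing,
// malformed or expired record means "no consent", never acceptance.
function parseConsent(cookieString, now = Date.now()) {
  const none = { analytics: false, advertising: false, decided: false };
  const entry = cookieString.split(/;\s*/).find(c => c.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return none;
  try {
    const rec = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    if (typeof rec.ts !== "number") return none;
    if ((now - rec.ts) / 86400000 > CONSENT_MAX_AGE_DAYS) return none;
    return { analytics: rec.analytics === true, advertising: rec.advertising === true, decided: true };
  } catch {
    return none;
  }
}

// Build the cookie value for a choice. "Reject all" and "Accept all" both go
// through this single call: refusing takes no more clicks than accepting.
function serializeConsent(choice, now = Date.now()) {
  const rec = { ts: now, analytics: choice.analytics === true, advertising: choice.advertising === true };
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(rec))}` +
    `; Max-Age=${CONSENT_MAX_AGE_DAYS * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Activate only the categories the user agreed to. `loaders` maps a category
// to the function that injects that vendor's script (e.g. the analytics tag).
// The returned list records what actually ran, which is useful for audits.
function activateTrackers(consent, loaders) {
  const loaded = [];
  for (const cat of CATEGORIES) {
    if (consent[cat] === true && typeof loaders[cat] === "function") {
      loaders[cat]();
      loaded.push(cat);
    }
  }
  return loaded;
}
```

On page load a missing record parses as all-false, so no tracker script is injected until the banner stores an explicit decision; run the same gate again whenever the user changes their choice.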
Privacy policy and legal notices
Your e-commerce site must display a clear and comprehensive privacy policy mentioning: the identity of the data controller, categories of data collected (name, email, address, purchase history, browsing data), processing purposes, legal basis (consent, contract performance, legitimate interest), data recipients (processors, partners), retention periods (maximum 3 years after last contact for prospects, contract duration plus 5 years for customers), transfers outside the EU if applicable, and individual rights. Mandatory legal notices under the LCEN (Loi pour la Confiance dans l'Économie Numérique) must also appear on the site: company name, SIRET number, registered address, publication director and hosting provider details.
Customer rights and request management
Customers have extensive rights under the GDPR: right of access (obtain a copy of their data), right to rectification, right to erasure ("right to be forgotten"), right to data portability (receive data in a structured format), right to object (particularly to profiling and commercial prospecting), and right to restriction of processing. You must be able to respond to these requests within one month, extendable by two months for complex requests. A DPO (Data Protection Officer) is mandatory for businesses whose core activity involves regular and systematic monitoring of individuals on a large scale, which includes many e-commerce operations with behavioral tracking and personalization.
Data security and technical compliance
SSL/TLS encryption is mandatory for all pages of your site, not just payment pages. Payment data must comply with PCI-DSS standards – never store complete card numbers on your servers, use tokenization instead. Passwords must be hashed with robust algorithms (bcrypt, Argon2) and access limited to strict necessity following the principle of least privilege. Maintain a processing register compliant with Article 30 of the GDPR and conduct Data Protection Impact Assessments (DPIA) for high-risk processing activities. In case of a data breach, notification to the CNIL must occur within 72 hours, and affected individuals must be informed if the breach poses a high risk to their rights. Zunapro ensures complete GDPR compliance for your e-commerce platform in France, including initial audit, technical compliance implementation and ongoing monitoring.