France Marketplace IntegrationFrance E-Commerce PackagesFrance Corporate WebsiteFrance Custom SoftwareFrance Company FormationFrance Fulfillment CenterFrance Product StorageFrance Mobile App Development
Login
France · E-Commerce

Complete 2026 RGPD e-commerce guide France: CNIL DPA, cookie consent banner, privacy policy, DPO, data subject rights, breach 72h notification, cross-border transfer.

FR · Complete RGPD & CNIL Compliance Guide — 2026 Edition

RGPD for E-Commerce in France 2026: CNIL Compliance, Cookie Consent & Data Protection Obligations

France is one of the strictest enforcement jurisdictions in the European Union when it comes to personal data. The CNIL (Commission Nationale de l’Informatique et des Libertes) closed 2026 with more than 16,000 complaints received from data subjects and over EUR 87 million in fines issued under RGPD and Article 82 of Loi Informatique et Libertes. For an online merchant, 2026 is not the year to gamble on compliance: cookie banners must offer Accept-all and Reject-all on the same layer, a 72-hour breach notification clock starts ticking the moment a SOC engineer raises an alert, and cross-border data transfers to the United States, the United Kingdom or non-adequate countries require SCCs plus a documented Transfer Impact Assessment. This guide walks through every RGPD obligation an e-commerce shop selling to French customers must implement — cookie consent, privacy policy, Article 30 register, DPO, data subject rights, breach playbook, cookieless analytics and CRM retention — with concrete references to CNIL deliberations, Cookiebot, OneTrust and the EU-US Data Privacy Framework.

+ 10 RGPD pillars covered + 2026 CNIL guidance + Cookiebot & OneTrust ready + 72h breach playbook
zunapro.com/panel/france/rgpd
RGPD Hub Compliant
CNIL Score 9.6 / 10
Consents
12,847
up 6%
DSARs
37
avg 4 days
Trackers
0 leak
audited
Consent Rate · Last 7 Days 68.4%up 5%
MonTueWedThuFriSatTdy
Data Subject Requests Live
#DSAR-2841 Access request · J. Martin Day 5/30
#DSAR-2840 Erasure · L. Dupont In Review
#DSAR-2839 Portability · M. Petit Delivered
RGPD Sync Active · CNIL register up to date · SCC validated
EUR 87M+
CNIL Fines Issued in 2026
16,000+
Complaints Received in 2026
72h
Breach Notification Deadline
4% / EUR 20M
Maximum RGPD Fine

RGPD France Snapshot 2026 — Quick Read

The RGPD (Reglement General sur la Protection des Donnees, the French name of the EU GDPR) is enforced in France by the CNIL, the country’s independent supervisory authority since 1978. Online merchants selling to French residents must operate a compliant cookie banner under Article 82 of Loi Informatique et Libertes, publish a privacy policy, maintain an Article 30 register of processing activities, appoint a DPO where required, honour the eight data subject rights, document Standard Contractual Clauses for any non-EU data transfer, and notify the CNIL within 72 hours of any personal data breach. CNIL increasingly recommends cookieless analytics and tight CRM retention. Maximum sanctions reach EUR 20 million or 4% of global turnover.

1. RGPD Overview — What French E-Commerce Operators Must Know

The Reglement General sur la Protection des Donnees, better known internationally as the EU GDPR, is Regulation (EU) 2016/679 of the European Parliament and Council. It became directly applicable across all 27 Member States on 25 May 2018 and is, in 2026, the single most important piece of regulation any e-commerce operator selling into France must master. The French acronym RGPD is used throughout administrative, judicial and commercial practice, including in CNIL deliberations, sectorial codes of conduct and Cour de cassation case law.

What makes France particularly demanding compared with other Member States is the combination of three legal layers. First, the RGPD itself sets the substantive rules: lawful basis, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, plus the over-arching principle of accountability. Second, Loi Informatique et Libertes (Law n. 78-17 of 6 January 1978, substantially amended in 2018 by Loi n. 2018-493 and again in 2019 by ordonnance n. 2018-1125) adapts the RGPD to French specifics — including age of digital consent (15), additional formalities for health data and judicial data, and the famous Article 82 governing cookies and trackers. Third, CNIL deliberations, recommendations, referentiels and Sandbox outputs add a thick layer of operational guidance that French courts treat as quasi-binding.

Why E-Commerce Is on CNIL’s Radar

Online merchants combine almost every category of processing the CNIL scrutinises: large-scale processing of identification and contact data, payment data, behavioural profiling for personalisation, cross-border transfers to US-based ad-tech vendors, and lengthy CRM retention for re-engagement campaigns. The CNIL’s 2024-2027 strategic plan explicitly names e-commerce, mobile applications and digital advertising as priority enforcement sectors. In 2026 alone, the CNIL closed multiple high-profile cases against retailers for non-compliant cookie banners (graphical bias toward Accept), excessive CRM retention (more than 3 years of inactive prospects) and missing or out-of-date Article 30 registers.

For a typical SME shop with a few thousand orders per month, the compliance burden is real but absolutely tractable: a few weeks of focused work, supported by a CMP (Cookiebot or OneTrust), a register template, and a clear escalation runbook. Larger operators with hundreds of thousands of records, server-side ad-tech and international warehouses need a structured RGPD programme and almost always a full-time DPO.

Lawful Bases You Will Actually Use

  • Contract performance (Article 6.1.b) — the dominant basis for processing orders, deliveries, returns, invoices and after-sales support. No consent needed; the data is necessary to perform the contract.
  • Legal obligation (Article 6.1.c) — covers accounting retention (10 years under Code de commerce), invoicing requirements, tax records and anti-money-laundering checks.
  • Legitimate interests (Article 6.1.f) — fraud prevention, IT and network security, basic web analytics in some configurations, B2B prospection to professionals. Requires a documented balancing test (LIA — Legitimate Interest Assessment).
  • Consent (Article 6.1.a) — required for marketing cookies, behavioural advertising trackers, B2C email/SMS prospection to non-customers, push notifications, and any optional personalisation feature.

Core Principles E-Commerce Operators Misjudge

The CNIL’s control reports keep pointing to the same mistakes year after year: registration forms with too many mandatory fields (data minimisation failure), customer accounts kept active forever (storage limitation failure), unstructured Slack and Notion exports that leak personal data (integrity and confidentiality failure), and dashboards or reports that include unnecessary identifiers (purpose limitation failure). Each of these patterns is fixable at the platform-design stage — which is exactly what RGPD Article 25 (privacy by design and by default) requires.

Ready to launch a RGPD-ready French shop?

Zunapro’s France hub ships with a CNIL-aligned cookie banner, Article 30 register template, DSAR workflow and consent vault — everything an e-commerce DPO needs to start compliant.

Launch My French Shop →

2. The CNIL — France’s Data Protection Authority

What the CNIL Actually Is

The Commission Nationale de l’Informatique et des Libertes was created by the Loi Informatique et Libertes of 6 January 1978, long before the European Union existed in its current form. It was France’s answer to the SAFARI scandal — a 1974 attempt to interlink every French citizen’s administrative files under a unique national identifier — and is one of the oldest independent data protection authorities in the world.

The CNIL is an independent administrative authority (autorite administrative independante, AAI), meaning it is funded by the State but exercises its powers free of governmental hierarchy. In 2026 it employs roughly 290 staff, including a strong technology team (CNIL LINC laboratory), a sectorial inspection corps, lawyers, and the Comite (formation restreinte) that issues sanctions.

Powers the CNIL Can Use Against an Online Shop

  • On-site, online and documentary inspections — a CNIL agent can visit your warehouse, request server logs and inspect your CMS configuration. Online inspections (audit a distance) have grown sharply since 2022 and target cookie banners and ad-tech tags.
  • Formal notices (mises en demeure) — an administrative order to comply within a stated deadline. Many notices are now public, which creates significant reputational pressure.
  • Administrative fines — up to EUR 20 million or 4% of global annual turnover under RGPD Article 83, whichever is higher, for the most serious infringements; up to 2% of turnover for cookie violations under the simplified procedure introduced in 2022.
  • Injunctions under daily penalty payments (astreintes) — the CNIL can order specific corrective actions and add a daily penalty for non-compliance (e.g. EUR 5,000 per day).
  • Naming and shaming — decisions are increasingly published in full on cnil.fr with the merchant’s name; press coverage is systematic.

How CNIL Enforcement Has Evolved

The CNIL’s 2024-2027 strategic plan announced a clear shift toward more, faster, more focused enforcement. The simplified sanction procedure introduced by the Decree of 24 March 2022 allows a single restricted committee member to issue fines up to EUR 20,000 against SMEs for clear-cut violations — particularly cookie consent failures. By 2026 this stream alone closed several hundred enforcement actions per year against small merchants.

i
Official CNIL resources: the CNIL publishes deliberations, recommendations and sectorial referentiels at www.cnil.fr. Every e-commerce DPO should subscribe to the CNIL newsletter and watch the Sanctions section, the Cookies and Other Trackers guidelines, and the Commercial Prospection referentiel.

The DPO and the CNIL: Designation Process

If you appoint a Data Protection Officer, you must designate them officially via the dedicated CNIL portal. The designation includes the DPO’s contact details, which then become publicly searchable. The CNIL treats the DPO as its primary point of contact during inspections: missing, fictitious or inactive DPOs are a recurring aggravating factor in sanction decisions.

Centralise CNIL compliance in one panel

Zunapro keeps your French shop’s Article 30 register, DSAR workflow, breach log and CNIL designation details synchronised — ready for inspection in minutes, not weeks.

Open My CNIL Hub →

The Legal Foundation: Article 82 of Loi Informatique et Libertes

Cookies and other trackers in France are governed by Article 82 of Loi Informatique et Libertes, transposing Article 5(3) of the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC). The rule is simple: any storage of or access to information on a user’s terminal that is not strictly necessary to deliver an online communication service expressly requested by the user requires prior consent.

The CNIL clarified the operational rules in Deliberation n. 2020-091 (recommendation of 17 September 2020) and accompanying guidelines, complemented by enforcement practice through 2026. The core requirements are summarised below.

  • Block all non-essential cookies before consent. No analytics, no advertising tag, no Hotjar/Clarity, no Facebook Pixel may fire before the user clicks Accept (or makes a granular choice).
  • Offer Accept-all and Reject-all on the same layer. Refusing must be as easy as accepting; both buttons must have the same visual weight (colour contrast, size, position).
  • List purposes clearly — audience measurement, advertising, social sharing, personalisation, etc., with the ability to grant or refuse consent for each purpose.
  • Allow withdrawal at any time via a persistent re-open mechanism (typically a small cookie icon in the footer).
  • Keep proof of consent — consent ID, timestamp, CMP version, purposes, vendor list, IP truncated — for the duration of the consent plus a reasonable evidentiary period (CNIL suggests at most 6 months after withdrawal).

What Is Forbidden

  • Pre-ticked boxes — consent must be active.
  • Cookie walls without alternative — conditioning access to content on cookie acceptance is, in CNIL’s 2022 cookie-wall guidance, only lawful where a real, equivalent alternative is offered (typically a paid « pay or consent » model with reasonable pricing).
  • Graphical bias — coloured Accept button vs. grey Reject button is a textbook violation flagged in multiple CNIL fines.
  • « Continuer la navigation »-style implied consent — merely scrolling or navigating to another page does NOT constitute consent.
  • Bundled consent — one Accept button covering 30 different vendors without granular control is not specific.

Cookiebot, OneTrust & Friends — Choosing a CMP

A Consent Management Platform (CMP) automates banner display, consent capture, vendor management and proof storage. The two most widely used CMPs in France are Cookiebot (Usercentrics group, Denmark) and OneTrust (United States, with EU data residency options). Both integrate with the IAB TCF v2.2 framework, both offer France-localised templates pre-configured for CNIL guidance, and both can render server-side via Google Tag Manager.

French alternatives worth considering: Axeptio (Paris, « French Tech » label), Didomi (Paris, listed on Euronext Growth), Sirdata Choice, and the open-source Tarte au Citron. Whatever CMP you choose, the responsibility for compliance remains yours as the controller — the CMP is a processor under Article 28.

Always allowed
No consent
Session cookies, CSRF tokens, language preference, shopping cart, load balancer affinity, security and fraud-prevention cookies strictly necessary to the service.
Consent-optional (CNIL exemption)
Audience measurement
Strictly purpose-limited audience measurement (anonymised IP, no cross-site, no behavioural profiling) configured per CNIL guidance — e.g. Matomo locked down, Piwik PRO Cloud (EU), AT Internet, certain GA4 configurations under DPF.
Consent required
Advertising / Marketing
Facebook Pixel, Google Ads conversion tag, TikTok Pixel, retargeting, social-share buttons that load third-party code, A/B testing tools that profile users, behavioural recommenders.
!

CNIL fine reality check: in 2023-2026 multiple French merchants received fines between EUR 50,000 and EUR 600,000 specifically because the Reject-all button was hidden one level deeper than Accept-all, or because cookies fired before the banner appeared. A two-hour CMP configuration review usually prevents the entire risk. Configure your French shop’s CMP with Zunapro →

4. Privacy Policy — The Document Every Shop Must Publish

RGPD Articles 13 and 14: The Information Obligation

RGPD Articles 13 and 14 lay out an exhaustive list of information that must be given to the data subject at the time of collection when data is collected directly (Article 13) or within a reasonable period when collected indirectly (Article 14, max one month, e.g. enrichment via a marketing data broker).

Mandatory Content of a French E-Commerce Privacy Policy

  • Identity and contact details of the controller — full legal name, SIREN, registered address, electronic contact.
  • Contact details of the DPO when one is appointed (e.g. [email protected]).
  • Purposes of the processing and the lawful basis for each — order processing (contract), accounting retention (legal obligation), newsletter (consent), fraud prevention (legitimate interest), etc.
  • Recipients or categories of recipients — carriers (Colissimo, Chronopost, Mondial Relay, DPD France), payment processors (Stripe, Adyen, PayPal, PayTR), CRM tooling, ad-tech vendors.
  • Cross-border transfers — if any data leaves the EEA, name the country, the safeguard (DPF, SCCs, BCRs, derogations) and where to obtain a copy.
  • Retention periods — per category of data and per purpose, not a generic « as long as necessary ».
  • Data subject rights — access, rectification, erasure, restriction, portability, objection, automated-decision rights, complaint right to CNIL.
  • Source of the data when not collected directly from the data subject.
  • Existence of automated decision-making including profiling, with meaningful information about the logic and the consequences (e.g. fraud-score blocking, dynamic pricing).

Practical Drafting Tips

The CNIL has been clear — especially in its « Concrete steps for a clear and accessible information » 2022 guidance — that the privacy policy must be concise, transparent, intelligible and easily accessible, in clear and plain language. Pages of legalese are not compliant. The typical accepted pattern in 2026 is a two-layer notice: a short, scannable summary on top (tables, icons, plain French), with deeper detail accessible per purpose below.

Place a link to the privacy policy in every footer, in every form near the consent checkbox, and in every transactional email (order confirmation, shipping update, after-sales). The policy must be versioned and dated; substantive changes require notice to data subjects.

Privacy policy generator built into your shop

Zunapro’s France hub auto-generates an Article 13-aligned privacy policy populated from your active processors, retention rules and cross-border flows — ready to publish.

Generate My Privacy Policy →

5. Article 30 Register and the Data Protection Officer (DPO)

The Article 30 Register: The Backbone of Accountability

Under RGPD Article 30, every controller and every processor must maintain a written register of their processing activities (Registre des activites de traitement, RAT). It is the single most useful document a French e-commerce DPO can keep up to date, because it is the entry point CNIL inspectors ask for at the start of every audit.

What Goes Into the Register

  • Name and contact details of the controller, the joint-controller(s), the representative and the DPO.
  • Purposes of the processing — one row per purpose (order management, customer account, newsletter, prospection, loyalty, fraud, etc.).
  • Description of categories of data subjects and personal data.
  • Categories of recipients to whom the data has been or will be disclosed, including recipients in third countries.
  • Where applicable, transfers to a third country or international organisation, with the safeguard documented.
  • Where possible, the envisaged time limits for erasure of the different categories of data — the famous « retention period » column.
  • Where possible, a general description of the technical and organisational security measures.

When a DPO Is Mandatory

RGPD Article 37 sets three triggers for mandatory DPO designation. For e-commerce operators, the most relevant ones are:

  • Core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. This typically captures large loyalty programmes, behavioural recommenders, continuous prospect scoring and large-scale retargeting.
  • Core activities consist of large-scale processing of special categories of data (health, biometric, religious, political) or data relating to criminal convictions. Pure-play general goods e-commerce usually escapes this trigger, but parapharmacy, prescription glasses, biometric size measurement and similar verticals do not.

Even when not mandatory, the CNIL strongly recommends a designated DPO from roughly 50 employees, or from EUR 10M annual online turnover, or when more than 100,000 customer records are active in the CRM. The DPO can be internal or external (mutualised) and must report directly to top management.

DPO Independence and Resources

RGPD Articles 38 and 39 protect the DPO’s independence: they cannot be penalised or dismissed for performing their tasks, must be provided with the necessary resources, and must be involved properly and in a timely manner in all issues relating to personal data. The Cour de cassation has confirmed (multiple 2023-2024 decisions) that retaliating against a DPO — for instance by sidelining them after a critical opinion — is a wrongful act.

6. Data Subject Rights — Access, Rectification, Erasure, Portability

The Eight Rights at a Glance

  • Right of access (Article 15) — obtain confirmation of processing and a copy of the data.
  • Right to rectification (Article 16) — correct inaccurate data, complete incomplete data.
  • Right to erasure / right to be forgotten (Article 17) — obtain deletion in defined cases (withdrawal of consent, data no longer necessary, unlawful processing, etc.).
  • Right to restriction of processing (Article 18) — freeze processing during disputes.
  • Right to data portability (Article 20) — receive personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
  • Right to object (Article 21) — in particular against direct marketing, which is absolute and free of charge.
  • Rights related to automated individual decision-making, including profiling (Article 22) — the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
  • Right to lodge a complaint with a supervisory authority (Article 77) — in France, the CNIL.

How to Handle DSARs in Practice

A Data Subject Access Request (DSAR) must be responded to within one month of receipt, extendable by two months for complex requests. The response must be free of charge except where the request is manifestly unfounded or excessive (rare). You can ask for proof of identity only where a reasonable doubt exists about the requester’s identity — the CNIL fined several operators for systematically demanding a passport scan, which is excessive.

A robust DSAR workflow involves: an intake channel (web form + dedicated email like [email protected]), an identity-verification step calibrated to risk, a structured search across every system (CRM, ERP, order DB, ticketing, marketing platform, ad-tech ID stitching), a reviewer step to redact third-party data, and a delivery step with secure download (encrypted ZIP, expiring link).

Right to Erasure in E-Commerce: Real-World Edge Cases

Pure erasure is rarely absolute. For an online shop, the typical pattern is:

  • Delete from CRM and marketing tools — full erasure.
  • Anonymise order records older than 5 years (commercial statute of limitations) — replace name and address with hashed pseudonymous identifiers, but keep invoice totals and product references for accounting.
  • Keep invoices in intermediate storage for 10 years under Code de commerce Article L.123-22 — legal obligation overrides the erasure request.
  • Keep fraud-scoring decisions for the retention window declared in your AML/CTF policy — typically 5 years after the end of the relationship.

Portability Format and Scope

Portability covers data provided by the data subject (account fields, addresses, order history they entered) and is delivered in a structured, commonly used and machine-readable format — in practice JSON or CSV. It does NOT cover derived data such as fraud scores, customer-lifetime-value calculations, or RFM clusters. Where technically feasible, you must transmit the data directly to another controller designated by the data subject (Article 20.2).

7. Cross-Border Transfers — SCCs, DPF and Schrems II

The CJEU’s Schrems II judgment (case C-311/18, 16 July 2020) invalidated the EU-US Privacy Shield and significantly tightened the conditions under which personal data may be transferred from the EU to non-adequate third countries. The framework rebuilt since then has three pillars:

  • Adequacy decisions (Article 45) — the European Commission declares that a third country offers an essentially equivalent level of protection. In 2026 this covers the UK, Switzerland, Japan, South Korea, Canada (commercial sector), New Zealand, Israel, Argentina, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, and — since 10 July 2023 — the United States under the EU-US Data Privacy Framework (DPF) for certified importers only.
  • Appropriate safeguards (Article 46) — for non-adequate countries, the most common tool is the new Standard Contractual Clauses (Commission Implementing Decision 2021/914 of 4 June 2021), to be combined with a Transfer Impact Assessment (TIA) per EDPB Recommendations 01/2020 and supplementary measures such as encryption at rest and in transit, pseudonymisation, and contractual challenges to government access requests.
  • Derogations (Article 49) — explicit consent, contract performance, public interest, etc. To be used only for occasional, non-systematic transfers.

What This Means for Your Stack

Map every vendor that touches personal data and label each transfer:

  • Stripe, PayPal, Adyen — EU entities exist; verify the contracting entity in your DPA.
  • Google Workspace, Google Analytics 4, Google Ads — US transfers under DPF; module 2 (controller to processor) SCCs typically apply as backup.
  • AWS, Cloudflare, Datadog — transfer rules depend on the chosen region. EU-region deployments + the DPF backstop are the current state of the art.
  • Meta (Facebook, Instagram) pixels, TikTok pixel — US/CN transfers; consent + SCC + risk acceptance documented in TIA.
  • Email tools (SendGrid, Mailchimp, Klaviyo) — check contracting entity, EU residency option, DPF status.

The TIA in 30 Minutes

A Transfer Impact Assessment is a structured document recording: the nature of the data, the recipient, the country of import, the legal framework of that country (government access, national security exceptions), the practical likelihood of access, the supplementary measures implemented, and the resulting residual risk. The EDPB’s six-step methodology is the de-facto standard. For each vendor, store the TIA next to the corresponding row of your Article 30 register.

Vendor map, SCC vault and TIA template

Zunapro inventories every processor your French shop relies on, attaches the right SCC module and stores TIA documents alongside your Article 30 register — ready for CNIL inspection.

Map My Cross-Border Transfers →

8. Breach Notification — The 72-Hour Clock

What Counts as a Personal Data Breach

RGPD Article 4(12) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. For e-commerce, the recurring scenarios are: a compromised admin account exposing the customer list, a misconfigured S3 bucket exposing invoices, a phishing-driven warehouse fraud leaking shipping addresses, a stolen laptop with unencrypted CRM extract, or a credential-stuffing wave allowing attackers into customer accounts.

The 72-Hour Notification Obligation

Under RGPD Article 33, the controller must notify the CNIL without undue delay and where feasible not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is later than 72 hours, it must be accompanied by reasons for the delay.

The notification is filed via the CNIL online portal at notifications.cnil.fr. It must include the nature of the breach, categories and approximate number of data subjects and records concerned, the DPO contact, the likely consequences, and the measures taken or proposed.

When You Must Also Notify the Data Subjects

Under Article 34, when the breach is likely to result in a high risk to the rights and freedoms of natural persons, you must communicate it to the affected individuals without undue delay, in clear and plain language. High risk is typically met when financial data, identity documents, health data or large volumes of contact data are exposed.

Exemptions exist: if you had strong encryption or pseudonymisation in place rendering the data unintelligible to unauthorised parties, or if you have since taken measures ensuring the high risk is no longer likely to materialise, or if individual notification would involve disproportionate effort (use a public communication instead).

The 72-Hour Playbook

  1. Hour 0 — alert raised. SOC or sysadmin opens an incident ticket; the DPO is paged immediately.
  2. Hour 0 to 4 — triage. Is personal data actually involved? What categories, what volumes, what time window? Snapshot logs and IOCs before they rotate.
  3. Hour 4 to 24 — containment and forensic preservation. Rotate credentials, revoke tokens, block IPs, freeze data exports.
  4. Hour 24 to 48 — risk assessment using EDPB Guidelines 9/2022 on examples regarding personal data breach notification. Decide: notify CNIL? notify data subjects?
  5. Before hour 72 — file the CNIL notification via notifications.cnil.fr. If facts are still emerging, file a partial notification and update later.
  6. Post-incident — root-cause analysis, corrective plan, register the breach in your internal breach log (Article 33.5), brief leadership.

Keeping a Breach Register

RGPD Article 33.5 requires the controller to document every personal data breach, including the facts, its effects and the remedial action taken. This register must be made available to the CNIL on request. Even breaches not notified (because risk was assessed as low) must be logged with the rationale — this is one of the first things CNIL inspectors will ask about.

9. Cookieless Analytics — CNIL Guidance and Tools

Why CNIL Pushes Cookieless

The CNIL has spent the last five years actively encouraging French publishers and merchants to move toward cookieless or exemption-eligible analytics. The reasoning is simple: a strict audience-measurement configuration can sit inside the Article 82 consent exemption, which means no cookie banner friction, no lost data on the 30%+ of users who reject all, and a much cleaner compliance posture.

The CNIL Audience-Measurement Exemption Criteria

  • Strictly limited to measuring audience of the website for the controller’s own benefit.
  • No matching with other treatments (no cross-site profiling, no behavioural advertising audiences).
  • No transmission of the data to third parties — processor-only relationships allowed.
  • Truncated IP addresses (at least the last octet for IPv4) and short identifiers.
  • Retention limited — CNIL accepts up to 13 months for the cookie or identifier, and up to 25 months for raw data.
  • Clear information given to the user in the privacy policy with a documented opt-out.

Tools That Fit the Exemption

  • Matomo (self-hosted or Matomo Cloud EU) — the historical reference, with a CNIL-approved configuration guide.
  • Piwik PRO Core Plan — EU data residency (Frankfurt, Warsaw), CNIL exemption configuration documented.
  • AT Internet Analytics Suite (now part of Piano) — the French enterprise standard, used by large media groups.
  • Plausible (EU-hosted) — lightweight, no cookies at all.
  • Fathom Analytics, Simple Analytics — minimalist cookieless tools.

What About Google Analytics 4?

After the EU-US Data Privacy Framework adequacy decision (10 July 2023), GA4 became usable again in a controlled configuration: server-side tagging, IP anonymisation, no User-ID without consent, no Google Signals without consent, and ideally first-party domain proxying. However, the CNIL continues to recommend switching to a first-party or fully cookieless alternative wherever possible, particularly for SMEs without the engineering resources to maintain the heavyweight GA4 configuration.

+

Conversion-rate impact: French publishers that moved to cookieless or exemption-eligible analytics typically recover 25-40% of the audience they lost behind the Reject-all wall of GA4, while also reducing CMP friction. Compare cookieless analytics tools inside Zunapro →

10. CRM Compliance — Prospection, Retention and Marketing Rights

The CNIL Commercial Prospection Referentiel

The CNIL’s Referentiel relatif aux traitements de donnees a caractere personnel mis en oeuvre aux fins de gestion des activites commerciales (updated 2022, applied throughout 2026) is the practical bible of CRM compliance in France. It sets benchmarks for purposes, retention, data quality and security that the CNIL uses as the baseline in inspections.

B2C Prospection: Prior Opt-In

Under Article L.34-5 of the Code des postes et des communications electroniques (CPCE), commercial prospection by email, SMS, fax or automated calling system targeting a natural person requires prior free, specific and informed consent. There is one famous exception — the soft opt-in for customers:

  • The email address was collected during a sale.
  • The prospection concerns analogous products or services.
  • The prospect was informed at collection and offered a simple, free way to refuse.
  • Every subsequent message contains a clear and free unsubscribe link.

For B2B prospection toward functional addresses (e.g. [email protected]) of professionals about products and services relevant to their job, an opt-out regime applies — provided the information requirements of Article 13 are met.

Retention Benchmarks for the CRM

  • Active prospects — up to 3 years from the last contact initiated by the prospect (open, click, request, last purchase). After 3 years of pure inactivity, archive or delete.
  • Active customers — for the duration of the commercial relationship plus the relevant statute of limitations.
  • Invoices — 10 years under Code de commerce, in intermediate archive.
  • Marketing opt-ins / opt-outs — for the duration of the consent plus 3 years for evidentiary purposes.
  • Inactive newsletter subscribers — a re-engagement campaign is advised after 18-24 months of zero interaction; delete after 36 months.

Loyalty Programmes, Profiling and Scoring

Loyalty programmes that combine purchase history with behavioural data to build segments (RFM, lookalikes, churn scores) typically require a DPIA under Article 35. Be ready to document: the purposes of the profiling, the categories of data used, the consequences for the data subject (segmentation, promotion eligibility, dynamic pricing tolerance), and the safeguards (opt-out, manual review for borderline decisions, regular audit of bias).

CRM Tooling: Which Vendors Are CNIL-Friendly?

Popular CRMs used by French e-commerce in 2026 include Brevo (formerly Sendinblue, Paris HQ), Splio, Actito (Belgium, EU hosting), Salesforce Marketing Cloud (US, EU data residency options + DPF), HubSpot (US, DPF), Klaviyo (US, DPF), and Customer.io. Whatever tool you pick, make sure the data processing agreement (Article 28) is in place, the SCC module 2 is signed where data leaves the EU, and your retention rules are encoded directly in the platform (auto-suppression after N months of inactivity).

Launch a CNIL-Ready French Shop in Days, Not Months

Zunapro’s France hub bundles a compliant cookie banner template, an Article 30 register, a DSAR workflow, a breach log and CRM retention automation — everything you need to ship a RGPD-clean e-commerce site, faster.

Open the France Marketplace Hub →

Frequently Asked Questions (FAQ)

Is RGPD the same as the EU GDPR?

Yes. RGPD (Reglement General sur la Protection des Donnees) is the French acronym for the EU General Data Protection Regulation (Regulation (EU) 2016/679). The substantive rules are identical across all 27 Member States. France adapted the regulation locally through Loi Informatique et Libertes (Law n. 78-17 as amended in 2018 and 2019) and the CNIL is the national supervisory authority that enforces it.

Does a French e-commerce shop need a cookie banner?

Yes. Under Article 82 of Loi Informatique et Libertes and CNIL guidance updated through 2026, any cookie or tracker that is not strictly necessary for the service requires prior, free, specific, informed and unambiguous consent. The banner must offer Accept all and Reject all on the same layer, with equal visual weight; pre-ticked boxes and cookie walls without alternatives are prohibited. Refusing cookies must be as easy as accepting them.

What is the maximum CNIL fine for an e-commerce shop?

Under RGPD Article 83, administrative fines can reach EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious infringements. For cookie violations under Article 82 of Loi Informatique et Libertes, CNIL can also issue fines up to 2% of turnover under a simplified procedure. Recent French cookie fines have ranged from EUR 50,000 for small merchants to over EUR 150 million for major players.

Do I need a Data Protection Officer (DPO) for my online shop?

A DPO is mandatory under RGPD Article 37 if your core activities consist of large-scale, regular and systematic monitoring of data subjects, or large-scale processing of special categories of data. Many mid-sized French e-commerce operators that profile shoppers, run loyalty programmes and use behavioural retargeting fall within scope. Even when not strictly mandatory, the CNIL strongly recommends appointing a DPO and registering them via the cnil.fr designation portal.

How long do I have to notify a data breach in France?

RGPD Article 33 requires notification to the CNIL without undue delay and where feasible within 72 hours of becoming aware of the personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the breach is likely to result in high risk, Article 34 also requires you to notify the affected data subjects without undue delay. Notification is filed through the CNIL online portal at notifications.cnil.fr.

Can I use Google Analytics in France in 2026?

Google Analytics has been the subject of multiple CNIL decisions (2022 to 2024) flagging illegal transfers of personal data to the United States. After the EU-US Data Privacy Framework adequacy decision in July 2023, Google Analytics 4 became usable again under contractually controlled conditions, provided you configure IP anonymisation, server-side proxying and a compliant consent banner. CNIL continues to recommend cookieless or first-party analytics solutions (Matomo, Piwik PRO, Plausible, AT Internet Analytics Suite) as safer alternatives.

What is a Data Processing Register and who must keep one?

Under RGPD Article 30, every controller and processor must maintain a written register of processing activities (Registre des activites de traitement). It documents the purposes, categories of data, recipients, retention periods, transfers and security measures for each processing operation. The obligation applies to organisations with 250 or more employees, and to smaller organisations whose processing is not occasional, involves special categories of data, or is likely to result in a risk to data subjects — which captures essentially every e-commerce business.

What rights do French shoppers have over their personal data?

RGPD Articles 15 to 22 grant data subjects eight core rights: the right of access, right to rectification, right to erasure (right to be forgotten), right to restriction of processing, right to data portability, right to object, rights related to automated decision-making and profiling, and the right to lodge a complaint with the CNIL. Online merchants must respond within one month and provide a free, accessible mechanism (in-account form, dedicated email such as [email protected]) to exercise these rights.

How do SCCs work for cross-border transfers after Schrems II?

After the CJEU Schrems II ruling (C-311/18, July 2020), transfers of personal data to non-adequate third countries require Standard Contractual Clauses (Commission Implementing Decision 2021/914) plus a Transfer Impact Assessment and supplementary measures (encryption, pseudonymisation). For the United States, the EU-US Data Privacy Framework (July 2023) restored an adequacy bridge for certified importers. For other countries (UK has its own adequacy, Switzerland likewise), SCCs remain the default vehicle, complemented by TIA documentation kept in your Article 30 register.

Can I send marketing emails to my customers without explicit consent?

Under Article L.34-5 of the French Code des postes et des communications electroniques and CNIL guidance, marketing emails to natural persons require prior opt-in consent. There is one important exception (soft opt-in): you may email your own customers about analogous products or services, provided the address was collected during a sale, the recipient was informed at collection and offered a clear opt-out, and every subsequent email includes an unsubscribe link. B2B emails to professionals at functional addresses follow a softer opt-out regime.

How long should I keep customer data in my CRM?

CNIL guidance on commercial prospection and CRM (Referentiel Gestion commerciale, 2022 update applied in 2026) sets the active prospect retention at three years from the last contact initiated by the prospect (open, click, purchase). Customer data tied to a contract is retained for the duration of the commercial relationship plus the relevant statute of limitations (typically 5 years for civil claims, 10 years for accounting under the Code de commerce). After active retention, data may be archived in intermediate storage with restricted access, then purged.

Do I need to register my CCTV or fraud-prevention tools with CNIL?

Since the 2018 reform of Loi Informatique et Libertes, the prior declaration regime was largely abolished and replaced by accountability documented in your Article 30 register and, where required, a Data Protection Impact Assessment (DPIA) under RGPD Article 35. Anti-fraud scoring, behavioural profiling, biometric checks and large-scale CCTV typically meet the DPIA threshold. The DPIA must be kept available for CNIL inspection and, in cases of residual high risk, submitted for prior consultation under Article 36.

What is the privacy by design obligation in e-commerce?

RGPD Article 25 requires data protection by design and by default: privacy-friendly defaults (no pre-ticked marketing boxes, minimum data fields in registration forms, short default retention), technical and organisational measures embedded from the architecture stage, pseudonymisation where possible, and the principle of data minimisation. Practically, this means designing your checkout, account creation, newsletter, recommender system and CRM with the lightest data footprint that still delivers the service.

Cookiebot vs. OneTrust vs. Axeptio — which CMP should I pick?

All three are CNIL-friendly when configured properly. Cookiebot (Usercentrics) is a strong default for SMEs — quick to deploy, IAB TCF v2.2 ready, transparent pricing. OneTrust is the enterprise standard with deep integration, server-side support and global vendor lists — the right pick for groups operating in multiple jurisdictions. Axeptio and Didomi are the French national champions, with templates specifically tuned to CNIL guidance and CNIL-style language. The CMP is a processor under Article 28 — the controller (you) remains responsible for the final configuration.

What does Article 82 of Loi Informatique et Libertes actually say?

Article 82 transposes Article 5(3) of the ePrivacy Directive (2002/58/EC). It prohibits any storage of, or access to, information already stored in the terminal equipment of an electronic communications service user, unless the user has consented after being given clear and complete information about the purposes of the processing and the means available to refuse. Two exceptions exist: when the storage or access is for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or when strictly necessary for the provision of an online communications service expressly requested by the user.

Conclusion — RGPD as a Competitive Advantage

RGPD compliance in France is no longer a one-off legal sprint — it is a continuous operational discipline. The CNIL has made it clear, through its 2024-2027 strategic plan and its accelerating sanction flow, that 2026 is the year online merchants must close the gap. The good news is that the building blocks are well documented: a tight cookie banner (Cookiebot, OneTrust, Axeptio, Didomi), a clear privacy policy, an up-to-date Article 30 register, a DPO with real authority, a DSAR workflow that returns answers in under a month, SCCs and TIAs for every non-EU vendor, a 72-hour breach playbook, and cookieless analytics where possible.

Merchants who treat RGPD as plumbing — baked into the platform rather than bolted on — consistently report two side effects: a 25-40% recovery of analytics signal when the consent banner stops blocking everything, and a higher customer-trust score that converts into better email engagement and lower churn. RGPD, done right, is a growth lever. Zunapro’s France hub gives you the templates, automation and audit trail to ship that compliance posture without grinding your engineering roadmap to a halt.

Sell in France with RGPD on Autopilot

Connect your French shop to Zunapro and ship a CNIL-aligned cookie banner, privacy policy generator, Article 30 register, DSAR workflow and CRM retention rules — in a single panel.

Open the France Marketplace Hub →
Share:

Need help with this?

Related service: E-Commerce

Contact Us

Get free consultation for your e-commerce project.

Chat on WhatsApp