The official 2025 numbers
The CNIL, France’s data protection authority, published its 2025 enforcement report with record figures. In 2025 it issued 259 corrective decisions: 83 sanctions, 143 formal notices (mises en demeure), 31 reminders of legal obligations and 2 warnings. Cumulative fines reached €486,839,500, an unprecedented amount compared with €55.2M in 2024 and €89.2M in 2023.
| Year | Total fines |
|---|---|
| 2023 | €89,179,500 |
| 2024 | €55,212,400 |
| 2025 | €486,839,500 |
Of the 83 sanctions, 16 went through the ordinary procedure of the restricted committee and 67 through the simplified procedure. They include 78 fines (27 paired with injunctions backed by periodic penalty payments), three penalty-liquidation decisions and two calls to order.
Two decisions account for 97.6% of the total
The record headline is driven almost entirely by two decisions issued on 3 September 2025: €325M against Google and €150M against Shein, both primarily about cookie practices. Together they represent €475M — about 97.6% of the year’s total. Strip them out and the remaining fines add up to roughly €11.8M spread across the other decisions: the ordinary enforcement level did not explode, it stayed in the range French organisations have known for years.
That distinction matters. Reading “€487M in CNIL fines” as a signal that only tech giants are targeted gets the risk exactly backwards.
The simplified procedure is aimed at ordinary companies
67 of the 83 sanctions in 2025 — 81% — went through the simplified procedure, a fast track created in 2022 for cases that do not require the full restricted-committee process, with fines capped at €20,000. This is the CNIL’s instrument for sanctioning SMEs and mid-sized organisations at scale: cheaper for the authority, quick, and increasingly systematic. Add the 143 formal notices and the pattern is clear — for a typical company the realistic scenario is not a headline fine, it is a €5,000–€20,000 sanction plus an injunction, following a complaint or a breach.
The three recurring grounds — and the documents that prevent them
The CNIL highlights three recurring themes in 2025: cookies, employee monitoring and data security. All three are, at their core, governance failures that documented policies address directly:
| Ground | Typical failure | Preventive document |
|---|---|---|
| Cookies | No valid consent, no easy refusal | Cookie/consent policy + compliant banner |
| Employee monitoring | Disproportionate surveillance, no information | Employee monitoring & acceptable use policies |
| Data security (GDPR Art. 32) | Weak passwords, unrevoked access, no encryption | Access control, password and encryption policies |
What an SME should do with these numbers
- Treat the simplified procedure as your realistic exposure: up to €20,000 plus remediation under deadline — material for an SME, and public.
- Fix the three recurring grounds first — they are audited from the outside (your cookie banner) or triggered by any employee dispute or breach.
- Document Article 32 security: access control with MFA, password rules and revocation runbooks are what the CNIL asks for after a breach.
- Keep evidence: dated, approved policies and a processing register are the first items requested in any CNIL inquiry.
Primary sources
- CNIL — Sanctions et mesures correctrices : bilan 2025 (cnil.fr/fr/bilan-sanctions-2025).
- Vie publique — Sanctions et mesures correctrices de la CNIL, bilan 2025 (vie-publique.fr).
How PolicyForge helps
PolicyForge generates the GDPR-supporting documents the CNIL expects to see — access control, passwords, encryption, acceptable use, incident response with 72-hour notification — bilingual, versioned and signed off.