Cookie banner dark patterns: CNIL’s enforcement is real and it’s escalating

Ines Pimentel

Is your cookie banner making it harder to reject cookies than to accept them? That’s a dark pattern – and CNIL is actively fining sites that haven’t fixed it. Learn what dark patterns are, which violations CNIL has acted on, and how to make your banner compliant.

In December 2024, the French Data Protection Authority (CNIL) issued a formal notice to multiple website publishers whose cookie banners failed to comply with France’s data protection laws, specifically Article 82 of the French Data Protection Act. Publishers were given one month to fix the violations or face fines. The action was part of a broader effort to combat dark patterns – design tactics that manipulate users into consenting to cookies without genuine choice.

The French Data Protection Authority, known as the CNIL (Commission Nationale de l’Informatique et des Libertés), recently issued a formal notice to multiple website publishers. The CNIL warned that their cookie banners fail to comply with France’s data protection laws, specifically Article 82 of the French Data Protection Act.

Publishers have been given a tight one-month deadline to address these violations or face significant penalties. This move is part of a broader effort to combat “dark patterns”—design tactics that manipulate users into consenting to cookies without genuine choice.

What is the CNIL and why does it matter for your website?

The Commission Nationale de l’Informatique et des Libertés (CNIL) is France’s independent regulatory body tasked with ensuring the protection of personal data and upholding privacy rights. 

Known for its rigorous enforcement of privacy laws, the CNIL has been at the forefront of ensuring cookie consent compliance with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. It regularly audits and issues fines to organizations failing to meet data protection standards.

Dark patterns are manipulative design practices used to nudge website (or app) users toward specific actions, such as accepting cookies. These tactics undermine transparency and informed consent, violating data protection principles.

Which specific dark patterns is CNIL targeting?

The CNIL’s investigation uncovered several common examples of dark patterns in cookie consent banners:

  • Unequal button presentation: “Accept” buttons are prominently displayed, while “Reject” options are harder to find, often hidden in plain text or styled less visibly.
  • Ambiguous wording: Misleading language, such as “I decline non-essential purposes,” creates confusion about the choices being made.
  • Repeated “Accept” options: Users are presented with multiple “Accept” buttons, while the “Reject” option appears only once.
  • Delayed rejection options: Users must click through multiple layers or sub-menus to reject cookies, making the process more cumbersome than accepting them.

When CNIL issues a formal notice, targeted publishers typically have one month to comply or face significant fines and reputational damage. As the enforcement cases below show, CNIL doesn’t stop at warnings.

How has CNIL enforcement escalated since 2025?

Given the CNIL’s history of imposing substantial penalties for cookie-related violations (Amazon was fined €35M; Carrefour and Carrefour Bank were fined €2,250,000 and €800,000), the December 2024 formal notice wasn’t a one-off. It was part of a sustained enforcement campaign that CNIL has been running since 2019 – and 2025 showed just how serious that campaign has become.

The CNIL issued 83 sanctions in 2025, totalling approximately €486.8 million. Cookie violations and advertising trackers accounted for the bulk. Three cases stand out:

SHEIN: €150M

Advertising cookies fired the moment visitors arrived on the site – before any interaction with the consent banner. The banner had a “Reject all” button, but clicking it didn’t prevent new cookies from being placed. Previously deposited cookies also kept running after consent was withdrawn. Scale mattered: 12 million monthly French visitors amplified the impact.

American Express: €1.5M

The most instructive case for day-to-day site management. CNIL found cookies placed before any user choice was made, cookies placed despite an explicit refusal, and cookies that kept running after consent was withdrawn. It confirmed that withdrawal must actually work – not just record a preference while cookies continue to fire.

Google: €325M

The 2025 Google fine was the third issued by CNIL against the company for cookie-related violations, following €100M in 2020 and €150M in 2021. It reflects a broader pattern in CNIL’s enforcement approach: penalties tend to escalate when the same issues recur across the industry.

CNIL’s enforcement activity hasn’t slowed into 2026 either — in January alone, the authority issued fines of €27M against Free Mobile and €15M against Free, in that case for a data security breach affecting 24 million subscriber contracts.

The formal notice this post originally covered gave websites one month to comply. CNIL’s track record since then shows that deadline was the beginning, not the end.

To ensure compliance with CNIL cookie guidelines and avoid penalties, follow these best practices on your website:

  1. Equal visibility and accessibility: Make “Accept” and “Reject” buttons equally prominent in terms of color, size, and placement.
  2. Clear and transparent language: Use unambiguous wording that makes it easy for users to understand their options. Avoid phrases that obscure the option to reject cookies.
  3. Respect prior consent: Ensure that no cookies are pre-set or fired before the user has explicitly given consent.
  4. Simple rejection process: Users should be able to reject cookies with the same ease as accepting them, avoiding extra clicks or hidden menus.
  5. Comprehensive cookie audit: Regularly scan your website to identify all cookies and trackers in use (or implement a website consent solution that does this automatically for you).
  6. Detailed cookie categories: Clearly differentiate between essential and non-essential cookies, explaining their purposes in user-friendly terms.
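
The three failures described in the SHEIN and American Express cases (cookies set before any choice, after a refusal, and still present after withdrawal) can be checked by replaying captured Set-Cookie headers phase by phase. The following is an added example, not code from CNIL or Cookie Information; the cookie names, the essential-cookie allow-list, the phase labels and the sample capture are constructed assumptions.

```javascript
// Added example. Cookie names, allow-list and captured headers are constructed.
const ESSENTIAL = new Set(["session_id", "consent_state"]); // assumed exempt cookies
const CHECKED = new Set(["before_choice", "after_reject", "after_withdrawal"]);

// Parse one Set-Cookie header; Max-Age <= 0 or a past Expires is a deletion.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "max-age" && /^-?\d+$/.test(v)) maxAge = Number(v);
    if (k.toLowerCase() === "expires" && !Number.isNaN(Date.parse(v))) expires = Date.parse(v);
  }
  // Max-Age takes precedence over Expires (RFC 6265).
  const deleted = maxAge !== null ? maxAge <= 0 : expires !== null && expires <= Date.now();
  return { name, deleted };
}

// Replay each visit into a jar (keyed by name only, a simplification) and report
// every non-essential cookie still present at the end of a checked phase.
function auditSessions(sessions) {
  const findings = [];
  for (const { id, steps } of sessions) {
    const jar = new Set();
    for (const { phase, setCookies } of steps) {
      for (const header of setCookies) {
        const { name, deleted } = parseSetCookie(header);
        deleted ? jar.delete(name) : jar.add(name);
      }
      if (!CHECKED.has(phase)) continue;
      for (const name of jar) {
        if (!ESSENTIAL.has(name)) findings.push(`${id}/${phase}: ${name}`);
      }
    }
  }
  return findings;
}

const SAMPLE_SESSIONS = [ // constructed capture of two test visits
  { id: "reject-flow", steps: [
    { phase: "before_choice", setCookies: ["session_id=abc; Path=/; HttpOnly", "_ad_id=123; Max-Age=31536000"] },
    { phase: "after_reject", setCookies: ["consent_state=rejected", "_retarget=x9; Path=/"] },
  ] },
  { id: "withdraw-flow", steps: [
    { phase: "before_choice", setCookies: ["session_id=def; Path=/"] },
    { phase: "after_accept", setCookies: ["consent_state=accepted", "_ad_id=456", "_analytics=u1; Max-Age=3600"] },
    { phase: "after_withdrawal", setCookies: ["consent_state=rejected", "_analytics=; Expires=Thu, 01 Jan 1970 00:00:00 GMT"] },
  ] },
];
console.log(auditSessions(SAMPLE_SESSIONS).join("\n"));
```

Cookies written by scripts through document.cookie never appear in response headers, so a real audit also needs a snapshot of the browser's cookie jar at the end of each phase.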

Stay compliant, avoid fines and maintain a seamless user experience with a cookie banner tool built for marketers.

Cookie Information’s customizable website cookie consent banners are designed to help you meet the highest privacy compliance standards as defined by the GDPR, the French Data Protection Act guidelines (namely Article 82), and the report on cookie banners adopted by the European Data Protection Board (EDPB).

Here’s how our cookie banner for websites can support your compliance efforts:

  • Cookie audits: Automated cookie scans (usually weekly) to keep track of all cookies and trackers running on your website, ensuring nothing goes unnoticed.
  • Compliant cookie consent banner design: Our banners are built to align with CNIL and GDPR requirements, offering equal prominence for “Accept” and “Reject” options.
  • Customizable consent solutions: Tailor your cookie banner’s design and messaging to suit your brand while maintaining full privacy compliance.
  • Real-time cookie and consent monitoring: Keep track of your compliance status across multiple websites with our intuitive compliance dashboard.

CNIL is not standing still. Two developments signal where requirements are heading.

CNIL published final recommendations on how consent should work for users who access services across multiple devices while logged into the same account. If a user rejects cookies on their laptop, should that choice apply when they open the same service on their phone?

The CNIL’s answer: it can – but only if strict conditions are met. Users must be informed upfront that their preference applies across all linked devices. Refusal must have the same scope as consent: you can’t globalize acceptance without globalizing rejection. Choices made while logged in must not override preferences set in non-authenticated environments (important for shared devices). And any conflict between a new device-level choice and an existing account preference must be clearly disclosed.

Implementing multi-device consent is optional. But it’s worth understanding if you run services where users log in from multiple devices.

In the same December 2025 recommendations, CNIL also announced it will launch work in 2026 on cross-domain consent – a framework that would allow a single consent to cover multiple websites or media properties belonging to the same group. The aim is to reduce repeated consent requests for users while maintaining privacy protections. This will go through public consultation before any recommendations are finalized.

For now, the existing rules on dark patterns, equal button prominence, prior consent, and working withdrawal remain fully in force – and fully enforced.

For marketers, a non-compliant cookie banner can lead to hefty fines, a loss of user trust, and ultimately impact your revenue. What’s often the challenge? Implementing compliant banners that don’t compromise user experience, while maintaining marketing performance and avoiding both the financial and the reputational risks of failing to address these issues.

Cookie Information’s consent management platform helps you implement compliant practices and meet regulatory requirements without sacrificing usability or brand reputation. Select the best package for your needs or start your free 14-day trial now.

The CNIL’s formal notice serves as another wake-up call for website owners to prioritize cookie consent compliance, and the one-month deadline leaves little room for delay. Whether you’re a marketer, website publisher or developer, now is the time to act, whether your website was targeted in this first notice round or not.

By addressing dark patterns in cookie banners, making sure withdrawal of consent actually stops cookies from firing, and keeping up with evolving privacy regulations and CNIL guidance, you can stay compliant – and stay ahead of enforcement.

Ready to take action?

Start your free trial of Cookie Information Cookie Banner for Websites today to ensure your website meets CNIL recommendations and stays ahead of evolving regulations.

What are dark patterns in cookie banners?

Dark patterns are manipulative design practices that nudge users into accepting cookies without providing a genuine choice. Examples include unequal button visibility, misleading wording, and cumbersome rejection processes.

What is the CNIL?

The CNIL (Commission Nationale de l’Informatique et des Libertés) is France’s data protection authority responsible for enforcing data privacy laws and ensuring compliance with the GDPR and French Data Protection Act.

Why is the CNIL targeting cookie banners?

The CNIL is cracking down on cookie banners that use dark patterns, which undermine user consent and violate Article 82 of the French Data Protection Act.

What happens if a website doesn’t comply with CNIL cookie guidelines?

Non-compliance can lead to fines, reputational damage, and regulatory scrutiny. For example, Amazon, SHEIN, and American Express have faced significant penalties for cookie-related violations.

What are CNIL cookie recommendations for compliant cookie banners?

Key recommendations include:

  • Ensuring “Accept” and “Reject” buttons are equally visible.
  • Using clear and transparent language.
  • Avoiding pre-set cookies before user consent.
  • Making the rejection process as simple as the acceptance process.
  • Conducting regular cookie audits to monitor compliance.

How can I make my cookie banner compliant?

Use a website consent management platform like Cookie Information to create customizable, compliant cookie banners. Features include cookie audits, equal button prominence, and real-time consent monitoring.

What is the one-month compliance deadline?

When CNIL issues a formal notice, targeted websites typically have one month to address the violations. Failure to comply can result in fines or further regulatory action.

How does cookie compliance benefit marketers?

Compliance helps you maintain user trust, prevent fines, and ensure a seamless user experience while aligning with privacy regulations.

Where can I learn more about CNIL cookie guidelines?

Refer to CNIL’s official guidelines or use tools like Cookie Information to align your digital marketing practices with the latest privacy compliance standards.