In 2025, the CNIL (the French supervisory authority for data protection) confirmed a clear underlying trend:
sanctions do not target isolated technical shortcomings alone, but rather everyday operational practices — visible, repeated, and yet entirely avoidable.
Cookies, commercial prospecting, video surveillance, data security…
The decisions published in 2025 clearly illustrate what the CNIL expects in practice from organisations, regardless of their size.
Below is an overview of the five GDPR non-compliances most frequently sanctioned in 2025, and, above all, how to effectively prevent them in 2026.
The top 5 GDPR non-compliances most frequently sanctioned in 2025
1. Cookies and trackers: “consent” that is not valid consent
What the CNIL sanctions
Misleading interfaces, the absence of a “Reject” button, cookies placed before any user choice is made, or forced consent when creating an account.
In 2025, several very significant sanctions reiterated that consent cannot be inferred and must not be circumvented.
Why this is non-compliant
The placement of non-essential cookies and trackers is subject to prior, freely given and informed consent.
Any interface that excessively nudges the user or delays refusal is contrary to applicable rules.
How to prevent this risk
- Rejecting cookies must be as easy as accepting them
- No cookies before a clear user choice
- Regular audits of tags and marketing tools
- Retention of proof of consent
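The four points above translate directly into front-end behaviour: non-essential tags must wait for a choice, "reject all" must be one click like "accept all", and the choice must be recorded with enough detail to serve as proof. The snippet below is an added example written for this article, not code from the CNIL or from My DPO Partner; the category names, the policy version, the in-memory store standing in for browser storage and the function names are all assumptions made for illustration.

```javascript
// Added example (not from the original article): a minimal consent gate.
// Non-essential tags are queued until the user chooses; "accept all" and
// "reject all" cost exactly one call each; every choice produces a receipt
// that can be retained as proof of consent. Category names, the policy
// version and the Map-based store are assumptions for illustration.

const CONSENT_POLICY_VERSION = "2026-01";          // assumed banner/policy version
const CATEGORIES = ["analytics", "advertising"];  // assumed non-essential categories

function createConsentManager(store = new Map(), now = () => Date.now()) {
  const pendingTags = []; // tags registered before any choice was made
  const firedTags = [];   // names of tags that were actually executed

  function currentConsent() {
    return store.get("consent") || null;
  }

  // Execute a tag only if its category was explicitly accepted.
  function applyTo(tag, consent) {
    if (consent.choices[tag.category] === true) {
      tag.run();
      firedTags.push(tag.name);
    }
  }

  // Register a non-essential tag. Nothing runs until a choice exists;
  // if a receipt is already stored, that earlier choice is applied.
  function registerTag(name, category, run) {
    if (!CATEGORIES.includes(category)) {
      throw new Error("unknown cookie category: " + category);
    }
    const tag = { name, category, run };
    const consent = currentConsent();
    if (consent) {
      applyTo(tag, consent);
    } else {
      pendingTags.push(tag);
    }
  }

  // Record the choice as a receipt (proof of consent) and release the queue.
  function recordChoice(choices, source) {
    const receipt = {
      policyVersion: CONSENT_POLICY_VERSION,
      timestamp: new Date(now()).toISOString(),
      source,   // "accept_all" | "reject_all" | "custom"
      choices,  // one boolean per category, never inferred
    };
    store.set("consent", receipt);
    while (pendingTags.length) {
      applyTo(pendingTags.shift(), receipt);
    }
    return receipt;
  }

  const allTrue = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
  const allFalse = Object.fromEntries(CATEGORIES.map((c) => [c, false]));

  return {
    registerTag,
    // Symmetric: both are a single call, so rejecting is as easy as accepting.
    acceptAll: () => recordChoice({ ...allTrue }, "accept_all"),
    rejectAll: () => recordChoice({ ...allFalse }, "reject_all"),
    // Unlisted categories default to refused, never to accepted.
    customise: (choices) => recordChoice({ ...allFalse, ...choices }, "custom"),
    getReceipt: currentConsent,
    firedTags: () => firedTags.slice(),
    pendingCount: () => pendingTags.length,
  };
}

// Constructed walk-through: two tags are registered before any choice, then
// the user accepts analytics only. Returns what happened for inspection.
function demo() {
  const cm = createConsentManager();
  const log = [];
  cm.registerTag("analytics-tag", "analytics", () => log.push("analytics cookie set"));
  cm.registerTag("ads-tag", "advertising", () => log.push("ad cookie set"));
  const firedBeforeChoice = cm.firedTags().length; // stays 0 until a choice is made
  const receipt = cm.customise({ analytics: true });
  return { firedBeforeChoice, firedAfterChoice: cm.firedTags(), receipt, log };
}
```

In a real deployment the receipt would be written to persistent storage and paired with the banner text version shown at the time, so that the "retention of proof of consent" point can be answered with a concrete record rather than an assertion.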
2. Commercial prospecting: poorly controlled databases
What the CNIL sanctions
Prospecting without valid consent, use of purchased data without proper verification, and the sharing of customer databases with partners under insufficient legal safeguards.
Why this is non-compliant
Electronic marketing activities are subject to strict rules, particularly regarding consent and transparency.
Sharing personal data with third parties without a clear lawful basis constitutes a serious breach of the GDPR.
How to prevent this risk
- Precisely identify the origin of the data
- Require usable and documented proof of consent
- Contractually frame any data sharing
- Rigorously manage objections and opt-outs
3. Video surveillance: overly intrusive systems
What the CNIL sanctions
Cameras covering excessive areas, continuous monitoring of employees, insufficient information provided to individuals, and excessive retention periods.
Why this is non-compliant
Video surveillance must be proportionate to the purpose pursued.
Filming “just in case” or “as a precaution” is never GDPR-compliant.
How to prevent this risk
- Clearly define the purpose of the surveillance system
- Limit filmed areas to what is strictly necessary
- Reduce retention periods
- Provide clear and accessible information to data subjects
4. Data security: measures insufficient in light of the risks
What the CNIL sanctions
Known security vulnerabilities left unaddressed, overly broad access rights, and inadequate safeguards for sensitive data.
Why this is non-compliant
The GDPR requires the implementation of technical and organisational measures appropriate to the level of risk.
The more sensitive or extensive the data, the higher the level of protection required.
How to prevent this risk
- A clear and effectively implemented data security policy
- Strict access and authorisation management
- Regular security testing and timely remediation
- Robust oversight of technical processors and service providers
5. Data subjects’ rights: ignored or poorly handled requests
What the CNIL sanctions
Failure to respond, missed deadlines, incomplete responses, or an inability to identify the data concerned by a request.
Why this is non-compliant
Data subjects’ rights lie at the very heart of the GDPR.
An organisation’s inability to respond properly often reflects inadequate data governance.
How to prevent this risk
- A clear process for handling data subjects’ requests
- Centralisation and traceability of requests
- Training for teams in contact with the public
- An up-to-date record and mapping of processing activities
What CNIL sanctions in 2025 really reveal
Beyond the diversity of decisions, one clear message emerges:
Once again, sanctions demonstrate that GDPR compliance cannot be reduced to a one-off checklist exercise, but requires continuous and structured governance, fully integrated into business practices, tools, and data governance frameworks.
Anticipating 2026: turning compliance into a reflex
Preventing GDPR risks in 2026 does not mean “doing more”, but rather doing better and earlier:
identifying high-risk processing activities, prioritising effective actions, documenting decisions, and supporting teams over time.
My DPO Partner supports organisations in designing and implementing pragmatic, tailored GDPR roadmaps, helping to secure their practices and achieve long-term operational peace of mind.