France’s national data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has imposed a €3.5 million fine on a French company for improperly sharing user data and violating rules on tracking cookies, according to a regulatory decision published at the end of December 2025. The sanction reflects breaches of obligations under French and European data protection laws regarding consent and transparency in the processing of personal information.
The CNIL’s action stems from an investigation that found the company disclosed members’ personal data to third parties without obtaining valid consent from the individuals concerned. The regulator identified failures in how the business collected, used, and shared tracking information that was linked to users’ online activity, including cookie-based tracking mechanisms often used to tailor digital advertising and analytics services.
Under French law, implementation of cookies and similar tracking technologies requires clear, informed, and freely given consent from users before those technologies are activated on their devices. Tracking cookies can collect data about a user’s behaviour across websites, and regulators in the EU have emphasised that consent must be specific and unambiguous for each purpose in line with privacy protections under EU data protection standards such as the General Data Protection Regulation (GDPR) and related national rules.
The CNIL determined that the company’s practices did not meet these consent requirements and that the data sharing exceeded what was disclosed to users at the time of collection. Recent enforcement actions by the CNIL, including high-profile fines against large platforms for cookie-related consent violations, signal intensified scrutiny of compliance with consent and transparency obligations in digital tracking and data use.
Under the imposed fine, the company must adjust its data handling and cookie consent mechanisms to align with legal requirements. Regulatory agencies in the EU have the authority to enforce compliance and issue sanctions when organisations fail to obtain proper consent or do not provide clear information about how personal data is used.
The financial penalty reflects both the nature of the consent failings and the scale of personal data involved. The CNIL’s decision illustrates growing regulatory enforcement in Europe around user privacy, transparent data practices, and adherence to established rules for tracking technologies and data sharing.