A French court has convicted Lafarge and sentenced former executives to jail for financing terrorism and violating sanctions through payments to the Islamic State in Syria. This enforcement action signals heightened scrutiny of corporate compliance with anti-terrorism financing laws and sanctions regimes, particularly for companies operating in high-risk regions. The ruling emphasizes the need for robust internal controls and due diligence to prevent such violations.
The French Data Protection Authority (CNIL) has published its plenary session agenda for April 16, 2026, detailing several regulatory items under review. These include recommendations on connected vehicle location data, opinions on decrees for traffic enforcement and military data processing, and guidance on soft law approaches, all shaping data protection compliance in France under the GDPR framework.
French Finance Minister Roland Lescure has called for increased development of euro-denominated stablecoins and tokenized deposits by EU banks, marking a significant policy shift from previous skepticism. This signals government support for European alternatives to counter U.S. dominance in digital payments, with endorsement of the Qivalis consortium's euro-pegged stablecoin planned for 2026.
The French data protection authority (CNIL) has published final binding recommendations clarifying legal requirements for tracking pixels in emails under French data protection law. The guidance distinguishes between pixels requiring user consent and exempt cases, providing practical compliance guidance for organizations using email tracking technology.
The French data protection authority (CNIL) issued recommendations in April 2026 to improve transparency and user control over tracking pixels in emails. These invisible files collect data on email opens, timing, devices, and location, requiring clear information and explicit consent for marketing uses. Organizations must ensure compliance with data protection laws, particularly for marketing activities where consent is mandatory.
The French data protection authority (CNIL) has published details of enforcement actions from 2025-2026, imposing significant fines up to €27 million for GDPR violations. This demonstrates active regulatory scrutiny across multiple sectors and highlights common compliance failures including data security deficiencies, breach notification violations, and inadequate data subject rights handling.
The French data protection authority (CNIL) has published its enforcement report for the 2026 municipal elections, marking the first application of new political advertising transparency regulations effective October 2025. CNIL processed 81 complaints, conducted four investigations, and initiated one sanction procedure against a candidate for non-compliance with data subject rights, signaling active enforcement of GDPR-based political communication rules.
The French data protection authority (CNIL) has announced its 2026 work program to assist organizations with GDPR and EU AI Act compliance. The program includes developing guidance on cross-domain consent mechanisms, finalizing practical AI deployment guidance for workplace and healthcare settings, and clarifying GDPR application to AI systems as CNIL prepares to serve as market surveillance authority under the EU AI Act.
France's e-invoicing mandate requires all VAT-registered businesses to receive e-invoices via state-approved platforms (Plateforme agréée) starting September 2026, with phased issuance requirements for large/mid-sized companies (2026) and SMEs (2027). This represents a shift from document management to structured data management, requiring data orchestration across business systems to ensure compliance.
The French data protection authority (CNIL) has announced its 2026 priority control themes, focusing on recruitment practices (including automated decision-making systems), the single electoral register (REU), and sports federations. These controls prefigure CNIL's future role as a market surveillance authority under the EU AI Act in employment and will involve coordinated European enforcement under the CEF framework.
The French Senate has passed a bill that would ban children under 15 from social media platforms deemed harmful, with a two-tier system allowing parental consent for less detrimental platforms. This represents a new regulatory mandate requiring social media companies to implement age verification systems and adjust content moderation policies to comply with child protection requirements.
The French data protection authority (CNIL) is developing a recommendation on creditworthiness assessment practices in credit granting, addressing automated decision-making and profiling under data privacy regulations. This regulatory guidance will impact financial institutions and lenders using automated systems for credit decisions, requiring alignment with data protection principles.
The French data protection authority (CNIL) has issued practical guidance on using legitimate interest as a legal basis for AI system development, particularly when web scraping is used to build training datasets. This webinar provides specific criteria and examples to help organizations assess compliance under GDPR, emphasizing the need for strong safeguards in data processing.
The French data protection authority (CNIL) has published a comprehensive retention period framework for human resources data management. While non-binding, this operational guidance helps organizations identify appropriate retention periods for HR activities and references legally mandatory requirements from French national legislation.
Privacy organization noyb has filed a complaint with France's CNIL alleging Google's Android Advertising Identifier (AAID) violates the EU e-Privacy Directive by tracking users without consent. The complaint could lead to significant sanctions against Google and signals increased enforcement against hidden mobile trackers across the EU.
The French Data Protection Authority (CNIL) has ordered three French websites to comply with GDPR after determining their use of Google Analytics constitutes illegal data transfers to the United States. This enforcement action follows similar rulings in Austria and stems from the CJEU's Schrems II decision, creating significant compliance pressure for EU companies using US-based analytics services.
The French Data Protection Authority (CNIL) has imposed a €40 million fine on advertising company Criteo for multiple GDPR violations, including failure to comply with data subject rights and lack of valid consent. This enforcement action signals increased regulatory scrutiny of the ad-tech industry's data practices under GDPR.
noyb has filed complaints with France's CNIL against mobile apps Fnac, SeLoger, and MyFitnessPal for violating the ePrivacy Directive by collecting and sharing personal data without valid user consent. The enforcement action signals increased regulatory scrutiny of mobile app data practices, with technical analysis showing only 3.5% of apps offer real consent choices. Companies operating mobile apps in the EU must review their consent mechanisms to avoid similar enforcement actions.
The French data protection authority CNIL has fined Google €325 million for sending unsolicited advertising emails to Gmail users without proper consent, violating the ePrivacy Directive and GDPR. Google must implement compliant consent mechanisms within six months or face daily penalties of €100,000, signaling heightened enforcement of marketing consent requirements.
Privacy organization noyb has filed a formal complaint with France's CNIL against social media platform BeReal for implementing deceptive consent practices using dark patterns that violate GDPR requirements. The complaint alleges that BeReal manipulates user consent by making rejection persistently annoying while acceptance is permanent, undermining the GDPR's requirement for freely given consent. This enforcement action signals increased regulatory scrutiny of dark patterns and consent compliance under GDPR.