One of the most common assumptions about regulatory enforcement is that it's reactive — that CNIL waits for something major to happen before investigating a business.
That assumption is wrong, and increasingly so.
CNIL — the Commission Nationale de l'Informatique et des Libertés — is France's data protection authority, and it has spent the last several years building the infrastructure to find non-compliant websites at scale. CNIL receives tens of thousands of complaints annually — its most recently published annual report recorded over 16,400 complaints in a single year, a figure that has grown every year since GDPR enforcement began. Its enforcement budget and technical capabilities have expanded significantly since 2021.
Understanding how CNIL finds businesses matters — because if your website has compliance gaps, the question is not whether CNIL could find them. It's when, and through which channel.
⚠️ Disclaimer: This article is for informational purposes only and does not constitute legal advice. CNIL enforcement procedures and priorities may evolve over time. If you have received a communication from CNIL, consult a qualified lawyer immediately.
📌 This article covers how CNIL finds non-compliant websites. For what happens after they do — the investigation stages, timelines, and how to respond — see: What Happens During a CNIL Investigation
Since 2021, CNIL has publicly confirmed the use of automated scanning tools to check websites for compliance at scale.
This is not speculative — CNIL explicitly referenced its automated scanning infrastructure in the decisions against Google (€150M), Facebook (€60M), and Microsoft Bing (€60M), all issued in 2022. The agency stated that its investigations began with automated scans that flagged non-compliant cookie interfaces.
The significance: CNIL does not need a complaint to discover a violation. A website with a non-compliant cookie mechanism can be flagged by an automated sweep without any human having visited the site.
What automated scanning can detect:
The largest single source of CNIL investigations is complaints from individuals. French citizens can file a complaint online at cnil.fr in minutes, and CNIL is required to follow up on complaints that fall within its jurisdiction.
CNIL receives tens of thousands of complaints annually, with the number growing every year since GDPR came into force. The most common complaint subjects: cookie consent, marketing emails sent without consent, and failure to honor data subject rights.
What this means in practice: A single unhappy customer, a former employee, or a privacy-aware competitor can trigger a formal CNIL inquiry against your business. Filing a complaint is free, anonymous if requested, and takes approximately five minutes.
Each year, CNIL publishes its thematic priorities — the industries and compliance areas it intends to focus enforcement activity on. Past sector-wide campaigns have targeted:
If your business operates in a sector that has been or is likely to be targeted, you face a higher-than-baseline probability of being swept up in a coordinated investigation — regardless of the size of your operation.
GDPR introduced a cooperation mechanism between EU data protection authorities. If a business operates websites targeting French consumers but is based in Germany, Ireland, or elsewhere, CNIL can — and does — cooperate with other DPAs to investigate those businesses.
This means geographic distance from France does not protect you. A German or UK-based business targeting French consumers with a non-compliant website is within CNIL's reach.
Privacy advocacy organizations — including noyb (Max Schrems' organization), La Quadrature du Net, and others — actively submit coordinated complaints to CNIL on behalf of affected individuals. noyb alone filed hundreds of complaints across EU DPAs following the Schrems II ruling. Several French enforcement actions targeting analytics tools and data transfers originated from noyb complaints.
Investigative journalism also triggers CNIL investigations. A high-profile media story about a data breach or non-compliant business practice has consistently preceded formal CNIL inquiries in documented cases.
You don't need to wait for a complaint to know if you're visible. These are the three patterns CNIL's scanners are documented to detect automatically:
Open your website in a private browser window — before clicking anything on the cookie banner. If tracking scripts (Google Analytics, Meta Pixel, advertising cookies) are already running, CNIL's tools will detect this. It's the most commonly cited violation in CNIL's published cookie enforcement decisions.
If your banner shows "Accept All" prominently but requires users to navigate to a preferences panel to refuse, that asymmetry is exactly what CNIL's automated scans look for. The 2022 fines against Google (€150M) and Facebook (€60M) both cited this pattern specifically.
Our scan of 19,500 business websites found that 58.8% of German sites and a significant share of French sites had no compliant banner despite using tracking technologies. CNIL's crawlers can identify tracking scripts loading on a page regardless of whether a banner is present.
If any of these apply to your site, you are currently detectable by CNIL's automated tools — without any individual having filed a complaint.
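A self-audit sketch for the three patterns above, run against the HTML your server returns on first load. This is an added example, not code from CNIL or from the original article. The tracker host list, the button wording, and the convention that consent tools hold scripts back with `type="text/plain"` are assumptions to adapt to your own site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative lists: extend them for your own stack and languages.
TRACKER_HOSTS = ("googletagmanager.com", "google-analytics.com", "connect.facebook.net")
ACCEPT_WORDS = ("accept", "accepter")
REFUSE_WORDS = ("reject", "refuse", "refuser", "decline")

class FirstLoadAudit(HTMLParser):
    """Collects active tracker scripts and banner button labels from served HTML."""
    def __init__(self):
        super().__init__()
        self.trackers, self.buttons, self._in_button = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # Assumption: a consent tool neutralises a script with type="text/plain"
            blocked = (a.get("type") or "").lower() == "text/plain"
            host = urlparse(a["src"]).hostname or ""
            if not blocked and any(host == t or host.endswith("." + t) for t in TRACKER_HOSTS):
                self.trackers.append(host)
        elif tag == "button":
            self._in_button = True
            self.buttons.append("")

    def handle_endtag(self, tag):
        if tag == "button":
            self._in_button = False

    def handle_data(self, data):
        if self._in_button:
            self.buttons[-1] += data.strip().lower()

def audit(html):
    """Return finding labels for the pre-consent state of one page."""
    p = FirstLoadAudit()
    p.feed(html)
    has_accept = any(w in b for b in p.buttons for w in ACCEPT_WORDS)
    has_refuse = any(w in b for b in p.buttons for w in REFUSE_WORDS)
    findings = []
    if p.trackers:  # tracker tags that execute before any click
        findings.append("trackers-before-consent" if (has_accept or has_refuse)
                        else "trackers-without-banner")
    if has_accept and not has_refuse:  # refusal only reachable via a second layer
        findings.append("no-first-layer-refuse")
    return findings

# Constructed sample page: active analytics tag, "Accept All" but no refuse button.
SAMPLE = ('<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>'
          '<div id="banner"><button>Accept All</button><a href="#prefs">Preferences</a></div>')
```

A static check like this only sees tags present in the served markup; trackers injected by a tag manager at runtime need the private-window check described above or a headless browser.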
CNIL does not rely on chance discovery. It has built a multi-channel system that can identify non-compliant businesses through automated technology, complaint intake, coordinated sweeps, and cross-border cooperation.
A website with a non-compliant cookie banner, a missing privacy policy, or a page that loads Google Analytics before consent is not invisible. It is identifiable — by CNIL's own systems, by individual complainants, and by organized privacy advocacy groups — at any point.
The question is not whether CNIL has the tools to find your website. The question is whether there is anything to find when they do.
See what CNIL's tools would find on your site.
A free Sitetals scan checks your website against the same categories CNIL's automated tools look for — cookie consent, legal notices, privacy policy, and data transfer exposure. Results in 30 seconds.
Sources: CNIL Annual Report 2023 (activity data, enforcement statistics), CNIL Decision SAN-2022-001 (Google, €150M), CNIL Decision SAN-2022-002 (Facebook, €60M), CNIL Decision SAN-2022-021 (Microsoft Bing, €60M), GDPR Art. 60–62 (cooperation mechanism), CNIL published investigation priorities