How it works What We Check Pricing Articles About Free Scan →
How CNIL Finds Non-Compliant Websites
← All Articles CNIL Enforcement ⏱ 7 min read Updated 25 June 2026
⚠️
Received a legal warning?

Our Crisis Response Hub covers all enforcement scenarios with immediate next steps — Abmahnung, CNIL investigation, and more. Important: consult a qualified lawyer before responding to any formal notice.

🎬 Video summary and slide deck available at the end of this article.

How CNIL Finds Non-Compliant Websites — And Why You're More Visible Than You Think

One of the most common assumptions about regulatory enforcement is that it's reactive — that CNIL waits for something major to happen before investigating a business.

That assumption is wrong, and increasingly so.

CNIL — the Commission Nationale de l'Informatique et des Libertés — is France's data protection authority, and it has spent the last several years building the infrastructure to find non-compliant websites at scale. CNIL receives tens of thousands of complaints annually — its most recently published annual report recorded over 16,400 complaints in a single year, a figure that has grown every year since GDPR enforcement began. Its enforcement budget and technical capabilities have expanded significantly since 2021.

Understanding how CNIL finds businesses matters — because if your website has compliance gaps, the question is not whether CNIL could find them. It's when, and through which channel.

⚠️ Disclaimer: This article is for informational purposes only and does not constitute legal advice. CNIL enforcement procedures and priorities may evolve over time. If you have received a communication from CNIL, consult a qualified lawyer immediately.

📌 This article covers how CNIL finds non-compliant websites. For what happens after they do — the investigation stages, timelines, and how to respond — see: What Happens During a CNIL Investigation


Channel 1: Online Controls and Tracker Research

Since 2021, CNIL has increasingly relied on online controls (contrôles en ligne) — direct technical inspection of live websites by its investigators — alongside complaints and sector-wide campaigns to identify non-compliance.

CNIL's landmark cookie decisions against Google (€150M, SAN-2021-023), Facebook (€60M, SAN-2021-024), and Microsoft Bing (€60M, SAN-2022-023) each began with complaints followed by a manual online control by CNIL investigators — not by an automated scanner. The direction of travel is nonetheless clear: CNIL inspects live sites directly, and its published decisions become a permanent public record.

The significance: CNIL does not need a complaint to discover a violation. Its research lab (LINC) has also published tracker-visualisation research — e.g. a 2021 study built on the open-source CookieViz tool — showing that hidden tracking practices are technically detectable at scale. This was a one-off research publication, not a description of an ongoing automated enforcement sweep; CNIL's confirmed enforcement channel remains the manual online control described above.


Channel 2: Individual Complaints

The largest single source of CNIL investigations is complaints from individuals. French citizens can file a complaint online at cnil.fr in minutes, and CNIL is required to follow up on complaints that fall within its jurisdiction.

CNIL receives tens of thousands of complaints annually, with the number growing every year since GDPR came into force. The most common complaint subjects: marketing emails sent without consent, and failure to honor data subject rights.

What this means in practice: A single unhappy customer, a former employee, or a privacy-aware competitor can trigger a formal CNIL inquiry against your business. Filing a complaint is free, anonymous if requested, and takes approximately five minutes.


Channel 3: Sector-Wide Investigation Campaigns

Each year, CNIL publishes its thematic priorities — the industries and compliance areas it intends to focus enforcement activity on. Past sector-wide campaigns have targeted:

If your business operates in a sector that has been or is likely to be targeted, you face a higher-than-baseline probability of being swept up in a coordinated investigation — regardless of the size of your operation.


Channel 4: Cross-Border DPA Referrals

GDPR introduced a cooperation mechanism between EU data protection authorities. If a business operates websites targeting French consumers but is based in Germany, Ireland, or elsewhere, CNIL can — and does — cooperate with other DPAs to investigate those businesses.

This means geographic distance from France does not protect you. A German or UK-based business targeting French consumers with a non-compliant website is within CNIL's reach.


Channel 5: Media, NGOs, and Organized Complaints

Privacy advocacy organizations — including noyb (Max Schrems' organization), La Quadrature du Net, and others — actively submit coordinated complaints to CNIL on behalf of affected individuals. noyb alone filed hundreds of complaints across EU DPAs following the Schrems II ruling. Several French enforcement actions targeting analytics tools and data transfers originated from noyb complaints.

Investigative journalism also triggers CNIL investigations. A high-profile media story about a data breach or non-compliant business practice has consistently preceded formal CNIL inquiries in documented cases.



The Practical Implication

CNIL does not rely on chance discovery. It has built a multi-channel system that can identify non-compliant businesses through online controls, complaint intake, coordinated sector campaigns, and cross-border cooperation.

A website with a non-compliant cookie banner, a missing privacy policy, or a cookie that loads Google Analytics before consent is not invisible. It is identifiable — by CNIL's own systems, by individual complainants, and by organized privacy advocacy groups — at any point.

The question is not whether CNIL has the tools to find your website. The question is whether there is anything to find when they do.

See what CNIL's tools would find on your site.

A free Sitetals scan checks your website against the key compliance categories that CNIL investigates — cookie consent, legal notices, privacy policy, and data transfer exposure.

Scan your website now — results in under 60 seconds

Sources: CNIL Annual Report 2023 (activity data, enforcement statistics), CNIL Decision SAN-2021-023 (Google, €150M), CNIL Decision SAN-2021-024 (Facebook, €60M), CNIL Decision SAN-2022-023 (Microsoft Bing, €60M), GDPR Art. 60–62 (cooperation mechanism), CNIL published investigation priorities

🎬 How the CNIL Finds Websites — Video

How the CNIL actually finds non-compliant websites — the tools, the signals, and what triggers an investigation.

⬇ Download Slide Deck (.pdf)