How it works What We Check Pricing Articles About Free Scan →
WordPress CNIL Compliance 2026
← All Articles WordPress · CNIL ⏱ 8 min read Updated 27 June 2026

WordPress CNIL Compliance 2026: What French Site Owners Must Do

WordPress powers roughly 40% of websites. CNIL — France's data protection authority — has made website cookie consent one of its top enforcement priorities since 2021. These two facts are on a collision course.

If your WordPress site has a French audience, you are in CNIL's scope. This is not theoretical: CNIL has fined publishers, retailers, and B2B software companies — all running standard WordPress setups — for violations you can fix in an afternoon.

This guide tells you exactly what CNIL requires, which plugins are worth using, and where most WordPress sites fail.

⚠️ Disclaimer: This article is for informational purposes only and does not constitute legal advice. CNIL guidelines evolve. Consult a qualified lawyer for specific advice.


Why WordPress Sites Fail CNIL Checks

CNIL's enforcement pattern is consistent. The agency looks for three failures, in roughly this order:

  1. Cookies fire before consent. Google Analytics, Meta Pixel, LinkedIn Insight Tag — all of these fire on page load by default on most WordPress sites. Installing a consent banner doesn't fix this unless the banner is also blocking the scripts.
  2. Refusing cookies is harder than accepting them. CNIL's 2021 guidelines are explicit: refusing consent must be as easy as accepting it. A banner with a big "Accept All" button and no equivalent "Refuse All" button is non-compliant. CNIL has issued fines for this alone.
  3. The privacy policy is incomplete. CNIL requires disclosure of every third-party data processor, the legal basis for each processing activity, and data retention periods. A generic "we use cookies" page isn't enough.

Step 1: Audit What's Running Before Consent

Before you touch your cookie banner, find out what's actually loading.

How to check: Open your site in an incognito window. Open browser developer tools (F12 → Network tab). Load the page without accepting cookies. Filter by "third-party" requests. Every external request that fires before you click anything is a potential CNIL violation.

Common offenders on WordPress sites:

If any of these load before consent — on a French-audience site — you have a CNIL problem.

Run a free Sitetals scan to get a structured report of what's loading pre-consent on your site.

⚠️ Google Site Kit warning: If you installed GA4 via Site Kit (Google's official WordPress plugin), it may be injecting GA4 scripts directly into your page — independently of your consent plugin. Verify in Chrome DevTools that gtag requests do not fire before consent, even with Site Kit active.


Step 2: Install a CNIL-Compliant Cookie Banner

Not all cookie consent plugins are CNIL-compliant. The key requirements:

WordPress Plugin Options

Plugin Refuse All button Auto-blocks scripts Consent log Price
Complianz ✅ Configurable ✅ Yes ✅ Yes €59/year
Cookiebot ✅ Yes ✅ Yes ✅ Yes From €9/month
CookieYes ✅ Yes (verify placement) ✅ Paid tiers ✅ Paid tiers Free + paid
WP GDPR Compliance ⚠️ Manual ❌ No ❌ No Free

Plugin pricing as of June 2026 — verify current pricing on each vendor's site.

Complianz — Solid EU focus, French language supported, generates cookie declaration. Meets CNIL requirements when configured correctly.

Cookiebot — Scans your site, auto-categorizes cookies, blocks pre-consent. More automated discovery; higher cost.

CookieYes — Basic features free, paid tiers add auto-blocking and reporting. Adequate for small sites; verify Refuse All button placement manually.

What to avoid: Any plugin that only shows a banner without blocking scripts. The banner is not the fix — blocking the scripts until consent is given is the fix.


Step 3: Configure Script Blocking Correctly

Installing a consent plugin is step one. Configuring it to actually block tracking scripts is step two — and where most sites fail.

For each tracking script on your site, you need to tell your consent plugin to block it until the user accepts the relevant category. In most plugins, this means converting the script tag:

Before (fires immediately, non-compliant):

<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXX"></script>

After (blocked until consent):

<script type="text/plain" data-category="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXX"></script>

Most consent plugins recognize the type="text/plain" + data-category pattern and activate the script only when the visitor consents to that category.

Test after configuration: Open incognito, open Network tab, load the page without accepting. Tracking scripts should not appear. Accept analytics. Refresh. Now they should load. If they load in both states, blocking is not working.

⚠️ Cache-plugin conflict: WP Rocket, W3 Total Cache, and similar caching plugins serve pre-generated HTML. After configuring script blocking, clear your full page cache and re-test in incognito. Any time you change your consent configuration, clear the cache again.


Step 4: Update Your Privacy Policy

CNIL requires your privacy policy to include:


What a CNIL Enforcement Action Looks Like

CNIL fined Doctissimo (a French content site) €380,000 in May 2023. The violations:

Doctissimo is a media property. CNIL decision SAN-2023-006 found the site kept data too long, mishandled consent for health-related data, and ran cookies before — and after — refusal. That cost them €380,000: €280,000 under GDPR and €100,000 under the French cookie-consent rules.


Mentions Légales — The LCEN Requirement

CNIL compliance covers cookie consent and data protection. The Loi pour la Confiance dans l'Économie Numérique (LCEN, Art. 6) is a separate, parallel obligation: any website published or hosted in France must display a Mentions légales page.

Required content:

This page is distinct from your privacy policy. Missing or incomplete Mentions légales is a separate legal failure, independent of your GDPR/CNIL configuration.


Quick Compliance Checklist for WordPress


Run Your Free CNIL Compliance Check

Paste your WordPress site URL. Get a free scan showing what's loading before consent, missing legal pages, and compliance gaps against CNIL requirements.

Free scan at Sitetals

Full PDF report with CNIL enforcement references and a remediation checklist: €49.


Related reading:


Sources: CNIL Cookie Guidelines (September 2020, updated 2022) · CNIL enforcement decisions: Doctissimo (May 2023), Criteo (June 2023) · GDPR Article 7 (consent conditions) · ePrivacy Directive Article 5(3) · LCEN Art. 6 (Mentions légales)

🩸 — Sitetals Editorial