The Website: A Preferred Channel for CNIL Inspections

January 28, 2026

Introduction

Today, a website is a central element of a company’s strategy. It represents far more than a simple showcase: it is a communication, visibility, and credibility tool accessible at all times.

Through its website, a company presents its identity, values, products, or services, and creates a first point of contact with its clients, partners, or prospects. It also represents an opportunity for the company to strengthen its reputation, expand its customer base, and stand out from the competition.

Thus, by adapting to users’ needs and technological developments, the website becomes an essential lever for development and growth for any company, regardless of its size or sector of activity.

However, it must imperatively comply with the applicable regulations. In particular, it is required to respect legal obligations relating to the protection of personal data, the transparency of information, and users’ rights. This includes the presence of legal notices, a privacy policy, as well as compliance with the rules relating to cookies and data processing, in particular in accordance with Regulation (EU) No. 2016/679 of 27 April 2016 on the protection of personal data (GDPR) and the CNIL guidelines relating to the application of Article 82 of the amended Law of 6 January 1978 to operations involving reading or writing on a user’s terminal (notably “cookies and other trackers”).

Easily accessible and concentrating numerous GDPR obligations, the website now constitutes a preferred entry point for CNIL inspections, exposing organisations to an increased risk of sanctions in the event of non-compliance.

Through this article, we will provide the main keys to understanding the GDPR framework, as well as best practices for compliance and data security on your website.

We will first revisit the CNIL’s sanctioning powers (I), before detailing the three essential components of website compliance: obtaining valid consent (II), providing complete information to users (III), and ensuring data security and confidentiality (IV).

An Increased Risk of Sanctions

A sanction procedure may be initiated following a complaint, a report, or a CNIL inspection. The CNIL has extensive powers, ranging from a simple warning to injunctions subject to penalties and administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83 GDPR). This risk has been strengthened since 8 April 2022 with the introduction of a simplified sanction procedure, intended for breaches that are not complex or of limited seriousness, and particularly suited to non-compliance observable on a website. This faster and lighter procedure allows the CNIL to issue a warning, a fine of up to €20,000, and an injunction subject to penalties without a public hearing, thereby facilitating and accelerating sanctions.

Recent examples show that no organisation is spared, whether large companies or very small structures. This is illustrated by the sanction imposed on 1 September 2025 on INFINITE STYLES SERVICES CO. LIMITED, the Irish subsidiary of the SHEIN group, with a €150 million fine for failure to comply with cookie rules on the shein.com website, as well as the sanction of 18 June 2025 imposed on a small mail-order company for a similar breach, resulting in a €3,000 fine under the simplified procedure.

Consequently, website compliance appears as a priority and strategic issue, both to limit legal and financial risks and to demonstrate a proactive approach to GDPR compliance.

Obtaining Consent for Cookies and Commercial Prospecting

The GDPR defines consent as any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, expressed by a statement or by a clear affirmative action (Article 4(11) GDPR). Consent is one of the legal bases for processing; where it is the basis relied upon, it must be obtained before the processing begins. For any operation that reads or writes information on the user’s terminal (cookies and similar trackers), prior consent is specifically required by the e-Privacy Directive of 12 July 2002, transposed in France in Article 82 of the Law of 6 January 1978.

These requirements imply that the data subject must have a genuine choice, without constraint or negative consequences in the event of refusal, that consent must be given for a specific purpose, and that there must be no ambiguity regarding its expression.

With regard to cookies, only technical cookies (those strictly necessary to provide the service the user requested, or used solely to transmit a communication) are exempt from consent. For all others, an information banner must be displayed from the user’s first visit, allowing them to accept, refuse, or customise their choice by purpose, and refusing must be as easy as accepting. Non-technical cookies must be disabled by default and must not be set or read until a positive choice has been recorded. Consent cannot be inferred from silence or from continued browsing, which are deemed to constitute refusal, and users must be able to withdraw their consent at any time via an easily accessible mechanism (Article 7 GDPR). The choice, whether acceptance or refusal, must be stored so that the user is not asked again at every visit, and periodically renewed, with a six-month duration considered good practice according to the CNIL.

Furthermore, when personal data are used for commercial prospecting purposes, specific consent is required pursuant to the e-Privacy Directive of 12 July 2002, transposed into Articles L34-5 of the French Postal and Electronic Communications Code and L121-20-5 of the French Consumer Code. In B2C, the principle is opt-in (“if the data subject has not said yes, it is no”), requiring explicit agreement through an unchecked checkbox, with any presumption of consent prohibited, subject to limited exceptions concerning existing customers for similar products or services or non-commercial prospecting, provided that a right to object exists. In B2B, the opt-out mechanism (“if the data subject has not said no, it is yes”) is tolerated provided that the prospecting is related to the recipient’s professional activity, although opt-in remains recommended. Finally, consent must also be obtained separately when prospecting is carried out by third-party partners. Ultimately, the data controller must be able to demonstrate proof of consent (Article 7 GDPR), notably through timestamping mechanisms (recording the precise date and time at which a person expressed their consent) and documentation of the procedures implemented.
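The consent rules above (nothing non-essential before an explicit choice, silence treated as refusal, per-purpose choices, withdrawal as easy as acceptance, a stored record renewed after six months) and the proof-of-consent requirement of Article 7 can be captured in a small consent-state model. The following is an added example written for this article, not code from the CNIL or from any consent-management product; the purpose names, the policy version string and the six-month retention value are assumptions chosen for illustration.

```javascript
// Added example: a minimal, testable consent-state model for a cookie banner.
// Assumptions (not from the article): three non-technical purposes, a policy
// version tag, and a retention of ~6 months for the recorded choice.
const CONSENT_TTL_MS = 182 * 24 * 60 * 60 * 1000;      // ~6 months (CNIL good practice)
const PURPOSES = ['analytics', 'advertising', 'social']; // assumed non-technical purposes
const POLICY_VERSION = '2026-01';                        // assumed cookie-policy version

// Default state before any action: no decision, every non-technical purpose off.
// Technical cookies are exempt and are not modelled here.
function defaultConsent() {
  return {
    decided: false,
    purposes: Object.fromEntries(PURPOSES.map((p) => [p, false])),
    at: null,
    version: POLICY_VERSION,
  };
}

// Record an explicit user action. `accepted` lists only the purposes the user
// ticked; anything not listed is refused. `now` is injected so the record and
// its expiry can be tested deterministically. The ISO timestamp is the proof
// of consent (date and time of the action) required by Article 7 GDPR.
function recordChoice(accepted, now = Date.now()) {
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, accepted.includes(p)]));
  return { decided: true, purposes, at: new Date(now).toISOString(), version: POLICY_VERSION };
}

// Withdrawal is a single action that refuses every purpose but keeps a
// timestamped record that the user acted (needed to prove the withdrawal).
function withdrawConsent(now = Date.now()) {
  return recordChoice([], now);
}

// A stored record is usable only if a decision was made, for the current policy
// version, and less than CONSENT_TTL_MS ago. Otherwise the banner must reappear.
function isConsentCurrent(state, now = Date.now()) {
  if (!state || state.decided !== true || state.version !== POLICY_VERSION || !state.at) {
    return false;
  }
  const age = now - Date.parse(state.at);
  return Number.isFinite(age) && age >= 0 && age < CONSENT_TTL_MS;
}

// Gate used before loading any non-technical tag: only an explicit, current
// `true` for that purpose allows it. Silence, expiry or an unknown purpose yields false.
function mayLoad(state, purpose, now = Date.now()) {
  return isConsentCurrent(state, now) && state.purposes[purpose] === true;
}

// Serialisation for a first-party cookie. The cookie that stores the choice is
// itself a technical cookie and needs no consent.
function toCookieValue(state) {
  return encodeURIComponent(JSON.stringify(state));
}

// Tolerant parser: anything malformed is treated as "no decision".
function fromCookieValue(raw) {
  try {
    const s = JSON.parse(decodeURIComponent(raw));
    return s && typeof s === 'object' && s.purposes && typeof s.purposes === 'object' ? s : null;
  } catch {
    return null;
  }
}
```

In practice the banner calls `recordChoice` on "accept all", "accept selection" or "refuse all" (the last being `recordChoice([])`), writes `toCookieValue(state)` to a first-party cookie, and every tag loader checks `mayLoad` for its purpose before running. The version check forces a new banner when the cookie policy changes, and the same record should be mirrored server side if the controller wants durable proof beyond the user's browser.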

Information Provided to Data Subjects

Through Article 12, the GDPR establishes a general obligation of transparency requiring the data controller to provide data subjects with complete, accessible, and understandable information on all personal data processing operations, in accordance with Articles 13 GDPR in the case of direct collection and 14 GDPR in the case of indirect collection. This information obligation applies both to the use of cookies and to other data processing activities.

With regard to cookies, the requirement for informed consent implies the provision of information at several levels: via the banner, the customisation page, and the cookie policy. The banner must notably present, in a concise manner, the purposes of the cookies, the duration for which the user’s choice is stored, the identity of the data controller and of any joint controllers (e.g. a third-party provider such as Google when its tags are used on the site), the existence of the right to withdraw consent at any time, as well as a link to the cookie or privacy policy, while clearly specifying that silence or continued browsing constitutes refusal. The customisation page must allow users to access more detailed information on cookie categories and their purposes, while the cookie policy must provide exhaustive information including the definition of cookies, the list of cookies used with their name, category, purposes, collected data and retention periods, consent management and withdrawal modalities, browser configuration options, as well as the consequences of refusing different cookie categories, distinguishing strictly necessary cookies from those that are not.

In parallel, information relating to personal data processing must be grouped in a separate privacy policy, easily accessible from the website and drafted in a clear and intelligible manner. This policy must mention the identity and contact details of the data controller and the DPO, the nature of the data collected, their purposes and legal bases, the recipients of the data, any transfers outside the European Economic Area and the safeguards implemented, retention periods or criteria used to determine them, the existence of profiling or automated decision-making, as well as all rights granted to data subjects and the modalities for exercising them, including the possibility of lodging a complaint with the CNIL.

Finally, each personal data collection form must include a visible GDPR information notice adapted to direct collection, specifying at least the data controller, the purposes pursued, data subjects’ rights, and a link to the privacy policy, with specific notices for forms collecting email addresses for newsletter purposes.

Data Security and Confidentiality

Article 32 GDPR requires the data controller and the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of the processing.

These measures notably include the pseudonymisation and encryption of data, for example through the use of the TLS protocol (HTTPS on every page, not only on login or payment forms) to secure exchanges between the website and users, as well as the secure storage of passwords in a non-reversible form: a salted hash computed with a deliberately slow function such as bcrypt, scrypt or Argon2, never reversible encryption and never a plain fast hash. They must also ensure the confidentiality, integrity, availability, and resilience of processing systems, notably through the use of firewalls, limitation and regular updating of application components, securing access and administration interfaces (strong authentication, restricted access, no default credentials), and the use of secure protocols for site administration. Furthermore, measures must enable the restoration of access to data within appropriate timeframes in the event of an incident, which in practice means regular backups whose restoration is actually tested; hosting the data within the European Union simplifies the question of international transfers but does not by itself guarantee that access can be restored. Finally, the GDPR requires the implementation of regular procedures for testing, analysing, and evaluating the effectiveness of security measures, in order to identify and correct any vulnerability or anomaly.

Conclusion

Compliance with the GDPR certainly represents an investment, varying according to the size and activity of the organisation, but it above all constitutes a necessity in view of the growing risk of sanctions incurred in the event of non-compliance.

In practice, the website is now a preferred inspection channel for the CNIL, as it is easily accessible, directly observable, and concentrates many key GDPR obligations (information to data subjects, consent collection, cookies, commercial prospecting, security).
