How it worksWhat We CheckPricingArticlesAbout Free Scan
What Happens During a CNIL Investigation
← All Articles CNIL Enforcement ⏱ 9 min read

What Happens During a CNIL Investigation: The Process, the Timeline, and What It Costs

⚠️ Disclaimer: This article is for informational purposes only and does not constitute legal advice. If you have received a communication from CNIL, consult a qualified lawyer with GDPR enforcement experience immediately.

📌 This article covers what happens during a CNIL investigation. For how CNIL finds non-compliant websites in the first place — automated scanning, complaint channels, and sector campaigns — see: How CNIL Finds Non-Compliant Websites

If CNIL Has Already Contacted You — Start Here

If you've received a communication from CNIL and need to act now, these are the five things that matter most:

  1. Do not ignore it. Every deadline in a CNIL process is legally significant.
  2. Do not delete or modify records. Preserve all data processing records, consent logs, and contracts with processors.
  3. Engage specialist legal counsel immediately — general business lawyers without GDPR enforcement experience are not sufficient for formal investigations.
  4. Start remediating the identified issues. Documented remediation before the final decision is a meaningful mitigating factor in CNIL sanctions.
  5. Respond fully and honestly. Incomplete or misleading responses aggravate outcomes.

The rest of this article covers the full investigation process and what to expect at each stage.

Most businesses first encounter CNIL in one of two ways: a letter arrives requesting information, or they read about a fine against another company and start wondering whether their own exposure is similar. Understanding how CNIL's investigation process actually works matters. The process is defined by law, it has distinct stages, and what you do — or fail to do — at each stage has a direct bearing on the outcome.

Stage 1: The Trigger

A CNIL investigation can begin in three ways:

Complaint. An individual, organization, or advocacy group submits a complaint via cnil.fr. CNIL received 16,433 complaints in 2023. Each is assessed for jurisdiction and plausibility. A well-documented complaint from a credible source almost always proceeds.

Own-initiative investigation. CNIL opens investigations proactively, based on its published annual priorities, its automated scanning results, or media reports. You may never know an investigation has been opened until you receive CNIL's first formal communication.

Cross-border referral. Under GDPR's one-stop-shop mechanism, another EU data protection authority can refer matters involving French users to CNIL, or CNIL can request cooperation on a cross-border case.

Stage 2: Preliminary Assessment

Once a complaint or initiative reaches the investigations unit, CNIL conducts a preliminary assessment. This is not yet a formal investigation — it's a determination of whether a formal investigation is warranted.

During this phase, CNIL reviews the complaint, may conduct a basic online inspection of the organization's website, and assesses jurisdiction. If the preliminary assessment concludes that a formal investigation is warranted, a dossier is opened. The organization is typically not notified at this stage.

Timeline: Weeks to a few months, depending on CNIL's workload and the complexity of the complaint.

Stage 3: Formal Investigation

This is where CNIL's actual investigative powers are engaged. There are two forms of investigation:

Online inspection (contrôle en ligne)

CNIL investigators access the organization's website remotely and document what they find. They can visit the website as a standard user would, observe which cookies are deposited, interact with consent mechanisms, and record the results. No prior notice is required for online inspections. Investigators may access your website at any time without informing you.

On-site inspection (contrôle sur place)

CNIL investigators can conduct physical visits to an organization's premises. During an on-site inspection, investigators can access systems, servers, and technical infrastructure, request and copy documents, and interview staff. On-site inspections are typically reserved for larger, more complex investigations.

Document requests (questionnaires)

In many investigations, CNIL sends formal written questionnaires requesting specific documents: privacy policies, data processing registers, contracts with processors, consent management records, data transfer agreements. Organizations are legally required to respond. There is no legal right to refuse a CNIL inspection or questionnaire. Obstruction or non-cooperation is itself a violation that can aggravate the final sanction.

Stage 4: The Right to Be Heard

Before any sanction is issued, CNIL must give the organization the opportunity to respond. This is the procédure contradictoire — a fundamental legal principle.

The organization receives a formal report documenting the alleged violations and is invited to submit observations in writing, and sometimes in person at a hearing. This is not a formality. Responses at this stage have materially affected outcomes in documented cases.

What to do at this stage:

Stage 5: The Decision — Two Procedures

Simplified procedure (procédure simplifiée)

Introduced in 2022. Handled by the Director-General of CNIL without a full hearing. Used for less serious violations. Maximum sanctions: formal warning or fine up to €20,000. Decisions are typically not made public unless the organization doesn't comply after a formal notice.

Standard procedure (procédure ordinaire)

Handled by the formation restreinte — CNIL's sanctions committee. This is the procedure for serious violations. Powers include:

Publication: the fine you can't hide. Major decisions are published on cnil.fr, typically with the organization's name, the nature of the violation, and the fine amount. They remain accessible online indefinitely. The reputational dimension of a published CNIL fine often exceeds the direct financial cost for consumer-facing businesses.

Stage 6: After the Decision

Compliance. Follow the corrective measures and pay any fine imposed. CNIL monitors compliance with orders it issues and can impose additional sanctions for non-compliance.

Appeal. CNIL decisions can be appealed before the Conseil d'État (France's highest administrative court). In practice, few organizations successfully overturn fines on appeal — but some have had fine amounts reduced.

How Long Does a CNIL Investigation Take?

Case typeTypical duration
Simple complaint → warning or small fine6–18 months
Cookie consent / legal notice violation12–24 months
Major data breach investigation18–36 months
Cross-border (involves other DPAs)24–48 months
[Complaint / Own-Initiative Scan] ↓ (weeks) [Preliminary Assessment — not yet notified] ↓ (1–3 months) [Formal Investigation Opened] ↓ (3–12 months) [Online / On-site Inspection + Document Requests] ↓ [Right to Be Heard — your response matters here] ↓ [Decision: Warning / Fine / Publication] ↓ [Compliance Monitoring — or Appeal to Conseil d'État]

The Cost of a CNIL Investigation: Beyond the Fine

Direct financial consequences:

Indirect costs: Management time diverted to the investigation, potential notification obligations to affected users, reputational damage if the decision is published. For smaller businesses, the legal response costs often equal or exceed the fine itself.

What Reduces a Sanction

CNIL's decisions consistently identify mitigating factors that reduce sanctions:

Aggravating factors: Non-cooperation or obstruction; violations that persisted after prior warnings; large scale of affected users; sensitive data involved; financial benefit derived from the violation.

The lesson from documented CNIL cases: the quality of your response to a CNIL investigation matters as much as the underlying violation. Organizations that cooperated fully consistently received better outcomes than those that didn't — even when the underlying violations were comparable.

🛠️ Remediation Sprint — What to Fix in 48 Hours

If you're concerned about your current compliance posture and want to reduce your exposure before any investigation opens, these four steps matter most:

1
Audit your cookie banner — Open your site in a private browser window before clicking anything. If tracking scripts fire before you interact with the banner, that is the violation CNIL's automated tools detect first.
2
Add a "Refuse All" button on the first layer — It must be as easy to refuse cookies as to accept them, directly on the banner without navigating to a preferences panel.
3
Update your privacy policy — Verify it names all data processors, describes data transfers outside the EU (including Google, Meta, and CDN providers), and includes GDPR-mandated information on data subject rights.
4
Document your consent logs — If your CMP is not logging user consent choices with timestamps and version IDs, start that now. Documented evidence of consent is a core CNIL expectation.

A Sitetals scan identifies which of these applies to your site — in 30 seconds.

Know your exposure before CNIL does.

A Sitetals scan checks your website against the same categories CNIL investigates — cookie consent, legal notices, privacy policy, and data transfer exposure. If an investigation were opened tomorrow, would your site pass scrutiny?

Scan your website now — results in 30 seconds

Sources: CNIL Annual Report 2023, CNIL published enforcement decisions (cnil.fr/fr/les-sanctions), GDPR Articles 57–58 (DPA powers), GDPR Articles 60–62 (cooperation mechanism), Loi Informatique et Libertés Articles 20–22 (CNIL procedure), CNIL Decision SAN-2022-001 (Google), CNIL Decision SAN-2023-002 (Criteo, €40M)