In 2024, the CNIL significantly strengthened its enforcement actions with a record number of sanctions and corrective measures. Misleading prospecting, inadequate security, deficient handling of sensitive data… Which companies were targeted, why, and most importantly, how to avoid these pitfalls? A complete review of a significant year and practical advice to remain compliant in 2025.
I. Key Figures: An Increase in Penalties
In 2024, the CNIL’s enforcement action experienced a significant increase, marked by a record number of sanctions [1]. Indeed, the total number rose from 21 in 2022 to 42 in 2023, reaching 87 sanctions in 2024, totaling more than 55 million euros in fines. This surge reflects an intensification of the CNIL’s activity. In addition to these sanctions, the CNIL issued 180 formal notices and 64 reminders of legal obligations, figures unprecedented until then. In total, 331 corrective measures were issued for the year 2024.
The sanctions issued in 2024 were marked by their diversity. Of these, 18 were adopted via the ordinary procedure, while 69 were issued via the simplified procedure [2], established in 2022 to accelerate the CNIL’s sanctioning process. These measures include 75 fines, of which 14 are accompanied by an order to comply.
Furthermore, 8 penalty payment orders were issued, requiring certain companies to pay amounts due for non-compliance with orders previously issued by the CNIL. Finally, 4 warnings were issued and 12 decisions were made public, thus reinforcing the transparency of the CNIL’s enforcement action.
Among these figures, one of the striking elements is the sharp rise in the use of the simplified procedure, which has allowed for the imposition of 69 sanctions, including 50 fines, 12 fines accompanied by an order, and 6 penalty payment orders. These sanctions often relate to breaches such as a lack of cooperation with the CNIL or breaches of the rights of the persons concerned, in particular the rights of access, erasure, or objection.
II. The notable sanctions of 2024
1. Abusive commercial prospecting and non-compliance with consents
One of the sectors appearing most frequently in CNIL sanctions is commercial prospecting, particularly when carried out without obtaining the prior explicit consent of the individuals concerned. By its deliberation SAN-2024-019 of November 14, 2024 [3], the CNIL thus sanctioned Orange SA for the failure to obtain prior consent in the context of commercial email prospecting. The CNIL considered that the company had failed to comply with the provisions of Article L34-5 of the Code of Posts and Electronic Communications [4], which stipulates that all electronic prospecting must be subject to the prior consent of the recipient. As a result, Orange was fined the significant amount of 50 million euros, together with an order to bring itself into compliance under penalty.
2. Health data: pseudonymization and re-identification
The regime applicable to health data constituted another point of attention for the CNIL. The company Cegedim Santé, a player in the management of medical data, was sanctioned under deliberation SAN-2024-013 of September 5, 2024 [5], in particular for a failure regarding the pseudonymization of personal data. Although Cegedim considered that its personal data was anonymized, the CNIL considered that it remained pseudonymized data, as it could be linked to individuals through a unique identifier. Consequently, individuals could be re-identified, with all the associated legal consequences. Cegedim was thus sanctioned in the amount of 800,000 euros and required to comply with the obligations relating to the security of sensitive data. This sanction draws renewed attention to the issues surrounding anonymization and pseudonymization.
3. Illicit data collection practices: the example of KASPR
KASPR, a company specializing in the collection of professional information on LinkedIn, was sanctioned for having collected and exploited the personal data of thousands of professionals without complying with GDPR obligations. The CNIL criticized KASPR for not having sufficiently informed the concerned individuals about how their data was collected, nor for having obtained their explicit prior consent before this collection.
By an order SAN-2024-020 of December 5, 2024 [6], KASPR was therefore sanctioned with an administrative fine of 240,000 euros, accompanied by an order to bring its practices into compliance under penalty of a daily fine.
4. Insufficient implementation of personal data security
In 2024 as well, several sanctions concerned companies that had not implemented sufficient measures to ensure the security of personal data.
The company Private to Private – PAP – (decision SAN-2024-002 of January 31, 2024 [7]) was sanctioned for a failure to secure the personal data of its users. In practice, the company did not sufficiently protect the data collected in its systems, which exposed it to the risk of breaches.
Indeed, in addition to accepting overly weak passwords consisting of a single character, the company relied on confidential references that were deemed too weak and were transmitted in plain text, facilitating unauthorized access to personal data. This confidential reference corresponds here to a combination of ten characters, seven of which are public and three private. It is transmitted in plain text, and cannot be modified, for any user who submits an advertisement without holding an account on the PAP website. In practice, this reference allowed the user to directly access the advertisement and the associated space on the PAP website. The CNIL found that this confidential reference did not guarantee a sufficient level of security to protect personal data and could easily be obtained by third parties. These practices led to a pecuniary sanction of 100,000 euros.
III. What best practices to avoid the risk of sanctions from the CNIL?
1. The importance of explicit consent
The sanctions imposed by the CNIL in 2024 highlight the importance of obtaining explicit consent from individuals before collecting their personal data, particularly for commercial prospecting purposes. This reminder from the CNIL is timely, with the development of new forms of commercial prospecting, and should encourage a review of consent gathering conditions.
2. Strengthening of data security
Businesses must strengthen the security of the data they collect and use. The implementation of technical measures (e.g. use of robust passwords [8], encryption of data [9], etc.) and organizational measures (e.g. password policies, database access policies, etc.) is essential to create a secure ecosystem and reduce the risk of sanctions.
These security measures are all the more important to implement in a context of increasing cyber threats. They must be deployed broadly and systematically, so as to protect the entire assets of each organization, and must be accompanied by anticipation of potential attacks (Cyber Crisis Management: 10 good reflexes to have in case of cyberattack).
3. The protection of sensitive data: heightened vigilance
Businesses, public bodies, healthcare professionals, etc., handling sensitive data, such as health data, must pay particular attention to pseudonymization and anonymization procedures. Indeed, anonymized data [10] is data for which it is impossible to re-identify the person concerned, either directly or indirectly, including through the cross-referencing of multiple sources. When data is truly anonymized, it no longer constitutes personal data and is therefore no longer subject to the GDPR. However, anonymization must be irreversible: any residual possibility of re-identification, even from separate data or by inference, excludes the qualification of anonymized data. For example, if data can be linked together to identify a person (correlation) or if additional elements can be deduced (such as age or financial situation), the data is not considered anonymized.
Pseudonymization [11], on the other hand, consists of replacing directly identifying data, such as surname or first name, with indirectly identifying data, such as a sequence of numbers. Unlike anonymization, pseudonymization is reversible, which means that it is possible to re-identify the person, generally by using a decryption key or by data linking. This ability to re-identify individuals means that the processing of pseudonymized data remains subject to GDPR obligations.
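The following added example (not from the article or from any of the companies it discusses) illustrates the distinction the CNIL drew in the Cegedim case: records keyed by a stable token remain linkable and, for whoever holds the key, reversible, so they are pseudonymized rather than anonymized. The key, the patient identifiers and the two extracts are constructed sample data; the k-anonymity check is a minimal illustration, not a complete anonymization method.

```python
import hmac
import hashlib
from collections import Counter

# Constructed demo key; in practice it is kept apart from the data it protects.
PSEUDONYM_KEY = b"constructed-demo-key"


def pseudonymise(direct_identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier (name, patient number) with a keyed token.
    A keyed HMAC rather than a bare hash, so the token cannot be recomputed
    from a guessed identifier by someone who does not hold the key."""
    return hmac.new(key, direct_identifier.encode(), hashlib.sha256).hexdigest()[:16]


def reidentify(token: str, known_identifiers, key: bytes = PSEUDONYM_KEY):
    """Anyone holding the key and a list of identifiers can reverse the token.
    This reversibility is why pseudonymised data stays personal data under the GDPR."""
    for ident in known_identifiers:
        if hmac.compare_digest(pseudonymise(ident, key), token):
            return ident
    return None


def link_extracts(extract_a, extract_b):
    """Join two datasets on the stable token. No key is needed: the same person
    yields the same token in both extracts, so their records can be correlated."""
    by_token = {r["token"]: r for r in extract_b}
    return [(a, by_token[a["token"]]) for a in extract_a if a["token"] in by_token]


def is_k_anonymous(records, quasi_identifiers, k):
    """Minimal anonymisation check: every combination of the chosen quasi-identifiers
    must be shared by at least k records. A unique token fails this for any k > 1."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return all(c >= k for c in counts.values())


# Constructed sample: two extracts from a practice-management system.
PATIENTS = ["patient-0001", "patient-0002", "patient-0003"]
VISITS = [{"token": pseudonymise(p), "year_of_birth": 1975, "diagnosis": "X"} for p in PATIENTS]
PRESCRIPTIONS = [{"token": pseudonymise("patient-0002"), "drug": "Y"}]

if __name__ == "__main__":
    linked = link_extracts(VISITS, PRESCRIPTIONS)
    print(len(linked), "visit(s) linked to a prescription through the shared token")
    print("token reversed to:", reidentify(linked[0][0]["token"], PATIENTS))
    print("k=2 anonymous on token?", is_k_anonymous(VISITS, ["token"], 2))
    print("k=2 anonymous on year of birth only?", is_k_anonymous(VISITS, ["year_of_birth"], 2))
```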
4. Transparency and cooperation with the CNIL
Finally, transparency and proactive cooperation with the CNIL are essential to avoid sanctions. Failure to comply with the CNIL’s requests for information, or a lack of response to its inquiries, may itself contribute to a sanction, as was the case for several companies in 2024.
IV. Outlook for 2025: what priorities for the CNIL?
Given the ongoing increase in risks related to data security and personal data protection, the CNIL has defined its priorities for 2025 around three major axes:
- The enhanced security of personal data, particularly in the face of rising cyberattacks.
- The increased scrutiny of data processing using artificial intelligence, particularly concerning automated decisions impacting individuals’ rights.
- The intensive pursuit of corporate compliance through streamlined procedures and rapid corrective measures.
In 2025, the CNIL will particularly intensify its vigilance on sectors using massive amounts of sensitive data and on digital prospecting practices, which are increasingly exposed to abuses.
Given these challenges, the authority plans a CNIL 2025-2028 strategic plan specifically focused on artificial intelligence, cybersecurity and strengthened protection of personal data.
Aumans Avocats: specialists in IT/Data, data protection and DPO outsourcing.
As a law firm specializing in CNIL audits and sanctions and, more broadly, in all things IT/Data and data protection, we are at your disposal to assist you with all your projects. Whether you are a startup, an SME or a group of companies, our expertise will allow you to navigate smoothly within the complex landscape of regulation and compliance. Do not hesitate to contact us to benefit from personalized advice and secure your digital future.
Sources:
1. https://www.cnil.fr/fr/sanctions-et-mesures-correctrices-bilan-2024-de-laction-de-la-cnil – Sanctions and corrective measures: 2024 CNIL action report
2. https://www.cnil.fr/fr/la-procedure-de-sanction-simplifiee – The simplified sanction procedure
3. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000050760620 – Decision SAN-2024-019 of November 14, 2024
4. https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000042155961/ – Code des postes et des communications électroniques (Postal and Electronic Communications Code), Article L34-5
5. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000050202759 – Decision SAN-2024-013 of September 5, 2024
6. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000050791828 – Decision SAN-2024-020 of December 5, 2024
7. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000049128617 – Decision SAN-2024-002 of January 31, 2024
8. https://www.cnil.fr/fr/generer-un-mot-de-passe-solide – Generate a strong password
9. https://www.cnil.fr/fr/tag/chiffrement – The concept of encryption
10. https://www.cnil.fr/fr/technologies/lanonymisation-de-donnees-personnelles – The anonymization of personal data
11. https://www.cnil.fr/fr/tag/pseudonymisation – Pseudonymization of personal data