CNIL Fines VanityFair.fr Publisher €750,000 for Cookie Consent Failures

Written By Nathalie Pouderoux

The French data protection authority (CNIL) has imposed a €750,000 penalty on Les Publications Condé Nast, the publisher behind Vanity Fair, following repeated failures to comply with French cookie rules.

The matter began in 2019, when privacy group NOYB submitted a complaint about the cookie practices on vanityfair.fr. After an initial investigation, the CNIL issued a formal compliance order in 2021 and closed the case the following year.

However, follow-up checks in 2023 and early 2025 revealed that non-compliant practices persisted. As a result, the CNIL’s restricted committee, the body responsible for sanctions, found multiple breaches of Article 82 of the French Data Protection Act relating to the use of cookies and similar technologies. Given the previous enforcement action and the scale of user impact, a significant fine was issued.

What Went Wrong for Les Publications Condé Nast?

The regulator highlighted several failings that will be relevant to any organisation operating an online service in France or targeting French users:

1. Cookies were deployed before users gave consent

The site placed cookies requiring consent immediately on arrival, without waiting for the user to take any action on the cookie banner. This is a direct breach of the requirement that consent must be obtained before any non-essential trackers are dropped.

2. The cookie information lacked transparency

Certain cookies were presented as “strictly necessary” even though users were not given clear explanations of what they did. The CNIL criticised the absence of meaningful information that would allow users to understand whether consent was truly required.

3. Refusal and withdrawal mechanisms did not work

Even when users selected “Refuse all” or later attempted to withdraw their consent, new consent-based cookies were still installed, and existing cookies continued to be read. The CNIL viewed this as a serious failure in honouring user choices.

Key Takeaways for Your Business

The Condé Nast decision offers important lessons for any business using cookies or similar technologies. Above all, the ruling reinforces that non-essential cookies cannot be deployed until a user has actively given consent, and any attempt to circumvent this, such as dropping trackers on page load, will be viewed as a violation. 

It also highlights the need for full transparency in that organisations must ensure that the purpose of each cookie is explained in plain, accurate terms, and that no cookie is categorised as “strictly necessary” unless it genuinely meets that definition. 

Beyond clarity, the CNIL made it clear that user choice must function reliably; refusal buttons, consent panels and withdrawal tools have to do exactly what they promise. Finally, the case shows that once a regulator intervenes, follow-up checks are inevitable. Businesses should therefore treat cookie compliance as an ongoing operational responsibility, regularly auditing their consent tools, reviewing third-party scripts and verifying that user preferences are consistently applied across their digital platforms.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you, get in contact with us today for more information.

Nathalie Pouderoux
Next

A Breakdown of the EU Commission's AI Strategy