As the French data protection authority (Commission nationale de l’informatique et des libertés, CNIL) recently imposed two high-amount sanctions, we take this opportunity to try and make a practical application of some rules from the recently published draft of the Digital Omnibus.

What Happened?

In the span of a week, the CNIL imposed major sanctions on two companies for violations of the French cookie regulations. First sanctioned was the publisher of the French “Vanity Fair” website for 750,000 euros, second was American Express France for 1.5 million euros.

Both sanctions are similar not only in that they concern cookies set on the respective websites before or without appropriate consent, but also in their context: both websites had been under the CNIL’s scrutiny for their use of cookies since 2023. The CNIL’s particular attention, and the fact that it regards cookie regulations as “well-known”, can be understood as an incentive for companies to keep paying extra attention to this field of data protection. The high amount of each fine, gravitating around one million euros, is another incentive for companies of any size.

The Infringements

The sanctions apply to three overarching categories of violations: cookies set before consent, cookies set without consent and cookies remaining after withdrawal of consent.

  1. Cookies before consent: Before users had the chance to see the cookie banner, cookies were already set on the users’ devices. In Vanity Fair’s case, this related to one Google NID cookie, while in American Express’ case eight cookies were concerned: five for optimization, three for marketing purposes.
  2. Cookies placed without consent: Although users declined all non-essential cookies, some were still set on their devices. On the Vanity Fair website, two cookies for marketing purposes were set; on the American Express website, three non-essential cookies were still set after declining.
  3. Cookies remaining after withdrawal of consent: The CNIL highlights that cookies can remain on the end-user’s device, as long as solutions are in place so that cookies are not actively communicating with the website. If this is not the case, withdrawal of consent is rendered ineffective. And this is exactly what happened on both websites: in Vanity Fair’s case, out of 50 cookies, 38 remained on the browser of which two marketing and tracking cookies were actively read. In American Express’ case all consent-only cookies remained on the browser and were still actively communicating between the website and the device.

On top of the infringements above, the CNIL also identified other specific violations committed by the companies in relation to their use of TCF (Transparency and Consent Framework) cookies, a standard for cookie banners and consent functionalities for website publishers, without providing transparent information.

Would the Digital Omnibus Have Changed Anything?

These new sanctions from the CNIL come at an interesting moment, as both are the first public French sanctions issued after the publication of the draft Digital Omnibus by the European Commission. Published on 19 November 2025, the Digital Omnibus includes numerous changes to current data protection regulations, especially the GDPR (see our article detailing the changes). Particularly discussed, and interesting for our cases, are the changes brought to the cookie regulations, as they would be brought under a new regime under Article 88a of the GDPR draft.

Article 88a provides that cookies should continue to be, in principle, set only after the explicit consent of the end-user. Currently, only cookies necessary for the transmission of an electronic communication and cookies necessary to provide a service explicitly requested by the user are exempted from the consent requirement. Novelties under Article 88a of the GDPR draft would be cookies necessary for creating aggregated information about the usage of the website to measure its audience (Art. 88a para. 3 lit. c) and those necessary to maintain security (Art. 88a para. 3 lit. d).

As such, even though we have no guarantee that the draft will remain as it is, nor that it will be approved at all, we take this opportunity to participate in the discussion by examining an interesting, though somewhat tricky, question: Would the Digital Omnibus have changed anything regarding these sanctions? To answer this question, let us analyze each violation in the light of the Digital Omnibus and, more specifically, the possible Article 88a of the GDPR draft.

This new list of exceptions from the Digital Omnibus does not, in our view, bring dramatic changes to these cases:

Vanity Fair Infringements Under the Light of the Digital Omnibus:

Regarding the first violation (cookies set before consent), Article 88a does not differ from either the ePrivacy Directive or its transposition measures (in our case, Article 82 of the French Data Protection Act) and still requires consent. As in both cases marketing and optimization cookies were set before the user’s consent had even been obtained, it is unlikely that the authority would have interpreted this situation differently.

Regarding the two other violations (ineffective refusal and ineffective withdrawal of consent), Article 88a also does not greatly differ from the ePrivacy Directive. The main change, in this case, would lie in the question of whether cookies that are currently consent-only would shift towards the “necessary” cookies, especially under the new exceptions for audience measurement (Article 88a para. 3 lit. c) and security (Article 88a para. 3 lit. d). In both cases, however, no security cookies or purposes akin to additional security were mentioned.

According to this, one could argue that, out of all the cookies that led to a violation in Vanity Fair’s case, perhaps two types of cookies could have been viewed differently under Article 88a para. 3 lit. c: the first type tracking the number of times videos were watched by the user, and the second type tracking the user’s overall usage of the page. No other actions are mentioned besides pure tracking and activity measurement. According to Article 88a para. 3 lit. c, cookies necessary for “creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use” would be exempted from the consent requirement. As a result, these two groups of cookies could be reclassified from “consent-only” to “necessary”, meaning they would no longer need to be removed after consent is withdrawn and the user would no longer be able to refuse them.

This difference, however, only relates to about two out of six non-compliant cookies. This new approach would not drastically change the outcome of the sanction, but might at best reduce the amount. This reasoning would in any case apply only if said cookies created aggregated information and were used solely by the controller of the website for its own use. Any re-use by third parties, or further processing for additional marketing purposes after audience measurement, remains consent-only under this understanding of the new cookie regulation.

American Express Infringements Under the Light of the Digital Omnibus:

In American Express’ case, the outcome may also differ slightly from the current sanction but should not change drastically. We have no indication of any use of the cookies other than “marketing and advertising purposes”, and they are consent-only based. As American Express’ violation of the principle of effective withdrawal of consent concerned every non-essential cookie that was set, it seems unlikely that all of them served solely the purpose of audience measurement. More likely, classical marketing and advertising cookies were also included, all of which would remain consent-only under the new Article 88a.

Conclusion

These two sanctions by the CNIL arrive at an interesting moment as the legal landscape is being discussed and may be subject to evolution. Yet the message remains clear: cookies should stay a focus for companies. A deeper analysis into each sanction also shows that even with the Digital Omnibus, companies will have to pay close attention to their cookie settings strategy, and they should rely on all the data protection expertise they can access—such as the services provided by FIRST PRIVACY—to navigate this topic effectively.