With the French Data Protection Authority (CNIL) recently hitting Google and Shein with fines totalling €475M, it’s clear we’re long past the prospective guidance phase and well into active enforcement.
Regulators are stepping up enforcement against non-compliant tracking and targeting, while paying closer attention to consent UX, tracking behaviours, and banner design.
These latest actions reflect a growing trend: regulators in multiple jurisdictions are treating consent UX and tracking behaviour as compliance-critical. Even outside the EU, digital teams should monitor evolving standards.
CNIL Enforcement Highlights
Both fines fell under Article 82 of the French Data Protection Act, which transposes the ePrivacy Directive into French law and dictates consent requirements for non-essential cookies and other tracking technologies. Separately, Google was also fined under Article L.34-5 of the French Postal and Electronic Communications Code for placing advertising messages in forms or emails in inboxes without consent.
| Google: Fined €325M for cookie consent violations | Shein: Fined €150M for deceptive cookie practices |
| --- | --- |
| Placed tracking cookies without valid consent | Cookies placed without consent |
| Nudged users to accept cookies linked to personalised ads | Nudged users into accepting cookies with dark patterns |
| “Reject” was harder to access than “Accept” | Insufficient information about cookies and inadequate refusal mechanisms |
The CNIL’s message is clear: before any non-essential tracking begins, valid consent must be freely given, clearly presented and technically enforced, and withdrawal must be effective and as easy as giving consent.
🌏 Global implications
While these rulings are specific to tracking French visitors, they’re aligned with the approach taken to non-essential tracking under GDPR and ePrivacy. Businesses should assume that consent UX and tracking practices will face increasing scrutiny across the EU, especially in jurisdictions with stricter interpretations or limited exemptions for non-essential tracking.
Designing consent for trust, not just compliance
Even if your cookie banner looks compliant, many sites still allow tracking scripts to load before consent. Whether it’s a faulty tag manager or a misconfigured CMP doesn’t matter; either way, it’s a risk.
The focus isn’t only on whether a cookie banner appears, but what’s happening before and behind it. Regulators are scrutinising:
- Placement of analytics or third-party cookies or other trackers before obtaining consent
- Prominence and friction of consent options presented
- Whether users understand the consequences of their choices
- Whether visual or design cues steer users toward or away from certain options
The theme aligns with the EDPB Guidelines on Consent under Regulation 2016/679, which require consent to be informed, specific and unambiguous. Users must be able to withdraw consent easily, and pre-ticked boxes or implicit consent mechanisms are non-compliant.
This is good news for teams that care about ethical data, building trust and ensuring long-term user relationships. Cleaner consent flows reduce legal and compliance risks, improve the quality of the data collected, and keep analytics dashboards accurate and actionable.
Balance consent flows
If rejecting cookies is harder than accepting them, it undermines the principle of freely given consent.
If “reject” is buried, smaller or requires more clicks than “accept”, it’s considered a “dark pattern”, or manipulative design practice.
Regulators are now seeing these things for what they are and holding companies accountable for manipulative design.
Avoid consent gaps and unreliable analytics
A poorly designed consent banner can drive users to reject consent, leaving businesses with a fragmented view of their audience and impacting data quality and decision-making.
To reduce compliance risk while retaining customer insights, you need an analytics platform that is designed for privacy by default and offers flexible consent management and cookieless options.
Next steps to make sure your consent banner is compliant
Audit
- ✔ Understand which cookies and trackers your site uses and what types (if any are strictly necessary/essential or consent-exempt).
- ✔ Test your site with tracking blockers to confirm nothing fires before opt-in.
- ✔ Review your UX holistically for validity of consent and ease of withdrawal.
- ✔ Audit banner design, wording, and placement to avoid hidden bias or dark patterns.
- ✔ Document compliance and keep records of consent flows, lawful bases, and data retention policies.
- ✔ Use built-in conversion tracking to see how consent changes affect behaviour.
Fix
- ✔ Configure settings so that no consent-exempt cookies or trackers fire before consent.
- ✔ Make reject paths as visible and frictionless as accept paths to avoid dark patterns.
- ✔ Wire user choices directly into scripts with CMP integrations and Tag Managers.
- ✔ Audit flows regularly: review banner wording, placement and design to avoid hidden bias.
- ✔ Only track data your site genuinely needs. Avoid blanket tracking or plugging in every integration by default.
- ✔ Provide clear, specific information about third parties that place cookies on your site.
Matomo in action: Dynamic consent management and cookie control
The goal is simple: maintain the visibility needed to improve user experience and conversion without letting your analytics setup become the weak link in your compliance posture.
The hardest part of consent isn’t the cookie banner. It’s wiring consent decisions into tags, scripts and cookie categories so that nothing fires early and everything updates when a user changes their mind.
Tag manager support and CMP integrations
Matomo supports tag triggering by category (e.g., statistics, marketing) to match analytics scripts with user preferences. For example, hold back all advertising and promotional tags until marketing consent is given.
While regional logic isn’t built into Matomo by default, there are CMP integrations that can also trigger Matomo tags based on user consent (see our CMP Integration Guides). If the French market requires stricter defaults under CNIL guidance, configure triggers and defaults for French visitors without changing your global setup.
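The wiring described above, sketched as an added example (not Matomo's or this article's own code): a small gate that holds Matomo tracking and marketing tags until the matching category is granted, and reacts to withdrawal. The `{ statistics, marketing }` choice shape and the `marketingLoaders` map are assumptions; `requireConsent`, `rememberConsentGiven` and `forgetConsentGiven` are the Matomo JavaScript tracker's consent commands.

```javascript
// Added example: consent gate between a CMP and the Matomo JS tracker queue.
// Assumptions: the CMP reports choices as { statistics, marketing }, and
// marketingLoaders is a hypothetical map of tag name -> function that injects it.
function createConsentGate(paq, marketingLoaders) {
  const loaded = new Set(); // marketing tags injected so far
  let statsSynced = null;   // null = no decision sent to Matomo yet

  // Queue this before trackPageView so Matomo holds every request until opt-in.
  paq.push(['requireConsent']);

  return function apply(choice) {
    // Only an explicit boolean true is consent; missing, pre-filled or
    // string values ("yes", "1") are treated as refusal.
    const statistics = choice != null && choice.statistics === true;
    const marketing = choice != null && choice.marketing === true;

    // Sync Matomo only on change, so repeated CMP events stay idempotent.
    // The first refusal also clears consent remembered from an earlier visit.
    if (statistics !== statsSynced) {
      paq.push([statistics ? 'rememberConsentGiven' : 'forgetConsentGiven']);
      statsSynced = statistics;
    }

    if (marketing) {
      for (const [name, load] of Object.entries(marketingLoaders)) {
        if (!loaded.has(name)) { load(); loaded.add(name); }
      }
    }
    // Injected third-party scripts cannot be unloaded; after a withdrawal the
    // caller should reload the page so they are gone (this example's choice).
    const reloadNeeded = !marketing && loaded.size > 0;
    return { statistics, marketing, loadedTags: [...loaded], reloadNeeded };
  };
}

// Constructed demo: in a browser, pass window._paq instead of demoQueue.
const demoQueue = [];
const demoApply = createConsentGate(demoQueue, {
  adsPixel: () => console.log('adsPixel injected'),
});
demoApply({ statistics: true, marketing: false }); // statistics only
demoApply({ statistics: true, marketing: true });  // marketing opt-in
console.log(demoApply({ statistics: false, marketing: false })); // withdrawal
console.log(demoQueue);
```

Call the returned function from the CMP's change callback on every update, not only on first load, so a withdrawal reaches the tracker as reliably as an opt-in.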
Flexible with third-party cookies
- If your stack uses third-party cookies for advertising, connect your consent manager so those technologies only load after explicit consent.
- If your goal is to avoid third-party cookies for most users, you can keep Matomo limited to first-party, statistics-only cookies unless a user opts in to broader categories.
Consent-exempt configurations of Matomo
Both Matomo On-Premise and Matomo Cloud can be configured to comply with the CNIL consent exemption. Check out our FAQ for more on configuring Matomo for CNIL exemption for audience measurement tools.
GDPR and privacy features
- IP anonymisation helps reduce the risk of identifying individuals while still letting you understand traffic patterns.
- Data retention controls help minimise storage duration, which aligns with GDPR principles on storage limitation.
- Clear APIs and audit-friendly settings help document your lawful basis for processing, consent status and data flows for your records of processing activities.
A privacy-first analytics stack you can trust
Regulators are raising the bar. Websites that continue to treat consent as a box-ticking exercise face fines, reputational damage and the slow erosion of user trust.
Privacy-centric analytics platforms are gaining traction because they provide businesses with full data ownership and transparency.
With Matomo, you own all of your data. And because there’s no sampling, reports are precise, not stitched together from estimates.
When paired with a compatible CMP, Matomo lets you configure cookieless tracking in certain jurisdictions and apply IP anonymisation to reduce personal data risk. Most importantly, you can build a consent flow that is fair, understandable, and easy for users to change at any time.
To learn more about Matomo’s CMP integrations that support regional logic and tag control, explore our Knowledge Base resources:
If you’re ready to bring your cookie policy, consent banner, and analytics under control, start your 21-day free trial. More than 1 million websites in over 190 countries choose Matomo because it delivers accurate insights while also supporting privacy.