CNIL Compliance for Facebook Ads (France)

Pix-Vu Team||4 min read
CNIL Compliance for Facebook Ads (France)

Quick Answer

The Commission Nationale de l'Informatique et des Libertes (CNIL) requires every Facebook advertiser targeting French users to (1) display a cookie banner with a reject-all button as visible as accept-all, (2) block the Meta Pixel and Conversions API by default until consent is given, (3) keep proof of consent for the duration of the cookie, and (4) refuse 'cookie wall' patterns that condition access on accepting trackers.

What the rule actually says

The CNIL applies the French Data Protection Act and Article 82 of the Loi Informatique et Libertes — the local transposition of the ePrivacy Directive — together with GDPR. Its 2020 cookie guidelines, 2022 enforcement deliberations and 2024 'Recommendation 2024-X' on dark patterns set a high bar:

  • Refusing trackers must be as easy as accepting them in one click.
  • The banner must list every third party (including Meta) and the categories of data shared.
  • Continued browsing does not constitute consent.
  • Consent must be provable (timestamp, IP, banner version) for at least the cookie's lifetime plus the limitation period.
  • Children under 15 require parental consent under Article 45 of the LIL.

The CNIL can issue fines up to EUR 20 million or 4% of global turnover, plus public-disclosure orders that damage brand reputation.

What is allowed and what is banned

Allowed: targeted Facebook campaigns to French users who have given valid consent, server-side Conversions API with consent passed in the payload, and legitimate-interest processing for non-tracking analytics that is fully anonymised.

Banned: pre-loading the Pixel before consent, hiding the reject button, using 'continue browsing' as consent, charging for opt-outs without an equivalent free alternative, and processing minors' data for behavioural advertising without parental consent.

Step-by-step compliance setup

  1. Audit every Facebook tag with a debugger like Tag Assistant or Klaro and confirm none fire before consent.
  2. Use a CMP certified for the IAB TCF v2.2 framework with a CNIL-compliant template (Axeptio, Didomi, Cookiebot).
  3. Configure 'reject all' and 'accept all' buttons of identical visual weight.
  4. Pass the consent state to the Conversions API in the data_processing_options field.
  5. Link the CMP to Meta's Limited Data Use mode for users who reject.
  6. Update your privacy policy with French-language disclosures, retention periods and data subject rights.
  7. Sign Meta's Controller Addendum and store it in your compliance folder.
  8. Maintain a register of processing activities (Article 30 GDPR) and a DPIA if you do large-scale retargeting.
  9. Enable a French-language DSAR portal with one-month response SLAs.
  10. Train staff on the 72-hour breach notification rule.

Frequently asked questions

Is a 'continue without accepting' link enough?
Only if it leads to a real refusal that blocks all advertising trackers. The CNIL fined Google EUR 150 million in 2022 for a deceptive version of this.

Can I use a 'pay or consent' wall?
The EDPB and CNIL have ruled that 'consent or pay' is incompatible with GDPR for large platforms. SMEs may use it under strict conditions, but the safer route is a free reject option.

Does the Conversions API need consent?
Yes. Server-side does not change the legal basis — it just changes the transport.

How long can I store consent records?
For the lifetime of the cookie plus the legal limitation period. The CNIL recommends six months minimum for the consent log.

Are non-French EU advertisers in scope?
Yes. The CNIL claims jurisdiction whenever French users are targeted, regardless of where the controller is established.

Real fine examples

  • Google — EUR 150 million (CNIL, 2022) for a non-compliant cookie banner with no reject-all.
  • Facebook (Meta) — EUR 60 million (CNIL, 2022) for the same reject-all violation.
  • Amazon — EUR 35 million (CNIL, 2020) for advertising cookies without consent.
  • Criteo — EUR 40 million (CNIL, 2023) for not proving consent for advertising trackers.
  • Yahoo EMEA — EUR 10 million (CNIL, 2023) for similar consent failings.

How Pix-Vu helps

French teams use Pix-Vu to design and screenshot Facebook ad creatives in a CNIL-friendly sandbox that never loads the Meta Pixel. It is the cleanest way to QA banner-and-creative interactions before exposing them to French users — and it is built with the privacy-by-design principles the CNIL expects. https://pix-vu.com.

Ready to automate your Facebook ads?

Let AI handle your ad creative, targeting, and optimization. Launch profitable campaigns on autopilot.

Get Started Free
Back to all posts