Cookies and web compliance: an underestimated, but very real risk for companies
Setting up a simple cookie banner is no longer enough for a site to be compliant. Too often, behind an appearance of legality, websites remain legally exposed. A site can be considered non-compliant if the trackers are not strictly supervised and documented.
1. Why compliance is a critical topic
The regulations (GDPR and ePrivacy) rest on a firm principle: no non-essential tracker may be set without prior consent. In France, the CNIL (cnil.fr) ensures strict control of this framework.
Concrete risks for companies:
- Financial risk: Penalties can reach several million euros or a percentage of global turnover.
- Short deadlines after formal notice: In the event of an audit, the time allowed to correct the technical settings or the privacy policy is often very short.
- Image risk: The CNIL’s sanctions are public. Deceptive practices, such as a refusal made difficult for the user, break the trust of Internet users.
2. The most frequent (and sanctioned) mistakes
The majority of non-conformities noted during inspections are not deliberate oversights, but technical errors:
- Cookies set before consent: This is the most frequent breach and is systematically sanctioned.
- Dark patterns: Offering acceptance in one click while refusal takes several steps is illegal. The CNIL requires that refusal be as simple as acceptance.
- Cookie policy disconnected from the technical reality: The discrepancy between the stated purposes (often unclear) and what the site actually does (tools not mentioned in the policy) is regularly pointed out during audits.
3. Sanctions: SMEs also in the crosshairs
Contrary to popular belief, the CNIL does not only target web giants. While the fines of the GAFAM are spectacular, intermediate-sized companies (ETIs) and SMEs are just as exposed.
Case in point: The publisher of Vanity Fair (Condé Nast) was fined €750,000. The reasons included cookies set without consent and an ineffective opt-out mechanism.
For a smaller structure, the penalties generally vary between €20,000 and €200,000, an amount that can seriously weaken a cash flow. You can consult the CNIL’s guidelines on cookies for more official details.
4. Moving away from the superficial approach
Compliance is a technical, legal and operational issue that must be managed over the long term. To secure your business, a three-step approach is necessary:
- A genuine technical audit: Identify which tools are actually collecting data, and compare that inventory with what the cookie policy declares.
- Rigorous implementation: Activate non-essential scripts only after explicit consent has been given, and keep refusal as easy as acceptance.
- Continuous management: Review the documentation and the tracker inventory periodically, so that the two never drift apart again.
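The three steps above can be made concrete in code. The following is an added example, not KP Consulting's code nor a CNIL tool: a tracker registry that mirrors the cookie policy, an audit function that flags cookies present on a first visit before any consent (both non-essential ones and ones the policy does not document), and a consent gate where accepting and refusing are symmetric single actions and where the decision is kept as a timestamped record that can be produced during an inspection. It is written as plain functions so it runs in Node without a browser; the registry entries, cookie names and cookie strings are constructed for illustration.

```javascript
// Added example (not the page's or KP Consulting's code). Tracker names,
// purposes and cookie strings below are constructed for illustration.

// Registry of every tag the site uses, mirroring the published cookie policy.
// A cookie the registry does not know is, by definition, a tool the policy
// fails to mention.
const REGISTRY = {
  sessionid: { purpose: "Session continuity", essential: true },
  csrftoken: { purpose: "CSRF protection", essential: true },
  _ga:       { purpose: "Audience measurement (analytics)", essential: false },
  _fbp:      { purpose: "Advertising (social pixel)", essential: false },
};

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split("=")[0]);
}

// Audit step: given the cookies found on a first visit, before any consent,
// return the findings an inspector would raise.
function auditBeforeConsent(cookieString, registry = REGISTRY) {
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    const entry = registry[name];
    if (!entry) {
      findings.push({ cookie: name, issue: "undocumented" });
    } else if (!entry.essential) {
      findings.push({ cookie: name, issue: "non-essential before consent" });
    }
  }
  return findings;
}

// Consent record: which purposes were granted or refused, and when. Keeping
// this record is what lets the site prove compliance rather than assert it.
function recordDecision(choices) {
  return { choices: { ...choices }, decidedAt: new Date().toISOString() };
}

// Names of the non-essential tags, i.e. the ones that need a choice.
function nonEssentialNames(registry) {
  return Object.keys(registry).filter((name) => !registry[name].essential);
}

// Accepting and refusing everything are symmetric one-step actions: same
// shape, same number of calls, so refusal is never harder than acceptance.
function acceptAll(registry = REGISTRY) {
  return recordDecision(
    Object.fromEntries(nonEssentialNames(registry).map((n) => [n, true])));
}
function rejectAll(registry = REGISTRY) {
  return recordDecision(
    Object.fromEntries(nonEssentialNames(registry).map((n) => [n, false])));
}

// Gate: which tags may run. Essential ones always run; a non-essential one
// runs only if the stored decision explicitly says true. No decision at all
// (the very first page view) means no non-essential tag is loaded.
function tagsToLoad(decision, registry = REGISTRY) {
  return Object.keys(registry).filter((name) => {
    if (registry[name].essential) return true;
    return decision !== null && decision.choices[name] === true;
  });
}

// Walk-through with constructed data. In a real page, tagsToLoad() would
// drive the injection of <script> elements; here it only reports the list.
const firstVisitCookies = "sessionid=abc; _ga=GA1.2.1; _hjid=xyz";
console.log("audit findings:", auditBeforeConsent(firstVisitCookies));
console.log("before any choice:", tagsToLoad(null));
console.log("after reject all:", tagsToLoad(rejectAll()));
console.log("after accept all:", tagsToLoad(acceptAll()));
```

The audit run on the constructed cookie string reports `_ga` as a non-essential cookie present before consent and `_hjid` as undocumented, which are exactly the two breach types from section 2. The gate loads only the essential tags until a decision exists, and `rejectAll()` is one call, just like `acceptAll()`.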
KP Consulting's expertise
At KP Consulting, we see that many companies think they are compliant when they are exposed without knowing it. Our approach identifies critical deviations and makes concrete technical corrections. We integrate this management into a global trajectory including the GDPR, the NIS2 directive and the ISO 27001 standard.
The objective
It’s about moving from a mere ‘window-dressing’ banner to genuine compliance, and above all, compliance that can be proven in the event of an inspection.
The question is no longer whether you have a banner, but whether you can prove your technical compliance as early as tomorrow.