The effectiveness of the EU’s landmark data protection rules has evolved since the entry into force of the GDPR in 2018, shifting from a focus on enforcement to driving tangible changes in companies’ behavior, particularly in relation to cookie consent practices, a senior official at the French privacy watchdog told MLex. Bertrand du Marais’s comments follow an EU legislative proposal that could change the way the cookie rules are enforced.
The effectiveness of the EU’s landmark data protection rules has evolved since the entry into force of the GDPR in 2018, shifting from a focus on enforcement to driving tangible changes in companies’ behavior, particularly in relation to cookie consent practices, a senior official at the French privacy watchdog told MLex.Severe sanctions against platforms for breaches of the General Data Protection Regulation are now a “sort of routine implementation” of the rules, while they’ve also influenced companies’ behavior, Bertrand du Marais, a commissioner at the Commission Nationale de l'Informatique et des Libertés, said in an exclusive interview on the sidelines of a conference* in Washington DC.
“I think we can say that GDPR and the EU privacy laws have been effective,” du Marais said.
In 2025, the CNIL’s total fines surged to €486.8 million (around $570 million) — almost nine times higher than 2024’s €55.2 million. The jump was mainly due to large fines against tech and e-commerce companies (see here).
Last September, Google was fined a record €325 million for violating French rules on managing cookies, and Infinite Styles Services Co. Ltd., the Irish subsidiary of Singapore-based online retailer Shein, faced a €150 million sanction for failing to obtain users’ consent to the use of tracking cookies on its shein.com website (see here).
The CNIL’s penalties, along with fines from other European data protection authorities, are starting to hurt tech companies, and “you can clearly see that there is a change in the behavior of large platforms,” du Marais said.
Du Marais pointed to the CNIL’s 2020 cookie guidelines, which established that rejecting cookies must be as easy as accepting them. The authority’s first major enforcement followed in late 2021, when it fined Google €150 million and Facebook €60 million.
These sanctions were imposed under France’s implementation of the EU’s e-Privacy Directive, which governs cookie rules in the bloc. Unlike the GDPR, which imposes a “one-stop shop” for regulating companies in the country where they’re based — mainly Ireland — any EU authority in the 27-nation bloc can enforce the e-Privacy Directive.
The effectiveness of the e-Privacy Directive may be at risk if EU legislative plans in the Digital Omnibus go ahead. The proposal, which is under discussion by EU legislators, would mean the EU's national data privacy watchdogs would no longer be able to act directly over cookies against companies operating in their territory in many cases. The change would concentrate enforcement at the Irish Data Protection Commission.
Cookies are small text files stored on a user’s device that can be used to enable website functions or track users across sites, and are regulated by both e-Privacy rules and by the GDPR.
The CNIL has been one of the most aggressive enforcers of the e-Privacy Directive, imposing fines totaling several hundred million euros since launching large-scale cookie enforcement in 2021.
In a series of consumer surveys, the CNIL has found that the share of users actively managing or refusing cookies has roughly doubled since the adoption of its 2020 guidelines, rising to around 40 percent, and has since remained relatively stable.
“When you look at the curves, you clearly see that there is a very significant inflection at that time, after the recommendation and when the first sanctions were imposed,” du Marais said. “We have continued to do this survey, and it's fairly stable after this inflection. So, from my point of view, it's exactly the goal we wanted to reach.”
According to a December 2024 survey by Toluna-Harris Interactive for the CNIL, 63 percent of users tend to accept cookies on websites, while 37 percent generally refuse them. Of those who generally refuse, roughly a third reject them all the time.
Du Marais emphasized that the French advertising market didn’t collapse after users were given the choice to accept or manage cookies. "We didn't kill the market,” he said.
Du Marais said that the same practice of issuing a recommendation and then following up with enforcement is being used with the mobile app ecosystem. Last May, the CNIL published a recommendation to help developers make more “privacy-friendly” mobile apps. The recommendations reiterate that apps must obtain consent to process data.
CNIL officials began inspections last year, and the first enforcement decisions are now expected in the following semesters, du Marais said. This model of enforcement provides legal certainty to companies, he said.
“You have to organize a sort of interim period,” he said. “It's also a matter of fairness, so the industry isn’t caught by surprise.”
IAB Europe, the lobby group for the AdTech industry, said a survey last year found that users accept websites that use a “pay or consent” model when they’re aware that this model funds free internet services.
Under this model, users either pay to access a website or accept cookies used for targeted advertising.
“While privacy is a top concern, 60 percent of consumers believe a 'pay or consent' model is reasonable when they understand the value exchange involved,” IAB Europe said in a press release, citing a survey conducted by Kantar, a research firm.
The European Data Protection Board — an umbrella group of EU data protection authorities — said in a 2024 opinion that in most cases, large online platforms won’t be able to comply with the requirements for valid consent, if users are given a choice between consenting to targeted ads and paying a fee (see here).
Consent must be freely given under the GDPR to be considered valid consent, the EDPB said.
Du Marais said one of the consequences of GDPR implementation is that news publishers’ business models are “very much oriented toward ‘pay or consent’, or toward ‘subscribe or consent’.”
* IAPP Global Summit 2026: Privacy-AI Governance, Washington DC, March 30-April 2, 2026.
Please email editors@mlex.com to contact the editorial staff regarding this story, or to submit the names of lawyers and advisers.