On February 8, 2024, the French data protection authority (CNIL) published a list of its enforcement focus areas for 2024.[1] The CNIL will focus on the processing of children’s data by online services, the handling of individuals’ requests to access their personal data (so-called “DSAR”), the re-use of data processed for loyalty programs, and data processed in connection with the upcoming Olympic and Paralympic games.
CNIL: A GDPR Enforcement Heavyweight
The CNIL’s primary role is to ensure compliance with data protection laws, including the General Data Protection Regulation (GDPR). Well-resourced, the CNIL employs both legal and technical experts. Its guidance and enforcement actions typically carry weight within the community of supervisory authorities at the European level.
Each year, the CNIL defines priority themes to focus its enforcement efforts. These typically relate to areas of high public interest and GDPR compliance within specific industries or topics. The CNIL conducts hundreds of inspections (both remote and onsite) annually (e.g., 340 in 2023) in response to complaints, reports of data breaches, or current events. On average, its focus areas account for 30 percent of these inspections. The CNIL has notably been increasing its use of on-site inspections, which involve staff interviews and technical assessments.
CNIL Focus Areas in 2024
- Children’s Data Use by Online Services. The CNIL intends to investigate how online services (such as social networks, dating sites, and online gaming platforms) process personal data of minors. It emphasizes that extensive collection of information about children’s identity, preferences, or lifestyle habits may have implications for their privacy, psychological well-being, or future socio-professional prospects. While children’s data is a focus area across the EU,[2] the CNIL will focus on applications and websites popular among children and teenagers and assess their age verification mechanisms, security measures, and adherence to the data minimization principle. The CNIL has been very active in this field since 2022, when it created a prototype of a privacy-friendly age verification mechanism.[3]
- Data Subjects’ Right of Access. As part of the European Data Protection Board (EDPB) Coordinated Enforcement Framework,[4] the CNIL will inspect how companies address individuals’ DSARs. The results of the CNIL and other data protection authorities’ inspections will be pooled and analyzed to enable targeted follow-ups at the national and European level.[5]
- Loyalty Programs and Digital Receipts. The CNIL will zoom in on customer loyalty programs, such as those offered by supermarkets. These programs typically involve gathering various information about consumers (e.g., eating habits, household composition, and children’s ages) in return for promotions or discounts. In addition, the digitization of sales receipts requires processing additional data types (e.g., phone number or email address). The CNIL will focus on the re-use of such data (e.g., for marketing and sales), and on ensuring that prior consent is obtained for any targeted advertising.
- Data Collected for the 2024 Olympic and Paralympic Games. The CNIL will inspect how companies process personal data to ensure safety and security (e.g., QR codes for restricted areas, access authorizations, use of CCTV), and for ticketing services. Specifically, the CNIL will check if proper notice is provided to individuals, which parties their data is shared with, and how it is secured.
Next Steps
Companies should check if any of their activities in France touch on the above focus areas. If so, we would recommend reviewing processing activities to identify and remedy any compliance gaps and preparing staff for potential on-site inspections.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy issues and prepare for and address investigations in jurisdictions across the globe, including in France. For more information, please contact Yann Padova from Wilson Sonsini’s privacy and cybersecurity practice.
Laura Brodahl and Carol Evrard contributed to the preparation of this post.
[1] “Les contrôles de la CNIL en 2024,” available at https://cnil.fr/fr/les-controles-de-la-cnil-en-2024-donnees-des-mineurs-jeux-olympiques-droit-dacces-et-tickets-de.
[2] See, for example, https://www.wsgrdataadvisor.com/2024/01/10-privacy-predictions-in-the-eu-for-2024/ and https://www.wsgrdataadvisor.com/2023/12/ftc-proposes-significant-changes-to-coppa-rule/.
[3] See https://linc.cnil.fr/demonstrateur-du-mecanisme-de-verification-de-lage-respectueux-de-la-vie-privee.
[4] EDPB picks topic for 2024 Coordinated Action (June 17, 2023), available at: https://edpb.europa.eu/news/news/2023/edpb-picks-topic-2024-coordinated-action_en.
[5] More insights on DSAR handling can be found at https://www.wsgrdataadvisor.com/2023/11/weaponization-of-data-subject-access-requests-in-the-eu/.