Privacy policy for selling in France (RGPD/CNIL) — what it must contain (2026)

Selling to consumers in France means you must inform them about your data processing under the GDPR (RGPD in French) and the French Data Protection Act (loi Informatique et Libertés), supervised by the CNIL. A home-country privacy policy does not cover France's cookie rules (opt-in) or French rights terminology. Below: which law applies, what your policy for the French market must contain, and how to prepare it.

Which data protection law applies in France?

Processing consumer data in France is governed by the GDPR (RGPD in French) and the national French Data Protection Act (1978, amended), enforced by the CNIL. While the GDPR applies EU-wide, the French market has its own practical requirements — particularly on cookies and rights terminology — that a home-country policy does not reflect.

Mandatory content under the GDPR and the French Data Protection Act

  • Data controller — identity and contact details, plus a DPO where applicable.
  • Purposes and legal basis of each processing activity (consent, contract, legal obligation, legitimate interest).
  • Categories of data and recipients.
  • Retention periods per purpose.
  • Individuals’ rights and how to exercise them.
  • Transfers outside the EU and the safeguards used (standard contractual clauses, etc.).

Cookies and trackers — the CNIL rules

Tracking cookies require prior opt-in consent. Under CNIL guidelines (deliberation 2020-091), the user must be able to refuse as easily as accept: a “Reject all” button at the same level as “Accept all”. Setting trackers before consent is a frequent ground for fines.

Individuals’ rights and complaints to the CNIL

Your customers have the rights of access, rectification, erasure, restriction, objection and portability. The policy must explain how to exercise them (contact, DPO) and note the right to lodge a complaint with the CNIL.

Risk and enforcement

Common failings: a generic, copied policy that does not describe actual processing, missing retention periods, a non-compliant cookie banner, and omitting the CNIL reference. The CNIL can fine up to EUR 20M or 4% of turnover; in 2023 its fines totalled around EUR 86 million.

How to prepare a compliant policy for France

Rather than translating your existing policy, generate a document that describes your real processing activities — purposes, legal bases, retention, rights and cookies — compliant with the GDPR and the French Data Protection Act, in French and ready to publish in minutes.

Frequently asked questions

Is a privacy policy mandatory in France?

Yes. The GDPR (art. 13) requires informing individuals at the point of data collection. Any shop processing customer data in France must provide an accessible privacy policy.

What is the difference between the GDPR and the French Data Protection Act?

The GDPR is the EU regulation; the French Data Protection Act (loi Informatique et Libertés, 1978, amended) implements it in French law and grounds the CNIL's powers. Both apply cumulatively in France.

How must the cookie banner work?

Tracking cookies require prior opt-in consent. Under CNIL guidelines (deliberation 2020-091), refusing must be as easy as accepting — a 'Reject all' button at the same level as 'Accept all'.

Is my home-country privacy policy enough for France?

The GDPR is shared, but the French market expects French rights terminology, references to the CNIL and the French Data Protection Act, and a CNIL-compliant cookie banner — so a dedicated French-language version is needed.

What fines can the CNIL impose?

Up to EUR 20 million or 4% of global turnover. In 2023 the CNIL issued around EUR 86 million in fines, notably on cookies and information to individuals.