GDPR: Your Website's Legal Obligations in France
The GDPR (General Data Protection Regulation) has been in force since May 2018 and applies to any website that collects data from people in the European Union — regardless of where the website owner is based. In France, the CNIL (Commission Nationale de l'Informatique et des Libertés) enforces the regulation and can issue fines of up to €20 million or 4% of global annual turnover.
Here are the obligations that apply to your website.
1. Cookie Consent Banner
If your website uses cookies that aren't strictly necessary for its operation — and almost every website does (Google Analytics, Facebook Pixel, YouTube embeds, etc.) — you must obtain prior, explicit consent before those cookies are set.
What this means in practice:
- A cookie banner must appear on the first visit, before any non-essential cookies fire
- Users must be able to accept or refuse with equal ease — a "Refuse all" option must be as prominent as "Accept all"
- Consent must be logged (stored proof that consent was given)
- Users must be able to withdraw consent at any time
Non-compliant cookie banners are the #1 target of CNIL enforcement actions.
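The "before any non-essential cookies fire" and "consent must be logged" requirements above come down to one gate in front of every third-party tag. The following is an added example (not code from the original article or from any of the tools named below): a small consent manager whose storage backend, script loader, `cookie_consent` key and category names are all assumptions, chosen so it runs unchanged in a browser or under Node.

```javascript
// Added example, not code from the article: a minimal consent gate that
// (1) holds back non-essential scripts until consent is recorded,
// (2) stores a consent record as proof (choices, timestamp, policy version),
// (3) lets the user withdraw. Storage and script loading are injected so the
// same code runs in a browser (localStorage, a <script> injector) or in Node.
const CONSENT_KEY = "cookie_consent"; // hypothetical storage key

function createConsentManager({ storage, loadScript, policyVersion, now = () => Date.now() }) {
  const categories = ["analytics", "marketing"]; // assumed category names
  const pending = []; // scripts registered but not yet allowed to run

  function readProof() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      // A record for an older policy version is not valid consent: ask again.
      return rec && rec.version === policyVersion ? rec : null;
    } catch {
      return null;
    }
  }

  function release() {
    const rec = readProof();
    if (!rec) return; // no consent yet: nothing fires
    for (let i = pending.length - 1; i >= 0; i--) {
      if (rec.choices[pending[i].category] === true) {
        loadScript(pending.splice(i, 1)[0].src);
      }
    }
  }

  function record(choices) {
    storage.setItem(CONSENT_KEY, JSON.stringify({ version: policyVersion, timestamp: now(), choices }));
    release();
  }

  return {
    // Call this for every non-essential tag instead of loading it directly.
    register(category, src) { pending.push({ category, src }); release(); },
    needsBanner() { return readProof() === null; },
    // Accept and refuse are deliberately symmetric: one action each.
    acceptAll() { record(Object.fromEntries(categories.map(c => [c, true]))); },
    refuseAll() { record(Object.fromEntries(categories.map(c => [c, false]))); },
    // Withdrawal removes the proof; scripts already loaded stop on the next page
    // load, and the site must also clear the cookies those scripts have set.
    withdraw() { storage.removeItem(CONSENT_KEY); },
    proof: readProof,
  };
}
```

In a real deployment the proof record would also be sent to the server, since a value in the visitor's own browser is easy to lose and hard to produce on request.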
2. Privacy Policy (Politique de Confidentialité)
You must publish a clear, accessible privacy policy explaining:
- What personal data you collect (name, email, IP address, etc.)
- Why you collect it (legal basis: consent, contract, legitimate interest)
- How long you retain it
- Who you share it with (hosting providers, analytics, payment processors)
- Users' rights regarding their data
- Your contact details and data protection officer (DPO) if applicable
3. Legal Notices (Mentions Légales)
French law (Loi pour la Confiance dans l'Économie Numérique — LCEN) requires every professional website to display:
- Company name, legal form, registered address
- SIRET number
- Name of the publication director
- Hosting provider name and contact details
4. Respecting Data Subject Rights
Under GDPR, individuals have the right to:
- Access their personal data
- Correct inaccurate data
- Delete their data (right to be forgotten)
- Object to processing
- Receive their data in a reusable, machine-readable format (data portability)
You must be able to respond to these requests within 30 days.
5. Contact Forms and Data Minimisation
When you use contact forms, subscription forms, or any data collection mechanism:
- Only collect data you actually need (data minimisation principle)
- Add a mandatory checkbox for consent to data processing
- Never pre-tick consent checkboxes
- State clearly how the data will be used
6. Data Retention Limits
You cannot keep personal data indefinitely. Define and document retention periods for each type of data:
- Contact form submissions: typically 3 years
- Customer purchase data: 5–10 years (accounting obligations)
- Newsletter subscriptions: until unsubscription + 3 years
7. Data Breach Notification
In case of a personal data breach, you must:
- Notify the CNIL within 72 hours if the breach poses a risk to individuals
- Notify affected individuals if the risk is high
Practical Tools for Compliance
- Axeptio, Cookiebot, or CookieYes — GDPR-compliant cookie consent management
- CNIL's compliance assistant (cnil.fr) — free self-assessment tool
- Iubenda — automated privacy policy and cookie policy generation
For a professional, compliance-ready website with all legal requirements built in from the start, talk to our team at Mindzy — or explore our website creation services.