CNIL fines Vanity Fair publisher €750,000 for cookie violations

On November 20, 2025, France's data protection authority imposed a financial penalty of €750,000 against LES PUBLICATIONS CONDE NAST for multiple violations of cookie consent requirements on the vanityfair.fr website, according to the deliberation published November 27, 2025.

The restricted committee of the Commission Nationale de l'Informatique et des Libertés determined that the French publishing company had systematically failed to respect user privacy choices when deploying tracking technologies across its digital properties. The enforcement action targeted practices affecting approximately 7.4 million visitors between June and October 2023, with more than six million accessing the site from France.

Background of enforcement

The CNIL's investigation originated from a December 2019 complaint filed by privacy advocacy organization NOYB regarding cookie practices on vanityfair.fr. This triggered an extended regulatory process spanning multiple years, including three online monitoring missions and one company audit conducted between 2020 and 2021.

Following these initial investigations, the authority issued a compliance order to the publishing company on September 13, 2021, specifically directing the organization to collect user consent before depositing any cookies not covered by legal exemptions. Authorities closed the initial enforcement proceeding on July 11, 2022, with observations noting areas requiring continued attention.

Additional online monitoring missions took place on July 19 and November 9, 2023, prompted by another NOYB complaint. These investigations revealed ongoing violations of Article 82 of the French Data Protection Act. A supplementary verification occurred on February 11, 2025, examining whether remedial measures had been implemented.

The publishing company operates four magazine brands including Vanity Fair, Vogue, GQ, and AD, maintaining both print publications and digital platforms. According to financial disclosures, the organization generated €26.4 million in net revenue during 2023 within France, employing 173 personnel.

Violations identified

The CNIL's restricted committee identified four distinct categories of violations related to cookie management on vanityfair.fr.

During the November 9, 2023 monitoring mission, investigators detected a cookie identified as NID depositing on user terminals immediately upon website access, occurring before any interaction with the consent banner. This cookie facilitates user connection and stores preferences when Google accounts are utilized. The publishing company acknowledged this unauthorized deployment resulted from technical error and implemented corrections on January 12, 2024.

The regulatory framework established by Article 82 prohibits cookie operations that neither facilitate electronic communications nor serve strictly necessary functions for delivering requested online services. The CNIL has consistently enforced these requirements, previously sanctioning multiple organizations for depositing advertising cookies without prior consent authorization.

Investigators also determined that the website's cookie preference interface misleadingly categorized certain tracking operations. Three cookie purposes appeared under the designation "always active" and were described as "strictly necessary cookies" that "cannot be disabled." These included operations labeled as "match and combine offline data sources," "link different devices," and "receive and use automatically sent device identification characteristics."

The publishing company explained these designations originated from the Transparency and Consent Framework developed by the Internet Advertising Bureau. Under this standardized consent mechanism, certain "functionalities" support specific processing purposes without requiring separate user authorization. However, the CNIL found this information presentation insufficient because it failed to direct users toward the framework's governing rules.

Further violations emerged when investigators tested the website's refusal mechanisms. After clicking the "refuse all" option in the cookie preference interface, monitoring equipment detected continued presence of cookies subject to consent requirements. The July 19, 2023 inspection identified a cookie designated "_dd_s" that aggregates user-generated events across multiple pages to enhance advertising library performance. Similarly, the November 9, 2023 inspection found the previously mentioned NID cookie persisting despite explicit user refusal.

Beyond these immediate deposits, investigators documented additional tracking during subsequent navigation. The "_dd_s" cookie remained active while a new cookie labeled "cneplayercount" appeared, designed to analyze user activity by counting videos viewed during browsing sessions.

The most recent violation category concerned consent withdrawal effectiveness. During the February 11, 2025 inspection, investigators first accepted cookies via the banner interface, then withdrew consent using the preference management system. Despite this withdrawal, two cookies continued operation: "CN_xid_refresh" enabling comprehensive navigation tracking, and "_ga_9C8GH73ZS1" associated with Google Analytics services.

Technical compliance failures

The regulatory authority emphasized that Article 82 requirements extend beyond initial consent collection to encompass ongoing respect for user preferences. When individuals withdraw previously granted authorization, responsible parties must implement technical safeguards preventing further cookie reading or writing operations.

The CNIL's September 2020 recommendation specified that withdrawal effectiveness may require specialized technical solutions. One approach involves modifying cookie expiration dates, rendering previously valid cookies unusable for network request purposes even if browser deletion only occurs upon session closure.

For the two cookies linked to the vanityfair.fr domain that continued reading operations after consent withdrawal, the regulatory authority determined the publishing company possessed complete technical control over these operations. Implementation of expiration date modification represented a straightforward compliance measure requiring minimal technical effort.

The publishing company indicated it discontinued the "CN_xid_refresh" cookie and disabled the "_ga_9C8GH73ZS1" cookie to prevent data transmission to Google servers. However, the CNIL's analysis established that reading operations persisted within the company's own domain regardless of external data sharing, constituting continued violations of consent withdrawal requirements.

The regulatory authority noted particular concern regarding the Google Analytics cookie given that the publishing company had previously received specific direction in the 2021 compliance order to cease unauthorized Google Analytics cookie deployment.

Penalty determination

Article 20 of the French Data Protection Act authorizes the CNIL's restricted committee to impose administrative fines not exceeding €10 million or two percent of annual global revenue, selecting whichever amount proves higher. For violations addressed in the European General Data Protection Regulation's Articles 83.5 and 83.6, these limits increase to €20 million or four percent of global revenue.

The regulatory authority evaluated multiple factors specified in GDPR Article 83 when calibrating the financial penalty. These included violation nature, gravity, duration, processing scope, affected individual counts, damage levels, and responsible party conduct.

The committee characterized the violations as grave given their systematic nature across information provision, consent collection, refusal recognition, and withdrawal implementation. These deficiencies prevented users from reasonably understanding the scope of operations conducted on their devices, undermining their capacity to maintain control over personal data.

The enforcement action particularly emphasized the extended timeframe of regulatory engagement. Initial interactions between the CNIL and the publishing company commenced in 2019, establishing a pattern where compliance measures occurred only in response to regulatory intervention rather than proactive implementation.

The committee determined the company demonstrated negligence in failing to respect obligations that had been repeatedly explained through multiple channels. The CNIL has provided extensive guidance regarding cookie requirements since publishing recommendations in 2013, reinforced through 2019 guidelines and numerous public enforcement decisions. The publishing company could not reasonably claim ignorance of these well-established requirements.

The regulatory authority acknowledged the company's eventual implementation of corrective measures following each monitoring mission notification. However, these adjustments occurred reactively rather than demonstrating autonomous compliance commitment, particularly concerning given the 2021 formal compliance order.

Financial considerations also influenced penalty calculation. Advertising revenue generation and commercial space sales constitute core business activities for the publishing company. Cookies function as fundamental infrastructure within online advertising ecosystems, directly contributing to company revenue streams.

Based on disclosed financial information, the publishing company generated €26.4 million in French net revenue during 2023, producing €855,227 in net profit. The previous year's performance showed €47.6 million in French net revenue with €3.6 million in net profit. These figures encompass all four magazine brands operated by the organization.

After evaluating the company's financial capacity, violation circumstances, and applicable legal criteria, the restricted committee determined a €750,000 administrative fine represented appropriate, proportionate, and dissuasive consequences for the established violations.

Publication decision

The CNIL's restricted committee elected to publish the enforcement decision on both the commission's website and Légifrance, France's official legal publication platform. This publication will initially identify the sanctioned company by name, transitioning to anonymous designation after a two-year period from publication date.

The committee justified this publicity measure based on the website's visibility, violation gravity and duration, and the substantial number of affected individuals who deserve notification regarding these practices. The time-limited identification approach balances public information interests against proportionality considerations.

The publishing company challenged the publication decision, arguing it lacked justification. However, the regulatory authority maintained that transparency serves essential purposes given the scale of privacy impacts and the need to inform millions of website visitors about practices affecting their personal data.

Industry context

This enforcement action continues France's intensified cookie compliance oversight. The CNIL imposed a €150 million penalty against SHEIN's subsidiary on September 1, 2025, for similar violations involving pre-consent cookie tracking and deficient consent mechanisms. That same day, authorities fined Google €325 million for Gmail advertising practices and account creation cookie violations.

December 2024 saw Orange receive a €50 million penalty for inserting advertisements in user email inboxes without authorization and maintaining cookie reading operations after consent withdrawal. The telecommunications provider affected 7.8 million email service users through these practices.

The regulatory authority has recently focused attention on deceptive design practices in cookie consent interfaces, issuing formal notices in December 2024 against multiple website publishers employing dark patterns that make cookie acceptance easier than rejection. These enforcement actions demonstrate systematic attention to both technical compliance and interface design psychology.

Broader European enforcement reflects similar priorities. German courts have clarified consent requirements for tag management systems, while Dutch authorities have addressed cookie banner violations through investigations concluded in March 2025.

The publishing company's case illustrates how regulatory patience diminishes when organizations receive repeated guidance without implementing sustainable compliance programs. Five years of regulatory engagement failed to produce systematic adherence to cookie requirements, ultimately necessitating financial consequences to ensure behavioral change.

Timeline

• December 2019: NOYB files initial complaint regarding vanityfair.fr cookie practices
• 2020-2021: CNIL conducts three online monitoring missions and one company audit
• September 13, 2021: CNIL issues formal compliance order to LES PUBLICATIONS CONDE NAST
• July 11, 2022: Initial enforcement proceeding closed with observations
• July 19, 2023: First follow-up online monitoring mission identifies ongoing violations
• November 9, 2023: Second follow-up monitoring mission documents additional non-compliance
• February 11, 2025: Supplementary inspection examines remedial measure implementation
• July 21, 2025: Rapporteur notifies company of proposed sanctions
• September 12, 2025: Company submits written observations defending practices
• November 6, 2025: Restricted committee holds hearing session
• November 20, 2025: Committee adopts final decision imposing €750,000 fine
• November 27, 2025: Decision published on CNIL and Légifrance platforms

Summary

Who: France's Commission Nationale de l'Informatique et des Libertés sanctioned LES PUBLICATIONS CONDE NAST, a French publishing company operating Vanity Fair, Vogue, GQ, and AD magazine brands with combined employment of 173 personnel and €26.4 million in 2023 French revenue.

What: The regulatory authority imposed a €750,000 administrative fine for four categories of Article 82 violations: depositing cookies without prior consent, providing misleading cookie information, failing to honor user refusals, and continuing cookie reading operations after consent withdrawal. The decision will be published with company identification for two years.

When: The restricted committee adopted its decision on November 20, 2025, published November 27, 2025, following investigations spanning from December 2019 through February 2025 and encompassing multiple monitoring missions, compliance orders, and procedural exchanges.

Where: Violations occurred on the vanityfair.fr website affecting approximately 7.4 million visitors between June and October 2023, with more than six million users accessing from French territories, representing the geographic scope of CNIL's enforcement jurisdiction.

Why: The enforcement action responded to systematic failures in respecting user privacy choices across five years of regulatory engagement, demonstrating that reactive compliance measures following each inspection notification proved insufficient to establish sustainable adherence to cookie consent requirements under French data protection law.