On 20 November 2025, the CNIL imposed a €750,000 fine on the Condé Nast group, publisher of Vanity Fair, Vogue, GQ, AD, Wired, etc.

Cookies placed without consent: the company that publishes the website “vanityfair.fr” fined 750,000 euros by the CNIL
Background information The company LES PUBLICATIONS CONDE NAST publishes printed and online magazines, including the magazine Vanity Fair. In December 2019, the CNIL received a public complaint from the association NOYB concerning the cookies placed on the devices of users visiting the “vanityfair.fr” website. After several investigations and discussions with the CNIL, the company received an order to comply in September 2021 and the proceedings were closed in July 2022.
Home

This decision, which stemmed from a complaint filed by the noyb association in 2019, sends a clear message to all websites : a cookie banner is not enough; it must actually work.

⚡️ The Context : A costly repeat offence

It all began in 2019 with a complaint filed by noyb, which resulted in a formal notice from the CNIL in September 2021. The proceedings were closed in July 2022.

However, during new inspections carried out in 2023 and early 2025, CNIL agents found that the vanityfair.fr website was still not compliant. The CNIL ruled that this constituted gross negligence, considering that Condé Nast had had several years and warnings to correct the situation.

🔎 The three major technical shortcomings

It is not the absence of a CMP (Consent Management Platform) that is being penalised here, but its technical inefficiency. Here are the three critical points highlighted in the deliberation:

🔹The placement of cookies ‘BEFORE’ consent (Zero-Click)

As soon as the user arrived on the home page, cookies were placed on their device even before they clicked on ‘Accept’ or ‘Refuse’.

The rule : Until the user has given their positive consent (opt-in), no non-essential trackers may be activated.

🔹‘Necessary cookies’ that were not necessary

The publisher had classified certain trackers (used to combine offline data or link different devices) as ‘Strictly Necessary’.

Problem : Users could not refuse them, which constitutes misleading information according to the CNIL.

🔹An ineffective refusal mechanism (the placebo effect)

Tests revealed that clicking ‘Refuse All’ or withdrawing consent after the fact did not always stop tracking. During its February 2025 inspection, the CNIL found that despite consent being withdrawn, certain cookies continued to collect and transmit data.

❌ The ‘technical bug’ argument dismissed by the CNIL

In its defence, Condé Nast pleaded good faith, explaining that these illegal deposits were due to :

  • A ‘technical error’ in the settings.
  • Incorrect configuration during an update.
  • The constraints imposed by the IAB's TCF framework.

The regulator's response is unequivocal :

"The fact that the cookie was stored (...) due to a technical error (...) has no bearing on the characterisation of the breach."

In short : The website publisher is responsible for the outcome. Whether the breach is due to an oversight, a bug or incorrect settings, you will still be liable for the fine. The CNIL also rejected the TCF's argument, pointing out that adherence to a standard does not exempt publishers from providing clear and accurate information to users.

🛡 How can you avoid this scenario with Sirdata?

This case shows that cookie management cannot be improvised.

Sirdata's ABconsent CMP provides technical security for data collection :

🔹Automatic Conditioning (Auto-Blocking)

Partner scripts are only triggered after consent has been given.

Result : No tags can ‘leak’ before consent is given. If the user has not clicked, the script does not load.

🔹Native compliance with standards (TCF v2.2 & Google Consent Mode)

We manage the complexity of categories (Strictly Necessary vs Advertising) upstream.

Security : No risk of mistakenly classifying an advertising cookie as ‘necessary’. The purposes are clearly defined according to standards validated by the IAB and Google.

🔹Real proof and withdrawal management

At Sirdata, the ‘Refuse’ button actually cuts off the flow. In addition, our revocation module allows the user to change their mind at any time, with immediate application to trackers.

🧠 In summary

The €750,000 fine imposed on Condé Nast marks the end of tolerance for implementation errors.

  • GDPR compliance is not just a visual banner, it is a technical reality.
  • ‘Good faith’ does not protect against penalties.
  • Repeat offences and negligence are very costly.

Do not let a scripting error jeopardise your profitability. Switch to an industrial, auditable and secure solution.

💬 Is your website truly secure ? Our experts can audit your situation and secure your data collection.

ABconsent - Consent Management Platform (CMP), gestion des consentements des internautes
Consent Management Platform, gestion des consentements des internautes, compatible IAB TCF 2.1. Gérez des consentements valides avec la preuve du consentement - Sirdata
SirdataSirdata