
What’s the difference between the CNIL’s strict RGPD guidance and that of other EU countries?

RGPD is just France’s name for GDPR — same regulation. The difference is enforcement: the CNIL (Commission Nationale de l’Informatique et des Libertés) is one of the strictest GDPR enforcement bodies in the EU, with multi-million-euro fines against Google, Amazon, Facebook, TikTok, etc.

Concrete differences from a Magento perspective:

  • Cookie consent — CNIL requires granular, per-purpose opt-in. No pre-ticked checkboxes. No “continued browsing = consent”. The “Reject all” button must be as prominent as “Accept all” (CNIL guidance, enforced from 2021 onward).
  • Cookie wall ban — you cannot block content for users who refuse non-essential cookies (CNIL position, narrower than ICO).
  • Data localisation — CNIL prefers EU-region hosting (Adobe Commerce Cloud Frankfurt, OVHcloud, Scaleway).
  • Loi Informatique et Libertés — the French national law (1978, updated 2018 + 2024) layered on top of RGPD. Adds rules around health data, biometric data, and France-specific DSAR routing.

We ship Cookiebot / Axeptio / Didomi (French-native) wired into Magento’s cookie API, with banner copy reviewed against CNIL guidance.
