The French data protection authority CNIL has fined Vanity Fair France €750,000 for placing cookies on user devices without proper consent, even after previously being formally warned to comply with data protection rules.
According to CNIL, the website vanityfair.fr installed cookies immediately upon a visitor’s arrival, before any interaction with the consent banner. Even the “Reject all” button failed to prevent new trackers from being installed, while existing cookies remained active.
Investigators found that the publisher LES PUBLICATIONS CONDÉ NAST failed to properly inform users and incorrectly labeled several tracking cookies as “strictly necessary,” bypassing consent requirements despite their advertising or analytics purposes.
The watchdog stated that the severity of the fine reflects both the large number of affected users and the company’s failure to comply after having already received a formal notice in 2021. The case originated from a complaint filed by noyb in 2019. Although the investigation initially closed in 2022 after Condé Nast received compliance instructions, a follow-up audit revealed that the company still had not corrected its cookie practices in accordance with Article 82 of the French Data Protection Act.
In response to the decision, Condé Nast cited technical errors, shortcomings in the IAB Transparency and Consent Framework (TCF), and claimed it acted in good faith. The company also objected to the public disclosure of the sanction.
The incident highlights the growing regulatory pressure on websites to ensure transparency and obtain explicit consent before using cookies for tracking or advertising. Vanity Fair’s fine serves as a reminder that noncompliance — especially after a formal warning — can lead to substantial penalties and reputational harm.
