In 2025, CNIL issued record fines in the commercial prospecting sector: €900,000 for a marketing company, €325 million for a digital giant. In 2026, audits are intensifying, particularly on phone marketing. How can you prepare?
The 4 Types of CNIL Audits You Need to Know
CNIL has four different audit methods, and your company can be subject to any of them:
1. On-site inspection
A CNIL delegation arrives directly at your premises. They can access your IT systems, interview your teams, and copy any useful document. The prosecutor is notified 24 hours before.
2. Summons hearing
You receive a letter asking you to appear at CNIL offices on a given date. You have at least 8 days notice and can be assisted by legal counsel.
3. Online audit
Agents verify from their offices everything that is publicly accessible: your website, consent forms, legal notices. They may use a borrowed identity.
4. Document-based audit
A questionnaire is sent with a request for supporting documents. You must provide contracts, processing registers, proof of consent, etc.
What Triggers a CNIL Audit
Audits don't happen randomly. Here are the main triggers:
- Complaints: a prospect reports abusive marketing
- Annual program: commercial prospecting has been a priority theme since 2022
- Current events: a sector makes headlines (training, energy renovation...)
- Follow-up: verification after a previous formal notice
In 2025-2026, sectors under close watch include: energy renovation, insurance, professional training, and B2C telecom.
Documents to Prepare Imperatively
Anticipate by building a complete compliance file:
Processing register
Mandatory document listing all your personal data processing, their purposes, legal bases, and retention periods.
Proof of consent
For each contacted prospect, you must be able to prove:
- When consent was obtained
- Through which form (timestamped screenshot)
- The exact text of the checkbox
- IP address and validation time
Subcontracting agreements
If you work with external providers, contracts must include mandatory GDPR clauses (article 28).
Rights exercise procedures
How do you handle access, rectification, and erasure requests? Document your processes and response times.
Penalties to Fear in 2026
Amounts are exploding. Examples of 2025 CNIL sanctions in prospecting:
| Sector | Main violation | Fine |
|---|---|---|
| Digital marketing | Prospecting without consent | €900,000 |
| Data brokerage | Lack of legal basis | €80,000 |
| Energy renovation | Illegal prospecting | €15,000 |
| Distance learning | Phone recordings | €10,000 |
Failure to cooperate with CNIL is an aggravating circumstance: never ignore a letter from the Commission.
Compliance Checklist for Call Centers
Check these points before an audit occurs:
- Bloctel files: are your lists regularly purged? Check our guide on Bloctel sanctions.
- Call scripts: do they include information about caller identity and opt-out options?
- Recordings: if you record calls, are prospects informed at the start?
- Retention periods: do you delete data from unconverted prospects after 3 years maximum?
- Team training: do your salespeople know the legal calling hours?
How to React During an Audit
If CNIL shows up:
- Cooperate: refusing access is a criminal offense (article 226-22-2 of the penal code)
- Request the mission order: document signed by CNIL president
- Get assistance: your DPO, a lawyer, or your legal manager
- Note everything: keep track of questions asked and documents provided
- Review the report: you can make observations before signing
A well-managed audit can close without consequences. A defensive attitude or lack of documentation almost systematically leads to sanctions.
Monitor Your Phone Reputation
Beyond GDPR compliance, CNIL is increasingly interested in the actual impact of your practices. A high spam report rate can trigger an investigation.
With a solution like HUHU for call centers, you can monitor in real-time whether your numbers are flagged as spam by operators or blocking apps.
