ARTICLE
29 July 2025

France And The New EU Regulation On Political Advertising: The CNIL Updates Its Doctrine Ahead Of The 2025 Implementation

GP
Goodwin Procter LLP

Contributor

Goodwin Procter LLP logo
At Goodwin, we partner with our clients to practice law with integrity, ingenuity, agility, and ambition. Our 1,600 lawyers across the United States, Europe, and Asia excel at complex transactions, high-stakes litigation and world-class advisory services in the technology, life sciences, real estate, private equity, and financial industries. Our unique combination of deep experience serving both the innovators and investors in a rapidly changing, technology-driven economy sets us apart.
Explore Firm Details
Online political advertising has become central to modern electoral campaigns. However, the growing lack of transparency, particularly regarding funding, targeting, and data processing practices, raises serious concerns about the protection of democratic principles.
France Privacy
Gretchen Scott and Céline Moille

Online political advertising has become central to modern electoral campaigns. However, the growing lack of transparency, particularly regarding funding, targeting, and data processing practices, raises serious concerns about the protection of democratic principles.

In response, the European Union adopted Regulation (EU) 2024/900 of 11 April 2024 on the transparency and targeting of political advertising. This regulation, which supplements the General Data Protection Regulation (GDPR), aims to regulate the increasing use of digital tools in the political sphere. Although the text entered into force in April 2024, it will apply in full starting from 15 October 2025.

In preparation for this implementation, the "Commission Nationale de l'Informatique et des Libertés" (CNIL), the French data protection authority, has begun updating its doctrine to reflect the new European framework. These updates mark a significant shift in the interpretation and enforcement of rules surrounding political communication in France, underlining the CNIL's role in ensuring compliance with the evolving European regulatory landscape.

I- Five core obligations framing political advertising

Inspired by the principles of the General Data Protection Regulation (GDPR) and focused on combating information manipulation and foreign interference in elections, the Regulation is built upon five essential obligations, identified as priorities by the CNIL:

  1. Clear identification of the political advertiser:
    All political advertising must explicitly indicate the identity of the sponsor, as well as, where applicable, any individuals or entities that funded, supported, or opposed the campaign. This obligation is intended to eliminate anonymous or covert campaigns and to ensure the accountability of all actors participating in the public debate.
  2. Transparency of funding and financial sources:
    Expenditures, the nature of purchased services, and the origin of the funding must be made publicly available. This will allow the electorate to understand the scale of financial means used and the potential influence of certain donors.
  3. Creation of publicly accessible ad repositories:
    Online platforms and competent national authorities will be required to establish repositories that allow public access to political ads' histories, dissemination parameters, targeting criteria, and funding sources. These tools aim to ensure real-time monitoring and full traceability of political messages disseminated online.
  4. Strict regulation of algorithmic targeting:
    The use of targeting techniques based on personal data is now subject to strict regulation. The use of sensitive data – such as political opinions, ethnic origin, religion, sexual orientation, or health data – is strictly prohibited, even with the data subject's consent.
    For other types of data, an explicit, freely given, and informed consent must be obtained before any political advertising takes place. Advertisers must be able to demonstrate that the individual has given their explicit agreement to receive targeted political communication.
    Platforms are also required to disclose the targeting criteria used by their algorithms.
    Furthermore, personal data must be collected directly from the individuals concerned: extracting data from electoral rolls or third-party databases is expressly forbidden.
  5. Direct information to users:
    Individuals exposed to political advertising must be clearly informed that the content is sponsored, the identity of the sponsor, the reasons they were targeted, and their rights under data protection law.

II- Key operational impacts for concerned stakeholders

The Regulation imposes substantial operational changes on three major categories of stakeholders:

  1. Political parties, Candidates, and Electoral Organizations
    They must ensure full compliance of their digital communication strategies, including data collection and processing, contractual arrangements with communications agencies, and online campaign management. Internal governance processes will need to be established to document decision-making, manage consent, and ensure financial transparency.
    They will also need to redesign their data acquisition strategies to exclude indirect sources and verify that consent is explicit, traceable, and specific to political communication.
  2. Online Platforms and Search Engines
    Although already subject to the Digital Services Act (DSA), major platforms (including social media, search engines, and ad tech providers) will be required to:
    • Develop labelling tools for political ads;
    • Systematically identify advertisers;
    • Create and maintain publicly accessible ad repositories;
    • Block targeting based on sensitive data;
    • Ensure algorithmic traceability of dissemination criteria.
    Their technical and legal responsibilities are significantly reinforced, as they may be held jointly liable for unlawful targeting practices.
    They must also put in place mechanisms to collect, verify, and store proof of explicit user consent before delivering targeted political ads.
  3. Communications Agencies and Consulting Firms
    Political strategy service providers will be required to incorporate regulatory constraints at every stage of campaign design and execution. They will need to support their clients in implementing compliance mechanisms, train their teams on the new obligations, and revise their targeting and analytics practices accordingly.
    This includes auditing all data sources to ensure they originate from direct collection and that no sensitive or indirectly obtained data is used.

Failure to comply with the Regulation may result in significant financial penalties, imposed by national data protection authorities, particularly by the CNIL, which will exercise its investigative and enforcement powers under the GDPR.

III- A strengthened role for the CNIL

Already the competent authority for personal data protection, the CNIL is granted a central role in enforcing the Regulation. It will act as the lead national regulator to:

  • Verify the transparency of political advertising and the repositories set up by platforms;
  • Monitor targeting practices and sanction the unlawful use of sensitive data;
  • Support stakeholders through the publication of guidelines, technical opinions, and practical recommendations.

The CNIL has already announced a proactive interpretation of the Regulation and intends to maintain enhanced dialogue with platforms, agencies, and political actors to ensure pragmatic implementation and prevent inertia.

Towards a regulation that creates strategic opportunities

Beyond its constraints, the Regulation may also be viewed as a strategic opportunity for political actors and their partners. Ensuring compliance with this new framework strengthens the democratic legitimacy of campaigns, bolsters voter trust in disseminated messages, and reinforces the protection of fundamental rights such as privacy and non-discrimination.

This new European standard may further influence international regulation and serve as a reference model for democracies committed to regulating the digital sphere in political contexts.

Key takeaways

With the full application of the new rules coming in October 2025, political actors and their service providers must urgently reassess their digital communication practices. GDPR compliance alone is no longer enough: Regulation (EU) 2024/900 introduces specific requirements, particularly on consent, profiling, and transparency.

Key novelties include a strict ban on sensitive data use (even with consent), a prohibition on indirect data collection (such as from electoral rolls or third parties), and the requirement to obtain and demonstrate explicit consent for targeted political messaging.

Our team closely monitors these regulatory developments and is already assisting several organizations in adapting their digital campaigns. From compliance audits to record-keeping, strategic advice, and engagement with the CNIL, we help turn regulatory constraints into opportunities for building trust.

Take a proactive approach: rely on our expertise to anticipate the Regulation's impacts and build a political communication strategy that is compliant, responsible, and effective.

Interested in a deeper dive into these new rules or in practical support for your teams? Feel free to reach out to us.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Gretchen Scott
Gretchen Scott
Photo of Céline Moille
Céline Moille
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More