If you sell anything from a workshop in Limoges, run a B&B, or take restaurant bookings online, French law applies whether your site is in French or in English. Most small business sites miss at least one of the six layers of rules. Here is what each one requires and the order to fix them in.
French website law is not one single text. It is a stack: the Loi pour la Confiance dans l'Économie Numérique (LCEN, 2004) governs identifying information. The Règlement Général sur la Protection des Données (RGPD, 2018) governs personal data. The ePrivacy directive, transposed into French law in 2020, governs cookies and trackers. The Code de la consommation governs e-commerce. Since June 2025, the European Accessibility Act (EAA), transposed into French law, governs accessibility. Each layer is enforced independently, and penalties stack.
Two practical consequences. First, a site can be fully compliant on three layers and still face fines on a fourth. Second, the regulator that acts depends on which layer is broken. The CNIL handles personal data and cookies. The DGCCRF handles consumer law. The Défenseur des droits handles accessibility complaints.
Every site published from or targeting France needs a "mentions légales" page. The LCEN lists what it must contain:
The page is supposed to be reachable from anywhere on the site in two clicks. Most agencies put it in the footer. That is fine. Burying it in a 2019 archive under "About" is not.
The Orange Pro guide on the topic notes that micro-enterprises (auto-entrepreneurs) are exempt from share-capital disclosure but still need SIRET, host, and director information. There is no exemption for being too small to bother.
If your site collects an email address through a contact form, runs Google Analytics, or stores any customer information, RGPD applies. The core obligations:
The CNIL has published a simplified framework for very small businesses that covers the basics in a few pages. Following it does not make you bulletproof, but it moves you out of the "obviously negligent" category.
What trips up most small sites: forms that collect data without stating why, mailing lists built from trade-show contacts without documented consent, and analytics that run before the user has had a chance to object. Each of these is a known RGPD violation.
France interprets the ePrivacy directive strictly. No non-essential cookie can be set before the user has given explicit consent, and refusal must be as easy as acceptance. A banner with an "Accept all" button and a hidden "Manage preferences" link does not count.
What is actually required:
Google Analytics, Meta Pixel, Hotjar, and most advertising tools are non-essential. They all require prior consent. A small business that ships a new site and forgets the consent layer is in violation from day one.
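A self-audit for the prior-consent rule above, and for the "analytics that run before the user has had a chance to object" failure mentioned earlier: this added example (not from the original article) scans a page's HTML for tracker scripts that execute on load. The host list, the `data-category` attribute, the `G-EXAMPLE` id and the sample page are assumptions constructed for illustration.

```javascript
// Added example. Tracker hosts for the tools named in the text (assumed, not exhaustive).
const TRACKER_HOSTS = {
  "Google Analytics": ["googletagmanager.com", "google-analytics.com"],
  "Meta Pixel": ["connect.facebook.net"],
  "Hotjar": ["static.hotjar.com"],
};

// Common script types a browser executes. Any other value (e.g. text/plain,
// the convention many consent managers use) leaves the tag inert.
const EXECUTABLE_TYPES = new Set(["", "module", "text/javascript", "application/javascript"]);

// Read one attribute value from the raw attribute string of a tag.
function attr(tagAttrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tagAttrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : "";
}

// Return the trackers whose <script> tags run on page load, before any consent.
// Static check only: an inline loader wrapped in a consent callback is still
// flagged, so treat findings as items to review by hand.
function findUngatedTrackers(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const type = attr(attrs, "type").trim().toLowerCase();
    if (!EXECUTABLE_TYPES.has(type)) continue; // inert until consent is given
    const haystack = `${attr(attrs, "src")} ${body}`.toLowerCase();
    for (const [name, hosts] of Object.entries(TRACKER_HOSTS)) {
      const hit = hosts.some((h) => haystack.includes(h));
      if (hit && !findings.includes(name)) findings.push(name);
    }
  }
  return findings;
}

// Constructed sample page: GA loads unconditionally, Hotjar is gated,
// the Meta Pixel loader is inline, and menu.js is first-party.
const SAMPLE_HTML = `
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" data-category="analytics"
        src="https://static.hotjar.com/c/hotjar-000000.js"></script>
<script>(function (d) { var s = d.createElement("script");
  s.src = "https://connect.facebook.net/en_US/fbevents.js"; d.head.appendChild(s);
})(document);</script>
<script src="/js/menu.js"></script>`;

console.log(findUngatedTrackers(SAMPLE_HTML)); // [ 'Google Analytics', 'Meta Pixel' ]
```

An empty result does not prove compliance: trackers injected by a tag manager or a plugin at runtime only show up in the browser's network and cookie panels on a first visit with no consent given.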
If the site accepts payment, RGPD is not enough. The Code de la consommation imposes a separate set of obligations:
Simplébo's 2025 update on the topic reminds site owners that the same rules apply to booking systems and reservation deposits, not just physical product sales. A restaurant that takes a deposit through its own form is doing e-commerce.
Since 28 June 2025, the EAA applies in France. Any business selling a digital service to consumers must meet the European standard EN 301 549, which aligns with WCAG 2.1 AA. The penalty structure is not as visible as RGPD's, but complaints reach the Défenseur des droits and can lead to injunctions.
The practical scope: text contrast, image alt text, keyboard navigation, captions on video, and form labels. A small business with a five-page site can audit itself in an afternoon using the WebAIM checklist. The BTG article on 2026 accessibility obligations cites a WebAIM scan that found 95.9% of the top one million home pages have at least one detectable WCAG failure, so the base rate for serious issues is not subtle.
If your site is older than three years, it almost certainly fails. Fixing it is mostly small edits to colour contrast, alt text, and form structure. None of it requires a redesign.
Most small businesses can reach a defensible compliance level in two focused days. Order matters:
That sequence covers roughly 80% of what the regulators look for. The remaining 20% is edge cases specific to your activity (regulated professions, large-scale processing, third-country data transfers).
The penalties are real but unevenly enforced. The CNIL publishes a report each year, and most of the formal notices go to small companies. Average fine for a first offence on cookies: a few thousand euros. Repeat or wilful: up to 4% of global revenue or 20 million euros, whichever is higher. In practice, the regulator prefers to publish the offender's name and force a remediation period. The reputational cost is usually worse than the fine.
Accessibility is enforced less visibly today, but the wave of EAA complaints is starting to arrive through consumer associations. Litigation risk is real for any business selling across borders.
The honest framing: most small business sites are partly compliant and partly not. Closing the gap is not a matter of installing a magic plugin. It is an afternoon of structured edits, followed by a habit of asking "is this legal?" before adding the next feature.
If you want a starting point, the Lumevel studio walks small businesses through the legal stack as part of a site rebuild. The audit is shorter than most agencies quote and the fix list comes out in plain English.