
GDPR-Compliant Giveaways: A 2026 Guide for French & EU Retailers

Camille Laurent · Compliance & Privacy Lead
5/8/2026

What French and EU retailers need to know about running giveaways that don't violate GDPR, CNIL guidelines, or consumer protection law. With a compliance checklist.

Running a giveaway in the EU without thinking about GDPR is one of the most common — and most expensive — mistakes SMB retailers make. The fines are real, the CNIL is active, and the legal exposure compounds with each non-compliant participant whose data you collected. This guide walks through what GDPR actually requires for a retail giveaway, where most generic giveaway tools fail, and how to run a compliant campaign without sacrificing the viral mechanics that make giveaways worth running.

The core principle: a giveaway is a marketing activity that collects personal data (name, email, sometimes address). Under GDPR, that requires a lawful basis (almost always consent), specific information to the participant about how their data will be used, the ability to withdraw consent later, and the right to erase the data. None of this is optional, and "I'm running a small business" is not a defense — the CNIL has fined SMBs for GDPR violations on giveaways smaller than €500 in prize value.

The five GDPR requirements your giveaway must meet:

  • Consent must be specific and informed: the participant must know exactly what data you're collecting and why. A generic checkbox saying "I agree to be contacted" doesn't satisfy this; you need separate explicit opt-ins for the giveaway entry itself and for any future marketing communications.
  • Consent must be unbundled: a participant cannot be required to agree to marketing emails as a condition of entering the giveaway.
  • You must have a documented data retention policy (when will entrant data be deleted?).
  • You must provide a clear path to data deletion (email request, form, or self-service).
  • If you're processing data on EU residents, you need a privacy policy that's actually accessible from the giveaway page.

Cookie consent is separate. If your giveaway page sets any tracking cookies (Google Analytics, Meta Pixel, anything beyond strictly-necessary cookies), you need a CNIL-compliant cookie banner. Most generic giveaway tools don't provide one. The CNIL has specific guidance — banners must have clear accept/reject buttons of equal prominence, the rejection must be as easy as acceptance, and prior consent is required before any non-essential cookie is set.

Where generic giveaway tools fail. KingSumo, SweepWidget, RafflePress, ViralSweep — all American-origin tools — were built for the US legal context. They handle the giveaway mechanics fine, but they don't ship GDPR-compliant entry flows. You can usually configure them to be compliant if you understand the rules, but configuration is your responsibility. EU-built tools (or tools with explicit GDPR features like liflio's giveaway module, which was built in France with RGPD compliance as a foundational requirement) emit compliant consent flows by default.

What about French consumer protection law (Code de la Consommation)? Beyond GDPR, French retailers running giveaways must publish a "règlement" (official rules) and may need to deposit it with a "huissier" (court bailiff) for prize values above certain thresholds. The rules must include the giveaway period, eligibility criteria, the winner-selection mechanism, the prize, and how to claim. For SMB-scale giveaways (prizes under ~€500), the deposit requirement is usually skippable, but the published rules are not.

The GDPR compliance checklist for retail giveaways

  • Explicit, specific, unbundled consent at entry (separate checkboxes for entry vs. marketing emails)
  • Clear information about what data is collected and how it will be used
  • Documented data retention policy (when will entrant data be deleted?)
  • Self-service or easy-request data deletion mechanism
  • Linked privacy policy accessible from the giveaway page
  • CNIL-compliant cookie banner if any tracking cookies are used
  • Equal-prominence accept/reject buttons on consent banner
  • Right of erasure honored within 30 days of request

Common giveaway mistakes that trigger CNIL action

  • Requiring marketing-email opt-in as a condition of entry (bundled consent — illegal)
  • Pre-checked consent boxes (consent must be active and opt-in)
  • Cookie banner with 'reject' hidden behind extra clicks or in a secondary menu
  • No documented mechanism for data deletion after the giveaway ends
  • Storing entrant data indefinitely 'for future campaigns' without renewed consent
  • Using entrant data for marketing without the explicit separate opt-in

The 'règlement' (official rules) — what must be in it for French campaigns

The French Code de la Consommation requires every giveaway to publish official rules accessible to participants. The rules must specify: the organizer's full legal identity (company name, SIREN, address), the giveaway start and end dates, the eligibility criteria (age, residence), the entry mechanism, the prize description and value, the winner-selection method, when and how winners will be notified, and the contact for inquiries. For prizes above ~€500, some operators historically deposited the règlement with a huissier (bailiff); this is no longer always required, but the published rules document is. Generic giveaway tools rarely include a règlement template; EU-built tools usually do.

Pro Tip

Before launching any EU-targeted giveaway, save your privacy policy and giveaway règlement as PDFs and link them prominently from the entry page. If the CNIL or a participant ever asks, you have documented evidence of compliance. Most CNIL complaints don't result in fines if the retailer can show a paper trail of good-faith compliance.

Camille Laurent

Compliance & Privacy Lead

Camille Laurent is a privacy lawyer with 10 years of experience in GDPR and French Code de la Consommation. Before joining liflio, she advised retail SaaS companies on EU compliance and built privacy programs for two e-commerce startups.
