---
title: "AI Voice Agents in France: CNIL, Bloctel & Cold Calling Compliance (2026)"
description: "Complete 2026 guide to AI cold calling in France. CNIL rules, Bloctel registry, Loi Naegelen hours (Mon-Fri 10-13h, 14-20h), GDPR Article 6, EU AI Act disclosure, fines and enforcement."
url: "https://ainora.lt/blog/ai-voice-agents-france-cnil-bloctel-compliance-2026"
---

# AI Voice Agents in France: CNIL, Bloctel & Cold Calling Compliance (2026)

> **TL;DR:** France is one of the most regulated cold calling markets in Europe. AI voice agents calling French numbers must respect the **Bloctel** opt-out registry for B2C, call only on weekdays between 10:00-13:00 and 14:00-20:00 (Loi Naegelen, reformed 2023), cap solicitations at **4 attempts per 30 days**, disclose AI nature under EU AI Act Article 50, secure a GDPR Article 6 lawful basis (consent for B2C, legitimate interest possible for B2B), obtain two-party consent for recording, and follow CNIL retention guidance (3 years from last contact). Fines under GDPR can reach EUR 20 million or 4 percent of global turnover; specific Bloctel violations carry administrative fines up to EUR 75,000 per legal entity.

## AI Cold Calling in France: 2026 Overview

France treats unsolicited telephone marketing as a high-risk activity. Three layers of regulation overlap whenever an AI voice agent dials a French number: the [Code de la consommation](https://www.legifrance.gouv.fr/codes/texte_lc/LEGITEXT000006069565) (consumer code, articles L223-1 to L223-7 on demarchage telephonique), the General Data Protection Regulation enforced domestically by the [CNIL](https://www.cnil.fr/en), and the [EU AI Act (Regulation 2024/1689)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689), whose transparency obligations on AI systems begin applying in stages from 2025-2026.

Two government bodies do most of the enforcement work. CNIL handles GDPR breaches, illegitimate processing of personal data, and call recording violations. The **DGCCRF** (Direction generale de la concurrence, de la consommation et de la repression des fraudes) handles Bloctel and consumer code violations, including the demarchage hour rules. Both have taken visible action against telemarketing operators in the last three years.

For background on how France compares to other European markets, see our [country-by-country GDPR cold calling guide](/blog/ai-cold-calling-gdpr-compliance-europe-guide) and our [AI caller disclosure laws by country](/blog/ai-caller-disclosure-laws-by-country-2026) overview.

## What Does CNIL Require for Voice AI?

The CNIL is France's independent data protection authority, founded under [Loi Informatique et Libertes (Law No. 78-17 of 6 January 1978)](https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460). For AI voice agents, CNIL expectations follow GDPR but add specific French interpretations:

- **Lawful basis under GDPR Article 6.** CNIL distinguishes between B2C (where prior consent is the safer route, given the consumer code overlay) and B2B (where legitimate interest under Article 6(1)(f) can apply, provided a documented Legitimate Interests Assessment supports it).
- **Information to the data subject (Articles 13-14 GDPR).** Callers must identify the controller, the purpose, the lawful basis, retention period, recipients, and the data subject's rights, at the start of the call.
- **Right to object (Article 21 GDPR).** The AI must recognise opt-out language and immediately stop processing for prospecting purposes.
- **Data minimisation and retention.** CNIL [recommends 3 years from last contact](https://www.cnil.fr/en/sheet-ndeg14-define-data-retention-period) for prospect data and tighter limits for call recordings (typically 6 months for quality assurance).
- **DPIA for large-scale automated processing.** Voice AI campaigns at any meaningful volume usually qualify under [CNIL DPIA criteria](https://www.cnil.fr/en/PIA-privacy-impact-assessment-en): systematic monitoring, large-scale processing, innovative technology.

> “The use of artificial intelligence systems must comply with the GDPR. Innovation and protection of fundamental rights are not opposed - they reinforce each other when companies build accountability into their systems from the start.”Marie-Laure DenisPresident, CNIL, [CNIL public communication on AI](https://www.cnil.fr/en/ai-how-to-sheets)

## Bloctel: The Mandatory Opt-Out Registry

[Bloctel](https://www.bloctel.gouv.fr/) is the French national do-not-call list, established by the Loi Hamon of 17 March 2014 and operational since 1 June 2016. Any consumer can register a French phone number free of charge for three years (renewable). Once a number is on Bloctel, marketing calls to that number are prohibited unless one of the limited exceptions applies (existing contractual relationship, press subscription survey, charitable solicitation under specific conditions).

### The Operator's Obligation

Under [article L223-2 of the Code de la consommation](https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000047625810), every professional carrying out telephone canvassing must scrub their prospect lists against Bloctel **before** any calling campaign and at minimum once per month during ongoing campaigns. Scrubbing is performed by submitting the list to Bloctel's service and removing the matched numbers.

### Who Bloctel Covers

- **B2C numbers:** fully covered. Mobile and landline consumer numbers can be registered.
- **B2B numbers:** not covered as a general rule, since Bloctel is a consumer protection mechanism. However, sole proprietors using a single line for both personal and professional purposes are practically protected if they register.
- **Pre-existing contracts:** a company can call its own clients about contract-related matters even if they are on Bloctel, provided the call remains within the scope of the existing relationship.

### What Counts as a Bloctel Violation

A B2C call to a registered Bloctel number, where no exception applies, is a violation. Each call to a registered number is a separate offence. The administrative fine is up to **EUR 75,000 for legal entities** and EUR 15,000 for natural persons (Code de la consommation L242-16).

## Loi Naegelen and the 2023 Reform

The **Loi Naegelen** (Law No. 2020-901 of 24 July 2020) tightened cold calling rules across the board. It was reinforced in 2022-2023 by [Decree No. 2022-34 of 13 October 2022](https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000047999673), which entered force on 1 March 2023. Together they introduced three structural changes to demarchage telephonique:

- **Calling hours restricted to weekdays only.** Saturday, Sunday, and public holiday calls are now prohibited for cold prospecting (the previous Saturday morning window was removed).
- **Daily windows fixed.** Calls are permitted only Monday to Friday, between 10:00 and 13:00 and between 14:00 and 20:00.
- **Frequency cap.** No more than four calls within a 30-day period to the same person, unless that person has explicitly agreed to be contacted again.

The renovation, energy-efficiency, and CPF (compte personnel de formation) sectors received additional restrictions: cold calling for these activities to consumers is essentially banned (Loi 2020-901 article 9 and Loi 2022-1158).

## Calling Hours and Frequency Limits (2026)

Below is the current rule set as of 2026, mapped for AI dialer configuration.

The frequency limit is per person, not per number, and tracking is the controller's responsibility. CNIL has signalled that operators relying on multiple sub-contractors must aggregate the call counts across all of them; siloed counters that allow a 5th call from a different vendor are a compliance gap.

## GDPR Article 6 Lawful Basis for Cold Calls

A French AI cold call processes personal data in at least three ways: it dials a phone number, it records the conversation, and it stores the resulting transcript or CRM note. Each of those processes needs a lawful basis under [Article 6 GDPR](https://gdpr-info.eu/art-6-gdpr/).

### Consent (Article 6(1)(a))

The cleanest route for B2C: a prospect explicitly opts in via a web form, lead magnet, or event registration. Consent must be specific, informed, freely given, and as easy to withdraw as it is to give. Pre-ticked boxes are invalid (CJEU Planet49 ruling, C-673/17, confirmed by CNIL).

### Legitimate Interest (Article 6(1)(f))

The route generally relied on for B2B prospecting in France. The European Data Protection Board [2025 guidelines on legitimate interest](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012025-processing-personal-data-based-article_en) require a documented three-step test: legitimate purpose, necessity, balancing of rights. For voice AI, the balancing test must address the additional intrusiveness of an automated system: targeted business roles only, professional numbers only, easy opt-out, immediate suppression.

### Contract (Article 6(1)(b))

Available when calling existing customers about their existing contract (renewal, payment, service issue). It does **not** cover cross-selling unrelated products, which falls back to consent or legitimate interest.

## EU AI Act and CNIL Disclosure Rules

[Article 50 of the EU AI Act](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689) requires that natural persons interacting with an AI system are informed of that fact, in a clear and timely manner, unless it is obvious from the context. For a voice AI cold call, the context is rarely obvious - prospects routinely assume they are speaking to a human - so explicit disclosure is required.

CNIL issued [how-to sheets on AI and GDPR](https://www.cnil.fr/en/ai-how-to-sheets) in 2024 and updates them periodically. Their position on conversational AI agents is consistent with the AI Act: identify the system as AI at the start, allow the person to ask for a human, and document how this disclosure is operationalised.

### What "Disclosure" Looks Like in Practice

- **First sentence of the call:** the AI introduces itself, names the company on whose behalf it calls, and states it is an automated voice assistant.
- **Repetition on request:** if the prospect asks "am I speaking to a human?", the AI must answer truthfully and without evasion.
- **Escalation route:** the prospect must be able to request a human operator; the AI either transfers or schedules a callback.
- **Logged disclosure:** the controller should be able to evidence, per call, that disclosure occurred.

For deeper coverage, see our dedicated guide on [EU AI Act transparency requirements for AI callers](/blog/eu-ai-act-transparency-requirements-ai-callers).

## Recording Consent and Data Retention

France applies a **two-party consent** model to call recording. The legal grounding sits in [article 226-1 of the Code penal](https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000006417929) on the protection of private communications, complemented by Article 5(1) GDPR (lawfulness, fairness, transparency).

In practice, an AI voice agent must:

- Inform the prospect at the beginning of the call that the call may be recorded, the purpose of the recording, and the retention period.
- Obtain a clear verbal "yes" before recording starts, or offer the option to continue without recording.
- Log the consent decision with the call metadata.
- Honour deletion requests under Article 17 GDPR.

### Retention Periods Recommended by CNIL

- **Prospect contact data:** 3 years from last contact (last call answered, last interaction).
- **Call recordings for quality assurance:** typically 6 months, longer only with documented justification.
- **Compliance audit logs:** up to the limitation period for the relevant regulatory action (often 3-5 years).

Automated deletion is the only safe approach at any meaningful volume. Manual purges miss the schedule and create breach exposure.

## Fines, Sanctions and Recent Enforcement

French enforcement against telemarketing operators has accelerated since 2021. The actions cluster around three patterns: Bloctel violations, GDPR breaches around prospect data and consent, and recording without disclosure.

### Recent CNIL and DGCCRF Actions

- **SOLOCAL MARKETING SERVICES, EUR 900,000 (CNIL, December 2021).** The CNIL [sanctioned SMS](https://www.cnil.fr/en/cnil-fines-solocal-marketing-services-eu-900000) for sending unsolicited prospecting messages without valid consent and breaches of cookie rules. The case shows CNIL's willingness to fine seven figures even when the offending channel was electronic prospecting rather than voice.
- **FREE MOBILE, EUR 300,000 (CNIL, December 2022).** CNIL [fined Free Mobile](https://www.cnil.fr/en/free-mobile-fined-300000-euros) for failing to honour the right of access and the right to object, both directly relevant to telephone prospecting opt-outs.
- **HUBSIDE.STORE, EUR 525,000 (CNIL, March 2023).** CNIL [fined Hubside.Store](https://www.cnil.fr/en/telephone-canvassing-cnil-fines-hubsidestore-eu525000) for telephone canvassing using prospect data collected without valid consent, plus illegal data transfers.
- **DGCCRF Bloctel campaigns.** The [DGCCRF reports annually](https://www.economie.gouv.fr/dgccrf/demarchage-telephonique-et-protection-des-consommateurs) on Bloctel enforcement, including hundreds of administrative fines totalling several million euros across the energy renovation, insurance, and CPF sectors.

### Maximum Theoretical Exposure

- **GDPR fines:** up to EUR 20 million or 4 percent of global annual turnover, whichever is higher (Article 83 GDPR).
- **Bloctel and consumer code fines:** up to EUR 75,000 per legal entity, per type of violation.
- **Criminal exposure:** recording without consent under Article 226-1 Code penal carries up to 1 year imprisonment and EUR 45,000 fine for natural persons.
- **Reputational and contractual:** CNIL public sanctions are published by name, and most enterprise procurement frameworks treat them as material.

## B2B vs B2C: Where the Rules Diverge

French law draws a meaningful B2B / B2C line, narrower than many vendors realise.

Two practical traps: first, French sole proprietors (auto-entrepreneurs) routinely use the same number for personal and professional purposes - if that number is on Bloctel, treat it as B2C. Second, CNIL has stated that calling hours rules in the consumer code reflect a public order norm that any reasonable controller should respect even in B2B contexts; calling French managers at 21:30 is a defensible bad idea.

## Compliance Checklist for Voice AI Vendors

Before deploying an AI voice agent against a French prospect list, work through this checklist. Most CNIL and DGCCRF actions trace back to one or more of these points being missing.

1. **Lawful basis documented per campaign.** Consent records for B2C, signed Legitimate Interests Assessments for B2B.
2. **Bloctel scrubbing pipeline.** Lists submitted before each campaign and at least monthly for rolling campaigns. Matched numbers removed automatically.
3. **Calling-hours guard in the dialer.** Hard-coded windows (Mon-Fri 10-13h, 14-20h Europe/Paris), public holiday calendar, automatic pause.
4. **Frequency cap.** Centralised counter per natural person, not per number, aggregated across all sub-contractors. 4 attempts per 30 days hard limit.
5. **AI disclosure script.** First sentence identifies the AI, the company, and the purpose. Recorded and auditable.
6. **Recording consent flow.** Verbal opt-in before recording starts; non-recording fallback path; consent decision logged.
7. **Right-to-object detection.** AI recognises French opt-out language ("ne m'appelez plus", "je ne suis pas interesse", "retirez-moi de votre liste") and immediately suppresses the contact.
8. **Data Processing Agreement (Article 28 GDPR).** Signed with every sub-processor, EU/EEA data residency where possible, breach notification clauses, deletion-on-termination clauses.
9. **Retention policy automated.** Recordings deleted on schedule, prospect data deleted at 3 years from last contact unless lawful basis to retain longer.
10. **DPIA on file.** Updated when call volume or AI capabilities change materially.
11. **Audit trail.** Per-call logs of disclosure, consent, opt-outs, and call timing. Reviewed quarterly.

## How AINORA Approaches French Compliance

AINORA builds its outbound voice product around the assumption that France is the strictest market it operates in, and therefore the baseline against which other markets configure. The compliance posture is not a marketing feature - it is the operating constraint on every campaign.

- **Calling-hours guard by default.** Campaigns targeting French numbers respect Mon-Fri 10-13h and 14-20h Europe/Paris with the public holiday calendar applied automatically.
- **AI disclosure on the first turn.** The voice agent identifies itself as an automated assistant, names the calling entity, and offers a human escalation route - in line with EU AI Act Article 50 and CNIL guidance.
- **Two-party recording consent.** Recording only starts after a clear opt-in; a non-recorded path is always available.
- **Frequency cap and centralised suppression.** Per-person counters, immediate opt-out propagation across all campaigns, audit log of every suppression.
- **EU data residency.** Conversation data and recordings are processed within the EU/EEA, supported by signed DPAs with sub-processors.
- **Retention controls.** Configurable per controller, defaulting to 6 months for recordings and 3 years for prospect data, in line with CNIL guidance.

None of this replaces the controller's own duty to maintain Bloctel scrubbing, document the lawful basis, run a DPIA, and keep its CRM clean. AINORA provides the call-layer controls; the legal basis remains the responsibility of the company running the campaign.

## Frequently Asked Questions

Related on Ainora

Explore the platform and industry pages relevant to this article.

- [AINORA AI voice agentPlatform overview and capabilities](/ai-voice-agent)
- [AI debt collectionCompliant voice for recoveries](/ai-debt-collection)
- [PricingPlans, per-minute, and included minutes](/pricing)
- [How it worksSetup, integrations, and go-live](/how-it-works)