CookiePro Knowledgebase

dot pattern banner

Knowledgebase Regulations CNIL and Cookies


CNIL and Cookies

Last Updated: March 9, 2021

CNIL Cookies

The French Data Protection Authority, The Commission nationale de l’informatique et des libertés (CNIL), is an independent regulatory body. Their primary objective is ensuring the data privacy law is applied to the collection, storage, and use of personal data relating to French cookies.

Their mission is concerned with informing individuals of their data privacy rights including responding to requests made by individuals and companies. On October 1, 2020, the French data protection authority announced that had adopted guidelines and recommendations on the use of cookies and other tracking technologies. Giving companies time to comply, enforcement of cookie guidelines will begin in April 2021.

With the increased use of cookies and other tracking technologies to provide website services and offer personalized experiences to users, the CNIL has prepared guidelines to ensure users have access and control over their data. It’s essential for organizations to understand the implications and ensure they’re prepared to respond to any queries from the Commission in addition to staying compliant.


Enforcement of CNIL Cookies

The use of cookies and other tracking technologies to identify and monitor users has become a popular practice. EU regulatory bodies are concerned data subjects are not always informed and/or have not properly consented to the dropping of cookies on their devices.

The CNIL has been very clear that the authority of their enforcement of cookie guidelines does not just come from their own regulatory recommendations or even the GDPR – but from the e-Privacy Directive itself. Generally, websites that use cookies that store or access user information must obtain that individual’s consent. Few exceptions to consent are when the activity is deemed strictly necessary or is required to deliver a service.

The introduction of the General Data Protection Regulation (GDPR) has clarified the definition of cookie consent. The European Data Protection Board (EDBP), which is composed of all the national data protection authorities from EU member states, clarified the definition of cookie consent in its guidelines issued in May 2020.

The CNIL demonstrated its commitment to uphold these standards and protect users’ data by adopting new guidelines in September 2020 regarding the use of cookies and other tracking technologies. Going further, they issued recommendations that layout clear expectations and principles to illustrate their guidelines with means of practical implementations. Their best practices include examples of the use of cookies and how to present the cookies’ purposes and what consent models should look like.


CNIL Cookies Update from 2019

The CNIL’s cookie guidelines in 2019 banned the use of cookie walls in France. Cookie walls are simply the act of telling users that the continued use of the website means you give consent to the use of cookies. In this “take it or leave it” approach, there becomes many concerns that this is not a valid form of user consent.

Cookie Wall Notice Only Consent

Cookie Wall Challenge

However, many marketing and online e-commerce associations challenged this ban. The Council of State decided the CNIL exceeded its power by placing a ban on cookie walls, therefore allowing the use of cookie walls.

Eventually, the CNIL revised the enforcement of cookie walls but determining that there may be situations in which cookie walls may be used. They declared that in those cases, and subject to the lawfulness of this practice which will be evaluated on a case-by-case basis, users must be clearly informed of the impacts of their choices and that they will not be able to access the content or service without their consent.

Finally, it’s considered best practice in general and for regulatory compliance to not use cookie walls. The CNIL insists that that consent is only valid if the user can freely choose to give or not give consent. Most likely this conflicts with cookie walls because, by definition, users cannot refuse cookies and continue access to a site or service.


CNIL Cookies Main Changes

The CNIL’s guidelines of 2020 replace the guidelines from July 2019. It is the third set of guidance published by the regulatory body, with the first set introduced in 2013.

Some important changes include:

  • browsing a website cannot be considered as valid consent from the user
  • users must provide consent for each cookie and tracking purpose
  • must provide information to the user about how their data will be used and who has access
  • the data controller must be able to provide at all times that it obtained the user’s valid prior consent
  • withdrawing consent by the user must be as easy as it was to give it
  • when several parties are involved in processing data from cookies, roles and responsibilities must be specified to all

Read more about the main changes from 2019 to 2020 guidelines here.


Collecting Valid Consent for Cookie Compliance under French Requirements

As many people may already know, French legal and CNIL cookie requirements apply to businesses and websites that are based in France. However, the regulations also apply to any website or mobile app that targets French visitors regardless of hosting location.

Under Article 82 of the French Data Protection Act and Article 4 of the GDPR, collecting a user’s consent must occur only when consent is:

  • freely Given
  • specific
  • informed, and
  • unambiguous


Inform Users

Cookie compliance and best practices ensure the following information is provided to your users before collecting consent:

  • identity of the data controller(s) and any joint controller(s)
  • the purpose of the processing activities used with the cookies
  • the means to accept or refuse cookies
  • consequences of refusing or accepting cookies, and
  • the option of the user’s right to withdraw their consent

CookiePro Helps

CookiePro is here to help you implement your cookie banner based on the CNIL updated recommendations and guidelines – ahead of the April 2021 enforcement deadline.

No matter where you are in your compliance journey, our toolkit offers resources to understand the CNIL guidelines and support to implement cookie banners in line with the CNIL’s latest recommendations. Sign up today to accelerate your CNIL compliance journey with a complete set of tools and resources to get up and running, including tips and checklists, pre-configured templates, and your first domain free.


Get Toolkit Today!

Onetrust All Rights Reserved