Data protection in France: Publication of amended guidelines and recommendations on cookies and other online trackers – Privacy


To print this article, simply register or connect to


The CNIL recently revised and updated its guidelines on cookies and other online tracking technologies and issued new recommendations to stakeholders. The revised guidelines describe and clarify some important aspects of applicable French law, while the additional recommendations provide practical advice on how to obtain user consent for the use of these technologies. The CNIL has also published a Q&A on guidelines and recommendations.

Legal framework

The obligation and the conditions for obtaining the consent of Internet users to place cookies and other similar technologies on their terminals are based on two main legal texts: the French law on data protection (article 82), which implements the directive. European 2002/58 / EC on the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), and the EU General Data Protection Regulation (GDPR), which is directly applicable to all EU Member States.


The GDPR, which became enforceable in 2018, reinforced the requirements for obtaining valid consent for the use of cookies and other tracking technologies. This change led the CNIL to update its existing guidance from 2013, which was not compatible with the new rules introduced by the GDPR. The revised CNIL repository, published on July 4, 2019, repealed the 2013 CNIL recommendation.

The purpose of these new guidelines was to reflect and clarify the GDPR requirements regarding the collection of consent for cookies and to provide related guidance. A key change, compared to the 2013 recommendation, was the adoption by the CNIL of a clear position according to which the simple navigation on a website by an Internet user could no longer be considered as the expression of consent. valid of the user to place cookies on the user. Navigator.

Following their publication, the 2019 CNIL guidelines were challenged by several professional associations of advertising and e-commerce professionals before the Supreme Administrative Court (Council of State). In a decision rendered in June 2020, the Council of State largely validated the 2019 CNIL guidelines with one notable exception. According to the Council of State, the position of the CNIL according to which the user’s access to a website could not be conditioned on the acceptance of cookies (cookies wall) by the user was incompatible with the RGPD and that the CNIL had exceeded its own competence to issue guidelines by affirming this position.

Following the decision of the Council of State, the CNIL modified its 2019 guidelines and adopted the 2020 guidelines discussed in this opinion.

Scope and types of technologies involved

The CNIL 2020 directives apply in particular to HTTP cookies but also to other technologies, such as local shared objects (also called “flash cookies”), local storage integrated into HTML 5, device fingerprinting and identifiers generated by operating systems (for advertising purposes or not: IDFA, IDFV, Android identifier, etc.), device identifiers (MAC address, serial number or any other identifier of a device), etc.

The 2020 guidelines specifically aim to address the use of these tracking technologies on frequently used devices, such as tablets, smartphones, desktops, laptops, game consoles, smart TVs, vehicles connected, voice assistants, etc.

Key elements of the 2020 guidelines

The CNIL 2020 guide focuses on the following points:

  • Mere browsing on a website cannot be considered as an expression of valid consent. Likewise, continuing to browse, scrolling, displaying pre-checked boxes or accepting the general conditions of use of the website cannot be considered as valid consent to follow-up.
  • To obtain valid consent, you must do all of the following:
    • provide online users with a list of data controllers involved in the use of cookies;
    • list the purposes of cookies / trackers to users and obtain consent for each of them; and
    • retain evidence and be able to demonstrate the collection of valid consent.
  • Users should be able to withhold consent as easily as to give or withdraw consent as easily as they have given it.
  • Consent is not required for all trackers, as described below.

Cookie walls

According to the recently revised guidelines of the CNIL, the legality of wall cookies should be assessed on a case-by-case basis and users should be fully informed whether consent to the use of cookies is a condition of access to particular online content or to a particular online service. The CNIL guidelines emphasize that the use of wall cookies is likely to jeopardize, in certain cases, the freedom of consent.

Information to be provided to users before their consent

Before granting consent, users should be informed:

  • the identity of the data controller (s);
  • the purpose (s) of cookies as well as the right to withdraw consent; and
  • how to accept or refuse cookies and the consequences of such acceptance or refusal.

Silence on the use of cookies considered as a refusal

The revised directives of the CNIL emphasize that valid consent must be expressed through positive action by the user. The user’s silence constitutes a refusal to grant consent to cookies.

Trackers whose use is exempt from the requirement to obtain consent

The CNIL 2020 repository provides examples of trackers whose use is normally considered to be exempt from the obligation of consent:

  • trackers that store the choice expressed by users on their use of cookies;
  • trackers intended for authentication to a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robotic or unannounced access;
  • trackers intended to store the contents of a basket on a merchant site or to invoice the user for products or services;
  • personalization trackers on the user interface (for example, the choice of language or presentation of a service), when personalization is considered an internal and expected element of the service;
  • trackers allowing load balancing of equipment contributing to a communication service;
  • trackers allowing paid sites to limit free access to part of the content requested by users; and
  • some audience measurement trackers.

Examples of acceptable consents provided in the recommendation

The CNIL recommendation complements the 2020 repository and provides practical advice on how to obtain user consent. The examples provided by the CNIL in the recommendation are neither prescriptive nor exhaustive, and other methods of obtaining consent may be used provided that consent is obtained in accordance with applicable French law.

The recommendation focuses on the purposes of cookies and how cookies should be presented to users before accepting or refusing consent. The CNIL offers indicative titles for each object which must be followed by a brief description. The CNIL also provides visual examples of cookie banners and consent forms and suggests how information relating to the identification of data controllers should be provided to users before requesting their consent.

The CNIL emphasizes that users must give their consent separately for each site or application they access.

The CNIL emphasizes that consent must be given independently and specifically for each object. The CNIL does not prohibit the use of a global consent covering all purposes, provided that all these purposes are presented and explained to the user. Regarding the terms of refusal of consent, the CNIL stresses that it must be as easy to refuse cookies as to accept them.

Conclusion and next steps

Companies have six months to ensure that their methods of compliance with the GDPR and the ePrivacy directive are consistent with the CNIL 2020 guidelines and recommendations. The CNIL can start carrying out checks after the six-month grace period . We will continue to monitor developments in this area and help customers understand and comply with these new guidelines.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought on your particular situation.


Schrems II Series: Defense of the United States
Charles Russell Speechlys LLP
Since the CJEU’s Schrems II ruling, businesses have been haunted by the uncertainty surrounding transfers of personal data from the EU to the US. The Privacy Shield has been invalidated …

Cookies and consent: what’s new in France?
Global Alliance of Advertising Lawyers (GALA)
On October 1, 2020, the French Data Protection Agency published a “recommendation” document and guidelines (both published on September 17, 2020) relating to the use of tracking technologies (eg cookies) .

Second largest GDPR fine issued in Germany
Cooley LLP
On October 1, 2020, the Hamburg Data Protection Authority (Hamburg DPA) announced that it had fined a German subsidiary of clothing retailer H&M (H&M Germany) …


Please enter your comment!
Please enter your name here