
What marketers need to know about CNIL cookie rules in France and how to comply

Summary

The French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), is one of the strictest and most active regulators in Europe. It’s known for taking a proactive approach to privacy enforcement and has a history of levying large penalties for violations.

CNIL consent requirements can be tricky because they go beyond a high-level reading of European Union law. Rather than offering flexible guidelines, the regulator prescribes how you must collect and manage user consent in practice.

This article explains the CNIL requirements that marketers need to know and why they matter. We also provide the eight core principles you should follow to achieve and maintain cookie compliance.

At a glance

  • The CNIL is one of Europe’s most active regulators, and obligations can apply to any business processing French residents’ data, regardless of business location. 
  • According to the regulator, you can only set strictly necessary cookies without consent (plus a narrow class of exempted audience-measurement trackers), while all other categories must be blocked until users opt in.
  • Dark patterns, misleading labels, pre-checked options, or unbalanced design can invalidate CNIL consent.
  • Your banner must offer true choice. That means accept and reject options need equal prominence, users need granular controls, and withdrawing consent must be as easy as giving it.
  • To achieve compliance, keep auditable consent logs, renew consent regularly, avoid cookie walls, and use a CMP with automated blocking and location-specific banners. 

The CNIL is responsible for enforcing the General Data Protection Regulation (GDPR) and the ePrivacy Directive, as transposed into French law, in France.

Compared with regulators in some other EU member states, the CNIL takes a stringent approach to enforcing EU data privacy law. It has a narrow view of what qualifies as “freely given consent” and sets specific requirements for how you can obtain cookie consent from individuals.

Additionally, the CNIL regularly updates its guidelines as GDPR and cookie requirements evolve. 

Importantly, the CNIL’s rules don’t just apply to companies based in France. Any business that processes the data of people in France, or sets trackers on their devices, falls within its scope, regardless of where the company is headquartered. Having website visitors or app users in the country is enough to trigger these obligations.

The first step to reducing your risk of infractions is understanding how GDPR cookie consent is interpreted in France. The CNIL is an active enforcer and issued 331 corrective measures in 2024 alone. It also frequently calls on the European Data Protection Board (EDPB) to take a stricter approach to practices like the use of cookie walls. 

The CNIL often works alongside other agencies to investigate potential violations. It made headlines in 2025 for following up on a complaint made by digital rights nonprofit noyb about Google’s failure to obtain valid consent for cookies. The CNIL ultimately fined the tech company EUR 325 million, plus a daily penalty of up to EUR 1,000.

While the CNIL is known for holding big corporations accountable for noncompliance, it also takes enforcement action against smaller businesses. For example, it recently fined a company engaged in distance selling EUR 3,000 for improper cookie consent procedures. 

The CNIL’s consent requirements for trackers depend on the trackers’ purposes, as under EU law. Trackers are commonly grouped into the following four categories:

Strictly necessary

Any trackers that are essential for your website or app to function, or to deliver an online service the user has explicitly requested (for example, keeping a shopping cart, an authenticated session, or the user’s own consent choice).

Preferences

Cookies that enable a website to remember user choices, such as what language or currency they use.

Statistics

A type of analytics cookie that tracks website or app performance, like the number of visitors to a specific page.

Marketing

Cookies that track a user’s online activity to help you target your audience and personalize the customer experience.

Under the CNIL’s rules, you can only set strictly necessary trackers without prior consent. For every other tracker you must either obtain explicit user consent first or prevent the script from running at all. The CNIL’s guidelines carve out one narrow exemption: audience-measurement trackers that serve only the site operator, produce only aggregate statistics and do not follow users across sites may run without consent if the CNIL’s conditions are met. Treat that as a configuration exercise for your analytics tool, not as a general pass for the statistics category.

The following eight principles will help you understand and comply with CNIL and other EU consent requirements.

Obtain consent before setting any non-essential tracker

The CNIL requires a lawful basis for processing any personal data, as per Art. 6 GDPR. Consent is one of those lawful bases (Art. 6(1)(a)), and Art. 7 GDPR sets the conditions it must meet to be valid. For trackers specifically, the rule comes from the ePrivacy regime (Art. 82 of the French Data Protection Act, which transposes Art. 5(3) of the ePrivacy Directive): reading from or writing to a user’s device requires prior consent unless the tracker is strictly necessary, whether or not personal data is involved.

In practice, this means you can’t activate any cookies or similar tracking technologies on your digital platforms until the individual user has explicitly agreed to them. Consent given later doesn’t cure the problem: any tracker that fired before the user opted in is already a violation.

Compliance tip: Configure software to block cookies and other trackers by default. You can use a consent management platform (CMP) like Usercentrics to prevent trackers from running across your websites and apps until users accept cookies.

Make refusing as easy as accepting

While the GDPR states that consent must be informed and freely given, it doesn’t specify what a consent banner should look like. The CNIL, on the other hand, does set requirements for how the refusal option must appear.

It must be as easy for users to reject cookies as it is to accept them. Present the options to accept and refuse cookies on the same layer of the consent banner, give them equal prominence on-page, and require the same number of steps to access either choice. (It must also be easy to withdraw previously granted consent in the future.)

Compliance tip: Include both “Accept” and “Reject” options on the first layer of your cookie consent banner. Make both options equally visible, clickable, and accessible. Usability testing can help you see whether there are any potential issues with your cookie banner design that make it more challenging to decline.

Don’t use dark patterns

The GDPR requires that accepting cookies be completely optional for users. Putting pressure on visitors in any way (dark patterns) to get them to agree to cookies for non-essential purposes invalidates consent.

The CNIL takes this a step further by assessing not only how you phrase consent collection, but also your interface, to check whether consent was freely given. The CNIL looks at the design, language, and context, not just the presence of choices.

Compliance tip: Follow the CNIL’s cookie guidelines by reading the regulator’s list of recommendations. They give examples of acceptable ways to obtain consent, and examples of dark patterns to avoid, such as:

  • Pre-selected boxes and toggles
  • Ambiguous labels like “Okay” instead of “Accept all”
  • Any wording that frames consent as necessary
  • Visual imbalance between the options to accept and reject

Offer granular choices by purpose

CNIL requirements state that you must give users granular options to agree to some cookie categories and decline others. That means you can’t present all types of cookies as a single “yes” or “no” bundle. While you can’t take an all-or-nothing approach, you can present an “Accept all” option, provided you also offer a “Reject all” choice of equal prominence.

Compliance tip: Configure your cookie banner to include granular options for consent. You can list cookies and trackers according to type and give a short description of what each one does in plain language. However, regularly review these options to ensure they reflect your website’s current cookie practices, as they’re likely to change over time. Or, even better, use a consent management platform that automatically scans your site and updates the cookies and trackers in use.

Make withdrawal as easy as consent

Users must be able to withdraw consent for non-essential cookies at any time, not just when you display the consent banner. Withdrawing must be as easy as giving consent, as both the GDPR (Art. 7(3)) and the CNIL guidelines require. For example, users shouldn’t have to fill in a form or contact you directly to opt out of tracking.

Compliance tip: Clearly display options on your website or app that enable users to easily withdraw consent. The CNIL recommends either providing a link with a clear label, such as “manage my cookies,” or displaying a settings link on every page.

Keep proof of consent

Art. 5(2) GDPR (the accountability principle) requires data controllers to be able to demonstrate that their processing is compliant at any time, and Art. 7(1) requires specifically that you can demonstrate a user gave consent.

Essentially, you need to be able to prove that each individual user gave you permission for each purpose you track them for: when consent was given, which purposes were accepted or refused, and which version of the banner and information the user saw. The CNIL doesn’t add to these requirements, but it does actively check them during audits and investigations.

Compliance tip: Use a CMP to automatically record consent preferences for every user, including changes over time. For example, Usercentrics generates a time-stamped log that updates as visitors update or withdraw consent.

Renew consent regularly

Organizations must only keep consent, and the trackers it covers, active for as long as is appropriate. Over time, users may no longer remember what they agreed to, at which point the consent can no longer be relied on and you can’t keep collecting data on that basis.

While the CNIL doesn’t impose a hard limit, it recommends that you regularly renew consent. It suggests a period of six months, but says you should also consider what the user originally agreed to and the scope of the processing.

Compliance tip: Keep an eye on consent and cookie expiration settings. Balance caution with a smooth user experience: users don’t want to see a cookie banner on every visit. Treat expired consent exactly like no consent, so that non-essential trackers stop loading until the user answers the banner again, and don’t give trackers a lifetime longer than the period their consent is valid for.
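The principles above (block by default, granular purposes, easy withdrawal, a demonstrable log, and expiry after about six months) reduce to a small amount of gating logic. The following is an added example written for this article; it is not Usercentrics’ code or any CMP’s API. The category names, the `CONSENT_MAX_AGE_MS` constant, the `bannerVersion` string and the `data-consent-category` / `data-src` attributes are assumptions made for the illustration, and a real deployment would persist the record (for example in a first-party cookie) and ship the log to the server.

```javascript
// Added example (not the article's or Usercentrics' code). CATEGORIES,
// CONSENT_MAX_AGE_MS, bannerVersion and the data-consent-category attribute
// are assumptions made for this illustration.

// Non-essential categories from the article; "necessary" is never gated.
const CATEGORIES = ['preferences', 'statistics', 'marketing'];

// Renewal period: the CNIL suggests asking again after about six months.
const CONSENT_MAX_AGE_MS = 182 * 24 * 60 * 60 * 1000;

// Build a consent record. Every category defaults to refused: nothing is
// pre-checked, and anything other than an explicit `true` counts as "no".
function newConsentRecord(choices, timestamp, bannerVersion) {
  const record = { bannerVersion, timestamp, choices: {} };
  for (const category of CATEGORIES) {
    record.choices[category] = choices[category] === true;
  }
  return record;
}

// A record only counts if it is recent enough and was given against the banner
// version now deployed; if the purposes changed, old consent does not cover them.
function isConsentValid(record, now, bannerVersion) {
  if (!record || typeof record.timestamp !== 'number') return false;
  if (record.bannerVersion !== bannerVersion) return false;
  return now - record.timestamp < CONSENT_MAX_AGE_MS;
}

// May a tracker of this category run right now? Missing, expired or stale
// consent means "no", which is also the state before the banner is answered.
function isAllowed(record, category, now, bannerVersion) {
  if (category === 'necessary') return true;
  if (!isConsentValid(record, now, bannerVersion)) return false;
  return record.choices[category] === true;
}

// Withdrawal is simply a fresh record with every category refused.
function withdrawAll(now, bannerVersion) {
  return newConsentRecord({}, now, bannerVersion);
}

// Set-Cookie values that delete the cookies a withdrawn category had set, so
// withdrawal actually stops tracking instead of only hiding the banner.
function cookieDeletionHeaders(cookieNames) {
  return cookieNames.map((name) => `${name}=; Max-Age=0; Path=/; SameSite=Lax`);
}

// Append-only log of consent events: what a controller needs to show, per user
// and per purpose, when and against which banner consent was given or withdrawn.
class ConsentLog {
  constructor() { this.entries = []; }
  append(event, record) {
    this.entries.push({
      event,
      timestamp: record.timestamp,
      bannerVersion: record.bannerVersion,
      choices: { ...record.choices },
    });
  }
}

// Pure form of script gating: which of the page's gated scripts may load.
function activatableScripts(scripts, record, now, bannerVersion) {
  return scripts.filter((s) => isAllowed(record, s.category, now, bannerVersion));
}

// Browser adapter. Gated tags are shipped as
//   <script type="text/plain" data-consent-category="statistics" data-src="/stats.js"></script>
// so the browser neither fetches nor runs them until this swaps them for real
// script elements after opt-in. Returns 0 outside a browser (e.g. under Node).
function activateDomScripts(record, now, bannerVersion) {
  if (typeof document === 'undefined') return 0;
  let activated = 0;
  const gated = document.querySelectorAll('script[type="text/plain"][data-consent-category]');
  for (const tag of gated) {
    if (!isAllowed(record, tag.dataset.consentCategory, now, bannerVersion)) continue;
    const live = document.createElement('script');
    if (tag.dataset.src) live.src = tag.dataset.src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Walk through the lifecycle on constructed data: opt in to statistics only,
// check what may load, let the consent age out, then withdraw.
function demo() {
  const version = 'banner-2025-01';        // assumed banner/purposes version
  const t0 = Date.UTC(2025, 0, 15);        // constructed timestamp
  const scripts = [                        // constructed page inventory
    { category: 'necessary', src: '/app.js' },
    { category: 'statistics', src: '/stats.js' },
    { category: 'marketing', src: '/ads.js' },
  ];
  const log = new ConsentLog();
  const given = newConsentRecord({ statistics: true, marketing: 'yes' }, t0, version);
  log.append('given', given);
  const pastRenewal = t0 + 200 * 24 * 60 * 60 * 1000;   // beyond the six-month window
  const withdrawn = withdrawAll(t0 + 60 * 1000, version);
  log.append('withdrawn', withdrawn);
  const srcs = (list) => list.map((s) => s.src);
  return {
    loadedAfterOptIn: srcs(activatableScripts(scripts, given, t0, version)),
    loadedAfterExpiry: srcs(activatableScripts(scripts, given, pastRenewal, version)),
    loadedAfterWithdrawal: srcs(activatableScripts(scripts, withdrawn, t0 + 60 * 1000, version)),
    deleteOnWithdrawal: cookieDeletionHeaders(['_stats_id']),
    logEntries: log.entries.length,
  };
}

console.log(demo());
```

Two design points are worth noting. The strict `=== true` check means a non-boolean value such as the string `'yes'` (which a tampered or malformed cookie could carry) is treated as refusal, so the default state is always “no”. And the banner version is part of the validity check: when you add a purpose or a vendor, bump the version and the old records stop authorising anything, which is the behaviour the CNIL expects when the scope of processing changes.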

Avoid cookie walls

The CNIL has taken a restrictive stance on cookie walls, which make access to content or services conditional on accepting trackers. Since a 2020 Conseil d’État ruling it no longer bans them outright, but it assesses each one case by case and only accepts a wall where users are offered “a fair and real alternative” for reaching the same content, such as access without tracking at a reasonable price.

Compliance tip: Avoid using cookie walls to obtain consent. Instead, focus on building user trust so they feel more comfortable agreeing to cookies. Write clear, understandable explanations in your brand voice and match the design of your banner to the rest of your website. 

This signals to users that it’s your company that manages these notifications and pop-ups, not an anonymous third party.

The main challenge of meeting CNIL requirements is building consent mechanisms, such as banners and pop-ups, that meet the regulator’s strict standards. An automated consent management platform like Usercentrics can help you do just that.

The CMP supports CNIL consent compliance with the following features: 

Geolocation-based cookie banner variations

Automatically display the banner configuration required by the CNIL to visitors reaching your website from France.

Pre-consent auto-blocking

Prevents non-essential tracking elements, such as scripts and cookies, from loading until the visitor has provided explicit and active consent.

Accept and reject symmetry templates

Pre-designed banner layouts help you comply with CNIL requirements by displaying balanced, clear choices to accept or reject data processing.

Customizable design to avoid dark patterns

Enables you to create transparent and user-friendly banner designs that match your brand identity and build trust while strictly avoiding user manipulation.

Granular, purpose-built category setup

Uses automated scanner technology to categorize services, enabling a granular setup in which users can choose to consent to specific data processing purposes.

Consent logs with audit trails

Maintain secure and comprehensive consent history records to provide an auditable trail of user decisions that can be downloaded for compliance reporting to the CNIL.

Withdrawal widgets

Provide users with an easy and accessible way to revisit and update or withdraw their consent preferences at any time.

Together, these features empower businesses to meet CNIL consent requirements with confidence, and provide transparency to their audiences to build user trust. 

Achieve and maintain multi-regulation compliance with ease

Usercentrics helps you manage user consent and stay up to date with evolving data privacy regulations, from the GDPR to the ePrivacy Directive and beyond.

Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH