# [What marketers need to know about CNIL cookie rules in France and how to comply](https://usercentrics.com/knowledge-hub/cnil-cookies/)

**A simple guide to CNIL cookie compliance including consent rules, banner requirements, and practical steps to avoid fines and penalties.**

By [Celestine Bahr](https://usercentrics.com/person/celestine-bahr/) · 9 min read · Feb 12, 2026

---

The French data protection authority, the *Commission nationale de l'informatique et des libertés* (CNIL), is one of the strictest and most active regulators in Europe. It's known for taking a proactive approach to privacy enforcement and has a history of levying large penalties for violations.

CNIL consent requirements can be tricky because they go beyond a high-level interpretation of European Union law. Instead of providing you with flexible guidelines for compliance, they focus on how you manage user consent in practice.

This article explains the CNIL requirements that marketers need to know and why they matter. We also provide the eight core principles you should follow to achieve and maintain cookie compliance.

### At a glance

- The CNIL is one of Europe's most active regulators, and obligations can apply to any business processing French residents' data, regardless of business location.
- According to the regulator, you can only set strictly necessary cookies without consent, while all other categories must be blocked until users opt in.
- Dark patterns, misleading labels, pre-checked options, or unbalanced design can invalidate CNIL consent.
- Your banner must offer true choice. That means accept and reject options need equal prominence, users need granular controls, and withdrawing consent must be as easy as giving it.
- To achieve compliance, keep auditable consent logs, renew consent regularly, avoid cookie walls, and use a CMP with automated blocking and location-specific banners.

---

## Why do CNIL cookie rules matter for marketers?

The CNIL is responsible for enforcing the General Data Protection Regulation (GDPR) and ePrivacy Directive guidelines in France.

Compared to some other GDPR countries, the CNIL takes a stringent approach to enforcing EU data privacy laws. It has a narrow view of what qualifies as "freely given consent" and sets specific requirements for how you can obtain cookie consent from individuals.

Additionally, the CNIL regularly updates its guidelines as GDPR and cookie requirements evolve.

Importantly, the CNIL's rules don't just apply to companies based in France. Any business that processes the data of French residents falls within its scope, regardless of where the company is headquartered. Simply having website visitors or app users within the country is enough to trigger CNIL obligations.

The first step to reducing your risk of infractions is understanding how GDPR cookie consent is interpreted in France. The CNIL is an active enforcer and issued 331 corrective measures in 2024 alone. It also frequently calls on the European Data Protection Board (EDPB) to take a stricter approach to practices like the use of cookie walls.

The CNIL often works alongside other agencies to investigate potential violations. It made headlines in 2025 for following up on a complaint made by digital rights nonprofit noyb about Google's failure to obtain valid consent for cookies. The CNIL ultimately fined the tech company EUR 325 million, plus a daily penalty of up to EUR 1,000.

While the CNIL is known for holding big corporations accountable for noncompliance, it also takes enforcement action against smaller businesses. For example, it recently fined a company engaged in distance selling EUR 3,000 for improper cookie consent procedures.

### Real-life CNIL cookie compliance enforcement examples

**2025:** Fined Google EUR 325 million for breaching French cookie and privacy laws by placing advertising cookies and displaying advertisements in Gmail without obtaining valid user consent, and steering users toward accepting personalized cookies without clear information.

**2020/2021:** Fined Google EUR 100 million in 2020 and EUR 150 million in 2021 for other breaches of cookie consent and consent-mechanism requirements.

---

## Which cookies does the CNIL require consent for?

The CNIL's consent requirements for cookies are based on the cookies' intended purposes as per EU law. Specifically, it recognizes the following four categories of trackers:

### Strictly necessary

Any cookies that are essential for your website or app to function or for your business to provide a service.

### Preferences

Cookies that enable a website to remember user choices, such as what language or currency they use.

### Statistics

A type of analytics cookie that tracks website or app performance, like the number of visitors to a specific page.

### Marketing

Cookies that track a user's online activity to help you target your audience and personalize the customer experience.

Under CNIL rules, you can only set strictly necessary cookies without prior consent. You must either obtain explicit user consent for all non-essential cookies or prevent tracking scripts from running.

---

## 8 key principles of CNIL cookie compliance

The following eight principles will help you understand and comply with CNIL and other EU consent requirements.

### 1. Prior consent is necessary for nearly all cookies

The CNIL requires a lawful basis for processing any personal data, as per Art. 6 GDPR. One of those lawful bases is valid consent, as per Art. 7 GDPR.

In practice, this means you can't activate any cookies or similar tracking technologies on digital platforms until the individual user has explicitly agreed to them. It doesn't matter if they provide consent the next time they visit your site; it still counts as a GDPR violation if you permit any unauthorized data processing prior to obtaining consent.

**Compliance tip:** Configure software to block cookies and other trackers by default. You can use a consent management platform (CMP) like Usercentrics to prevent trackers from running across your websites and apps until users accept cookies.

### 2. Options to accept or decline consent must be equally accessible

While the GDPR states that user consent must be informed and freely given for EU cookie compliance, the regulation doesn't specify what a consent banner should look like. The CNIL, on the other hand, does have requirements for how the refusal option should appear.

It must be as easy for users to reject cookies as it is to accept them. Present the options to accept and refuse cookies on the same layer of the consent banner, give them equal prominence on-page, and require the same number of steps to access either choice. (It must also be easy to withdraw previously granted consent in the future.)

**Compliance tip:** Include both "Accept" and "Reject" options on the first layer of your cookie consent banner. Make both options equally visible, clickable, and accessible. Usability testing can help you see whether there are any potential issues with your cookie banner design that make it more challenging to decline.

### 3. Consent must be freely given

The GDPR requires that it be completely optional for users to accept cookies. Putting pressure on visitors in any way (dark patterns) to get them to agree to cookies for non-essential purposes invalidates consent.

The CNIL takes this a step further by assessing not only how you phrase consent collection, but also your interface, to check whether consent was freely given. The CNIL looks at the design, language, and context, not just the presence of choices.

**Compliance tip:** Follow CNIL cookie guidelines by reading the regulator's list of recommendations. These guidelines provide examples of acceptable ways to obtain consent. They also provide examples of dark patterns to avoid, such as:

- Pre-selected boxes and toggles
- Confusing language like "Okay" instead of "Accept All"
- Any wording that frames consent as necessary
- Visual imbalances between the options to accept and reject

### 4. Granular consent options are required

CNIL requirements state that you must give users granular options to agree to some cookie categories and decline others. That means you can't present all types of cookies as a single "yes" or "no" bundle. While you can't take an all-or-nothing approach, you can present an "Accept all" option, provided you also have a "Reject All" choice.

**Compliance tip:** Configure your cookie banner to include granular options for consent. You can list cookies and trackers according to type and give a short description of what each one does in plain language. However, regularly review these options to ensure they reflect your website's current cookie practices, as they're likely to change over time. Or, even better, use a consent management platform that automatically scans your site and updates the cookies and trackers in use.

### 5. It must be easy to withdraw consent at any time

Users must be able to withdraw consent for non-essential cookies at any point, not just when you display the consent banner. Withdrawing consent must also be just as easy as giving it, as required by both the GDPR and CNIL guidelines. For example, users shouldn't have to complete forms or contact you directly to opt out of tracking.

**Compliance tip:** Clearly display options on your website or app that enable users to easily withdraw consent. The CNIL recommends either providing a link with a clear label, such as "manage my cookies," or displaying a settings link on every page.

### 6. You may be required to provide proof of consent

Art. 5 GDPR explicitly states that data controllers should be able to demonstrate that their data processing activities are compliant at any time.

Essentially, you need to be able to prove that each individual user gave you permission for each type of cookie you use to track them. The CNIL doesn't add to these requirements, but it does actively enforce them during audits and investigations.

**Compliance tip:** Use a CMP to automatically record consent preferences for every user, including changes over time. For example, Usercentrics generates a time-stamped log that updates as visitors update or withdraw consent.

### 7. Cookie lifetime must be proportionate

Organizations must only keep cookies and other tracking tools active for as long as is appropriate. The idea is that users may not remember what they've agreed to over time, meaning the consent is no longer valid and you can't use any data collected.

While the CNIL doesn't impose hard limits, it recommends that you regularly renew consent. It suggests a period of six months but says that you should consider factors like what the user originally agreed to and the scope of processing.

**Compliance tip:** Keep an eye on cookie expiration settings. Balance caution with providing a smooth user experience. Users don't want to see a cookie banner every time they visit your site. Additionally, check that you automatically disable trackers once they reach their expiration date.

### 8. Cookie walls aren't always permitted

The CNIL has taken a restrictive stance on the use of cookie walls. That means you cannot request consent from users in exchange for access to online features and services under most circumstances. Cookie walls are also only permitted if you provide "a fair and real alternative" for people to access the same content.

**Compliance tip:** Avoid using cookie walls to obtain consent. Instead, focus on building user trust so they feel more comfortable agreeing to cookies. Write clear, understandable explanations in your brand voice and match the design of your banner to the rest of your website.

This signals to users that it's your company that manages these notifications and pop-ups, not an anonymous third party.

---

## How Usercentrics can help you achieve CNIL cookie compliance

The main challenge of meeting CNIL requirements is in using consent mechanisms such as banners and pop-ups that meet the regulator's strict standards. An automated consent management platform like Usercentrics can help you do just that.

The CMP supports CNIL consent compliance with the following features:

### Geolocation-based cookie banner variations

Automatically display the specific banner configurations required by the CNIL to customers visiting your website from France.

### Pre-consent auto-blocking

Prevents non-essential tracking elements, such as scripts and cookies, from loading until the visitor has provided explicit and active consent.

### Accept and reject symmetry templates

Pre-designed banner layouts help you comply with CNIL requirements by displaying balanced, clear choices to accept or reject data processing.

### Customizable design to avoid dark patterns

Enables you to create transparent and user-friendly banner designs that match your brand identity and build trust while strictly avoiding user manipulation.

### Granular, purpose-built category setup

Uses automated scanner technology to categorize services, enabling a granular setup in which users can choose to consent to specific data processing purposes.

### Consent logs with audit trails

Maintain secure and comprehensive consent history records to provide an auditable trail of user decisions that can be downloaded for compliance reporting to the CNIL.

### Withdrawal widgets

Provide users with an easy and accessible way to revisit and update or withdraw their consent preferences at any time.

Together, these features empower businesses to meet CNIL consent requirements with confidence, and provide transparency to their audiences to build user trust.

---

## Frequently asked questions

### What sanctions have been imposed by the CNIL on Google?

France's CNIL has imposed several significant fines on Google for violations related to cookie use and privacy compliance:

- **2025:** Fined Google EUR 325 million for breaching French cookie and privacy laws by placing advertising cookies and displaying advertisements in Gmail without obtaining valid user consent, and steering users toward accepting personalized cookies without clear information.
- **2020/2021:** Fined Google EUR 100 million in 2020 and EUR 150 million in 2021 for other breaches of cookie consent and consent-mechanism requirements.

### What rules does the CNIL enforce for cookie consent?

The CNIL enforces strict consent requirements for cookies and similar tracking technologies under French law (Article 82 of the French Data Protection Act and the ePrivacy framework).

Websites must provide clear, complete information about cookies and obtain prior, free, and informed consent before placing non-essential cookies on users' devices. Consent must be as easy to refuse as it is to give, without cookie walls or manipulative design patterns.

### How does the CNIL's enforcement affect website operators?

Website operators must ensure that their cookie banners and consent management practices comply with CNIL expectations:

- Offer real choices
- Provide transparent descriptions of tracking purposes
- Enable straightforward opt-out mechanisms

Failing to comply can trigger investigations and significant fines.

### How does the CNIL interpret GDPR requirements for cookie consent?

Under the General Data Protection Regulation (GDPR) and France's implementing laws, the CNIL requires that non-essential cookies are only placed after users have given consent that is freely given, specific, informed, and unambiguous. In practice, this means users must receive clear information about cookie purposes and have a genuine choice, including an option to refuse that is as easy to access as the option to accept. Consent must be documented and can be withdrawn at any time.

### Can the CNIL enforce GDPR cookie rules against non-French websites?

Yes. The CNIL can take enforcement action against organizations established outside France if their websites target individuals in France or place cookies on users' devices located in France. This approach aligns with the GDPR's extraterritorial scope, which applies to organizations that offer services to, or monitor the behavior of, individuals in the EU. As a result, international websites must consider CNIL guidance when managing cookie consent for French users.

### Does the CNIL only fine large companies like Google?

No. While high-profile fines attract media attention, the CNIL enforces cookie and privacy rules across all sectors and sizes of organizations. Any website that installs non-essential cookies without proper consent or fails to inform users clearly can be subject to compliance actions, including corrective orders or monetary sanctions.

---

© 2026 Usercentrics GmbH