CNIL Guidelines on Cookies

Last updated: April 14, 2026

The CNIL (Commission Nationale de l'Informatique et des Libertés, France's data protection authority) has published guidelines (deliberation no. 2020-091 of 17 September 2020) and a practical recommendation (deliberation no. 2020-092 of 17 September 2020, published 1 October 2020) that define the rules to be followed for cookies and other trackers in France.

This document summarises the essential points for SMBs. It does not replace reading the official texts but gives you a clear view of what you must do.

1. Consent: the fundamental rules

1.1 Consent must be prior

No non-essential cookie or tracker may be set or read before the user has given their consent. This applies in particular to:

  • Google Analytics / GA4
  • Google Tag Manager (if used to load trackers)
  • Facebook Pixel / Meta Pixel
  • Hotjar, Clarity, Crazy Egg
  • Any targeted advertising tool
  • Any A/B testing tool that sets cookies

1.2 Consent must be freely given

The CNIL prohibits the following practices:

  • Cookie walls: conditioning access to the site on acceptance of trackers is no longer banned outright (the Conseil d'État struck the general ban from the 2019 guidelines in June 2020) but is assessed case by case, and a refusal must leave a genuine alternative
  • Pre-ticked boxes: options must be disabled by default
  • Dark patterns: the "Refuse" button must be as visible and accessible as "Accept"
  • Scroll = consent: continued browsing does not constitute consent

1.3 Consent must be informed

The user must know:

  • Who sets the cookies (site publisher and/or third parties)
  • Why (specific purpose: analytics, advertising, personalisation)
  • How to withdraw their consent

The CNIL recommends information in two levels:

  1. Level 1 (banner): summary of purposes + accept/refuse/customise buttons
  2. Level 2 (detailed page): complete list of cookies, purposes, durations, providers

1.4 Consent must be specific

The user must be able to accept or refuse cookies by purpose (analytics, advertising, etc.), not just a global "accept all" or "refuse all". The categories offered must be clear and understandable.

2. Cookies exempt from consent

Some cookies do not require consent because they are strictly necessary for the operation of the site or expressly requested by the user:

  • Session cookies (authentication, basket)
  • Preference cookies (language, accessibility)
  • Security cookies (CSRF, anti-fraud)
  • Load balancing cookies
  • Consent cookies themselves (to remember the user's choice)

Special case: audience measurement

The CNIL grants an exemption for certain audience measurement tools, provided all of the following conditions are met:

  • Purpose limited to audience measurement for the site publisher's own use
  • Data not cross-referenced with other processing activities and not used to track users across sites
  • Data not transmitted to third parties
  • Tracker lifetime limited to 13 months, not extended on each visit
  • Only anonymous statistics are produced, and the collected data are kept for at most 25 months

Google Analytics is NOT exempt, even with IP anonymisation, because the data are shared with Google and used for its own purposes. Tools on the CNIL's published list, such as Matomo or AT Internet, are exempt only when configured exactly as the CNIL's configuration guide requires; the default installation is not enough.

3. Retention periods

For each item, the maximum the CNIL sets or, where it sets none, the period it suggests:

  • Lifetime of an exempt audience-measurement tracker: 13 months maximum
  • Retention of data collected by exempt audience-measurement trackers: 25 months maximum
  • Validity of a recorded choice (consent or refusal): no statutory maximum; the CNIL's recommendation cites 6 months as good practice, after which the banner is shown again
  • Retention of consent records (proof): 5 years is the usual choice, matching the general statutory limitation period (Art. 2224 French Civil Code)

4. Proof obligations

The data controller (you) must be able to demonstrate that consent has been validly obtained. This implies:

  • Recording the date and time of each choice (consent and refusal alike)
  • Identifying the user pseudonymously (a hash or random identifier, not a name or e-mail address)
  • Retaining the choices made (categories accepted/refused) and the version of the information text shown at the time
  • Being able to produce these records in case of a CNIL audit

ConsentLab automatically records all this information and allows CSV export at any time.

5. CNIL audits: how they work

The CNIL regularly conducts online audits. It uses automated tools that load the site without interacting with the banner and detect:

  • Cookies set before consent
  • The absence of a consent banner
  • Non-compliant banners (no refuse button, dark patterns)
  • Third-party scripts loaded before consent

In case of breach, the CNIL can, in increasing order of severity:

  1. Issue a call to order (rappel à l'ordre): a warning without sanction
  2. Issue a formal notice (mise en demeure): an obligation to comply within a deadline, which may be made public
  3. Impose a fine: up to EUR 20 million or 4% of worldwide annual turnover (Art. 20 III of the Loi Informatique et Libertés), which is the basis on which the CNIL has fined large platforms for cookie breaches

6. Summary: the 10 rules to remember

  1. No non-essential cookie before consent
  2. Accept and refuse must be equally easy
  3. No pre-ticked boxes
  4. Clear information on the purposes
  5. Consent by category (analytics, marketing, etc.)
  6. Ability to withdraw consent at any time
  7. Keep tracker lifetimes proportionate; exempt audience-measurement trackers are capped at 13 months
  8. Re-ask consent periodically (the CNIL cites 6 months as good practice) and whenever purposes change
  9. Retain consent records for 5 years
  10. Google Analytics still requires consent

7. Compliance with ConsentLab

ConsentLab automatically applies all of these recommendations:

  • Script blocking before consent
  • Accept/refuse buttons of equal visual importance
  • Customisation by category
  • Retention of records with timestamp
  • Configurable consent duration (365 days by default; the CNIL's recommendation cites 6 months as good practice)
  • Native Google Consent Mode v2
  • CSV export for audits


8. Official sources