Published on 30 January 2020 by Laure Marolleau

The French Data Protection Authority releases a recommendation on cookies

As part of its action plan on targeted advertisement, the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés or “CNIL”) is proposing a consultation on a draft recommendation on practical procedures for collecting user consent for the use of online trackers[1].

Following the guidelines recalling the legal provisions that govern the use of cookies and other trackers adopted on July 4, 2019[2], the CNIL conducted a consultation during the fall of 2019, in order to prepare a draft recommendation proposing operational procedures for obtaining consent. This draft is now subject to public consultation until February 25, 2020. At the end of this period, a final version of the recommendation will be presented for final adoption.

Adaptation to applicable law

The application of the General Data Protection Regulation[3] (“GDPR”) has strengthened the requirements for the validity of consent. The mere continuation of navigation on a website can no longer be regarded as a valid expression of consent to the use of cookies, which must now be the result of an unambiguous positive action on the part of the Internet user. Furthermore, the GDPR expressly provides that actors must be able to prove that they have indeed obtained valid consent from Internet users.

As the risk associated with obtaining consent is quite significant (the GDPR provides for the possibility of imposing on non-compliant companies heavy fines of up to 4% of their annual turnover), the CNIL announced an action plan to align its recommendations with the new rules on consent governing the use of cookies and other trackers for audience measurement, user profiling and targeted advertisement.

The recommendation is not intended to be prescriptive. Its main purpose is to provide practical examples for the implementation of the regulations. Some of these examples are addressed below.

Consent collection
  • Informed consent:

The purpose(s) of the trackers must be presented to the Internet user before he/she is given the opportunity to consent or not to consent to their use.

The Internet user must be able to find out the identity of all those responsible for the processing operation(s) before being able to give consent or to refuse to give consent.

  • Free consent:

Consent can only be valid if the Internet user is able to exercise his/her choice freely, under the conditions described in the guidelines.

In practice, a request for consent could take the form of boxes that the Internet user may choose to check to express his/her consent. He/she may also have the choice between two buttons presented at the same level and in the same format, with for example the words “accept” and “refuse”.

In addition, in order to allow the Internet user not to make a choice, the person responsible for the processing operation(s) may integrate a closing cross on the interface for collecting consent, or allow the user to make it disappear by clicking outside the interface.

  • Specific consent:

The Internet user must be given the opportunity to give independent and specific consent for each separate purpose.

For example, the mere acceptance of general terms of use or general terms of sale does not constitute specific consent.

It is possible to offer the Internet user the ability to consent globally for a range of purposes under certain conditions.

  • Unambiguous consent:

Consent must be expressed by a clear positive action on the part of the Internet user.

Concretely, by its presentation, the mechanism for obtaining consent must enable the data subject to be aware of the goal and scope of the action enabling him/her to signify his/her agreement or disagreement.


The CNIL recalled that the consent requirement does not apply to operations, the exclusive purpose of which is to carry out the transmission of a communication over an electronic communications network or which are strictly necessary for the provision of an online communication service explicitly requested by the Internet user.

It specified that “In the light of the practices brought to the Commission’s attention, the following trackers may, in particular, be regarded as exempted:

  • the trackers keeping the choice expressed by the Internet user on the use of trackers or the will of such user not to express a choice;
  • trackers intended for authentication to a service;
  • trackers designed to keep track of the content of a shopping cart on a merchant site;
  • user interface customization trackers (e.g. for the choice of the language or presentation of a service), where such customization is an intrinsic element of the service expected by the Internet user;
  • trackers allowing load balancing of equipment contributing to a communication service;
  • trackers allowing paying sites to limit free access to their content to a predefined quantity and/or over a limited period of time;
  • trackers enabling audience measurement, within the framework specified by Article 5 of the Guidelines on cookies and other trackers.”
Withdrawal and duration of consent

Internet users who have given their consent to the use of trackers must be able to withdraw it at any time. The CNIL recalled that it must be as simple to withdraw consent as it is to give consent.

Since those who gave consent at a given time may forget that they have done so, the CNIL recommends that consent be renewed at appropriate intervals without waiting for the user to withdraw consent. The length of time during which consent remains valid will depend on the context, the scope of the initial consent and the expectations of the internet user.

In general, the CNIL considers that a period of validity of six months from the expression of the Internet user’s choice is appropriate.

Proof of consent

The data controllers must be able to demonstrate that the Internet user has given his/her consent.

In practice, the CNIL recommends the implementation of the following mechanism:

  • The recording of the information allowing the consent to be properly taken into account could be done at the level of the consent collection mechanism, i.e. the tracker in case of a web browser, or the parameter used to store the consent information in case of a mobile app., etc.
  • The data thus recorded could include a timestamp of the consent, the context in which the consent was collected (identification of the website or mobile app.), the type of consent collection mechanism that has been used, and the purposes to which the user has consented.

From the beginning of 2020, the CNIL’s actions will initially be limited to compliance with the principles previously set out in the 2013 recommendation. Corrective measures, including penalties, may be adopted in the event of non-compliance with the obligations, the scope of which is specified since 2013 and which remain applicable in the new recommendation.

Monitoring missions on the application of the new framework will then be carried out at the end of the adaptation period announced by the CNIL, i.e. six months after the final publication of the recommendation. These inspections will focus in particular on those actors who have a particularly significant impact on the daily lives of citizens and whose practices raise serious compliance issues.


The CNIL indicated that it is competent to control and, if necessary, sanction the implementation of the provisions set forth in Article 82 of the French Data Protection Act for all services that deposit and access cookies or trackers on terminals located in France.


[2] Cf. article entitled The French Data Protection Authority releases new guidelines for cookies published on our Blog in September 2019. While the CNIL has, with its guidelines, put an end to the valid consent through continued navigation, it has decided to tolerate this practice until mid-2020. This decision was the subject of (i) a petition for summary proceedings requesting the Council of State to suspend its application, and (ii) a petition for annulment. These petitions were dismissed pursuant to orders dated August 14, 2019 and October 16, 2019 respectively.

[3] Cf. article entitled GDPR: How to ensure compliance by May 25, 2018? Published on our Blog in March 2018