How do you make your website comply with CNIL’s cookie guidelines in France?
France enforces some of the strictest cookie consent rules in Europe. The CNIL – France’s data protection authority – requires explicit user consent before any non-essential cookies are set, bans dark patterns in consent interfaces, and has issued fines totalling nearly €500 million in 2025 alone. This page covers what the law requires, what CNIL has been penalizing, and how to get your website or app into compliance.
Why is France one of the strictest countries in Europe for cookie compliance?
Cookie compliance in France is more critical than ever, with the French Data Protection Authority (CNIL) enforcing stricter regulations on how cookies are used across websites and mobile apps. Unlike some other European countries that have taken a more lenient approach to enforcement, France has positioned itself as one of the strictest regulators when it comes to cookie consent and digital privacy.
The CNIL has been particularly active in monitoring digital platforms and has demonstrated its willingness to impose substantial penalties on businesses that fail to comply with cookie regulations. These enforcement actions aren’t limited to French companies – multinational corporations including Google, SHEIN, and Facebook have all faced significant fines for violations of French cookie laws.
As a digital marketer or website owner, understanding and complying with cookie laws in France isn’t just about avoiding fines – it’s about building trust with your users and optimizing your digital strategy. A well-implemented cookie consent process demonstrates respect for user privacy and can actually become a positive differentiator in the competitive French market.
What law governs cookie consent in France?
The legal framework for cookie compliance in France is built upon multiple layers of legislation, with the French Data Protection Act (Loi Informatique et Libertés) serving as the primary national law governing data privacy, in conjunction with the European Union’s General Data Protection Regulation (GDPR).
Article 82: the core of French cookie regulation
Article 82 of the French Data Protection Act specifically regulates the use of cookies and online trackers on user devices. The article requires you to obtain explicit consent from users before any cookies are stored or accessed on their devices. This applies to both websites and mobile apps, ensuring that all digital platforms uphold the user’s right to control their personal data.
This legal text establishes several fundamental principles:
- Prior information requirement: Users must be clearly informed about cookies before they are set.
- Transparency obligation: The information provided must be comprehensive and understandable.
- Purpose specification: The specific purposes of cookies must be explained.
- Opt-out mechanism: Users must be provided with clear means to reject cookies.
- Explicit consent: Cookies can only be set after the user has given their consent.
The interesting thing about Article 82 is that it applies to all types of electronic communications terminal equipment, which means these rules cover not just traditional web browsers but also mobile apps, connected devices, and any other technology that might use cookies or similar tracking technologies.
Relationship with the GDPR
While Article 82 provides the specific legal basis for cookie regulation, it operates within the broader framework of the GDPR, thus covering every aspect of cookie usage, from the initial consent request to the final deletion of collected data. This means that all the GDPR principles apply to cookies when they process personal data, which most cookies do. These principles include:
- Lawfulness, fairness, and transparency: Cookie usage must be lawful, fair, and transparent to the data subject.
- Purpose limitation: Cookies should only be used for specified, explicit, and legitimate purposes.
- Data minimization: Only the minimum necessary data should be collected via cookies.
- Accuracy: Data collected through cookies should be accurate and kept up to date.
- Storage limitation: Cookie data should not be kept longer than necessary.
- Integrity and confidentiality: Appropriate security measures must protect cookie data.
- Accountability: Organizations must be able to demonstrate compliance with these principles.
What does CNIL actually require from your cookie banner?
The CNIL has established specific, detailed guidelines for cookie consent that all businesses operating in France must follow. These guidelines have evolved since their initial publication in 2013, with significant updates in 2020 that reinforced the importance of transparency and introduced strict rules against dark patterns.
Current CNIL cookie guidelines
The CNIL’s current cookie guidelines, accessible on their official website, include the following key requirements:
Explicit consent mechanism
- Users must provide clear, informed, and unambiguous consent before non-essential cookies are set
- Continuing to browse a website is not considered valid consent
- Pre-ticked boxes are prohibited
- Cookie walls (forcing users to accept cookies to access content) are generally not allowed
Ban on dark patterns
One of the most significant aspects of the latest guideline update is the explicit prohibition of dark patterns in cookie consent interfaces – known as cookie banners, cookie popups, etc. Dark patterns are design choices that manipulate or mislead users into making unintended decisions. CNIL specifically prohibits:
- Making the “accept all” button more prominent than the “reject all” button
- Requiring more clicks to refuse cookies than to accept them
- Using confusing colors or designs that emphasize acceptance
- Using manipulative wording that pushes users toward acceptance
- Creating unnecessarily complex cookie settings interfaces
Granular consent requirements
- Users must be able to accept or reject specific categories of cookies
- Categories commonly include:
  - Essential/necessary cookies (these are responsible for ensuring the normal functioning of the website/app, so they don’t require consent)
  - Performance/analytics cookies
  - Functional cookies
  - Targeting/advertising cookies
  - Social media cookies
- Each category must include a clear explanation of its purpose
Cookie banner design requirements
- Banners must be clearly visible and not obstruct essential content
- Information must be provided in simple, understandable language
- The purpose of each cookie category must be clearly explained
- Banners must include information about data recipients and retention periods
- “Accept” and “Refuse” options must be equally accessible
Consent records and proof
- Businesses must maintain records of user consent
- Consent proof must include when and how consent was obtained
- Records should be available for audit by CNIL upon request
Cookie lifespan limitations
- CNIL recommends limiting cookie lifespans to 13 months maximum
- User consent for cookies should be renewed at least every 13 months
- Analytics cookies should have shorter lifespans when possible
What does the EDPB add on top of CNIL’s requirements?
The European Data Protection Board (EDPB) issued comprehensive guidelines in 2023 that have direct implications for cookie compliance in France. These recommendations align with and in some cases strengthen CNIL’s approach to cookie banners, reinforcing the need for transparency and user control.
The EDPB’s 2023 Report of the work undertaken by the Cookie Banner Taskforce emphasizes several critical aspects of cookie consent that you must consider:
1. Cookie banner visibility and accessibility
- Cookie banners must be clearly visible to all users
- Banners should not disappear until the user makes a choice
- Accessibility standards should be met for users with disabilities
- Banners should be available in all languages in which the website/app/service is offered
2. Equal prominence of Accept/Reject options
- “Accept” and “Reject” buttons must be presented with equal prominence
- Both options should be displayed at the same level and with the same visual impact
- Color schemes should not emphasize one option over the other
- The language used should be neutral and not influence the user’s choice
3. Layered information approach
- First layer: Basic information about cookies and clear consent options
- Second layer: Detailed information accessible via links for users who want more information
- Both layers must be easily accessible and understandable
4. Consent for cross-device tracking
- Separate consent must be obtained for tracking across different devices
- The purpose of cross-device tracking must be clearly explained
- Users should be able to refuse cross-device tracking while still using the service
5. Regular consent renewal
- Cookie consent should be renewed periodically
- The EDPB endorses CNIL’s 13-month maximum cookie lifespan recommendation
- Changes to cookie practices require obtaining fresh consent
By incorporating EDPB’s cookie banner recommendations, you can ensure you’re fully compliant with both local and EU-wide privacy standards.
CNIL’s additional guidance: multi-device consent (December 2025)
In December 2025, the CNIL published final recommendations on multi-device consent – an amendment to its existing cookie guidance. The recommendations address how consent works when users access services across multiple devices while logged into the same account.
Implementing multi-device consent is optional: there is no obligation to offer it. But if you do, several conditions must all be met:
- Symmetry of choices: if consent can be applied globally across devices, refusal and withdrawal must have exactly the same scope. You cannot globalize consent without offering the same symmetry for rejection.
- Enhanced prior information: before any choice is made, users must be told that their preference will apply across all devices linked to the same account. Without this, consent is not considered informed.
- First-layer disclosure: details of the multi-device mechanism must appear at the first level of the consent interface – not buried in settings.
- Conflict resolution: if a user makes a choice on a new device before logging in, and their account already has a saved preference, they must be clearly informed of the conflict and which choice will apply.
- Non-authenticated environments: choices made while logged in must never override preferences expressed outside an authenticated session – particularly relevant for shared devices.
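The scoping rules in the list above can be modelled as two separate stores, one per account and one per unauthenticated device. This is an added example, not code from CNIL or Cookie Information; the class and method names are hypothetical, and letting the account preference win a conflict is an assumption, since the page only requires that the user be told which choice applies.

```javascript
// Added example; all names are hypothetical. Models the scoping rules only.
class MultiDeviceConsent {
  // Assumption: the page does not say which side wins a conflict, so it is a setting.
  constructor(conflictWinner = 'account') {
    this.conflictWinner = conflictWinner;
    this.account = new Map(); // accountId -> 'accept' | 'refuse'
    this.device = new Map();  // deviceId -> choice made outside any authenticated session
  }

  // One write path for accept, refuse and withdrawal, so all three have the same scope.
  choose(deviceId, accountId, choice) {
    if (accountId) this.account.set(accountId, choice); // applies to every linked device
    else this.device.set(deviceId, choice);             // stays on this device only
  }

  // Returns the choice to enforce now, its scope, and any notice the user must see.
  resolve(deviceId, accountId) {
    const local = this.device.get(deviceId) ?? null;
    if (!accountId) return { choice: local, scope: 'device', notify: null };
    const saved = this.account.get(accountId) ?? null;
    if (saved === null) return { choice: local, scope: 'device', notify: null };
    if (local === null || local === saved) {
      return { choice: saved, scope: 'account', notify: null };
    }
    const useAccount = this.conflictWinner === 'account';
    const applied = useAccount ? saved : local;
    return {
      choice: applied,
      scope: useAccount ? 'account' : 'device',
      notify: `This device chose "${local}", your account says "${saved}"; "${applied}" applies.`,
    };
  }
}

function demoMultiDevice() {
  const c = new MultiDeviceConsent();
  c.choose('phone', 'u1', 'accept');                 // logged in on the phone
  const laptopAfterAccept = c.resolve('laptop', 'u1').choice;
  c.choose('phone', 'u1', 'refuse');                 // withdrawal has the same global scope
  const laptopAfterWithdraw = c.resolve('laptop', 'u1').choice;
  c.choose('tablet', null, 'refuse');                // anonymous choice on a shared tablet
  c.choose('phone', 'u1', 'accept');
  const conflict = c.resolve('tablet', 'u1');        // account and device disagree
  c.choose('tablet', 'u1', 'accept');                // logged-in choice made on the tablet
  const tabletLoggedOut = c.resolve('tablet', null).choice; // anonymous choice untouched
  return { laptopAfterAccept, laptopAfterWithdraw, conflict, tabletLoggedOut };
}
```

Keeping the unauthenticated store separate is what guarantees that a logged-in choice never overwrites what was expressed on a shared device before login.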
Looking ahead, the CNIL has announced it will launch work in 2026 on cross-domain consent – a framework for collecting a single consent valid across multiple sites or media properties belonging to the same group. Recommendations will be published for public consultation. This is particularly relevant for media groups, multi-brand businesses, and organizations that operate multiple web properties.
Do CNIL’s cookie rules apply to mobile apps too?
Recognizing the importance of mobile apps in digital privacy, CNIL has expanded its privacy recommendations to mobile apps. These guidelines are just as stringent as those for websites and require careful implementation.
CNIL’s updated guidelines for apps published in 2021 include the following key requirements:
CNIL’s mobile app cookie requirements
Consent before data collection
- Apps must request consent before setting any non-essential cookies or trackers
- Consent must be obtained before any user tracking begins, including during onboarding
- The same standards of freely given, specific, informed, and unambiguous consent apply to mobile apps and games
Mobile-specific implementation guidelines
- Consent interfaces must be adapted to smaller screens without sacrificing clarity
- Touch targets (buttons) must be sufficiently large and easy to tap
- Information must be readable on mobile devices without excessive scrolling
- Consent options should not interfere with core app functionality
In-app consent management
- Apps must provide an easily accessible method to manage cookie preferences
- Consent management can be implemented through:
  - In-app settings menu
  - Persistent link to privacy controls
  - Periodic consent renewal prompts
- Changing consent must be as easy as providing initial consent
Specific technical requirements
- Software Development Kit (SDK) tracking must be disclosed and consented to
- Advertising identifiers – like Apple’s identifier for advertisers (IDFA) or Google’s Advertising ID (GAID) – require explicit consent
- Device fingerprinting techniques require the same level of consent as cookies
- App analytics tools must only be activated after obtaining user consent
Cross-app tracking
- If data is shared across different apps or services, this must be clearly disclosed
- Users must be able to reject cross-app tracking while still using the app
- The purpose and extent of cross-app tracking must be explained in simple terms
What happens if you don’t comply? Recent CNIL fines
Non-compliance with CNIL’s cookie guidelines carries real financial risk. The CNIL has been steadily escalating enforcement since its action plan began in 2019 – and 2025 marked a record year. The authority issued 83 sanctions totalling approximately €486.8 million, with cookie violations and advertising trackers accounting for the bulk of that figure. Below are the most significant cookie enforcement actions to date.
Key CNIL cookie enforcement actions
The following more recent cases demonstrate CNIL’s commitment to enforcing cookie regulations and the serious consequences of non-compliance:
American Express: €1.5M (November 2025)
Inspectors found three separate failures: advertising cookies placed before the user made any choice, cookies placed despite an explicit refusal, and cookies that continued to run after consent was withdrawn. This case is instructive beyond its fine size – it confirmed that withdrawal of consent must actually stop cookies from firing, not just update a preference record.
Google: €325M (September 2025)
The CNIL fined Google €325 million as part of its ongoing cookie action plan. This followed previous Google fines of €100M in 2020 and €150M in 2021 – a trajectory that shows how repeated non-compliance leads to progressively higher penalties.
SHEIN: €150M (September 2025)
Advertising cookies were firing on visitor devices the moment they arrived on shein.com – before any interaction with the consent banner. The banner included a “Reject all” button, but clicking it didn’t prevent new cookies from being placed. Previously deposited cookies also kept running after users withdrew consent. With 12 million monthly French visitors, the scale of processing contributed to the fine amount.
Yahoo!: €10M (December 2023)
CNIL fined Yahoo! €10M for placing advertising cookies on users’ devices without obtaining prior consent and for making it difficult for users to withdraw consent. The investigation found that Yahoo!’s cookie banner did not provide clear information about the purposes of cookies and made it difficult for users to reject cookies.
TikTok: €5M (December 2022)
TikTok received a €5M fine for inadequate cookie consent mechanisms on its website. CNIL determined that TikTok made it difficult for users to refuse cookies, with the refusal option being less visible and requiring more steps than the acceptance option.
Facebook (Meta): €60M (December 2021)
CNIL fined Facebook €60M for not allowing users to refuse cookies as easily as accepting them on its French website. The investigation found that while users could accept cookies with a single click, rejecting them required multiple steps, violating the principle of freely given consent.
What these fines can teach digital marketers in France
These enforcement actions highlight several critical lessons for digital marketers operating or targeting users in France:
- Equal ease of consent: making it easier to accept cookies than to reject them likely leads to penalties
- Prior consent is mandatory: setting non-essential cookies before obtaining consent is explicitly not allowed
- Clear information: failing to clearly explain cookie purposes and data processing is penalized
- All businesses are subject to enforcement: both French and international companies must comply
- Continuous monitoring: CNIL actively monitors websites and apps for privacy compliance
- Withdrawal of consent must technically stop cookies: recording a preference change while cookies keep firing is a violation in itself.
- Repeated non-compliance attracts progressively higher fines.
How do you set up a compliant cookie banner step by step?
Implementing fully compliant cookie consent on your websites and mobile apps doesn’t have to be complicated. Here are the key steps and best practices to ensure your digital platforms meet CNIL’s cookie requirements:
1. Conduct a cookie audit
- Identify all cookies and trackers used on your website or app
- Categorize cookies by purpose (necessary, analytics, marketing, etc.)
- Document the lifespan and data controller for each cookie
- Remove any unnecessary or unused cookies
2. Design a compliant consent banner
- Ensure equal prominence of accept and reject options
- Use clear, simple language that explains cookie purposes
- Implement granular consent options for different cookie categories
- Make sure the banner’s interface works on all devices (responsive design)
3. Implement technical cookie blocking
- Configure your website/app to block non-essential cookies until consent is given – some cookie consent tools like Cookie Information do this automatically for you
- Implement a consent management platform (CMP) that stores user preferences
- Ensure that the marketing and analytics tools you’re using respect user choices
- Set up processes to refresh consent (every 13 months maximum)
4. Maintain documentation and consent records
- Keep records of consent collection methods
- Document all changes to your cookie policy and consent practices
- Be prepared to demonstrate cookie compliance to CNIL if requested
- Regularly review and update your processes as regulations evolve
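Steps 1 to 4 combine into a single gate that decides, per audited tag, whether it may run. This is an added example, not Cookie Information's code or any CMP's API: every name is hypothetical, the tag list is constructed, and a `Map` stands in for the browser cookie store. It covers the three failures described in the fines above: cookies before any choice, cookies after refusal, and cookies that survive withdrawal.

```javascript
// Added example, not Cookie Information's code; all names are hypothetical.
const MAX_MONTHS = 13; // ceiling the page cites for consent validity and cookie lifespan

function addMonths(date, months) {
  const d = new Date(date);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

class ConsentGate {
  // tags: result of the cookie audit. jar: cookie store (a Map here; in a
  // browser, an adapter around document.cookie).
  constructor(tags, jar) {
    this.tags = tags; this.jar = jar;
    this.choices = {};       // category -> true/false; absent means no choice yet
    this.decidedAt = null;
    this.active = new Set(); // names of tags currently running
    this.log = [];           // consent records: when and how each choice was made
  }

  isAllowed(category, now) {
    if (category === 'necessary') return true;          // exempt from consent
    if (this.choices[category] !== true) return false;  // no choice or refusal
    return now < addMonths(this.decidedAt, MAX_MONTHS); // stale consent is void
  }

  // Store a choice (accept, refuse or withdrawal) and apply it immediately.
  record(choices, method, now) {
    this.choices = { ...choices };
    this.decidedAt = now;
    this.log.push({ at: now.toISOString(), method, choices: { ...choices } });
    return this.enforce(now);
  }

  // Start allowed tags; stop disallowed ones and delete their cookies.
  enforce(now) {
    const cap = addMonths(now, MAX_MONTHS);
    for (const tag of this.tags) {
      const allowed = this.isAllowed(tag.category, now);
      if (allowed && !this.active.has(tag.name)) {
        this.active.add(tag.name);
        for (const c of tag.cookies) {
          const wanted = addMonths(now, c.months);
          this.jar.set(c.name, { expires: wanted < cap ? wanted : cap });
        }
      } else if (!allowed && this.active.has(tag.name)) {
        this.active.delete(tag.name);
        for (const c of tag.cookies) this.jar.delete(c.name);
      }
    }
    return [...this.active].sort();
  }
}

function demoConsentGate() {
  const tags = [ // constructed audit result
    { name: 'session', category: 'necessary', cookies: [{ name: 'sid', months: 1 }] },
    { name: 'analytics', category: 'analytics', cookies: [{ name: '_an', months: 24 }] },
    { name: 'ads', category: 'advertising', cookies: [{ name: '_ad', months: 6 }] },
  ];
  const jar = new Map();
  const gate = new ConsentGate(tags, jar);
  const t0 = new Date('2025-01-15T10:00:00Z');
  const t1 = new Date('2025-03-01T09:00:00Z');
  const t2 = new Date('2026-04-02T00:00:00Z'); // more than 13 months after t1
  return {
    beforeChoice: gate.enforce(t0),
    afterAccept: gate.record({ analytics: true, advertising: true }, 'banner:accept-all', t0),
    analyticsExpiry: jar.get('_an').expires.toISOString(),
    afterWithdraw: gate.record({ analytics: true, advertising: false }, 'settings:withdraw', t1),
    adCookieLeft: jar.has('_ad'),
    afterStale: gate.enforce(t2),
    records: gate.log.length,
  };
}
```

The `active` set only models whether a tag is running; in a real page, stopping a tag also means not loading its script and not calling its SDK.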
How does Cookie Information help you stay compliant with CNIL?
Our cookie banner tools are specifically designed to help you comply with France’s strict cookie laws. Our consent management solution offers:
- CNIL-compliant banners: Pre-configured templates that meet all current consent requirements in France
- Granular consent management: Allow users to easily accept or reject different types of cookies
- Automatic updates: Stay aligned with CNIL’s latest guidelines through regular updates
- Full transparency: Provide clear information on how cookies are used
- Easy withdrawal: Our cookie consent widget provides a simple tool for users to change preferences at any time
- Customizable design: Adapt the banner appearance to match your brand while maintaining privacy compliance
- Consent records: Maintain documentation of user choices for compliance audit purposes by CNIL
Frequently asked questions
What are the main cookie laws in France?
Cookie usage in France is primarily regulated by the French Data Protection Act (Loi Informatique et Libertés), particularly Article 82, which implements the ePrivacy Directive, together with the GDPR. These laws require explicit consent before setting non-essential cookies on users’ devices.
How long can cookies be stored under French law?
CNIL recommends limiting cookie lifespans to a maximum of 13 months. Additionally, user consent for cookies should be renewed at least every 13 months, even if the cookie itself has a longer technical lifespan.
Are there any cookies exempt from consent requirements in France?
Yes, strictly necessary cookies that are essential for website or app core functionality don’t require consent. These include cookies used for user authentication, shopping carts, and security purposes. However, analytics cookies, even those used for measuring audience, require consent under CNIL guidelines.
What is the CNIL?
The CNIL (Commission Nationale de l’Informatique et des Libertés) is France’s data protection authority responsible for enforcing data privacy laws and ensuring compliance with the GDPR and French Data Protection Act.
What are CNIL cookie recommendations for compliant cookie banners?
Key recommendations include:
- Ensuring “Accept” and “Reject” buttons are equally visible.
- Using clear and transparent language.
- Avoiding pre-set cookies before user consent.
- Making the rejection process as simple as the acceptance process.
- Conducting regular cookie audits to monitor compliance.
Does CNIL’s consent framework now apply across multiple devices?
It can. In December 2025, CNIL published recommendations on multi-device consent – a framework for applying a user’s consent choices automatically across all devices linked to the same account. This is optional, not mandatory. But if you implement it, strict conditions apply: choices must be symmetrical (refusal applies just as broadly as consent), users must be informed upfront that their preference applies across devices, and conflicts between device-level and account-level preferences must be disclosed clearly. CNIL has also announced it will address cross-domain consent (a single consent valid across multiple sites in the same group) in 2026.
Is it enough to record a consent withdrawal, or must cookies actually stop?
Cookies must actually stop. The November 2025 American Express fine made this explicit: cookies that continue to run after a user withdraws consent are a violation, even if the withdrawal is correctly recorded in your consent management system. Your implementation must technically prevent the cookies from firing – not just update a preference flag.
Can I use a cookie wall on my website in France?
Cookie walls, which block access to content unless users accept cookies, are generally considered non-compliant by CNIL. They may be allowed in very limited circumstances where a genuine alternative without cookies is available to users, but these exceptions are rare.
How quickly must I implement changes after CNIL updates its guidelines?
CNIL typically provides a grace period after publishing new guidelines. However, you’re expected to implement changes as soon as reasonably possible. For major updates, CNIL may specify a compliance deadline, usually between 3 and 6 months from publication.
Does CNIL require specific language in cookie banners?
CNIL doesn’t mandate exact wording but requires that the language is clear, understandable, and non-misleading. Information about cookie purposes, data controllers, and user rights must be included, but you have flexibility in how you phrase this information.
What happens if a website doesn’t comply with CNIL cookie guidelines?
CNIL enforces compliance through both scheduled audits and responses to user complaints. They may first issue formal notices requiring changes within a specified timeframe. If businesses fail to comply, CNIL can impose fines of up to €20 million or 4% of global annual revenue, whichever is higher.
What are dark patterns in cookie banners?
Dark patterns are manipulative design practices that nudge users into accepting cookies without providing a genuine choice. Examples of dark patterns in cookie banners include unequal button visibility, misleading wording, and cumbersome rejection processes.
How can I make my cookie banner compliant with cookie guidelines in France and French privacy laws?
Use a website consent management platform like Cookie Information to create customizable, compliant cookie banners. Features include cookie audits, equal button prominence, and real-time consent monitoring.