The new CNIL guidelines and recommendations on cookies and tracers of all types.

The guidelines (deliberation 2020-091) and the CNIL recommendations (deliberation 2020-092) of September 17, 2020 specify the rules on consent, as an extension of the ePrivacy Directive (2002/58/EC) and the guidelines of the European Data Protection Board of May 4, 2020 (5/2020), the GDPR and article 82 of the Data Protection Act, previous CNIL deliberations and decisions of the Council of State.

Tracers that are not purely technical require information and consent. This is the principle set out in article 82 of the Data Protection Act.

“This concerns in particular "HTTP cookies", by which these reading or writing actions are most often carried out, but also other technologies such as "local shared objects" sometimes called "Flash cookies", "local storage" implemented within the HTML 5 standard, identifications by calculation of the terminal fingerprint or "fingerprinting", identifiers generated by the operating systems (whether advertising or not: IDFA, IDFV, Android ID, etc.), hardware identifiers (MAC address, serial number or other identifier of a device), etc.”

The guidelines specify that this principle applies regardless of whether the data collected is personal or not. This does not, of course, exclude the GDPR and the Data Protection Act, which remain applicable and take precedence where personal data is concerned – “sometimes directly identifying (for example, an email address) and often indirectly identifying (for example, the unique identifier associated with a cookie, an IP address, an identifier of the terminal or of a component of the terminal of the user, the result of the fingerprint calculation in the case of a “fingerprinting” technique, or an identifier generated by software or an operating system)”.

Joint controllers:

All of the players involved in audience measurement trackers that process personal data are considered joint controllers and must comply with French regulations.

“The Council of State ruled, in its decision of June 6, 2018, that the obligations incumbent on the site editor include that of ensuring with its partners, on the one hand, that they do not issue, via the publisher's website, trackers that do not comply with the regulations applicable in France and, on the other hand, that of taking any useful steps with them to put an end to shortcomings”.

In terms of subcontracting:

“The Commission recalls that the publisher of a site which deposits tracers must be considered as a data controller, including when it subcontracts to third parties the management of these tracers set up for its own account”, and “that an actor who stores and/or accesses information stored in a user's terminal equipment exclusively on behalf of a third party must be considered a processor. It recalls, in this respect, that if a subcontracting relationship is established, the data controller and the subcontractor must draw up a contract or another legal act specifying the obligations of each party, in compliance with the provisions of Article 28 of the GDPR”.

Consent:

The CNIL indicates that "the possibilities of setting browsers and operating systems cannot, on their own, allow the user to express valid consent".

On cookie walls (the user cannot access the site if he does not accept cookies), the CNIL indicates that the method is lawful but that it does not remove the obligation to provide precise information on the different purposes pursued by the processing carried out. It thus recommends, as can already be seen on certain sites, that second-level information be provided, allowing the user to personalize his choices.

A global acceptance of the general conditions of use of the site does not respect the principle of specific consent.

Consent implies positive action. Simply continuing to navigate or using default pre-checked boxes is insufficient. However, collecting consent must not interfere with navigation. Refusal and withdrawal of consent must be facilitated.

The guidelines and recommendations give suggestions, indications and examples.

Evidence:

The recommendation suggests solutions for keeping proof of consent, for example, “the different versions of the computer code used by the body collecting the consent can be placed in escrow with a third party, or, more simply, a condensate (or “hash”) of this code can be published in a timestamped manner on a public platform, in order to be able to prove its authenticity a posteriori”.
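One way to apply the hash-based proof described in the recommendation, as an added example that is not code from the CNIL or from this page: each release of the consent interface gets a single SHA-256 digest, each consent record cites that digest, and an auditor can later check that the code produced is the code the user saw. The function names, the sample banner files and the `PUBLISHED` dictionary standing in for the public timestamped platform are assumptions; timestamps are ISO 8601 UTC strings in one fixed format so that they compare as text.

```python
import hashlib
import hmac
import json

def code_digest(files):
    """SHA-256 over one consent-UI release: sorted paths, length-prefixed fields."""
    h = hashlib.sha256()
    for path in sorted(files):
        for field in (path.encode("utf-8"), files[path]):
            # The length prefix keeps ("ab", "c") distinct from ("a", "bc").
            h.update(len(field).to_bytes(8, "big"))
            h.update(field)
    return h.hexdigest()

def consent_record(choices, digest, timestamp):
    """Consent event that names the exact code version shown to the user."""
    return json.dumps(
        {"choices": choices, "code_sha256": digest, "ts": timestamp}, sort_keys=True
    )

def verify_release(files, record, published):
    """True if `files` is the release the record cites and its digest was
    published no later than the moment consent was recorded."""
    rec = json.loads(record)
    if not hmac.compare_digest(code_digest(files), rec["code_sha256"]):
        return False
    published_at = published.get(rec["code_sha256"])
    return published_at is not None and published_at <= rec["ts"]

# Constructed sample release of a consent banner (illustrative, not real code).
RELEASE_V1 = {
    "banner.html": b'<input type="checkbox" name="audience">',
    "banner.js": b"function refuseAll() { saveChoices({}); }",
}
# Same release with a pre-checked box: the change an audit must be able to detect.
RELEASE_ALTERED = {**RELEASE_V1,
                   "banner.html": b'<input type="checkbox" name="audience" checked>'}
# Stand-in for the public timestamped publication: digest -> publication time.
PUBLISHED = {code_digest(RELEASE_V1): "2020-10-01T09:00:00Z"}
RECORD = consent_record({"audience": False, "advertising": False},
                        code_digest(RELEASE_V1), "2020-10-02T14:30:00Z")
```
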




The right to cookies, the draft recommendations

Updated: February 17, 2022:

The new CNIL guidelines and recommendations on cookies and tracers of all types.


The subject is governed by Article 82 of the Data Protection Act transposing Article 5(3) of Directive 2002/58/EC of July 12, 2002 known as "privacy and electronic communications" (e-Privacy Directive on metadata), amended in 2009 (Directive 2009/136/EC).

When the cookie processes personal data, the GDPR and directive n° 2016/680 of April 27, 2016, known as the “Police-Justice” directive, texts which specifically address the processing of personal data (as opposed to other types of data), are also applicable. These texts are also transposed or taken up by the Data Protection Act.

The administrative bodies in charge of these matters, the CNIL (draft recommendation of January 14, 2020, still in draft form at present) and the CEPD (European Data Protection Board, ex-"G29"; guidelines on consent of Nov. 28, 2017, WP 259 rev. 01), have delivered their approaches, as has the CJEU (CJEU Oct. 1, 2019, case C-673/17, Planet49).

It should be remembered that, for any type of tracer (and not only the traditional web cookie), the specific and positive consent of the Internet user on the purposes and the persons in charge of the processing, and on the exact scope of his consent (its duration in particular), is required, especially when it comes to audience trackers.

This presupposes clear and prior information, under a specific “policy”.

Even the simply “technical” cookie, necessary for the proper technical functioning of the service, should not escape this requirement either, according to the CNIL.

The mere referral of the Internet user to the configuration of his browser to block or select cookies is not sufficient.

The publisher of online content cannot shift liability onto the technical intermediary or the communication agency he calls upon, both with regard to audience tracers and tracers deposited by third parties, in the sense that he can always be prosecuted on the front line.

A compliance analysis will therefore focus on qualifying the different types of cookies, their purposes, their managers, to identify the exact legal regime applicable to them, then to set up the appropriate consent procedures.

A very detailed contract with a consent manager may be necessary, especially since a website is constantly evolving, consents are given for limited durations and purposes, and tracers may change or be modified: consent will therefore have to be adapted or requested frequently. The user must also be able to withdraw his consent at any time.

Proof of consent and of its compliance must be reportable, which involves audits and escrow and archiving mechanisms.

The Council of State, on June 19, 2020, questioned the CNIL's recommendation on cookie walls, suggesting that the ability to prohibit access to a site in the event of refusal of cookies had legitimacy.
