The new CNIL guidelines and recommendations on cookies and tracers of all types.

The guidelines (deliberation 2020-091) and the CNIL recommendations (deliberation 2020-092) of September 17, 2020 specify the rules on consent, in the extension of the ePrivacy Directive (2002/58/EC) and the guidelines of the European Data Protection Board of May 4, 2020 (5/2020), the GDPR and article 82 of the Data Protection Act, previous CNIL deliberations and decisions of the Council of State.

Tracers that are not purely technical must be the subject of information and consent. This is the principle set out in article 82 of the Data Protection Act.

This concerns in particular "HTTP cookies", by which these reading or writing actions are most often carried out, but also other technologies such as "local shared objects" sometimes called "Flash cookies", "local storage" implemented within the HTML 5 standard, identifications by calculation of the terminal fingerprint or "fingerprinting", identifiers generated by the operating systems (whether advertising or not: IDFA, IDFV, Android ID, etc. .), hardware identifiers (MAC address, serial number or other identifier of a device), etc”.

The guidelines specify that this principle applies regardless of whether the data collected is personal or not, without of course excluding the GDPR and the Data Protection Act which remain applicable and have priority on the subject of personal data – “sometimes directly identifying (for example, an email address) and often indirectly identifying (for example, the unique identifier associated with a cookie, an IP address, an identifier of the terminal or of a component of the terminal of the user, the result of the fingerprint calculation in the case of a “fingerprinting” technique, or an identifier generated by software or an operating system)”.

Joint managers:

All of the players involved in audience measurement trackers that process personal data are considered joint controllers and must comply with French regulations.

“The Council of State ruled, in its decision of June 6, 2018, that the obligations incumbent on the site editor include that of ensuring with its partners, on the one hand, that they do not issue, via the publisher's website, trackers that do not comply with the regulations applicable in France and, on the other hand, that of taking any useful steps with them to put an end to shortcomings”.

In terms of subcontracting:

“The Commission recalls that the publisher of a site which deposits tracers must be considered as a data controller, including when it subcontracts to third parties the management of these tracers set up for its own account”, and “that an actor who stores and/or accesses information stored in a user's terminal equipment exclusively on behalf of a third party must be considered a processor. It recalls, in this respect, that if a subcontracting relationship is established, the data controller and the subcontractor must draw up a contract or another legal act specifying the obligations of each party, in compliance with the provisions of the 28 GDPR”.

Consent :

The CNIL indicates that "the possibilities of setting browsers and operating systems cannot, on their own, allow the user to express valid consent".

On cookie walls (the user cannot access the site if he does not accept cookies), the CNIL indicates that the method is lawful but that it should not exempt precise information from being provided on the different purposes pursued by the processing carried out, and thus recommends, as can already be seen on certain sites, that second-level information be provided, allowing the user to personalize his choices.

A global acceptance of the general conditions of use of the site does not respect the principle of specific consent.

Consent implies positive action. Simply continuing to navigate or using default pre-checked boxes is insufficient. However, this is not to interfere with navigation. Refusal and withdrawal of consent must be facilitated.

Guidelines and recommendations give suggestions, indications and examples.

Evidence :

The recommendation suggests solutions for keeping proof of consent, for example, “the different versions of the computer code used by the body collecting the consent can be escrow from a third party, or, more simply, a condensate (or “hash”) of this code can be published in a timestamped manner on a public platform, in order to be able to prove its authenticity a posteriori”.


Cookie law: CNIL recommendations

Data transfer: assessing foreign legislation

Support on IT contracts

Consult a lawyer specializing in computer law


The right to cookies, the draft recommendations

Updated: February 17, 2022:

The new CNIL guidelines and recommendations on cookies and tracers of all types.


The matter is governed by Article 82 of the French Data Protection Act, which transposes Article 5(3) of Directive 2002/58/EC of 12 July 2002 on privacy and electronic communications (e-Privacy Directive on metadata), amended in 2009 (Directive 2009/136/EC).

When the cookie processes personal data, the RGPD and Directive 2016/680 of 27 April 2016, known as the "Police-Justice" Directive, texts that specifically address the issue of processing personal data (as opposed to other types of data), are also applicable. These texts are also transposed or taken up by the Data Protection Act.

The administrative bodies in charge of these matters: CNIL(draft recommendation of 14 January 2020, still in draft form at present), EDPS (European Committee for Data Protection, ex-"G29″ guidelines on consent of 28 Nov. 2017, WP 259 rev. 01)) have delivered their approaches, the CJEU too (CJEU 1 Oct. 2019, aff. C-673/17, Planet49).

It can be noted that, for any type of tracker (and not only the traditional web cookie), the specific and positive consent of the Internet user on the purposes and controllers of the processing, on the exact scope of his or her consent (its duration in particular), is required, in particular with regard to audience trackers.

This requires clear prior information under a specific policy.

Even the merely "technical" cookie, necessary for the proper technical functioning of the service, should not escape this requirement either, according to the CNIL.

Simply referring the Internet user to the browser settings to block or select cookies is not sufficient.

The publisher of an online content will not be able to discharge its responsibility on the technical intermediary or the communication agency which it would call upon, as regards the tracers of audience as well as the tracers deposited by third parties, in the sense that it can always be prosecuted in the first line.

A compliance analysis will therefore focus on qualifying the different types of cookies, their purposes, and their managers, in order to identify the exact legal regime applicable to them, and then to set up the appropriate consent procedures.

A very detailed contract with a consent manager may be necessary, especially as a website is constantly evolving and consents are given for limited periods and purposes, and as trackers may change or be modified: consent will therefore have to be adapted or sought frequently. The user should also be able to withdraw consent at any time.

Proof of consent and compliance will need to be available, involving audits and mechanisms for sequestration and archiving.

The Council of State June 19, 2020 questioned the CNIL's recommendation on wall cookies, suggesting that the ability to deny access to a site if cookies are refused was legitimate.

Commitment to IT charters and contracts