Skip to main content
C
CookieBeam
Back to Guides
Compliance6 min read

CNIL Cookie Guidelines: France's Strict Rules Explained

France's CNIL enforces some of the toughest cookie rules in Europe — and has the fines to prove it. Learn the CNIL's specific requirements, what it has penalised, and how to make your banner France-ready.

Why the CNIL Sets the Pace in Europe

The Commission Nationale de l'Informatique et des Libertés (CNIL) is France's data protection authority, and on cookies it has been the most assertive regulator in Europe. While the GDPR and ePrivacy Directive set the European baseline, each national authority interprets and enforces them — and the CNIL has issued detailed, prescriptive guidance plus some of the largest cookie-specific fines on record.

If your site reaches French visitors, the CNIL's interpretation effectively sets your floor: it is stricter than the bare text of the law, and meeting it generally means you are compliant across the EEA. This guide breaks down what the CNIL actually requires, what it has penalised, and how to make your banner France-ready. For the wider legal backdrop, start with our guides on GDPR and the ePrivacy Directive.

The Guidelines and Recommendation

The CNIL's framework rests on two instruments adopted in 2020: binding guidelines (lignes directrices) setting out the legal rules, and a practical recommendation on how to obtain consent. After a transition period, the CNIL began active enforcement in spring 2021, giving organisations time to update their banners first.

The official texts and plain-language summaries are published on the CNIL's own site, including its dedicated cookies and trackers guidance. The core principles distilled from them are below.

The Core CNIL Requirements

1. Consent before any non-essential cookie

Non-essential cookies — analytics, advertising, social — must not be placed or read until the user has actively consented. No tracker fires on page load before the choice is made.

2. Refusing must be as easy as accepting

This is the CNIL's signature rule. If your banner has an "Accept all" button, it must offer an equally simple way to refuse — ideally a "Reject all" button on the same layer, with the same number of clicks. Making refusal harder than acceptance is the violation the CNIL has fined most aggressively.

3. No pre-ticked boxes

Consent requires a clear affirmative act. Pre-checked boxes and default-on toggles are invalid, consistent with the CJEU's Planet49 ruling.

4. Continued browsing is not consent

Scrolling or clicking a link does not count. The CNIL explicitly rejected the old "by continuing to browse you accept" approach.

5. Granular and informed choice

Users must be told who is setting trackers and for what purpose, and be able to consent purpose by purpose rather than all-or-nothing. The identity of the parties relying on the cookies should be available.

6. Easy withdrawal

Users must be able to change their mind and withdraw consent as easily as they gave it, at any time — typically via a persistent settings link or icon.

7. Proof of consent

Site operators must be able to demonstrate that they obtained valid consent. This means keeping a record of what each user agreed to and when — a consent log. See our guide on consent expiry and re-consent for how long to retain and when to refresh it.

Together these rules describe a banner that gives "yes" and "no" genuine parity — exactly the design philosophy covered in our guide on cookie banner design best practices and the anti-patterns in cookie banner dark patterns.

Enforcement with teeth

In January 2022 the CNIL fined two of the world's largest tech companies €150 million and €60 million respectively — not for the tracking itself, but because users could accept cookies in one click while refusing required several. The CNIL has issued numerous further sanctions on the same principle, making 'refuse as easily as accept' the most expensive rule to get wrong in European cookie compliance.

The Audience-Measurement Exemption

One area where the CNIL offers practical relief is audience measurement (analytics). Under strict conditions, certain analytics tools can be treated as exempt from consent — meaning you may measure traffic without a banner opt-in — provided the configuration is genuinely privacy-protective. To qualify, the measurement must typically:

  • serve only the operator's own statistical purposes (no cross-site tracking, no data sharing with third parties for their own use);
  • produce only anonymous or strictly limited statistics;
  • restrict the lifespan of any identifiers and the data retention period;
  • not enable global tracking of the person across different sites or apps.

The CNIL has published a list of analytics solutions and configurations it considers exemptable. This is a meaningful advantage: it lets you keep basic traffic insight even from visitors who refuse other cookies. Note that the popular default configuration of mainstream analytics platforms generally does not qualify — exemption depends on a hardened, privacy-first setup. Understand which trackers you run with a thorough cookie scan before assuming anything is exempt.

Cookie walls: case by case, not a blanket ban

Unlike a flat prohibition, the CNIL's position on cookie walls is that their lawfulness must be assessed case by case, considering whether a real alternative to access exists. This nuance feeds directly into the 'pay or consent' debate — see our guide on cookie walls and pay-or-consent models for the full picture.

Making Your Banner France-Ready

To satisfy the CNIL specifically, your banner should:

  1. Block all non-essential trackers until a clear affirmative choice is made.
  2. Show Accept all and Reject all with equal prominence on the first layer.
  3. Default every non-essential toggle to off, with no pre-ticked boxes.
  4. Present information in clear French (and any other languages your audience uses) — see multi-language cookie banner localization.
  5. Provide an always-available way to withdraw or change consent.
  6. Log every choice with a timestamp to prove consent on request.
  7. If you rely on the audience-measurement exemption, configure the analytics tool to the CNIL's privacy-protective criteria — and document why it qualifies.

Because the CNIL's bar is higher than the European minimum, a France-ready banner is, in practice, ready for most of the EEA. The reverse is not true: a banner that merely scrapes past the GDPR baseline can still fall foul of the CNIL's symmetry and exemption rules.

CNIL Compliance Checklist

  • No non-essential cookies before consent

    Trackers are blocked on page load until the visitor makes an affirmative choice.

  • 'Reject all' as easy as 'Accept all'

    Equal prominence, same number of clicks on the first layer — the CNIL's most-fined rule.

  • No pre-ticked boxes or default-on toggles

    Every non-essential category defaults to off.

  • No reliance on continued browsing

    Scrolling or clicking a link does not count as consent.

  • Granular, informed purposes

    Users can choose purpose by purpose and see who is setting trackers.

  • Easy, persistent withdrawal

    A standing settings link or icon lets users change their mind at any time.

  • Audience-measurement exemption documented

    If used, the analytics config meets the CNIL's privacy-protective criteria and you can explain why.

  • Consent logged with proof

    Record what each visitor agreed to and when, to demonstrate valid consent.

Pass the strictest test in Europe

Meet the CNIL's requirements — symmetrical choices, no pre-ticks, easy withdrawal, and verifiable consent logs — and you clear the highest enforcement bar on the continent. A consent management platform that blocks trackers until consent and records every decision turns France's strict regime from a risk into a routine.

Back to all guides
CNIL Cookie Guidelines Explained: France's Strict Consent Rules | CookieBeam | CookieBeam