French data privacy is governed by the EU’s GDPR, and CNIL offers guidelines and recommendations beyond GDPR. In 2021, new recommendations on cookies and cookie consent came into force. Consent is at the heart of CNIL’s guidelines.
CNIL, or the Commission nationale de l’informatique et des libertés, is an independent French administrative body that oversees data privacy legislation in France. It issues and enforces the rules and regulations regarding data compliance within the territory.
Central to CNIL’s guidelines is the free nature of consent. A website user’s consent must be freely given in accepting cookies. This is a key issue for websites that use cookie walls. Since cookie walls only allow access to a site if the site’s cookies are accepted, they remove any free choice, and a user has to provide consent to proceed.
While CNIL has not introduced a blanket ban on cookie walls, it does have guidelines on what kind of information these walls need to give users in order to make them compliant. As long as a website provides users with accurate and reliable information about accepting or denying consent and what that means, cookie walls are generally allowed.
To claim that it has received a user’s informed consent, and thus to adhere to CNIL’s guidelines, a website must provide the information listed below. CNIL further stipulates that consent must be affirmative, meaning an explicit click of an “I consent” or “Yes” button: there can be no assumptions or implied consent inferred from a lack of user action. Any inaction from a user must be treated as a rejection of the site’s cookies.
Cookie compliance: inform transparently about the functions the cookies serve.
Ability to accept or reject: how to accept or reject any particular cookie.
Enable informed consent about cookies: what accepting or rejecting these cookies will mean.
Cookie data and handling: the identities of the cookie administrators and any third parties that may be involved.
Right to withdraw: the user’s right to withdraw consent, and a clear way to do so.
Any organization operating a website or application that collects personal data through cookies from users in France must comply with CNIL's cookie rules. This includes businesses based in France, as well as those outside of France that target French users. Essentially, if your website uses cookies that track or collect information about individuals in France, you need to adhere to CNIL's guidelines, which emphasize transparency and user consent.
CNIL is tasked with protecting personal data, with a focus on safeguarding the following consumer rights:
Individuals can request access to their personal data
If data is inaccurate or incomplete, individuals can request corrections
Individuals can request the deletion of their data under certain conditions
Individuals can object to the processing of their data, particularly for marketing purposes
Individuals can request to receive their data in a usable format
Companies must provide clear and transparent information about data collection and processing practices
Individuals can withdraw consent for data processing at any time
CNIL requires a user’s consent to be managed with complete transparency — that is to say, websites can’t request a single consent for cookies that have different functions. Since such consent fails to fully inform users of what they’re actually agreeing to, it restricts their freedom of choice and isn’t regarded as consent in any meaningful way.
When it comes to individual cookie types and their functions, websites must give users precise information about each individual cookie so that users can grant their ‘informed’ consent. To complete the picture, websites must also reveal the identity of any data administrators or third parties involved in the creation or use of the cookies.
Of equal importance here is that any data a website supplies about its cookies should be delivered in simple, easy-to-understand terms — and not masked behind technical and legal terminology. Once again, a user’s consent must be granted in a meaningful way.
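The consent rules described above (affirmative action only, inaction treated as rejection, a separate decision for each cookie purpose, disclosure of the controllers and third parties behind each cookie, and a clear way to withdraw) can be expressed as a small consent-state model. The following is an added example written for this page; it is not CookieHub’s product code and not text from CNIL. The purpose names, cookie names and controller names are constructed placeholders, and the exemption for strictly necessary cookies reflects the general ePrivacy rule rather than anything stated above.

```javascript
// Added example: a consent-state model for cookie purposes (constructed placeholders).
// Each purpose carries a plain-language description, the identities of the parties
// that set or use its cookies, and the cookie names it covers.
const PURPOSES = {
  analytics: {
    description: "Counts page views so we can improve the site",
    controllers: ["Example Site SAS (constructed)", "Example Analytics Inc (constructed, third party)"],
    cookies: ["_ex_stats"],
  },
  advertising: {
    description: "Shows ads tailored to your browsing",
    controllers: ["Example Ad Network (constructed, third party)"],
    cookies: ["_ex_ads"],
  },
};

// Strictly necessary cookies (e.g. the session cookie) are exempt from consent
// under the ePrivacy rules; this name is a constructed placeholder.
const ESSENTIAL_COOKIES = ["session_id"];

// Default state: no purpose is consented. Doing nothing is a rejection.
function createConsentState() {
  const state = {};
  for (const purpose of Object.keys(PURPOSES)) {
    state[purpose] = { granted: false, at: null };
  }
  return state;
}

// Record one decision for one purpose. A grant is only accepted when the event
// was an explicit affirmative action (a click on "Yes"/"I consent"); scrolling,
// closing the banner or a timeout never count as consent. Rejection is always accepted.
function recordChoice(state, purpose, granted, event) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  if (granted && !(event && event.explicit === true)) {
    return state; // implied "yes" is ignored; state stays as it was
  }
  state[purpose] = { granted: Boolean(granted), at: granted ? event.at : null };
  return state;
}

// Withdrawal must be as easy as granting: clear every purpose at once.
function withdrawAll(state) {
  for (const purpose of Object.keys(state)) {
    state[purpose] = { granted: false, at: null };
  }
  return state;
}

// Gate for any code that wants to set a cookie: essential cookies always pass,
// cookies tied to a consented purpose pass, everything else (including cookies
// not declared in PURPOSES) is refused by default.
function mayWriteCookie(state, cookieName) {
  if (ESSENTIAL_COOKIES.includes(cookieName)) return true;
  const purpose = Object.keys(PURPOSES).find((p) => PURPOSES[p].cookies.includes(cookieName));
  if (purpose === undefined) return false;
  return state[purpose].granted === true;
}

// Plain-language banner text: one line per purpose naming what it does and who is behind it.
function describePurposes() {
  return Object.entries(PURPOSES).map(
    ([name, p]) => `${name}: ${p.description} (set or used by: ${p.controllers.join(", ")})`
  );
}

// Stand-alone walkthrough.
const consent = createConsentState();
console.log(describePurposes().join("\n"));
recordChoice(consent, "analytics", true, { explicit: false, at: Date.now() }); // ignored
recordChoice(consent, "analytics", true, { explicit: true, at: Date.now() });  // granted
console.log("may set _ex_stats:", mayWriteCookie(consent, "_ex_stats"));
console.log("may set _ex_ads:", mayWriteCookie(consent, "_ex_ads"));
withdrawAll(consent);
console.log("after withdrawal, may set _ex_stats:", mayWriteCookie(consent, "_ex_stats"));
```

In a real banner, `recordChoice` would be wired to the per-purpose “Yes” and “No” buttons, the recorded state would be persisted so it can be shown and withdrawn later, and every cookie-setting path on the site would go through `mayWriteCookie` rather than trusting that the banner was shown.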
CNIL has imposed a number of massive fines on various companies, so the penalties are not theoretical. CNIL can impose fines of up to 4% of a company’s global annual revenue or 20 million EUR, whichever is higher. In addition, CNIL is empowered to issue formal notices, injunctions and can require companies to simplify their cookie consent mechanisms.
Staying in compliance means proactively thinking about your data privacy posture; here are a few best practices to stay on the right path:
Conduct data audits: review current data practices to identify areas that need adjustment to align with CNIL and GDPR.
Update privacy policies: revise privacy notices to clearly outline data practices, consumer rights, and how to exercise those rights.
Implement consent management: get effective management and control of cookie use with a comprehensive consent management platform like CookieHub.
Employee training: offer staff education programs on the importance of data privacy, GDPR and CNIL.
CNIL gives consumers explicit control over their cookie consent and demands that companies make consent simple. CookieHub can help you meet these demands with our comprehensive, customizable consent management platform.
Don’t get caught unaware. Get CNIL compliance and consent lined up with CookieHub.
The CNIL is France’s independent regulatory body responsible for ensuring the protection of personal data and privacy. It oversees compliance with data protection laws, including the GDPR, and provides guidance to individuals and organizations on their rights and responsibilities regarding data processing in France.
According to the CNIL, personal data refers to any information that can directly or indirectly identify a natural person. This includes names, email addresses, identification numbers, location data, online identifiers (such as IP addresses), and other information that can be linked to a person.
Sensitive data includes special categories of personal data that require a higher level of protection. This covers information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, and data concerning a person’s sex life or sexual orientation.
The CNIL itself is the national regulatory authority for data protection in France. It operates independently but is recognized and empowered by French law to enforce data privacy regulations and oversee their application.
In general, CNIL rules apply to all entities that process personal data in France. However, purely personal or household activities (e.g., managing personal contacts or photo albums) are exempt from CNIL oversight. Public authorities or organizations with specific legal exemptions may also have limited exclusions under defined circumstances.
You can learn more by visiting the official CNIL website. The site offers resources, guidance, and updates on data protection laws, individual rights, and regulatory compliance.