CNIL continues to crumble cookies: recent enforcement actions, impact on organisations with a French presence, and how to respond.

Written By

Mihnea Dumitrascu

Associate
UK

As an associate in our London-based international Privacy & Data Protection practice, I advise UK and international clients across a variety of sectors on a wide range of international data and privacy issues. This includes core regulatory frameworks such as the General Data Protection Regulation (GDPR) or the ePrivacy directive, and emerging EU data laws.

Gabriel Voisin

Partner
UK

As a partner in our London-based international Privacy & Data Protection practice, I advise companies on a range of international data and privacy compliance projects, including the implementation of global data management strategies, international data transfers and data compliance issues such as the General Data Protection Regulation (GDPR) or the ePrivacy directive. I am also a member of the firm's global (i) Executive Committee (ExCom) and (ii) Diversity & Inclusion leadership group.

The French Data Protection Authority (“CNIL”) has long been known for its active enforcement of the rules on cookies and similar technologies (“cookies”).

In this article, we explore the CNIL’s enforcement actions in recent years and, if your organisation has a French presence, how it should respond to each of the issues the CNIL has raised. The CNIL’s recent €50 million fine for breaches of the ePrivacy rules and its crackdown on misleading cookie banners have reinforced the importance of complying with these rules.

Summary of the CNIL’s enforcement actions

Between December 2022 and December 2024, the CNIL issued combined fines of over €139 million for breaches of Article 82 of the French Data Protection Act, which implements Article 5(3) of the ePrivacy Directive. These are the rules governing the use of cookies, that is, the storing of information on, or the gaining of access to information already stored on, a user’s device.

How to respond to the issues that the CNIL addressed in the enforcement actions

1. Placement/reading of cookies prior to obtaining user consent

How to respond: To be exempted from seeking user consent, you need to ensure that you only place/read cookies which are either (a) used for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network or (b) strictly necessary in order to provide an information society service explicitly requested by the user.

The CNIL has published the following list of exempt cookies that do not require consent:

  • Cookies recording the choice expressed by the users on the placement of cookies
  • Cookies intended for authentication of a user that attempts to access a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts
  • Cookies intended to keep track of the contents of a shopping cart on a merchant site or to invoice the user for the product(s) and/or service(s) purchased
  • Cookies for personalizing the user interface (for example, for the choice of language or the presentation of a service), when such personalization constitutes an intrinsic and expected element of the service
  • Cookies used for the purposes of load balancing traffic to a website
  • Cookies allowing paying websites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period)
  • Certain types of analytics cookies (“cookies de mesures d’audience”), under certain conditions. Notably they must be first party cookies, and the personal data collected must not be cross-referenced with other processing operations or shared with third parties.

2. Be prudent when users change their minds

How to respond: If you have placed cookies with the user’s consent and the user subsequently withdraws that consent, you must implement measures to prevent the continued reading of those (previously accepted) cookies.

This is in line with the CNIL’s recommendations, in which the CNIL specified that “for the withdrawal of consent to be effective, it may be necessary to implement specific solutions to guarantee the absence of reading or writing of previously used tracers.”

In its decision SAN-2024-019, the CNIL indicates that “these solutions can, for example, consist in modifying the lifetime of cookies to indicate that they have expired (by returning an appropriate “set cookie” header in an http response, specifying an expiry date in the past), which will lead to their deletion by the browser, or, in the case of cookies that do not have the “httpOnly” attribute, ensuring their deletion using a script run locally on the terminal, via the use of web browsers' “cookie” application programming interfaces.”
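As an added illustration of the two mechanisms the decision describes (this is example code, not code from the article, the CNIL or any cited decision), the following JavaScript expires previously consented cookies when consent is withdrawn: on the server through a Set-Cookie header with an expiry date in the past, and on the client through the browser’s cookie API for cookies that do not carry HttpOnly. The cookie names, paths and domain are constructed placeholders.

```javascript
// Added example, not from the article or the CNIL decision: expire cookies that were
// set after consent once the user withdraws it. Names, paths and domain are constructed.
const CONSENT_COOKIES = [
  { name: '_ads_id', path: '/', domain: '.example.com', httpOnly: true }, // only the server can clear it
  { name: '_stats', path: '/', httpOnly: false },                          // script-readable, client can clear it
];

// Set-Cookie value that makes the browser drop the cookie: empty value, Expires in the
// past and Max-Age=0. Path and Domain must match the original cookie exactly, otherwise
// the browser treats this as a different cookie and keeps the old one.
function expireCookieHeader({ name, path = '/', domain }) {
  const parts = [`${name}=`, 'Expires=Thu, 01 Jan 1970 00:00:00 GMT', 'Max-Age=0', `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  return parts.join('; ');
}

// Server side: one Set-Cookie header per previously consented cookie, sent on the
// response to the withdrawal request, e.g. res.setHeader('Set-Cookie', withdrawalHeaders()).
// The server should also stop processing these cookies on later requests, because a
// client that never receives this response would keep sending them.
function withdrawalHeaders(cookies = CONSENT_COOKIES) {
  return cookies.map(expireCookieHeader);
}

// Client side: for cookies without HttpOnly, the consent script can delete them itself by
// assigning an expired cookie string to document.cookie. `doc` is injected so the function
// can be exercised outside a browser; in a page, pass `document`.
function clearClientCookies(doc, cookies = CONSENT_COOKIES) {
  const present = new Set(
    doc.cookie.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean),
  );
  const cleared = [];
  for (const c of cookies) {
    if (c.httpOnly || !present.has(c.name)) continue; // invisible to script or already gone
    doc.cookie = expireCookieHeader(c);
    cleared.push(c.name);
  }
  return cleared;
}
```

Run the server-side function on the withdrawal request and the client-side one from the consent banner’s own script, so that both HttpOnly and script-readable cookies are covered.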

3. Consent not as easy to refuse as to give

How to respond: Make it as simple to withdraw consent as to give it. In its recommendations, the CNIL provides two ways to comply with this obligation: a “refuse all” button or a “continue without accepting” button (usually placed in the top right-hand corner of the banner). Note that this interpretation only applies to France; other EU data protection authorities might not share the same view.

4. Certain multi-purpose cookies can require dissociation or users’ prior consent

A multi-purpose cookie is one used, for instance, for (i) a purpose that falls within the scope of the consent exemptions (e.g. security of the service or authentication of users) and (ii) a second purpose that requires users’ prior consent (e.g. advertising).

The CNIL found that when purposes are combined in a single cookie and some of those purposes are not exempt from consent, prior consent is required. This follows the CNIL’s cookies guidelines[3], which state that the use of the same cookie for several purposes, some of which are not exempt from consent, requires the users’ prior consent (see Article 5). The CNIL has flagged that reCAPTCHA cookies (if they mix security purposes with other purposes subject to consent requirements) fall into this category.

How to respond: Ensure that where multi-purpose cookies are used for both exempted purposes and purposes requiring prior consent, such cookies are either dissociated or treated overall as cookies which require users’ prior consent.

5. Lack of granularity

The CNIL found that it is not enough to state that cookies are placed for analysis and marketing purposes and to improve the user’s website experience as the term “analysis” does not identify the purpose of the analysis nor establish the difference with the purpose attached to the words “to improve your experience on our websites.”

The CNIL also found that the collection of information on users' "browsing habits" to offer them advertisements prevented these advertisements from being qualified as "non-personalised" and that the information provided should match the actual processing carried out.

How to respond: Ensure that the information provided to users in the cookies banner is sufficiently precise to allow users to give informed consent. For instance, avoid using vague labels (e.g., ‘improve your experience of the website’ or ‘help improve our services’) as they do not provide users with sufficient information about the purposes of the cookies.

6. Misleading cookie banners

In December 2024, the CNIL highlighted that in response to numerous complaints from individuals, it issued formal notices to several website publishers, asking them to make changes to their misleading cookie consent banners (see here in French).

The non-compliant practices observed include the following:

  • The refusal option is displayed as a clickable link, with choices of colour, font size and type that significantly highlight the acceptance option over the refusal option;
  • The refusal option blends in with the informational text due to its placement, making it not easily distinguishable;
  • The refusal option is placed next to other paragraphs without sufficient spacing to visually distinguish the refusal of trackers from the rest of the information provided;
  • The acceptance option is presented multiple times in the banner, whereas the refusal option appears only once and in non-explicit terms (“I decline non-essential purposes”).

How to respond: Check the design of your cookie banner to (i) ensure the refusal option is as prominent and accessible as the acceptance option, (ii) avoid design elements that highlight acceptance disproportionately, (iii) present both options with equal frequency to support genuine user choice and (iv) avoid non-explicit terms such as “I decline non-essential purposes”.

If you have any questions or want to explore how these positions impact your business, please get in touch with Gabriel Voisin or Mihnea Dumitrascu.

[1] For this decision, the CNIL has not distinguished between the amount of the fine for breaches of Article 82 and the amount for other breaches.

[2] The cookies placed without consent included third-party cookies.

[3] See here - only available in French.
