France

Can you place cookies without consent?

No. Article 5(3) of Directive 2002/58/EC, amended in 2009, establishes the principle of prior consent of the user before storing information on their terminal or accessing information already stored on it; except if these actions are strictly necessary for the provision of an online communication service expressly requested by the user or have the sole purpose of enabling or facilitating communication by electronic means.

Article 82 of the French Data Protection Act transposes these provisions into French law.

The French Data Protection Authority (the “CNIL”) underlines that the consent provided for by these provisions refers to the definition and conditions set forth in Articles 4(11) and 7 of the GDPR. The consent must therefore be freely given, specific, informed and unambiguous, and the user must be able to withdraw it at any time. It must be as easy to withdraw as to give consent.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes. The CNIL carries out online investigations. Since the end of 2020, the CNIL has imposed several fines for violations of cookie rules. As the CNIL is very active in terms of enforcement, rules are followed in practice. From December 2022 to December 2023, the CNIL issued combined fines of more than €85 million for breaches of Article 82 of the French Data Protection Act. These fines were mainly due to companies not respecting users' cookie preferences and preventing users from easily refusing cookies. The most recent and largest fine was imposed on 29 December 2023. A company was fined €10 million for disregarding users' choices to reject cookies on its website and for not allowing users to freely revoke their consent to cookies. These enforcement actions illustrate the CNIL's keen interest in this area.

Are there any exemptions if consent is required?

Yes. Some cookies are exempt from requiring consent to place them. These are cookies which are strictly necessary for the provision of an online communication service expressly requested by the user or cookies that exclusively aim to allow or facilitate the communication by electronic means. These cookies do not require the consent of the users, but the users must be informed of their use, and you must remind users that browser settings can allow them to block cookies, but with potentially negative effects for the functioning of the website.

List of exempt cookies that do not require consent:

  • Cookies recording the choice expressed by the users on the placement of cookies;
  • Cookies intended for authentication of a user that attempts to access a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts;
  • Cookies intended to keep track of the contents of a shopping cart on a merchant site or to invoice the user for the product(s) and/or service(s) purchased; 
  • Cookies for personalizing the user interface (for example, for the choice of language or the presentation of a service), when such personalization constitutes an intrinsic and expected element of the service;
  • Cookies used for the purposes of load balancing traffic to a website; 
  • Cookies allowing paying websites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period); and
  • Certain types of analytics cookies (“cookies de mesures d’audience”), under certain conditions. Notably they must be first party cookies and the personal data collected must not be cross-referenced with other processing operations or shared with third parties. 

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

No. Only cookies strictly necessary for the provision of an online communication service expressly requested by the user or cookies, that exclusively aim to allow or facilitate a communication by electronic means, as well as certain types of analytics, can be placed automatically. Please see our answer above.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No. According to the CNIL Guidelines of September 2020 and Article 29 Working Party Guidelines about consent of 10th April 2018, continuing to browse on a website can no longer be considered as a valid expression of the user’s consent to the deposit of cookies. In the absence of consent expressed by a clear positive act, the user must be considered to have refused the cookies. 

Can you set cookies without a cookie notice? 

No. According to the CNIL’s Guidelines, Articles 4(11), 7 and 13 of the GDPR and Article 82 of the French Data Protection Act, the user must consent in an informed manner i.e. they must have access to clear and complete information on what they consent to.

The information must be drafted in simple terms that can be understood by all and that allows users to be duly informed of the different purposes of the cookie used. The information must be complete, visible and highlighted. For example, a reference to the General Conditions of Use is not sufficient.

The following information must be provided to users:

  • Identity of data controllers (an exhaustive and regularly updated list of all data controller must be provided to the users);
  • Purposes; 
  • Categories of cookies;
  • How to accept/ refuse cookies; 
  • Consequences that result from the refusal of cookies; and 
  • The right to withdraw consent, and how to withdraw it in practice. 

Can you set cookies without a cookie banner/ management tool?

No. A cookie banner/ management tool must be made available to the user in order to collect and manage its preferences.

The CNIL recommends using a layered approach:

  • 1 st level of information provided through a cookie banner/ pop-up, at the time of consent collection;
  • and - 2 nd level of information (via a drop-down menu, hyperlink or link to the cookie policy).

Further, the tool must be organised in a manner that the users can choose to accept all cookies, to refuse them all, or to personalize their choices. The CNIL highlights that the “buttons and fonts must be the same size, easy to read, and highlighted in the same way” in order to obtain a free and informed consent.

In addition to the first level of information provided via the cookie banner/ pop-up, a more detailed description of the purposes should be easily accessible on the Consent Management Platform (‘CMP’). The detailed description can be provided by a scroll down button that the user can activate which then display a detailed description of the purposes or via a hyperlink.

Interfaces should not incorporate deceptive design practices, such as faded buttons, slider bars that are difficult to understand, sliders activated by default, etc.

Are you able to use cookie walls? 

The CNIL declared the practice of cookie walls illegal in its 2019 Guidelines.

However, the French Highest Administrative Court (Council of State, “Conseil d’Etat”), ruled that the CNIL could not impose a general and absolute ban of the cookie wall practice (Decision from the French Council of State of 19th June 2020).

Following this Decision, the CNIL reviewed its Guidelines in September 2020 and declared that it will determine on a case-by-case basis whether consent from individuals is free and whether a cookie wall is lawful or not. The CNIL indicated that it will pay close attention to the existence of real and satisfactory alternatives, in particular when provided by the same website editor, when the refusal of unnecessary cookies blocks access to the proposed service. The alternatives can include, for instance, a subscription, partial access to content or access to a limited amount of content. In decision SAN-2023-024, the CNIL found that users who chose to withdraw their consent were disadvantaged as they could no longer use the email service since no alternative (e.g., a paid e-mail service) was offered.

Pending a legislation or a ruling Court of Justice of the European Union, the CNIL published in May 2022 remains the criteria for assessing the conformity of cookie walls.  

Is the local regulator currently enforcing decisions against breaches of cookie rules?

Yes. See our answer to question 2 above.

Since 2020 and the adoption of its latest Guidelines and Recommendations on cookies, the CNIL has launched various initiatives to ensure that companies comply with these guidelines including online investigations. These controls led to formal notices (orders to comply) and sanction procedures. As outlined in question 2 above, from December 2022 to December 2023, the CNIL issued combined fines of more than €85 million for breaches of cookies rules.

In 2022, the CNIL received more than 300 complaints concerning websites that did not seem to comply with cookie rules (an increase of 26% over 2021).

Cookie compliance within mobile applications is explicitly mentioned in CNIL’s inspection priorities for 2023. It is also expected that the CNIL will keep monitoring closely compliance with its Guidelines and Recommendations regarding the use of cookies on websites.

Are there any current consultations relating to ad tech/cookies?

CNIL is active in the field of AdTech. It has already opened investigations against AdTech players in France. The CNIL also regularly publishes articles on the AdTech field in its Digital Innovation Laboratory blog (Laboratoire d’Innovation Numérique, ‘LINC’). For instance, the CNIL addressed issues relating to Real Time Bidding in the online advertising industry. CNIL has also been consulted by the French Competition Authority in a competition case related to the deployment by Apple of the “App Tracking Transparency” (or “ATT”). The CNIL has also recently published on its website an article mentioning alternatives to the use of third-party cookies. The CNIL also published in May 2023 the impact of its cookie action plan and the results of surveys carried out.

In addition, the CNIL has initiated a series of workshops with relevant French trade bodies to delve into the subject of pixel tags used in emails. The inaugural workshop was held in September 2023, with the final scheduled sessions expected to take place in the first quarter of 2024. This series of workshops highlight the CNIL's interest in the matter. 

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

None that we are aware of.