The French Data Protect Authority, the CNIL, is pursuing its global strategy to ensure compliance of companies that use cookies. In a press release published on Monday, July 19, the Commission announced a second series of formal notices targeting approximately forty companies whose websites and cookie banners still do not comply with the recommendations and guidelines that came into force on April 1, 2021. The second series of notices have been issued after the first series in May 2021, issuing notices to at least twenty companies. The CNIL aims to continue its controls and will adopt, if necessary, new corrective measures against companies that do not comply with its latest recommendations and guidelines. 

Despite the first set of warnings in May, some organizations are still not compliant with the regulatory requirements on cookie management. According to the CNIL, “This situation is not acceptable”. As a result, the president of the CNIL has decided to issue new formal notices to 40 companies that have from July 19 until September 6, 2021, to comply.   

Sign up today for OneTrust’s CNIL Cookie Compliance Toolkit  

Which organizations are affected by these notices?  

Without revealing the names of the companies and organizations concerned, the CNIL listed the following types of companies that received notices:  

  • Four major platforms in the digital economy 
  • Six major manufacturers of computer hardware and software 
  • Six companies selling consumer goods online 
  • Two major players in online tourism 
  • Three car rental companies 
  • Three major players in the banking sector 
  • Two major local authorities 
  • Two online public services 
  • An energy company 

Companies face fines of up to 2% of their revenues 

The Commission insists that these measures are complementary to the procedures underway before its restricted formation (body in charge of imposing sanctions). They could lead to heavy fines of up to 2% of the company’s revenues.  

CNIL controls are permanent, and companies must comply to avoid heavy repercussions. Other verification and corrective measures will be carried out in the fall to ensure the respect of French Internet users’ privacy. The CNIL has been carrying out rigorous work for the past two years, which culminated on October 1, 2020, with the adoption of Guidelines and a Recommendation. Companies have had six months to comply with them (the deadline was April 1, 2021).  

 Reminder of the recommendations published on October 1, 2020  

The CNIL’s recommendations provide more context on how the CNIL expects companies to handle cookies and other electronic communication data in France.  

The CNIL has put forward the following guidelines and recommendations:   

  • Browsing the website (“Soft opt-in”) no longer constitutes the expression of a valid consent, and the deposit of cookies other than those strictly necessary for the functioning of the service are conditioned to a clear positive act from the user,     
  • A “Refuse all” button is recommended, from the first layer of information,    
  • The purposes must be clearly presented from the first layer of information,     
  • Visitors should be provided with a mechanism to update their preferences and withdraw their consent at any time, for example by using a static button to access the cookie settings,    
  • Visitors should have access to an up-to-date and structured list of actors using the trackers,     
  • Organizations, including their third-party actors, must be able to demonstrate at all times the validity of the consents collected to use the trackers,    
  • Some trackers, such as authentication cookies, traffic statistics cookies or cookies that limit the presentation of free content, are not subject to consent.  

 Are the CNIL guidelines relevant to your website?  

Any website or mobile application that targets French visitors (e.g., offering content in French, or shipping or buying in France) is subject to French cookie requirements. Therefore, if your international website or mobile application targets (among others) the French market or users, you must ensure that you comply with the requirements set forth by French law and CNIL guidelines and recommendations.  

How does OneTrust help?  

Wherever you are in your compliance journey, OneTrust’s toolkit provides resources to understand the CNIL recommendations and helps you implement compliant cookie banners. Download your toolkit today to fast-track your compliance program with a comprehensive set of tools and resources, including tips and checklists, pre-configured templates, and your first domain for free.   

Resources include:    

  • eBook: CNIL Cookie Compliance: What’s Changed?    
  • White Paper: CNIL Recommendations: A Practical and Legal Guide   
  • Checklist: Cookies and CNIL: Guidelines and checklist   
  • Infographic: How to start your cookie consent management program 
  • First free domain
  • Step-by-step implementation guides
  • 24/7 support for both deployment and maintenance  


Relevant Resources : 

Read the blog post: OneTrust CNIL Cookie Guidelines Toolkit

Watch the webinar: CNIL Issues Fine for Emails Sent without Consent

Read the blog: France: CNIL’s cookies guidelines and recommendations enter into force