What are the new requirements of the CNIL for CMPs?

"What matters is not the proof of consent but the proof that it is valid."

On September 17th, 2020, the CNIL (National Commission on Informatics and Liberty) the French data protection authority, issued recommendations to ensure a greater protection of the personal data of Internet users.

The new requirements of the CNIL clarified some specifications  of the GDPR (General Regulation on Data Protection) applicable throughout the European Union since May the 25th, 2018.

They mainly clarify the notion of user consent and therefore deepen the requirements for the use of CMP (Consent Management Platform).

With regards to the collection of consent, the presence of  CMPs on a website is not sufficient in itself as a proof of the publishers' compliance with current regulations.
Their use must above all comply with specific and precise rules issued by the ePrivacy regulation, by the GDPR and recently reminded by the CNIL in France.

What do these recommendations consist of?

We have grouped these recommendations into four distinct requirements based on the will to respect the choice of Internet users as much as possible:

  • The consent must be prior to the deposit of cookies or any other tracer
  • Consent must be a free, specific, unambiguous and informed expression of will.
  • Consent must be easily withdrawn at any time by the user.
  • Proof of consent must be demonstrable

The CNIL, through these recommendations, seeks to protect the personal data of Internet users and to implement a better application of the GDPR and the ePrivacy law by market players.

It should be remembered that what is called a cookie is similar to a small file deposited on a user's hard drive via the browser, when consulting websites.

The purpose of the latter is to store information about the Internet user (including, where appropriate, personal data, such as navigation, pages visited, preferences ...) for later connection as an ID or tracking identifier.

This is why it seemed essential, in order to respect the user's privacy, that consent be a priority and that it be taken into account prior to the deposit of any cookies or other tracking identifiers.


With its new recommendations, the Commission insists again on the conditions for the application of a valid request for consent, reminding that consent must be conditioned on the presence of 4 distinct attributes: free, informed, specific and unambiguous.

Free, means the consent can be valid only if the user is able to freely exercise his choice and that the user must always have the possibility to accept as well as not to accept the reading and/or writing operations.

Informed consent means users must be informed of the purposes of the trackers present on the site they visit in order to be able to consent or not to their use.

Specific, means the user must be able to consent independently and specifically to each distinct purpose and each site visit if applicable.

Finally, the CNIL insists on the fact that consent must be unambiguous. That is to say that the Internet user must have the possibility to carry out an action in a completely voluntary way, which implies, for example, to press the "accept" button consciously.


Users who gave their consent to the use of tracers must be able to withdraw it at any time. Indeed, the Commission reiterates that it must be as simple to withdraw consent as it is to give it.

Users must therefore be informed in a simple and intelligible manner, even before giving their consent, of the solutions available to them for withdrawing it.

In practice, the Commission calls for solutions enabling users to withdraw their consent to be easily accessible at all times.

For example, there are two predominantly used solutions referring to the management of cookies:

  • The provision of a link (privacy) in the menus accessible at all times
  • Or the provision of a button usually at the bottom of the page.

Those responsible for the processing of personal data must be able to demonstrate that the user has given his/her consent and must implement mechanisms that allow them to demonstrate t they have validly collected it.

Also, to ensure greater protection of the choice of Internet users, the CNIL recommends that websites should keep the refusal of Internet users to consent for a period of up to 13 months before being able to offer them again to make their choice.

It is about not re-interrogating the Net surfer each time he is visiting a webiste.

This said, it does get rid off the possibility for the users to modify their choice at any time.

Which are the actors to whom these recommendations will mainly apply?

As stated by the CNIL, the guidelines of September 17, 2020 are mainly applicable to all organizations that use tracers either :

- Publishers of websites and mobile applications;

- Advertising agencies;

- To certain social networks.


Why such a reinforcement?

The CNIL's desire to strengthen the enforcement of the law concerning the protection of personal data, and more specifically consent or the collection of consent, is part of the objective to better inform each Internet user of his rights and freedoms when surfing on the Internet regardless of the equipment used.

The commission also reminded in its recommendations, that in accordance with the jurisprudence of the Council of State of October 16, 2019, the CNIL will be able from March 2021, to prosecute the actors of the digital ecosystem who do not respect the stated requirements concerning the respect of privacy.

What are the issues for players in the advertising and digital marketing sector?

The commission recommended that the interface for collecting consent should no longer include only an "accept all" button, but also the possibility of not giving consent should be left open, under the same conditions.

This requirement may be perceived by the advertising and marketing sector as a brake on its activity insofar as it will limit access to the personal data of Internet users.
The risk is indeed, that the majority of the people visiting a site do not give their consent to the deposit of cookies from now on, because of fear or ignorance of the purposes of these various tracers.

It is from this perspective that the question of the legality of the cookie wall has grown.

This practice, which aims to block access to a site or a mobile application for any user who does not give his consent, raises certain questions, in particular about its respect for the protection of personal data.

Indeed, in 2019, the CNIL had banned the use of cookie walls insisting that it was precisely contrary to the free and informed consent of users. But this ban was considered as an excess of power of the commission, by the Council of State, in a decision rendered on June 19th, 2020.
Today, requests for the practice of cookie walls must be specifically examined by the CNIL before any application.

There are therefore real issues at stake for web players, especially since other tougher measures are expected such like the end of third party cookies in particular.

These cookies, not deposited by the operator of the website but by a third party, may indeed disappear in 2022, following decisions taken in particular by the giant of the web, Chrome. This will force the advertising and marketing industry to change its habits and learn to work differently.

All these current issues surrounding the protection of personal data therefore necessarily implies a general renewal for the entire digital ecosystem, which will have to find the appropriate solutions to the new rules in order to reinvent itself efficiently and quickly.

A solution can already reply to part of these issues : contextual targeting. This technique, used at Sirdata, enables real-time analysis of the content of a page and everything it contains in order to understand the context of the page and deduce the intention of a web user without using any cookie.

Other solutions have also been thought of to overcome these difficulties and have been discussed during several webinars in which our team has participated.

Indeed, we find the mention of these different solutions in the webinar of April 30th, 2020 organized by Yanis Sif, Consultant at Digilityx, with Thibault Montanier, Data Manager & Integration Specialist at Sirdata, and that you can find in his transcript here.

Quel visage pour un monde post-cookies?
Quel visage pour un monde post-cookies?

These topics were also discussed in the webinar organized by Equancy, on December 9th, 2020, with Benoît Oberlé, CEO & Founder at Sirdata, to help the actors of the digital ecosystem to rethink their digital and data strategies!

As well as in the most recent one, held on December 10th, 2020 by Iab France, in which Thibault Montanier and Arnaud Sirjacq, Sirdata Sales Director, participated.

Quel futur pour le ciblage sans cookies-tiers ?
Quel futur pour le ciblage sans cookies?