
CNIL-Compliant Cookie Banner: Complete Guide 2026

10 December 2025 15 min read DPLIANCE

Your cookie banner is probably non-compliant. This is not a provocation: in 2025 the CNIL (the French data protection authority) imposed nearly 487 million euros in fines, a large share of them for violations of the cookie rules. Google was fined 325 million euros, Shein 150 million. Compliance is no longer a theoretical question; it is a financial, legal and reputational risk that every website publisher must take seriously.

This guide details the exact requirements the CNIL sets for a compliant cookie banner in 2026, the most common mistakes, the prohibited dark patterns, and practical ways to get into compliance.

What the CNIL requires exactly

The legal framework rests on two complementary texts: Article 82 of the French Data Protection Act (Loi Informatique et Libertés, which transposes Article 5(3) of the ePrivacy Directive) and the GDPR, notably Articles 4(11) and 7 on consent.

The CNIL recommendation of September 17, 2020 (deliberation No. 2020-092), adopted alongside the guidelines of the same date (deliberation No. 2020-091), remains the reference text. It was updated in December 2025 to integrate cross-device consent rules. Here are the fundamental principles every publisher must master.

1. Consent must be explicit

Simply continuing to browse does not constitute consent. The user must explicitly click an acceptance button, and no non-essential cookie may be placed before this action.

In practice, this means that scrolling, closing the banner with a cross, or clicking a link on the site does not constitute valid consent. The CNIL explicitly ruled out these practices in its September 2020 recommendation. Only a deliberate click on a button clearly identified as an act of acceptance is admissible.

This requirement has direct technical consequences: your site must be able to function normally without any non-essential cookies as long as the user has not made their choice. Third-party scripts must be technically blocked, not simply hidden behind a visual overlay.

2. Refusing must be as easy as accepting

This is the point where the majority of sites fall short. The CNIL requires that the refusal mechanism be accessible on the same screen and with the same ease as the acceptance mechanism. A colored "Accept" button next to a gray "Settings" link is not sufficient.

The requirement goes beyond the mere presence of a refuse button. The CNIL expects genuine symmetry: same font size, same visual weight, same number of clicks. If acceptance takes a single click, refusal must also take a single click. If the "Accept all" button is green and prominent, the "Refuse all" button must receive equivalent visual treatment.

In January 2022, it was precisely this asymmetry that earned Google a 150 million euro fine and Facebook a 60 million euro fine. Both sites offered a one-click acceptance button, but refusal required navigating through sub-menus and unchecking options one by one.

3. Information must be clear and complete

The user must know, before consenting:

  • Who places the cookies (identity of data controllers and third parties)
  • For what purposes (targeted advertising, audience measurement, content personalization, social media sharing)
  • How to withdraw consent later
  • What retention period is planned for the cookies placed

This information must be written in clear and accessible language, not in impenetrable legal jargon. The CNIL insists that consent be "informed", which presupposes that the user has genuinely understood what they are consenting to. A list of 200 advertising partners presented as a block of text does not meet this requirement.

4. Consent must be granular, purpose by purpose

The user must be able to consent purpose by purpose. Global consent ("accept all") is possible, but it must not be the only option, and category-level detail must remain accessible.

In practice, this means offering at minimum the following categories: audience measurement cookies, advertising cookies, personalization cookies, social media cookies. The user must be able to accept audience cookies while refusing advertising cookies, for example. This level of granularity is a right, not an option.

Grouping distinct purposes under a single checkbox is a violation of the specificity principle. Each purpose must correspond to a distinct and independent choice.

5. The retention period for choices is regulated

The CNIL recommends retaining the user's choice (consent or refusal) for 6 months. Beyond that, the banner must be displayed again. For audience measurement trackers exempt from consent, the recommended lifespan is 13 months maximum.

This 6-month period is a recommendation, not a strict legal obligation. In the event of an inspection, however, the CNIL expects the publisher to be able to justify the chosen duration. A period of 12 or 24 months would be difficult to defend given the minimization principle and the need to keep consent current.

It is important to note that this duration applies to both consent and refusal. If the user refused cookies 6 months ago, it is legitimate to offer the choice again — but without dark patterns or harassment.

6. No cookies before consent

No cookie that is not strictly necessary may be placed before consent is collected. This is the most violated rule: the CNIL sanctioned Shein in September 2025 precisely because advertising cookies were placed on arrival at the site, before any interaction with the banner.

The technical difficulty is real. Many sites integrate third-party scripts in the <head> of their HTML pages: Google Analytics, the Facebook pixel, live chat scripts, A/B testing tools. These scripts place cookies as soon as they load, before the banner is even displayed.

To be compliant, your CMP (Consent Management Platform) must technically block the execution of these scripts. Not a cosmetic block (a banner displayed on top of a page that has already loaded the trackers) but a real block, verifiable by inspecting network traffic. This is exactly what the CNIL tests during its online inspections.
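One way to implement this blocking, as an added example that is not Cookilio's code or the CNIL's: third-party tags are shipped as inert `<script type="text/plain" data-purpose="..." data-src="...">` elements, which the browser never fetches, and are swapped for real script tags only once the matching purpose has been accepted. The purpose names, the sample script list and the cookie-to-purpose mapping are assumptions for illustration.

```javascript
// Added example, not Cookilio's or the CNIL's code: consent-gated activation of
// third-party scripts. Tags ship in the HTML as inert
//   <script type="text/plain" data-purpose="advertising" data-src="https://..."></script>
// so nothing is fetched until the matching purpose has been accepted.
// Purpose names and the sample script list below are assumptions for illustration.

const PURPOSES = ["audience_measurement", "advertising", "personalization", "social_media"];

// A consent object records an explicit true/false per purpose. null means the
// user has not chosen yet and is treated exactly like a refusal.
function emptyConsent() {
  const consent = {};
  for (const p of PURPOSES) consent[p] = null;
  return consent;
}

// Decide which script descriptors may be activated under a given consent object.
// descriptors: [{ id, purpose, src }]  ->  { allowed: [...], blocked: [{ ..., reason }] }
function selectActivatable(descriptors, consent) {
  const allowed = [];
  const blocked = [];
  for (const d of descriptors) {
    if (!PURPOSES.includes(d.purpose)) {
      blocked.push({ ...d, reason: "unknown purpose" }); // fail closed on mislabelled tags
    } else if (consent[d.purpose] === true) {
      allowed.push(d);
    } else {
      blocked.push({ ...d, reason: consent[d.purpose] === false ? "refused" : "no choice yet" });
    }
  }
  return { allowed, blocked };
}

// A loaded script cannot be unloaded, so when a purpose is refused (or consent
// withdrawn) the cookies it owns must be expired. cookieOwners maps cookie
// name -> purpose; the mapping is assumed and would be maintained with the cookie policy.
function cookiesToExpire(cookieNames, cookieOwners, consent) {
  return cookieNames.filter((name) => {
    const purpose = cookieOwners[name];
    return purpose !== undefined && consent[purpose] !== true;
  });
}

// Browser-only: swap each allowed inert tag for a live <script>. Guarded with a
// typeof check so the pure functions above can also be exercised under Node.
function activateInBrowser(consent) {
  if (typeof document === "undefined") return 0;
  const inert = Array.from(document.querySelectorAll('script[type="text/plain"][data-purpose]'));
  const descriptors = inert.map((el, i) => ({
    id: el.id || `inert-${i}`, purpose: el.dataset.purpose, src: el.dataset.src, el,
  }));
  const { allowed } = selectActivatable(descriptors, consent);
  for (const d of allowed) {
    const live = document.createElement("script");
    if (d.src) live.src = d.src; else live.textContent = d.el.textContent;
    d.el.replaceWith(live);
  }
  return allowed.length;
}

// Constructed sample: three tags as they might appear in a page head.
const SAMPLE_SCRIPTS = [
  { id: "ga", purpose: "audience_measurement", src: "https://www.googletagmanager.com/gtag/js" },
  { id: "fbq", purpose: "advertising", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { id: "chat", purpose: "personalization", src: "https://chat.example.com/widget.js" },
];
```

With an empty consent object nothing is activated, which is the state the page must be in before the user clicks; a choice of "audience measurement only" activates the `ga` tag and lists `_fbp` among the cookies to expire. Note that the inert-tag approach only covers scripts the CMP knows about: a tag injected by another tag (a tag manager container, for instance) must itself be gated.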

7. Proof of consent must be retained

Article 7 of the GDPR is explicit: the data controller must be able to demonstrate that the individual has consented. This means retaining timestamped, identifiable and verifiable proof of each user's choice.

Valid proof must contain at minimum:

  • A technical identifier allowing retrieval of a given user’s choice (not necessarily a name, but a unique identifier)
  • A precise timestamp of when consent was collected
  • The detail of purposes accepted and refused by the user
  • The version of the banner presented at the time of the choice (the informational content displayed)

A local cookie containing consent=true does not constitute admissible proof. The user can delete it, a script can modify it, and above all the publisher cannot present it to the CNIL as reliable evidence. Proof must be stored server-side, in a store the client cannot alter, for as long as the choice is relied on.

Dark patterns prohibited by the CNIL

In December 2024, the CNIL issued formal notices to several publishers for using dark patterns in their cookie banners. Dark patterns are design techniques that manipulate the user into a choice that is not in their interest. Here are the practices that constitute characterized violations.

The oversized “Accept” button

Presenting the acceptance button in a bright color and a large font while the refusal option is a barely visible text link. The CNIL considers that this visual asymmetry biases the user's choice and invalidates the "free" nature of consent.

For example, an "Accept all" button in green with 16px text and generous padding, next to a "Customize my choices" link in light gray at 12px, constitutes a dark pattern. Both options must receive equivalent visual treatment.

Refusal buried in settings

Forcing the user to navigate through sub-menus or successive pages to refuse cookies, while a single click is enough to accept. This is exactly the criticism leveled at Google and Facebook in January 2022, which cost them 150 and 60 million euros in fines respectively.

The classic pattern: a first screen with “Accept all” and “Customize”, then a second settings screen with categories to uncheck one by one, then a “Save my choices” button. Three clicks to refuse, one to accept. This is prohibited.

Ambiguous language

Formulating refusal in convoluted terms such as "I decline non-essential purposes" instead of a simple "Refuse all". Linguistic ambiguity is a dark pattern identified by the CNIL. Vocabulary must be simple, direct and understandable by everyone.

Other problematic wordings include "Continue without accepting" (which suggests a form of waiver), "Later" (which is not a refusal) and "Close" (which expresses no clear choice). The CNIL expects explicit and unambiguous wording.

Multiple “Accept” buttons

Presenting multiple acceptance buttons while the refusal button appears only once, buried in the text. For example, an “Accept all” button at the top of the banner and another “Accept and continue” at the bottom, but a single “Refuse” in small text in the middle. This multiplication visually unbalances the options.

Pre-checked boxes

Any pre-checked box for a non-essential cookie invalidates consent. Consent must be a positive action, not a default the user has to actively cancel. This rule comes directly from the Planet49 ruling of the Court of Justice of the European Union (October 1, 2019), confirmed and adopted by the CNIL in its guidelines.

Recurring banner after refusal

Displaying the banner on every page or after a few seconds when the user has refused cookies constitutes a form of harassment. The user’s choice must be respected for the entire planned retention period (6 months recommended). Insistently requesting consent again after a refusal amounts to exerting pressure that invalidates the “free” nature of consent.

The most common mistakes

Beyond deliberate dark patterns, many sites commit good-faith errors that nevertheless expose them to sanctions.

Mistake 1: Scripts loaded before consent

A Google Analytics tag, a Facebook pixel or a live chat script loaded in the page's <head>, before the banner is displayed. Even if the banner is present, the damage is done: the cookies are already placed.

This error is the most common and the most severely sanctioned. It usually results from a defective technical integration: the CMP is installed, but the third-party scripts are not conditioned on consent. To verify, open your browser's developer tools (Network tab), clear all cookies, reload the page and observe the network requests before interacting with the banner. If you see calls to analytics, advertising or social media domains, or Set-Cookie headers other than your own strictly necessary cookies, your site is not compliant.
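The manual Network-tab check above can be repeated over a HAR export so it is run on every release. The following is an added example, not code from the article or from Cookilio: it walks a request capture and reports every request started before the user's first interaction that goes to a third-party host, or that sets a first-party cookie not on the strictly necessary list. The entry shape mimics a HAR log, the capture itself is constructed, and the host and cookie allowlists are assumptions.

```javascript
// Added example, not part of the article: auditing a request capture for calls
// and cookies that occur before the user's first interaction with the banner.
// Entries mimic a HAR export from the browser's Network tab (url, startedDateTime,
// response headers); the capture below is constructed, as are the allowlists.

// Registrable-domain approximation (last two labels). Good enough for .com/.fr
// hosts; a real audit would consult the Public Suffix List.
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns findings for every request started before `consentedAt` (ISO timestamp,
// or null when the user never interacted) that either goes to a third-party host
// not on the strictly-necessary host list, or sets a first-party cookie not on
// the strictly-necessary cookie list.
function auditPreConsent(entries, opts) {
  const { firstPartyHost, consentedAt = null, necessaryHosts = [], necessaryCookies = [] } = opts;
  const firstParty = site(firstPartyHost);
  const cutoff = consentedAt ? Date.parse(consentedAt) : Infinity;
  const findings = [];
  for (const e of entries) {
    if (Date.parse(e.startedDateTime) >= cutoff) continue; // after the choice: not this check's concern
    const host = new URL(e.url).hostname;
    const cookies = ((e.response && e.response.headers) || [])
      .filter((h) => h.name.toLowerCase() === "set-cookie")
      .map((h) => h.value.split(";")[0].split("=")[0].trim());
    const thirdParty = site(host) !== firstParty && !necessaryHosts.includes(host);
    if (thirdParty) {
      // Flagged even without Set-Cookie: tag scripts usually set cookies from JavaScript.
      findings.push({ url: e.url, issue: "third-party request before consent", cookies });
      continue;
    }
    const unexpected = cookies.filter((c) => !necessaryCookies.includes(c));
    if (unexpected.length) {
      findings.push({ url: e.url, issue: "first-party cookie before consent", cookies: unexpected });
    }
  }
  return findings;
}

// Constructed capture: page load at 12:00:00, user clicks "Refuse all" at 12:00:10.
const SAMPLE_ENTRIES = [
  { url: "https://www.example-shop.fr/", startedDateTime: "2026-01-15T12:00:00.000Z",
    response: { headers: [{ name: "Set-Cookie", value: "PHPSESSID=abc123; Path=/; HttpOnly; Secure" }] } },
  { url: "https://cdn.example-shop.fr/app.css", startedDateTime: "2026-01-15T12:00:00.150Z",
    response: { headers: [] } },
  { url: "https://www.example-shop.fr/cmp.js", startedDateTime: "2026-01-15T12:00:00.200Z",
    response: { headers: [] } },
  { url: "https://www.googletagmanager.com/gtag/js?id=G-TEST123", startedDateTime: "2026-01-15T12:00:00.420Z",
    response: { headers: [] } },
  { url: "https://connect.facebook.net/en_US/fbevents.js", startedDateTime: "2026-01-15T12:00:00.480Z",
    response: { headers: [] } },
  { url: "https://ad.doubleclick.net/ddm/activity/src=1", startedDateTime: "2026-01-15T12:00:01.100Z",
    response: { headers: [{ name: "Set-Cookie", value: "IDE=xyz; Domain=.doubleclick.net; Path=/" }] } },
  { url: "https://www.example-shop.fr/api/consent", startedDateTime: "2026-01-15T12:00:10.050Z",
    response: { headers: [{ name: "Set-Cookie", value: "consent_choice=refused; Path=/; Max-Age=15552000" }] } },
];
const SAMPLE_OPTS = {
  firstPartyHost: "www.example-shop.fr",
  consentedAt: "2026-01-15T12:00:10.000Z",
  necessaryHosts: [],
  necessaryCookies: ["PHPSESSID"],
};
```

On the constructed capture the audit returns three findings (Google Tag Manager, the Facebook pixel and a DoubleClick request that also sets an `IDE` cookie), while the session cookie and the consent-recording call after the click are accepted. Run with `consentedAt: null` to simulate a user who never interacts, which is also the state in which the CNIL performs its checks.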

Mistake 2: No way to withdraw consent

The user has accepted cookies but cannot easily change their mind. The CNIL requires that the withdrawal mechanism be accessible at all times and as simple as the initial consent.

In practice, this means that a link or button allowing the consent banner to be reopened must be permanently accessible — typically via a floating icon, a footer link, or an entry in the privacy policy. The user should not have to manually clear their cookies to be able to make their choice again.

Mistake 3: Absence of proof

Many CMPs (Consent Management Platforms) record the user's choice in a local cookie but keep no server-side proof. In the event of a CNIL inspection, the publisher cannot demonstrate that consent was collected in accordance with the requirements.

This is a frequent blind spot: the publisher has invested in a visually compliant banner but has no means of proving that consents were actually collected. Article 7 of the GDPR is unambiguous on this point.

Mistake 4: Overly generous “strictly necessary” cookies

Some publishers classify audience measurement or personalization cookies as "strictly necessary" to avoid asking for consent. The CNIL applies strict criteria: only cookies indispensable to the technical functioning of the service the user requested are exempt.

Session cookies, authentication cookies, shopping cart cookies and security cookies (CSRF tokens) are considered strictly necessary. A Google Analytics cookie, a content personalization cookie or a chatbot cookie is not, even if you consider the feature "necessary" for your business. The only exception is audience measurement configured to meet the CNIL's exemption conditions (first-party, strictly aggregated statistics with no cross-site tracking), which a standard Google Analytics setup does not satisfy.

Mistake 5: Lack of updates

Recommendations evolve. The December 2025 update on cross-device consent adds new obligations for sites with authentication. A banner configured in 2021 is probably no longer compliant in 2026.

Beyond regulatory changes, your own site evolves: you add new scripts, new advertising partners, new features that place cookies. Each technical modification must be reflected in your consent banner and in your cookie policy.

Mistake 6: An outdated cookie policy

The consent banner links to a cookie policy that has not been updated in years, that does not list the cookies actually used, or that does not name the third parties placing trackers. This policy must be a living document, updated with every change to your technical architecture.

Recent sanctions table

The numbers speak for themselves:

Company | Amount | Date | Main reason
Google | EUR 325M | September 2025 | Cookies placed without consent during account creation
Shein | EUR 150M | September 2025 | Advertising cookies placed before banner interaction
Google | EUR 150M | January 2022 | Cookie refusal more complex than acceptance
Facebook | EUR 60M | January 2022 | Cookie refusal more complex than acceptance
American Express | EUR 1.5M | November 2025 | Non-compliance with cookie rules
Condé Nast (Vanity Fair) | EUR 750,000 | November 2025 | Cookies placed despite user refusal

These sanctions show a clear trend: the CNIL no longer limits itself to the digital giants. Companies of all sizes are affected, and the CNIL has explicitly urged all private and public organizations to audit their websites and mobile applications.

How Cookilio meets each requirement

At DPLIANCE, we believe that consent is not an obstacle to circumvent. It is a commitment to honor. Cookilio was designed to meet each CNIL requirement specifically.

Explicit consent: the multi-step banner (wizard) guides the user through a clear journey, without manipulation. Each step presents information in a readable and understandable way.

Acceptance/refusal symmetry: the “Refuse all” button is always present at the same level and with the same visibility as “Accept all”. No dark patterns, no visual asymmetry.

Zero scripts before consent: Cookilio technically blocks the execution of all third-party scripts until the user has made their choice. No default cookie placement — a real block verifiable by network inspection.

Server-side consent proof: each choice is recorded server-side with a unique correlation ID and a timestamp. In the event of an inspection, you have complete proof: identifier, date, purpose detail, banner version.

Self-hosting: consent data remains on your own servers. No transit through a third-party service. Total sovereignty over your data.

Ultra-lightweight widget: built in Preact, the Cookilio widget minimizes the impact on your site’s performance. Your Core Web Vitals stay green — an SEO criterion that many CMPs degrade.

Accessible consent withdrawal: a floating widget allows the user to modify their choices at any time, in one click.

Discover Cookilio — starting at EUR 9 excl. tax/month.

FAQ

Do I need a cookie banner on my site?

Yes, as soon as you place cookies that are not strictly necessary. This includes audience measurement cookies (except those exempted by the CNIL under strict conditions), advertising cookies, social media cookies and personalization cookies. Even a simple Facebook share button or an embedded YouTube widget places trackers that require prior consent.

What are the risks of non-compliance?

The CNIL can impose fines of up to 4% of annual worldwide turnover. Recent sanctions show that it does not hesitate to strike hard: 325 million euros for Google, 150 million for Shein. SMEs are not spared: in 2024 the CNIL announced that it was urging all private and public organizations to audit their sites. Beyond the fine, a public CNIL sanction has a significant reputational impact: decisions are published on the CNIL website and picked up by the press.

Does scrolling or continuing to browse count as consent?

No. The CNIL explicitly ruled out this practice in its September 2020 recommendation. Consent must result from a clear positive action, typically a click on a dedicated button. Scrolling, closing the banner or navigating to another page do not constitute valid consent.

How long can I keep the user's choice?

The CNIL recommends 6 months as best practice for retaining the user's choice. Beyond that, the banner must be displayed again to renew it. This duration applies to both consent and refusal. For audience measurement trackers exempt from consent, the cookie lifespan is limited to 13 months maximum.

Are cookie walls allowed?

Under strict conditions. The French Council of State ruled on June 19, 2020 that the CNIL could not prohibit cookie walls in a general manner. The CNIL has since published strict criteria: there must be an equivalent alternative (for example paid access at a reasonable price), no discrimination in access to content, and full transparency about the mechanism. Public services and sites in a monopoly position cannot use cookie walls.

How to verify if my banner is compliant?

Perform a three-step audit. First, visually verify that the refusal button is as visible as the acceptance button, on the same screen, with the same number of clicks. Then, technically verify that no non-essential cookie is placed before banner interaction (browser developer tools, Network tab). Finally, verify that you retain server-side proof of each consent collected. If any of these three points is deficient, your banner is not compliant.


Sources:

  • CNIL, Cookie recommendation of September 17, 2020
  • CNIL, Cookie rules
  • CNIL, Dark patterns in cookie banners
  • CNIL, Google EUR 325M sanction
  • CNIL, Shein EUR 150M sanction
  • CNIL, Cross-device consent recommendation