ICO and CNIL revised cookies guidelines: convergence and divergence

By Gabriel Voisin, Ruth Boardman, Clara Clark Nevola


In July 2019, the UK (ICO) and French (CNIL) Data Protection Authorities published new guidance on the use of cookies. The table below sets out, topic by topic, where the two authorities agree and where they differ.

Rules applicable to cookies only?

No. Both authorities consider that the rules apply to any technology that stores or accesses information on the user's device (e.g. pixels, SDKs in mobile applications, local shared objects, browser fingerprinting techniques, etc.).

Implied consent

Both authorities stress that users must give freely given, specific, informed and unambiguous consent before a cookie is set. Both highlight that a user continuing to browse a website does not amount to consent.

Granular consent

Both authorities are clear that T&Cs cannot be used as a method for obtaining consent, as this breaches Article 7(2) GDPR (a request for consent must be clearly distinguishable from other matters). Consent must cover each purpose for which personal data will be processed (i.e. each purpose for which cookies are used). Both authorities accept that organisations can offer, in the first consent layer, a global consent for all cookies that require consent. The CNIL additionally requires a second layer that allows the user to consent to each purpose separately. This is not spelt out in the ICO guidance but, based on the ICO's own practice, is likely to be regarded as best practice.

List of parties

Both authorities make it clear that, in order for consent to be informed, the user must be able to identify all parties placing cookies. This means that organisations should name all parties who will rely on users' consent.

Browser settings

The view of both authorities is that, currently, relying solely on browser settings is not enough to have valid consent. Both consider that in the future, browser settings are likely to be adapted to ensure valid consent can be collected through them.

Territorial scope

The rules on cookies apply even where no personal data is processed. Where personal data is processed, the territorial scope rules in Article 3 of the GDPR apply as well. This is stated in the ICO guidance but not in the CNIL guidance (although French law follows the same approach). In practice, the guidance applies to the use of cookies in the context of the activities of UK or French established controllers or processors (as applicable), AND to any organisation based outside the EEA which uses cookies to monitor the behaviour of individuals in the UK or France (Article 3(2)(b)), or which uses them where it is apparent that the organisation intends to offer goods or services to such individuals (Article 3(2)(a)).

Brexit will also affect this. In the event of a no-deal Brexit, the UK cookie guidance would also apply to EEA-based organisations which use cookies to target individuals in the UK, and the French guidance would apply to UK organisations which use cookies to target individuals in France.


Is there a grace period?

CNIL: Yes. Companies are expected to comply with the new rules six months after the publication of a (yet to be issued) CNIL opinion on how to obtain consent in practice. The CNIL expects this opinion to be finalised in the first quarter of 2020.


Are cookie walls allowed?

CNIL: No. Cookie walls are not compliant, because a user who refuses consent would suffer adverse consequences, so the consent would not be freely given.

ICO: The ICO notes that consent which is forced via a cookie wall is "unlikely to be valid". However, it also notes that the GDPR must be balanced against other rights, including freedom of expression and the freedom to conduct a business. The ICO seems to be 'sitting on the fence' on this, at least for the moment.

Do analytics cookies require consent?

CNIL: Not always. Certain analytics cookies are exempt from the prior-consent requirement if they meet all of a cumulative list of conditions set by the CNIL.

ICO: Yes; there is no exemption. The ICO does state, though, that it is "unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals", and it gives first-party analytics cookies as an example of cookies that are potentially low risk.

Lawful basis for subsequent processing of personal data

CNIL: Unlike the ICO, the CNIL does not suggest that consent is the only possible lawful basis for the subsequent processing of personal data.

ICO: In most circumstances, legitimate interests is not the appropriate lawful basis for processing personal data obtained through cookies. Because consent is required under the ePrivacy rules, consent should also be the lawful basis under the GDPR; relying on legitimate interests when GDPR-compliant consent is already in place would be unnecessary and would confuse users. Legitimate interests would never be available for profiling-related processing of personal data.

Prominence of options given to users

CNIL: No specific guidance. More may be said on this topic in the (yet to be issued) CNIL opinion on how to obtain consent in practice.

ICO: Emphasising the 'agree'/'allow' option over the 'reject'/'block' option nudges users towards accepting and is not a compliant way to collect consent. The same applies if the 'reject'/'block' option is placed in a second layer while the 'agree'/'allow' option is available in the first layer.

Cookie lifespan and retention periods

CNIL: Analytics cookies benefiting from the CNIL prior-consent exemption must not have a lifespan exceeding 13 months, and the information collected through these trackers may be kept for a maximum of 25 months. All other cookies are not subject to a prescribed maximum lifespan.

ICO: The lifespan of a cookie must be proportionate to the intended outcome and limited to what is necessary to achieve the purpose. Setting a cookie to the maximum possible technical duration (e.g. an expiry of "31/12/9999") would not be regarded as proportionate in any circumstances.
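The two lifespan limits above are the only numeric constraints on this page, and they are easy to check mechanically against what a site actually sends. The following script is an added example, not code from the article or from either regulator: it parses Set-Cookie header values, derives the requested lifespan (Max-Age taking precedence over Expires, as browsers do), and flags analytics cookies that outlive the CNIL's 13-month ceiling as well as any cookie set to a "31/12/9999"-style expiry that the ICO would not regard as proportionate. The set of analytics cookie names, the sample headers, the fixed reference clock, the choice of 396 days for "13 months" and of 100 years as the threshold for "maximum technical duration" are all assumptions made for the demo.

```python
"""Cookie lifespan checker (added example; not the article's or either
regulator's own tool).  Flags two things discussed in the guidance:
  - "exceeds-13-months": an analytics cookie living longer than the CNIL's
    13-month ceiling for cookies covered by its prior-consent exemption;
  - "max-technical-duration": an expiry so far away (31/12/9999 style) that
    the ICO says it cannot be proportionate for any purpose.
Assumptions (not from the guidance): 13 months is taken as 396 days, anything
over 100 years counts as "maximum technical duration", and the analytics
cookie names, sample headers and reference clock are constructed for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

THIRTEEN_MONTHS = timedelta(days=396)        # assumption: 13 x ~30.5 days
MAX_TECHNICAL = timedelta(days=365 * 100)    # assumption: > 100 years is "forever"
DEMO_NOW = datetime(2019, 7, 4, tzinfo=timezone.utc)  # fixed clock, reproducible output

# Constructed sample: which names count as analytics cookies is the site owner's call.
ANALYTICS_COOKIE_NAMES = {"_ga"}
SAMPLE_HEADERS = [
    "_ga=GA1.2.1234567890.1562198400; Max-Age=63072000; Path=/",   # 2 years
    "sid=3f9c1b2e; Path=/; Secure; HttpOnly",                        # session cookie
    "prefs=dark; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/",     # "forever"
    "consent=1; Max-Age=15552000; Path=/; SameSite=Lax",             # 180 days
]


@dataclass
class CookieLifespan:
    name: str
    lifespan: Optional[timedelta]   # None -> session cookie (no Max-Age / Expires)
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str, now: datetime) -> tuple:
    """Return (name, requested lifespan) for one Set-Cookie header value.
    Max-Age wins over Expires when both are present (RFC 6265 section 5.3)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = timedelta(seconds=int(val))
            except ValueError:
                pass                      # malformed Max-Age: browsers ignore it too
        elif key == "expires":
            try:
                when = parsedate_to_datetime(val)
            except (TypeError, ValueError, IndexError):
                continue                  # unparseable date: attribute ignored
            if when.tzinfo is None:       # RFC 6265 dates are always GMT
                when = when.replace(tzinfo=timezone.utc)
            expires = when - now
    return name, (max_age if max_age is not None else expires)


def assess(header: str, analytics_names: set, now: datetime) -> CookieLifespan:
    """Apply both lifespan checks to a single Set-Cookie header value."""
    name, lifespan = parse_set_cookie(header, now)
    result = CookieLifespan(name, lifespan)
    if lifespan is None or lifespan <= timedelta(0):
        return result                     # session cookie or a deletion: nothing to flag
    if lifespan >= MAX_TECHNICAL:
        result.findings.append("max-technical-duration")
    if name in analytics_names and lifespan > THIRTEEN_MONTHS:
        result.findings.append("exceeds-13-months")
    return result


def assess_headers(headers, analytics_names, now=None) -> dict:
    """Assess several Set-Cookie values; returns {cookie name: CookieLifespan}."""
    now = now or datetime.now(timezone.utc)
    return {r.name: r for r in (assess(h, analytics_names, now) for h in headers)}


if __name__ == "__main__":
    for r in assess_headers(SAMPLE_HEADERS, ANALYTICS_COOKIE_NAMES, DEMO_NOW).values():
        days = "session" if r.lifespan is None else f"{r.lifespan.days} days"
        print(f"{r.name:<8} {days:>14}  {', '.join(r.findings) or 'ok'}")
```

Run against a real site, the headers would come from the response to a first visit with no consent stored; the checker deliberately ignores Expires values that fail to parse and treats a zero or negative Max-Age as a deletion, since neither sets a long-lived cookie.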