France's CNIL Issues Formal Notices for Cookie Noncompliance

July 30, 2021 - Ensighten

France’s data protection authority, the Commission Nationale de L’informatique et des Libertés (CNIL), has issued formal notices of noncompliance to 40 organizations for noncompliant cookie consent banners. Namely, the targeted organizations failed to allow users to refuse cookies as easily as they can accept them.

These 40 notices come after a round of 20 notices of noncompliance issued in May 2021. All of the organizations notified in that round were able to bring their consent banners into compliance in the 30 days allotted.

In a press release, the CNIL said it will adopt “new corrective measures against non-compliant bodies” if organizations notified in this round do not comply by Sept. 6th.

What Companies were impacted?

The CNIL did not name names, but it did list the specific industry sectors involved:

  • Four major platforms in the digital economy
  • Six major hardware and software editors
  • Six companies selling consumer goods online
  • Two major players in the online tourism industry
  • Three car rental companies
  • Three major players in the banking sector
  • Two major local authorities
  • Two online public services
  • One energy company.

What happens if organizations do not comply?

If the notified organizations do not comply it is possible for the CNIL to grant fines of up to 2% of turnover.

What about future enforcement action?

In the press release, the CNIL said that it would “continue its checks, and adopt, if necessary, new corrective measures against non-compliant bodies.” T

The CNIL specifically noted that new campaigns to “ensure respect for the privacy of French internet users” will be carried out in autumn.

What are the CNIL’s recommendations for cookie compliance?

In October 2020, the CNIL released guidance on cookie compliance that gave clear-cut recommendations for handling user consent for cookies and other tracking technologies. The CNIL’s guidance says that:

  • Soft opt-in, or implied consent, is not considered as a valid expression of the user's consent. I.e., simply navigating a website, or scrolling away from a consent banner does not express consent.
  • Users can only consent to tracking through a clear positive act (such as clicking on "I accept" in a cookie banner).
  • Default opt-in is not allowed for any cookie or tracker that is not essential to the operation of the service. Tracking cookies must be opted out upon loading the page and may only be fired with the express consent of the user.
  • Users should be able to withdraw their consent easily and at any time, and an option should be made readily available for them to do so.
  • Refusing cookies should be as easy as accepting them. A “refuse all” button is recommended.
  • Users must be clearly informed of the purposes of the cookies before consenting, as well as the consequences of opting in or out.
  • Users must be informed of the identity of all actors using tracking subject to consent.
  • The organizations operating cookies and other tracking must be able to provide, at any time, proof of the valid collection of the free, informed, specific and unambiguous consent of the user.

Who needs to comply with the CNIL’s recommendations?

Any website or application that targets French visitors must comply with the CNIL’s requirements. That means if you offer goods or services in France through your website, you must be compliant with the CNIL’s guidelines. (e.g., offering content in French, or shipping or buying in France) is subject to French cookie requirements. Similar steps are required in all EU nations under the GDPR.

How Ensighten can help

As guidelines and regulations continue to evolve, marketers and site owners must remain vigilant in updating and maintaining compliance. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with the GDPR, CCPA, LGPD, and many more laws and frameworks.

With Ensighten Consent Management Plus (CMP+), you can set up customizable consent banners for and give your customers a clear-cut choice on how their data is used, or whether it is collected at all.

Unlike most consent management platforms, Ensighten CMP+ offers real-time enforcement, so user preferences are applied instantaneously, and no cookies or tracking measures are fired before consent is given.

And it’s easy to use. Our low-code, zero-integration deployment means Ensighten CMP+ can be added to every iteration of your website with a simple line of code.

You can also use Ensighten to perform a full audit of your website—up to 5000 pages—so you can understand which cookies and tracking technologies are in use and identify potential security or compliance issues.

Request a demo today to see how Ensighten can help your organization stay compliant with evolving regulations worldwide.



Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.

Learn more about Ensighten and our solution

Online skimming blog

Learn why third-party components on your website could be leaving you vulnerable to online skimming attacks

Read Now

Web skimming webinar

Learn more about how online skimming attacks happen and how you can protect against them

Watch Now

Online demo

See the Ensighten solution in action to learn how we can help protect your website against online skimming

Book Now