Skip to main content

Cookies and tracking technologies

The French Data Protection Authority (CNIL) recently issued guidelines for the use of cookies and tracking technologies and the cookie consent requirements necessary to comply with the GDPR. As the guidelines are based on the ePrivacy Directive that sets rules for cookie compliance, all companies in the EU should take note. While the CNIL has set a compliance deadline of 31 March 2021 for entities under its jurisdiction, other European data protection authorities are very likely to follow suit and conduct checks to ensure organizations’ compliance with the requirements.

What are cookies?


Cookies are small text files stored on a device, such as a PC, a smartphone or any other device that can store information. They serve several important functions, including remembering users and their previous interactions with a website and identifying users when they log into banking services and other online services. These cookies or any other tracking technologies—like local storage objects (LSOs) or “flash” cookies; software development kits (SDKs); pixel trackers or gifs; “like” buttons and social sharing tools; and device fingerprinting technologies—generally require the user’s consent, following the requirements of the ePrivacy Directive and the GDPR.

CNIL’s guidelines


The CNIL’s guidelines regarding the use of cookies and other tracking technologies by the publishers of websites and mobile applications derive from both Directive 2009/136/EC (aka the Cookie Law) and the GDPR.
In 2020, the CNIL launched an awareness campaign to encourage private and public organizations to carry out audits of their websites and mobile applications to ensure they met regulatory requirements. Following the publication of its guidelines and recommendation on the use of cookies, the CNIL has set a compliance deadline of 31 March 2021 for the French entities under its jurisdiction. Additionally, in early 2021, the CNIL revealed its three priority areas for audits and enforcement for 2021, consisting of cybersecurity, the security of health data, and adherence to the requirements relating to the use of cookies and other tracers.

Key recommendations:


User consent:
  • Website browsing does not constitute cookie consent by a user. Consent should be expressed by a clear and positive action (such as clicking on "I accept" in a cookie banner) following the GDPR’s requirements.
  • It should be easy for a user to withdraw consent at any time.
  • If a cookie is used to store a record that a user has provided cookie consent, this cookie should have a lifespan of six months.
Cookie banner:
  • Users must be clearly informed of the purposes of cookies before consenting, as well as the consequences related to the acceptance or rejection of cookies.
  • Users must also be informed of the identity of all actors using cookies subject to consent.
  • Refusing cookies should be as easy as accepting them.

In addition, organizations should examine the role of any third-parties using cookies and similar technologies on their website or applications to determine (joint) controllership or other data processing relationships. Where necessary, organizations should put the appropriate third-party data processing agreements in place to comply with the GDPR requirements.

How can Deloitte help?


Deloitte’s data protection advisory specialists and dedicated services can help you clarify the impact of these requirements, identify any gaps, suggest potential solutions, and take the necessary steps to put these solutions in place.

Deloitte can help you structure your activity to develop new products and adapt to regulatory and market demands.

Did you find this useful?

Thanks for your feedback

If you would like to help improve further, please complete a 3-minute survey