Global Data and Cyber Handbook

France

Select a Topic
Start Comparison
Cookies, Online Tracking and Direct Marketing
Jump to
Cookies, Online Tracking and Direct Marketing Start Comparison
Are there specific requirements for the use of cookies and other online tracking technologies?

Last review date: January 2025

Yes.

The CNIL published on 17 September 2020 a recommendation on "cookies and other tracking technologies," relating to new requirements for obtaining consent as provided for in Article 82 of the amended French Data Protection Act ("Loi informatique et libertés").

The recommendation clarifies and strengthens the applicable legal requirements for obtaining consent from data subjects by website editors. The continued streaming of the website by a user is not an acceptable form of consent anymore. All website editors must be able to demonstrate that the data subject has given a valid consent.

The CNIL has also adopted guidelines on 17 September 2020 revoking the former ones from 4 July 2019.

These recommendation and guidelines have been taken after a public consultation closed on 25 February 2020.

They are completed by a Q&A which provides more details on how to use cookies and other tracking technologies in compliance with GDPR, and which is regularly updated by the CNIL (available here in French).

The CNIL imposes specificities on all aspects of consent by users (including illustrations on how to comply for website editors):

  • the consent must be informed, specific, unambiguous, and given freely
  • the user must be able to opt-out at any moment and the duration of the consent must be determined and proportionate

From 2020 to January 2024, the CNIL has sanctioned fifteen companies with regard to their non-compliance with cookies' legislation with financial penalties ranging from EUR 5,000 to EUR 90 million per undertaking for the alleged violations of Article 82 of the French Data Protection Act (the deposit of cookies without prior consent). Following its guidelines and recommendations, several surveys conducted from 2019 to 2022 show that users are better informed on cookie regulation. However, a large number of users still consider company advertising practices too opaque.

In addition in 2023, the CNIL has issued several guidance and recommendations related to online tracking technologies and cookies and focusing on mobile applications and audience metrics.

The CNIL initiated a public consultation on mobile applications (available here) in September 2023. In the draft recommendation subject to public consultation, the CNIL aims to clarify the division of responsibilities between each of the players involved and their respective obligations regarding the GDPR. Additionally, the draft recommendation wants to promote mobile applications operating offline, without collecting or processing personal data. The Recommendations related to mobile applications were published by the CNIL on 24 September 2024 (link here).

Lastly, the CNIL published several sets of guidance on audience metrics (available here and here). In these guides, the CNIL clarifies the conditions to be met to use of traffic or performance statistics, including the conditions to determine if the cookies placed for this purpose are exempt from the user's consent. The CNIL underlines that hosts may use audience metrics tools that may result in personal data being transferred to inadequate entities or countries. In such cases, according to the CNIL, using a proxy, properly configured following some guidelines, may be an operational solution for complying with the requirements of the GDPR).

On 12 December 2024, the CNIL has issued formal notices to several website editors to modify their cookie banners to make them compliant with the applicable laws and regulations (link here).

In addition, please note that the DSA forbids providers of online platforms to present advertisement to recipients of services, including to minors, based on profiling as defined in the GDPR. The SREN entrusts the CNIL to verify the compliance with this prohibition.

Are there specific requirements related to the use of personal data for direct marketing activities?

Last review date: January 2025

Yes.

☒        email marketing

☒        prior opt-in consent

☒        prior existing business relationship (and subject to other requirements) with opt-out consent

☒        Prospecting is not of a commercial nature (e.g., charitable): with opt-out consent

☒        telephone marketing

☒        opt-out or implied consent

☒        If the individual's number is listed on The French "do not contact list" called "BLOCTEL": no telephone marketing allowed.

☒        SMS/text message marketing

☒        prior opt-in consent

☒        prior existing business relationship (and subject to other requirements) with opt-out consent

☒        Prospecting is not of a commercial nature (e.g., charitable): with opt-out consent

☒        postal marketing

☒        opt-out or implied consent

☒        If the individual's number is listed on The French "do not contact list" called "Stop Publicité" or "Robinson list": no postal marketing allowed.

☒        online behavioral advertising targeting/social media targeting/ad personalization marketing

☒        prior opt-in consent

☒      Sectoral requirements regarding the display of content for direct marketing purposes on social networks

{{ $store.state.loadingScreen.message }} ...