ARTICLE
30 January 2026

French CNIL Provides Guidance On Cross-Device Cookie Consent

SM
Sheppard, Mullin, Richter & Hampton LLP

Contributor

Sheppard, Mullin, Richter & Hampton LLP logo
Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.
Explore Firm Details
How and when to get consent for cross-device tracking has been a worry for many companies subject to GDPR and similar regimes.
United States Privacy
Liisa M. Thomas and Kathryn Smith
Your Author LinkedIn Connections
Liisa M. Thomas’s articles from Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • with readers working within the Consumer Industries industries
Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • within Insolvency/Bankruptcy/Re-Structuring and Cannabis & Hemp topic(s)

How and when to get consent for cross-device tracking has been a worry for many companies subject to GDPR and similar regimes. The French data protection authority, CNIL, adopted recommendations about this practice in 2020, and has just updated those recommendations to provide greater detail and more examples and use cases for multi-device consent.

The guidance applies narrowly to situations where users are logged into their account. Namely, where a logged-in user exercises a choice about cookies on one device and the company applies that choice when the user is logged into their account on another device. If the company takes this approach, the guidance stresses that such multi-device consent meet several criteria:

  • There should be both cross-device consent and cross-device opt-out. In other words, make the type of choices people can exercise symmetrical and global.
  • Tell people that choices made on one device when logged in will apply on other devices when logged in. Give people this information at the beginning of the consent process.
  • If someone has two different choices in play, explain clearly what will happen. For example, what should you do if a user opts out while not logged in, then logs in on the same device to an account that is opted in? Should you (a) keep them opted in (i.e., the choice from the account level) or (b) opt them out (the choice expressed before logging in)? Either can be done, but the user should be clearly told which will occur.

Under the recommendation from CNIL, companies should also give people device-level controls as well. For example, in a preference center or other consent tool.

Putting It Into Practice: This guidance is a reminder that the French data protection authority is focusing on cookie consent mechanisms. It has indicated that its next release this year will be a guidance for cross-domain consent. For example, multiple different websites owned by the same company or group of companies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Liisa M. Thomas
Liisa M. Thomas
Photo of Kathryn Smith
Kathryn Smith
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More