Meet France's Article 82 and CNIL cookie rules: prior consent, and refusing must be as easy as accepting.
In France, the "cookie law" is Article 82 of the Loi Informatique et Libertés (Law n°78-17 of 6 January 1978, as amended), which transposes Article 5(3) of the ePrivacy Directive (2002/58/EC). It requires prior, informed consent before any non-essential cookie or tracker is written to or read from a user's device. The rules are enforced and interpreted by the CNIL (Commission nationale de l'informatique et des libertés), whose September 2020 guidelines and recommendation make France one of the strictest cookie-enforcement regimes in the EU, with record fines against Google, Meta, and Microsoft.
Article 82 LIL requires free, specific, informed and unambiguous prior consent before reading or writing non-essential cookies; refusing must be as easy as accepting.
Applicable laws
€150M
CNIL fine against Google for making cookie refusal harder than acceptance (31 Dec 2021)
CNIL / cnil.fr
€60M
CNIL fine against Facebook Ireland (Meta) for the same cookie-refusal failure (31 Dec 2021)
CNIL / cnil.fr
€60M
CNIL fine against Microsoft over Bing advertising cookies without valid consent (22 Dec 2022)
CNIL / cnil.fr
€135M
Combined CNIL fines against Google (€100M) and Amazon (€35M) for cookie violations (Dec 2020)
CNIL / cnil.fr
Under Article 82 LIL, no advertising, analytics, or other non-essential cookie may be read or written before the user has given consent. Strictly necessary cookies for a service the user expressly requested are exempt. Cookies must not fire on page load before a choice is made.
The CNIL requires that rejecting cookies be as simple as accepting them, typically a reject button at the same level as accept. The 2021 fines against Google and Meta turned precisely on the absence of an equally simple refuse option.
Consent must meet the GDPR standard (Articles 4(11) and 7): given by a clear positive act, never by pre-ticked boxes, continued browsing, or acceptance of general terms. Users must be told who sets cookies and for what purposes before consenting.
The CNIL expects users to be able to consent or refuse by purpose (e.g. advertising, audience measurement, social sharing) rather than a single all-or-nothing toggle, and to identify the third parties involved.
Withdrawing consent must be as easy as giving it, with a persistent way to revisit choices. Operators must be able to demonstrate valid consent was obtained, which means keeping records of what was collected and when.
France does not regulate cookies through a standalone statute but through Article 82 of the Loi Informatique et Libertés, the national law that implements Article 5(3) of the EU ePrivacy Directive. The article establishes a simple principle with broad reach: any operation that reads information from, or writes information to, a user's terminal requires the user's prior consent, unless the operation is strictly necessary to deliver a service the user explicitly asked for, or exists solely to enable an electronic communication.
Consent under Article 82 is not a lower standard than the GDPR. The CNIL ties it directly to Articles 4(11) and 7 of the GDPR, meaning consent must be free, specific, informed, and unambiguous, expressed through a clear affirmative action. Acceptance buried in general terms and conditions, pre-checked boxes, or mere continued browsing do not count. This combination of ePrivacy and GDPR standards is what gives the CNIL its enforcement teeth.
The CNIL hardened its position with guidelines and a recommendation adopted on 17 September 2020, which spelled out practical expectations: a visible reject option, granular choices by purpose, clear identification of the parties setting cookies, and easy withdrawal. It then gave organisations until spring 2021 to comply before moving to sanctions.
Enforcement has been among the most aggressive in Europe. On 31 December 2021 the CNIL fined Google a total of €150 million and Facebook Ireland €60 million because users could accept all cookies with a single click but had to navigate further to refuse them. A year later, on 22 December 2022, it fined Microsoft €60 million over advertising cookies set on Bing without a comparably simple refusal path. Each decision carried daily penalties for failure to fix the interface, signalling that interface design itself is a compliance issue.
The CNIL's fines did not hinge on whether a banner existed; they hinged on cookies firing before consent and on refusal being harder than acceptance. CookieSentry loads your site as a real visitor would and detects every cookie and tracker that fires before any consent is given, naming the source so you can see exactly which scripts breach Article 82. The free public scan needs no signup and produces an exportable report and PDF evidence you can keep on file.
CookieSentry is not a consent banner or CMP, so you keep the banner you already use. Alongside the pre-consent audit, it can generate GDPR documents such as privacy and cookie policies aligned to national requirements, helping you maintain the records and transparency the CNIL expects. Together that gives you proof of what your site does before consent and the documentation to back it up.
The data subject's consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
France's cookie rule lives in Article 82 of the Loi Informatique et Libertés (Law n°78-17 of 6 January 1978, amended), transposing Article 5(3) of the ePrivacy Directive. It mandates prior consent for reading or writing non-essential information on a user's terminal.
The Commission nationale de l'informatique et des libertés (CNIL), at cnil.fr, supervises and enforces French cookie law. Its 17 September 2020 guidelines and recommendation define how valid cookie consent must be collected and remain the practical benchmark for compliance.
France issues some of the EU's largest cookie fines: Google €150M and Facebook €60M (Dec 2021), Microsoft €60M (Dec 2022), and Google €100M plus Amazon €35M (Dec 2020), mostly for making refusal harder than acceptance or setting cookies before consent.
CookieSentry scans your live site and flags every cookie and tracker that fires before consent — the failure CNIL is most likely to act on — and names the source so you can fix it. Run the free public scan to get exportable evidence of what fires before consent, mapped to France's rules. It is not a consent banner — keep your banner and add the audit and evidence layer on top.
Cookie consent in France is governed by Article 82 of the Loi Informatique et Libertés (Law n°78-17 of 6 January 1978, as amended), which transposes Article 5(3) of the EU ePrivacy Directive (2002/58/EC). It is enforced by the CNIL and applies alongside the GDPR's consent standard.
Yes. The CNIL requires that refusing cookies be as easy as accepting them. The 2021 fines against Google (€150M) and Facebook (€60M) were imposed specifically because users could accept all cookies in one click but had to take extra steps to refuse, which the CNIL treated as invalidating consent.
The CNIL (Commission nationale de l'informatique et des libertés) enforces French cookie law. It is among the most active EU regulators, having issued fines including €150M to Google, €60M each to Facebook and Microsoft, and €135M combined to Google and Amazon, largely over pre-consent cookies and unequal accept/reject choices.
CookieSentry scans your live site like a real visitor and flags every cookie or tracker that fires before consent, naming each source, which is exactly what the CNIL penalises. It produces an exportable report and PDF evidence, and can generate localized GDPR documents. It is not a banner or CMP, so you keep your existing banner.
Operating across the EU? The rules differ by market — check the country that applies to you.
Run a free CookieSentry scan on your live pages, catch cookies firing before consent, and export evidence mapped to France's rules — no signup required.
Run a free scan →Last reviewed 2026-06-14. General information on France cookie rules, not legal advice; verify current requirements with CNIL or qualified counsel.