France's privacy watchdog just changed how cookies work across your devices

France's data protection authority CNIL today published its final recommendations on cross-device consent mechanisms for cookies and trackers, marking the conclusion of a public consultation process that began in April 2025. The guidance establishes concrete requirements for organizations seeking to implement consent systems that apply across multiple user devices.

The recommendations, adopted on December 18, 2025, address a practice that has become increasingly common as users access websites and mobile applications through computers, phones, tablets, and connected televisions. According to the CNIL documents, the guidance received contributions from 10 stakeholders during the consultation period, including three professional associations, one civil society organization, and six private companies.

What cross-device consent means

Cross-device consent allows users to express their choices about cookies and trackers once, with those preferences automatically applying to all devices connected to their account. According to the CNIL, this mechanism means choices are no longer tied to a specific terminal but rather to the user's account associated with a website or mobile application.

When a user accesses a service and expresses their choices on one device connected to their account, those preferences automatically apply to other environments through which they might connect, such as tablets, computers, or connected televisions. The user can manage the choices attached to their account regardless of which device they're using.

The CNIL published a synthesis document summarizing contributions received during the consultation. The contributions helped the authority verify the operational nature of the draft recommendation given the constraints, particularly technical ones, that organizations face.

Mandatory requirements for implementation

Organizations implementing cross-device consent must meet specific conditions to comply with GDPR requirements. The CNIL states that user choices must have identical scope to ensure compliance with the rules. If consent can be given once for multiple devices, the same must apply to refusal or withdrawal of consent.

Users must be informed about the scope of consent before exercising their choice to ensure it remains informed. According to the recommendations, information must specify that choices will be applied to all devices on which the user's account is authenticated.

Information can be provided through the consent management platform (CMP), directly at the first level of information. The CNIL modified its recommendation following the consultation to emphasize that information about the cross-device nature must appear at the first level of the CMP to ensure consent remains informed.

The authority recommends displaying a temporary information banner after authentication when connecting from a new device. This banner should remind users of the scope of their previously made choices and the possibility to modify them. According to the synthesis document, one contributor considered implementing such a banner unnecessary if the data controller's system ensures clear, complete, and easily accessible information when consent is collected. However, the CNIL maintained this recommendation to ensure the informed nature of consent given at the CMP level.

Managing conflicting choices

The recommendations identify a specific challenge: users might express and record different choices on their device before authenticating compared to choices already recorded on their account. According to the CNIL, it falls to the data controller to handle this situation in a manner that is clear and loyal to the user.

The authority identifies two main modalities for resolving this contradiction. Under the first modality, choices made on the new device before account authentication (at the level of the last consent window displayed) override those previously recorded within the account. The new recorded choices apply to all other devices connected to the account, ensuring the user's most recently expressed choice is taken into account regardless of device.

Under the second modality, choices recorded within the account prevail over choices made on the new device before account authentication. For this modality to be effective, it requires distinguishing user navigation tracking depending on whether they're authenticated or not, for example through two different cookies and/or identifiers.

Several contributors suggested keeping only the modality where account-recorded choices prevail. They proposed eliminating the modality where choices made on the new device before account authentication override previously recorded account choices. However, the CNIL chose to preserve both modalities since neither is inherently unlawful. The data controller must choose which modality they wish to prioritize and inform concerned individuals appropriately.

Once authenticated, users must be clearly informed about any contradiction between choices just made and those already associated with the account. For the first modality, information must indicate whether account-associated choices were recorded or modified. For the second modality, information must explain the existence of a contradiction between recently expressed choices and those already associated with the account, and that the latter will continue to apply within the account.

Regardless of modality, information must specify means available to users for modifying their choices. This can take the form of a temporary banner, which can be the same as referenced in the information section, provided the information is adapted and specific to contradiction management.

Interaction with non-authenticated environments

The recommendations address how cross-device consent interacts with non-authenticated browsing. According to the CNIL, in a cross-device consent system, user choices in authenticated environments must not impact choices previously recorded in non-authenticated environments, such as through a cookie deposited within a browser.

For devices shared among multiple users—for example, a family computer or connected television within a household—individual choices associated with a given account (possibly expressed on another individual device) must not impact all users of the shared device when they're not authenticated by that same account (browsing in non-authenticated environment).

One contributor highlighted that the recommendation would impact a currently widespread practice of linking a device on which a user has already authenticated to that user even when they're no longer authenticated. The CNIL maintained the section dedicated to interaction with non-authenticated environments, reaffirming that in cross-device consent systems, choices are necessarily associated with an account and users must log in for their choices to apply. Once they disconnect, account-associated choices no longer apply, but rather choices associated with their device.

Data minimization with service providers

The CNIL recommends attention to personal data exchanged with service providers who might intervene in data processing when implementing cross-device consent systems. According to the recommendations, in line with principles of minimization and data protection by design and by default under Article 25 of GDPR, the authority recommends not transmitting the user's account identifier when it contains personal data in clear text provided by the user—such as a pseudonym containing first name or even last name, or an email address—to the consent management platform provider.

The CNIL recommends systematically substituting a technical identifier to allow the provider to reconcile the user's different devices.

Transition requirements

When consent collection evolves into a cross-device consent mechanism for a website or mobile application, data controllers must collect new consent that is free, specific, informed, and unambiguous. According to the recommendations, consent expressed on a given device before transitioning to cross-device consent management cannot be considered valid for other devices, as the user was not informed about the cross-device scope of expressed consent.

User control as best practice

As a best practice, the CNIL encourages data controllers to leave users the possibility to review their choices device by device, allowing them to differentiate their uses and management of their personal data depending on contexts in which they access the service and therefore devices they use.

In practice, this possibility could be accessible through the configuration panel that enables management and withdrawal of account-associated consent through a preference center. The recommendation was amended following consultation to specify that the possibility of reviewing choices device by device could be accessible in a preference center.

A majority of contributors encouraged the fact that users could always make device-by-device choices. Conversely, a minority of contributors considered this best practice should be eliminated, believing it empties the rest of the recommendation of substance or should be promoted through means other than the recommendation. The CNIL decided to preserve this paragraph since best practices, though not imposed by regulations, strengthen protection of user rights.

Scope limitations

The recommendation concerns cross-device consent collection when users are authenticated to an account, referred to as "logged environments." It applies to all environments (device, browser, or application) from which users authenticate.

Some contributors questioned the recommendation's scope. Some suggested it address consent collection for using offline data (purchases, etc.) and that it integrate cross-device consent regarding non-logged environments.

Regarding offline data, the CNIL chose not to modify the recommendation's scope. In logged environments, data used to build individual profiles and adapt online advertising don't only come from browsing but also from customer relationship management (CRM) software data, including offline purchase data for commerce. According to the synthesis document, consent given through the CMP generally covers—subject to proper user information to ensure consent validity—processing of this data for purposes to which individuals consent through the CMP.

The recommendation doesn't intend to cover consent that might be necessary under other provisions where consent isn't generally collected through the CMP but in other contexts, such as forms when creating accounts.

Regarding non-logged environments, the CNIL maintains this outside the recommendation's scope. Cross-device consent within non-logged environments would involve intrusive processing to recognize the same user across multiple devices and raises specific questions.

Public consultation process

The CNIL launched a public consultation on the draft recommendation on April 24, 2025, to gather potential interpretation difficulties raised by the text. Contributions fed into the authority's work toward publishing the final recommendation version.

The synthesis document presents the most important observations and response elements the CNIL decided to provide. The 10 contributors during the public consultation included varied actors from the digital ecosystem.

While the vast majority of contributors considered cross-device consent could be possible subject to conditions recalled in the draft recommendation, one actor considered such practice unlawful under regulations. The CNIL reaffirms that data protection regulations (GDPR, "Informatique et Libertés" law) don't oppose users' consent being given for multiple devices. However, legality of such a system depends on its implementation conditions, which are detailed in the recommendation.

One actor requested clarification that user information about cross-device consent scope (as a consent legality condition) could imply users would have choice between consent limited to one device and cross-device consent. The CNIL clarifies that data controllers can choose to offer only a cross-device model, provided they respect conditions set by the recommendation.

Next steps for the authority

The CNIL will launch work in 2026 on cross-property consent collection (also called "cross-domain"), which refers to single consent collection for multiple sites or media, particularly when they belong to the same group. According to the announcement, the goal is to provide a framework for limiting redundant requests, especially in media groups or multi-brand universes, while protecting user privacy and freedom of choice.

The authority will publish recommendations, which will be subject to public consultation, to establish conditions under which such practice can be implemented in compliance with regulations.

Industry implications

The new recommendations modify and complete the CNIL's existing guidance on cookie and tracker usage by proposing concrete recommendations on valid cross-device consent collection modalities. The guidance represents the culmination of consultation with professionals and civil society associations.

Implementation of cross-device consent remains optional and doesn't constitute an obligation for data controllers. The recommendations apply specifically to authenticated environments where users connect to accounts across multiple devices.

Organizations must ensure that if consent can be given once for all devices, users must also be able to refuse or withdraw consent with the same simplicity and scope. This requirement aims to prevent cross-device consent from making exercise of user rights more difficult—accepting, refusing, or changing one's mind must have the same effects across all devices.

The authority's approach balances user convenience with privacy protection, recognizing that with the proliferation of connected objects, consent requests for cookie and tracker usage have become more frequent. The recommendations provide a path for organizations to streamline consent processes while maintaining GDPR compliance and user control.

For the marketing community, these guidelines establish clear parameters for implementing consent systems that work across the increasingly complex device ecosystems that users navigate daily. Organizations must now evaluate their current consent mechanisms against these requirements and potentially redesign their approaches to ensure full compliance with the CNIL's final recommendations.

Timeline

• April 24, 2025 – CNIL launched public consultation on draft cross-device consent recommendation
• December 18, 2025 – CNIL adopted final recommendations on cross-device consent
• January 16, 2026 – CNIL published final recommendations and consultation synthesis
• 2026 – CNIL plans to launch work on cross-property (cross-domain) consent guidance

Summary

Who: France's data protection authority CNIL issued guidance affecting organizations that collect cookie consent across multiple user devices, with input from 10 stakeholders including professional associations, civil society groups, and private companies.

What: The authority published final recommendations establishing requirements for cross-device consent mechanisms, including mandatory user information, equal scope for consent and refusal, two modalities for handling conflicting choices, and data minimization requirements for service providers.

When: The CNIL adopted the recommendations on December 18, 2025, and published them today, January 16, 2026, following a public consultation that began on April 24, 2025.

Where: The recommendations apply to authenticated environments (logged universes) across websites and mobile applications accessed through various devices including computers, phones, tablets, and connected televisions in France and under French data protection jurisdiction.

Why: The guidance addresses the proliferation of consent requests as users access services across multiple devices, providing organizations a framework for streamlining consent processes while maintaining GDPR compliance and ensuring users retain control over their data across all their devices.