GDPR Privacy FAQs: What are the major differences between the Information Commissioner’s Office guidance on cookies and the CNIL’s guidance on cookies?

November 25, 2019

The Information Commissioner’s Office or the “ICO” is the British supervisory authority charged with enforcing GDPR.  The Commission Nationale de l’informatique et des libertes (the “CNIL”) is the French supervisory authority.  Both authorities have published guidance on the use of cookies under GDPR and the ePrivacy Directive recently—specifically, the ICO published its guidance on July 3 and the CNIL published its final guidance on July 18 of this year.1  Although each guidance interprets essentially the same regulatory framework, there are meaningful differences between them.  Below is a brief summary of some of the most noteworthy divergences:

  • Enforcement: Perhaps the most noteworthy difference is the “grace period” put in place by the CNIL.  While the ICO’s guidance is effective and enforceable immediately, the CNIL has stated that companies are expected to comply within six months “after the publication of the future recommendation.”  This “future recommendation” has yet to be published.2
  • Analytic Cookies: The ICO has taken the position that analytics cookies must always be “consented”—that is, such cookies cannot be deployed unless and until a data subject has opted-in to their use.  The CNIL has adopted a more a nuanced position, and has laid out specific requirements for permissible use of analytic cookies even where the data subject does not consent, subject to certain conditions.
  • Cookie Walls: Cookie walls have now been the subject of guidance from three separate supervisory authorities. Dutch authorities previously indicated that so-called “cookie walls,” which prevent engagement of full engagement with a site unless all cookies are accepted, were not compliant.  The CNIL has agreed, indicating that cookie walls that cause data subjects to suffer adverse consequences are not compliant.  The ICO’s guidance in this regard was somewhat more equivocal, stating that a wall is “unlikely to be valid” but suggesting that a balancing test may be possible.3
  • Duration of Cookies Following Acceptance: The CNIL has identified specific periods of time by which certain cookies must be “re-consented” or deleted. The ICO has stated that the lifespan of cookies must be “proportionate in relation to your intended outcome; and limited to what is necessary to achieve your purpose.”4



This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.



3. (at p. 31-32).

4. (at p. 42).

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.