
CNIL publication on its website

When a user accepts or refuses cookies on a site or application, his or her choice is generally stored on the device used (computer, telephone, etc.). This means that the same user connected to the same service may have made different choices on different devices: for example, refusing on his mobile and accepting on his computer. This fragmentation represents a technical and commercial challenge for data controllers, who have to manage these multiple choices. On the user side, the repetition of consent requests per device can become tiresome and degrade the browsing experience. To address this issue, some players are considering so-called cross-device consent mechanisms: i.e., solutions that centralize the user’s choices at the account level, so that they are automatically applied to all their connected devices, without them having to express them separately.

Against this backdrop, the CNIL has published a set of draft recommendations designed to provide a framework for the practical implementation of such consent in “logged” environments. Here are the key points:

  • Cross-device management must also apply to the refusal and withdrawal of consent.

Data controllers cannot use a differentiated mechanism depending on whether the user accepts or rejects trackers. If the management of users' preferences is centralized at account level for all devices, this must apply both to consent to trackers and to their rejection (as well as to subsequent withdrawal of consent).

  • Users must be informed of the scope of their choice.

Prior information must clearly state that the choices made with regard to cookies will apply to all connected devices. Additional information must be displayed when a new device is authenticated for the first time, reminding users of the choices applied and the possibility of modifying them at any time.

  • In the event of a contradiction between logged and unlogged universes for the same user, there are two possible options: give preference to the last choice made, or to the account’s pre-existing parameters.

It may happen that a user accesses a service without having authenticated himself or herself – for example, from a new device or after having manually deleted trackers. In this case, the service cannot recognize the user and apply the preferences associated with his or her account. The user will thus be presented with a new consent request, with the risk that he or she will make a different choice from the one made as a logged-in user. To resolve this contradiction once the user has logged back in, the CNIL leaves it up to data controllers to decide whether to give preference to the last choice made (in unauthenticated mode) or to the pre-existing settings linked to the account.

Whichever option is chosen, data controllers must:

  • Inform users of the logic followed and remind them that they can modify their choices at any time.
  • Apply the same rules to all devices.

  • Do not share directly identifying data with CMPs.

Cross-device management of cookie choices requires technical subcontractors – in particular Consent Management Platforms (CMPs) – to be able to distinguish authenticated users from others. However, they must not receive any directly identifying data (surname, first name, etc.). The CNIL recommends sharing only pseudonymized technical identifiers, in line with the principle of minimization.

  • The logged and unlogged universes must remain independent.

Choices made in an authenticated universe should not automatically overwrite those saved locally in non-authenticated mode. This distinction preserves the diversity of uses on shared devices – such as a television or a family computer – without the preferences of one connected user imposing themselves on others.

  • Switch to cross-device consent = new consent.

If a service migrates to a cross-device consent system, a new consent form is required. Choices previously expressed on a given device cannot be considered valid for all devices, since the user had not previously been informed of the scope of his or her choices.

  • Best practice: always enable device-based management.

As a matter of good practice, the CNIL encourages ensuring that users can always individualize their preferences later according to the devices they use.

One of the most sensitive points in the draft recommendation clearly lies in the articulation between logged and unlogged environments. In practice, distinguishing these two universes may require separate technical mechanisms – for example, two distinct cookies – to avoid overlapping or conflicting preferences.

It is also worth noting that the CNIL does not present cross-device consent as an obligation, nor even as a good practice to be generally promoted. No implicit encouragement is expressed, even though such a mechanism could help address the user fatigue caused by repeated consent requests across devices. This cautious stance underlines that the implementation of such solutions remains entirely at the discretion of data controllers, who must assess their relevance in light of the associated technical and legal challenges.

The draft remains open for consultation until June 5, 2025.
