Recommendation adopted on December 18, 2025, proposing practical methods for ensuring compliance with multi-device consent
The CNIL has just published the final version of its recommendations on the collection of multi-device consent for cookies and other trackers. Adopted on 18 December 2025, this text takes the form of an amendment to the CNIL’s pre-existing cookie recommendation, with the aim of framing consent-collection mechanisms in the context of the widespread use of multiple screens.
Scope: limited to authenticated environments
The CNIL regulates multi-device consent within a clearly defined perimeter: authenticated environments, i.e. situations in which a user logs into the same account from several devices (computer, smartphone, tablet, connected television, etc.).
Outside of these “logged-in” environments, the multi-device consent mechanism is not intended to apply.
Principles of multi-device consent
Multi-device consent is based on a logic of centralising choices at the account level rather than at the device level: when an authenticated user gives consent, refuses consent, or withdraws consent, that choice may be automatically applied across all devices from which the user connects to the same account. The objective is to ensure consistency of user preferences and to avoid the systematic repetition of consent banners on each device.
As a matter of good practice, however, the authority encourages organisations to offer users a way to apply different choices depending on the device, for example via a dedicated preference centre within the account. This approach is intended to take into account the diversity of usage contexts (e.g. personal versus professional devices).
The CNIL also recalls that implementing multi-device consent is optional. It does not constitute an obligation for data controllers under any circumstances.
Strict conditions to ensure the validity of consent
The implementation of multi-device consent requires compliance with several cumulative conditions:
- Unity and consistency of choices: if consent can be given globally for several devices, refusal and withdrawal must have the same scope. It is therefore not possible to globalize consent alone, without offering perfect symmetry for other choices.
- Enhanced prior information: before making any decision, the user must be informed that their choice will apply to all devices connected to the same account. Otherwise, consent cannot be considered informed.
- Traceability and intelligibility: the information must appear at the first level of the consent management platform (CMP). It must also be repeated when the user first logs in from a new device, for example by means of a temporary information banner.
The delicate balance between authenticated and non-authenticated environments
The CNIL devotes a significant portion of its recommendations to managing situations of contradiction between choices expressed before and after authentication.
When a user expresses preferences on a device in an unauthenticated environment and then logs in to an account that already has choices recorded, two mutually exclusive options can be chosen:
- Either give priority to the last choice expressed, i.e., the one made before authentication on the new device.
- Or give priority to the choices associated with the account, in which case the previous preferences specific to the terminal are not retained.
In all cases, the user must be clearly informed of the existence of this contradiction, the effects of the option chosen, and the means available to them to change their choices.
Furthermore, the CNIL emphasizes a fundamental principle: choices made in an authenticated environment must not impact pre-existing choices in an unauthenticated environment, particularly to take into account the fact that several users may share the same device. This requirement implies being able to distinguish between authenticated and unauthenticated uses of the same device, which can be operationally complex.
Operational points to note
Several additional details deserve the attention of stakeholders:
- The transition to a multi-device consent mechanism requires a new choice to be made. Previous consent, which did not inform the user of this multi-device scope, cannot be reused.
- The data controller must avoid sharing raw identifiers relating to authenticated users with its subcontractors, in particular CMPs. The CNIL recommends the use of pseudonymized technical identifiers.
These recommendations are in line with the CNIL’s long-standing work on regulating practices related to cookies and other trackers. They illustrate the authority’s desire to gradually refine its reference framework to cover different use cases. The CNIL is now expected to move quickly to a phase of monitoring these new multi-device consent mechanisms.
Finally, the authority has already announced that it will continue its work in 2026 on cross-domain consent, which would aim to allow a single consent to be collected that is valid for several sites or media belonging to the same group.
