As users increasingly engage with digital services across a wide
range of devices, often while logged into a personal account,
online service providers are increasingly looking for ways to
obtain user preferences for the use of cookies and other similar
‘storage and access’ technologies via a single consent and
to have each user’s choices applied automatically across all
authenticated environments they use.
Recognising this shift, the Commission nationale de
l’informatique et des libertés (CNIL), France’s data
protection authority, has published recommendations on how such
multi‑device consent mechanisms can be implemented in a way
that is both legally compliant and user friendly. The
recommendations aim to help organisations adapt to users’
expectations of consistency as they switch between phones,
computers, tablets and connected televisions. This overview
summarises the CNIL’s position and considers how it compares
with the current approach of the UK’s ICO.
Scope and core expectations
The recommendations focus on authenticated environments that the
CNIL refers to as “logged-in universes”, where consent is
linked to the user’s account rather than to the specific device
they are using. The guidance is relevant not only to websites and
mobile applications but also to connected televisions, gaming
consoles, voice assistants and connected vehicles, all of which may
require consent under Article 82 of the French Data Protection
Act.
Ensuring transparency for users
The CNIL emphasises the importance of transparency and clear,
timely user information. Details of any multi‑device consent
mechanism should be provided on the first layer of the consent
interface, ensuring that users understand from the outset how their
preferences will be applied. Where a user logs in on a device that
has not previously been linked to their account, organisations
should display a temporary notification indicating that the consent
choices saved to the account now apply to that device, or that
those choices have been updated. This approach helps users remain
aware of how their preferences operate as they move between
devices.
The recommendations also address situations where conflicting
preferences arise – for example, where a user expresses a
choice on a device before authenticating that differs from the
settings stored in their account. In such cases, the CNIL accepts
two possible approaches: either the most recent choice made on the
device takes precedence, or the preference associated with the
authenticated account prevails. Regardless of the approach adopted,
organisations must clearly explain how any conflict is resolved so
that users understand which choice ultimately applies. The CNIL
further encourages convergence towards a common industry approach
to reduce user confusion.
Finally, the CNIL draws a clear distinction between
authenticated and non-authenticated environments. Preferences
expressed outside of an authenticated session must not be
overridden by account level settings. This is particularly
important for shared devices, such as family computers or connected
televisions, where applying one individual’s account-based
preferences could adversely affect other users. The recommendations
therefore stress that authenticated consent choices should not be
propagated to such shared, non-authenticated contexts.
Data minimisation and moving to multi-device models
In line with the GDPR principles of data minimisation and
privacy by design, the CNIL requires organisations to avoid sharing
clear-text personal identifiers, such as email addresses or
usernames, with consent management providers. Instead,
organisations should rely on technical or pseudonymous identifiers
to link devices securely, reducing the exposure of directly
identifiable data.
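As an added illustration (not code from the CNIL or from the article's authors), the Python sketch below shows one way a service could derive a pseudonymous linking identifier for a consent management provider and resolve the device/account conflict described above. The names `LINK_KEY`, `pseudonymous_id` and `effective_choice`, the HMAC-SHA-256 construction and the policy labels are assumptions chosen for the example.

```python
import hashlib
import hmac

# Assumption: secret held only by the service operator, never given to the
# consent management provider (CMP). Constructed demo value.
LINK_KEY = b"constructed-demo-key"


def pseudonymous_id(account_id: str, key: bytes = LINK_KEY) -> str:
    """Keyed one-way identifier sent to the CMP in place of an email or username."""
    normalised = account_id.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def effective_choice(device, account, authenticated, policy="device"):
    """Return (choices_to_apply, show_notification).

    device / account: dict of purpose -> bool, or None if no choice is stored.
    policy: "device" (the choice made on the device wins) or "account".
    """
    if policy not in ("device", "account"):
        raise ValueError("policy must be 'device' or 'account'")
    if not authenticated:
        # Outside a logged-in session, account settings are never applied.
        return device, False
    if account is None:
        # Nothing stored on the account yet: keep the device's own choice.
        return device, False
    if device is None:
        # Device newly linked to the account: apply saved choices and notify.
        return account, True
    if device == account:
        return account, False
    # Conflict: resolve by the documented policy and tell the user the outcome.
    return (device if policy == "device" else account), True


if __name__ == "__main__":
    # Constructed sample inputs.
    print(pseudonymous_id("Alice@Example.com"))
    print(effective_choice({"ads": False}, {"ads": True}, True, "account"))
```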
Where an organisation implements a new multi‑device
consent model, the recommendations make clear that fresh user
consent is required. Consent previously obtained cannot be relied
upon, as users will not have been informed that their choices could
be applied across multiple devices. Earlier consent is therefore
invalid for this form of cross‑device processing.
Although not mandatory, the CNIL also encourages organisations
to offer users the ability to manage their preferences on a
device-by-device basis through a dedicated preferences centre. This
reflects the practical reality that individuals may use different
devices for different purposes and may wish to exercise more
granular control over how their personal data is processed.
Position of the UK ICO
In contrast to the CNIL, the UK ICO has not issued guidance that
specifically addresses multi‑device consent mechanisms or the
cross‑device synchronisation of cookie and other ‘storage
and access’ technology preferences.
It remains to be seen whether the ICO will develop its guidance
in this area, but meanwhile organisations looking to develop a
multi‑device consent model may wish to align with the
CNIL’s expectations for the purposes of the UK’s Privacy
and Electronic Communications Regulations 2003 (PECR). The ICO has
consistently emphasised the need for clear and comprehensive user
information, consent obtained before any tracking takes place,
transparency around the use of tracking technologies, and the
ability for users to withdraw consent easily. These principles
align closely with a multi‑device approach that is built
around informed user choice and effective control.
Future developments
Looking ahead, the CNIL has indicated that its work in this area
will continue. In particular, it plans to examine
“cross‑domain” consent models during 2026, which
would address scenarios where a single consent choice could apply
across multiple websites or services operated within the same
corporate group. If developed carefully, this approach could
further reduce repetitive consent requests while preserving
meaningful user choice and control.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.