GUIDES / RGPD

Cookies and consent: what the rules say (CNIL)

← All guides
RGPD Beginner 3 Jun 2026 5 min read by Les Techniciens du Net

Cookies and consent: what the rules say (CNIL)

What a cookie is, the difference between essential and non-essential cookies, when consent is mandatory, and how to put up a compliant cookie banner without annoying your visitors.

#cookies#consent#cnil

The infamous cookie banner annoys everyone — often because it is poorly done. Here is the rule, plain and simple, to stay compliant without hounding your visitors.

A cookie is a small file that a website stores in your browser to remember something: a login, a shopping cart, a language, or… your behaviour for advertising purposes.

Two families, two rules

  • Essential cookies: required for the site to work (cart, session, security). No consent needed — they are exempt.
  • Non-essential cookies: advertising, non-exempt audience measurement, social networks, third-party trackers. Consent required before storage.

The question to ask yourself: “Is this cookie essential to the service, or is it there to track me / serve ads?”

The rules for a compliant banner (CNIL)

  1. Inform clearly: which cookies, why.
  2. Prior consent: nothing non-essential before the click.
  3. Refuse = accept: refusing must be just as easy as accepting (two buttons at the same level).
  4. No pre-ticked boxes, no “forced” consent to access the site.
  5. Keep a record of consent, and allow visitors to change their mind.

The simplest approach: have as few as possible

The best way to avoid trouble: limit non-essential cookies.

  • A privacy-friendly audience measurement (cookie-free, or exempt) often avoids the banner altogether.
  • Fewer third-party trackers = a faster site that is simpler to bring into compliance.

A static information site, with no ads or tracking, can often do without a banner — because it stores no non-essential cookies.

In summary

CookieConsent?
Session, cart, securityNo (essential)
Advertising, tracking, social networksYes, before storage

The cookie is not the enemy: it is its tracking use that is regulated. Keep it simple, be transparent, and offer a genuine choice. (More context in our GDPR article.)

Test your knowledge

0 / 4
  1. A cookie is…

  2. For which cookies is consent mandatory?

  3. A compliant cookie banner must allow visitors to…

  4. Until the visitor has consented, non-essential cookies…