CNIL recommendations on cross-device Consent
20 Jan 2026
Last week, the French data protection authority (CNIL) has issued its final recommendations on cross-device consent. It modifies and complements the CNIL's existing guidance on cookies and other tracers, completing existing "big picture" framework for obtaining valid consent online.
The guidance is focused on scenarios where users are authenticated to an account. As per CNIL's recommendations, if you implement a one-time consent across a user's devices, you must ensure:
1. Symmetry of Choice: A user must be able to refuse or withdraw their consent as easily and with the same scope as they gave it.
2. Transparent Information: Users must be clearly informed upfront that their choices will apply to all devices connected to their account.
3. Conflict Resolution: A clear and fair method must handle situations where a user's pre-login choices on a new device differ from their account hashtag#privacy settings. The CNIL outlines two valid approaches:
1- Priority to the latest choice: The preference expressed on the new device before login prevails.
2- Priority to the account: The preference saved in the user's account prevails.
Looking Ahead to 2026, the CNIL announced it will launch work in 2026 on cross-domain consent for sites/media within the same group. This aims to limit redundant consent requests while protecting user choice. This future work will critically intersect with two key developments:
1/ EUCommission's Article88b (GDPR Omnibus Draft) aims to create a pan-European standard for expressing consent online via signals from browsers or software. The 2026 consultation will be the threshold for upcoming EU-wide cross-platforms' consent legal & regulatory framework.
2/ Innovations like ID side's patented Tech propose a user-centric platform where individuals can set their data preferences once and broadcast them as an encoded "signal" to websites. As the CNIL consults on cross-domain mechanisms, solutions of this nature could serve as practical technical blueprints for implementing compliant, user-friendly "consent signals" that work across domains and devices, aligning with the goals of both the CNIL and the proposed Article 88b.
In 2026, a humanly controlled Consent is not only a core goal for ID side team. It is clear it became an essential objective for all! Reducing Consent fatigue while upholding genuine user control is the next Privacy & Digital business "big thing". And the upcoming year's dialogue between regulators and technologists, to explore state of the art data protection engineering tools will be crucial both in terms of technical architecture and human-first business opportunities.
The guidance is focused on scenarios where users are authenticated to an account. As per CNIL's recommendations, if you implement a one-time consent across a user's devices, you must ensure:
1. Symmetry of Choice: A user must be able to refuse or withdraw their consent as easily and with the same scope as they gave it.
2. Transparent Information: Users must be clearly informed upfront that their choices will apply to all devices connected to their account.
3. Conflict Resolution: A clear and fair method must handle situations where a user's pre-login choices on a new device differ from their account hashtag#privacy settings. The CNIL outlines two valid approaches:
1- Priority to the latest choice: The preference expressed on the new device before login prevails.
2- Priority to the account: The preference saved in the user's account prevails.
Looking Ahead to 2026, the CNIL announced it will launch work in 2026 on cross-domain consent for sites/media within the same group. This aims to limit redundant consent requests while protecting user choice. This future work will critically intersect with two key developments:
1/ EUCommission's Article88b (GDPR Omnibus Draft) aims to create a pan-European standard for expressing consent online via signals from browsers or software. The 2026 consultation will be the threshold for upcoming EU-wide cross-platforms' consent legal & regulatory framework.
2/ Innovations like ID side's patented Tech propose a user-centric platform where individuals can set their data preferences once and broadcast them as an encoded "signal" to websites. As the CNIL consults on cross-domain mechanisms, solutions of this nature could serve as practical technical blueprints for implementing compliant, user-friendly "consent signals" that work across domains and devices, aligning with the goals of both the CNIL and the proposed Article 88b.
In 2026, a humanly controlled Consent is not only a core goal for ID side team. It is clear it became an essential objective for all! Reducing Consent fatigue while upholding genuine user control is the next Privacy & Digital business "big thing". And the upcoming year's dialogue between regulators and technologists, to explore state of the art data protection engineering tools will be crucial both in terms of technical architecture and human-first business opportunities.