CNIL-compliant cookie banner: examples and best practices



CNIL-compliant cookie banner: this guide presents the rules, examples, and best practices for obtaining valid consent, avoiding common mistakes, and securing your website.


Discover our examples and best practices for creating a cookie banner that complies with CNIL requirements, in order to respect your users’ privacy.

A cookie banner is not just a decorative strip. It determines how a site collects data, activates its analytics tools, loads its marketing scripts, and respects visitors’ rights.

For a company, a WordPress site, an e-commerce store, or a business application, the issue often comes up during the first GDPR checks. Cookies are among the most frequently reviewed items because they are visible, easy to test, and sometimes misconfigured.

As a web agency, DualMedia regularly works on these topics in website redesign, WordPress optimization, or application development projects. The goal is not just to display a banner, but to technically control what triggers before and after consent.

Why a CNIL-compliant cookie banner is essential

A CNIL-compliant cookie banner is used to inform the user and obtain their consent before placing non-essential cookies. Since the GDPR and the ePrivacy Directive, consent must come before enabling trackers used for analytics, advertising, or cross-site tracking.

A site that loads Google Analytics, an advertising pixel, a retargeting tool, or certain social media widgets must therefore manage consent precisely. Conversely, certain technical cookies may be set without prior consent when they are strictly necessary for the requested service.

The key point lies in timing. If a marketing or analytics cookie is already present before the user has clicked “Accept,” the banner is not doing its job, even if its design looks compliant.

Understanding cookie types before configuring the banner

The first step is to identify what the site actually places in the browser. Many compliance gaps come from scripts added over time: WordPress plugins, chat tools, embedded videos, advertising tags, or audience measurement modules.

A fictional SME called Nova Atelier illustrates the problem well. Its showcase website seemed simple, but an audit revealed an analytics tool, an advertising pixel, and a social sharing plugin that were placing trackers before any consent.

Strictly necessary cookies

Strictly necessary cookies allow the site to function properly. They can, for example, maintain a login session, keep a shopping cart, secure a form, or balance server load.

They generally do not require consent, because the requested service cannot function without them. On the other hand, an audience measurement or advertising cookie never becomes “necessary” simply because it is useful for marketing management.

Audience measurement cookies

Analytics cookies are used to understand traffic, pages visited, and certain browsing behaviors. They require consent, except under the strict exemption conditions provided by the CNIL.

To qualify for an exemption, the tool must in particular limit its purpose to audience measurement, anonymize the data, avoid sharing with third parties, and be clearly documented. Some configurations of Matomo or AT Internet may be suitable, whereas a standard Google Analytics setup generally does not fall within this framework.

Marketing and advertising cookies

Marketing cookies are used to measure conversions, personalize advertising, track a visitor across multiple sites, or build audiences. They always require explicit consent.

This applies to advertising pixels, remarketing tools, trackable social buttons, and retargeting campaigns. To better understand these uses, DualMedia’s article on retargeting explains how these mechanisms use browsing signals.

CNIL criteria for valid consent

CNIL expects consent to be freely given, informed, specific, and unambiguous. This means the user must understand what they are agreeing to, be able to refuse easily, and express a clear choice through a positive action.

Simply continuing to browse does not count as consent. Pre-checked boxes are also excluded, because they turn silence into implicit acceptance.

  • Consent must be freely given, without undue pressure or unjustified blocking of access.
  • The information must be clear, with the purposes, partners, and consequences of the choice.
  • The choice must be specific, especially between statistics, personalization, and marketing.
  • The action must be positive, for example clicking an acceptance button.
  • Withdrawal must remain possible at any time, with permanent access to preferences.

The retention period for the choice must not be unlimited. CNIL's recommendation sets a maximum period of 13 months before asking the user again.

Anatomy of a CNIL-compliant cookie banner

A compliant banner must present a balanced choice at the first level of information. The “Accept all” button must not be more prominent or more visible than “Reject all”.

It must also provide access to preferences, to allow a choice by purpose. This granularity avoids grouping very different uses, such as audience measurement and behavioral advertising, under the same consent.

| Banner element | CNIL-compliant best practice | Frequent errors |
| --- | --- | --- |
| Choice buttons | Display “Accept all” and “Reject all” with equivalent visibility | Show only an “Accept” button at the first level |
| Preferences | Allow settings by purpose: statistics, marketing, personalization | Offer an overall opt-in without actionable detail |
| Third-party scripts | Block non-essential trackers before consent | Load Google Analytics or an advertising pixel as soon as the page opens |
| User information | Explain the purposes, partners, and retention period | Use vague wording like “we improve your experience” |
| Consent withdrawal | Provide permanent access to the choice panel | Hide the withdrawal option in a hard-to-find page |

A good design is not meant to push the user toward acceptance. It must make the choice clear, fair, and understandable, including on mobile.

Examples of text for a CNIL-compliant cookie banner

The banner text should remain short, but sufficiently precise. It should explain why cookies are used and immediately offer the three main actions: accept, refuse, or customize.

Example suited to a showcase website: “We use cookies to measure site traffic and improve your experience. You can accept, refuse, or customize your choices at any time.”

Example suited to an e-commerce site: “Some cookies are necessary for the store to function. Others help us measure traffic or personalize our communications, only with your consent.”

Example suited to a platform with advertising: “We use cookies to offer you personalized content and measure our campaigns. You can manage your preferences by purpose or refuse non-essential trackers.”

In each case, the text must be linked to a more detailed cookie policy. This page describes the trackers used, their purposes, their lifespan, and the partners involved.

Set up a CNIL-compliant cookie banner step by step

Configuration is not limited to installing a plugin. You need to inventory the trackers, classify them, block the relevant scripts, test the site's actual behavior, then document the choices.

On WordPress, this step requires special attention, because themes, plugins, and page builders can add scripts without the administrator realizing it. A technical audit is often more reliable than simply reviewing the list of plugins.

  1. Scan the site in private browsing mode to identify cookies placed before any click.
  2. Classify each tracker according to its purpose: necessary, preference, statistics, or marketing.
  3. Choose a consent management platform compatible with the CMS and the scripts used.
  4. Block non-essential cookies before explicit acceptance.
  5. Write a clear cookie policy that is accessible from the banner.
  6. Test the “Accept All,” “Reject All,” and “Customize” scenarios.
  7. Keep technical proof of consent: timestamp, banner version, and recorded choice.
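Steps 4 and 7, together with the 13-month limit mentioned earlier, can be sketched as follows. This is an added example, not DualMedia's code or any consent platform's API; the purpose names, the record fields, `BANNER_VERSION`, and the rule that a banner version change invalidates the stored choice are assumptions.

```javascript
// Added example: proof-of-consent record plus the gate that keeps tags blocked.
const PURPOSES = ["statistics", "personalization", "marketing"];
const MAX_AGE_MONTHS = 13; // maximum retention of the choice before asking again
const BANNER_VERSION = "2024-05"; // hypothetical; bump when purposes or partners change

// Build the record: timestamp, banner version, one boolean per purpose.
// Anything not explicitly accepted is stored as refused (no pre-checked boxes).
function recordConsent(accepted, now = new Date()) {
  const choices = {};
  for (const p of PURPOSES) choices[p] = accepted.includes(p);
  return { timestamp: now.toISOString(), bannerVersion: BANNER_VERSION, choices };
}

// A stored choice is usable only if it was made on the current banner version
// (assumption) and is less than 13 months old; otherwise the banner is shown again.
function isStillValid(record, now = new Date()) {
  if (!record || record.bannerVersion !== BANNER_VERSION) return false;
  const expires = new Date(record.timestamp);
  if (Number.isNaN(expires.getTime())) return false;
  const day = expires.getUTCDate();
  expires.setUTCMonth(expires.getUTCMonth() + MAX_AGE_MONTHS);
  if (expires.getUTCDate() !== day) expires.setUTCDate(0); // clamp month-end overflow
  return now < expires;
}

// Gate checked before injecting any script: strictly necessary code always runs,
// everything else needs a valid record with that exact purpose accepted.
function mayLoad(purpose, record, now = new Date()) {
  if (purpose === "necessary") return true;
  return isStillValid(record, now) && record.choices[purpose] === true;
}

// Return the names of the registered tags that may be injected right now.
function releaseTags(tags, record, now = new Date()) {
  return tags.filter((t) => mayLoad(t.purpose, record, now)).map((t) => t.name);
}

// Constructed sample: the visitor accepted statistics only.
const sampleTags = [
  { name: "session", purpose: "necessary" },
  { name: "analytics", purpose: "statistics" },
  { name: "ad-pixel", purpose: "marketing" },
];
const sampleRecord = recordConsent(["statistics"]);
console.log(releaseTags(sampleTags, sampleRecord)); // tags allowed for this visitor
console.log(releaseTags(sampleTags, null)); // first visit, no choice yet
```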

DualMedia often handles these settings during a redesign or technical optimization. The topic naturally connects performance, UX, and compliance, especially when a site must remain fast despite the integration of marketing tools.


For WordPress sites, optimizing scripts and plugins can also reduce the risk of uncontrolled placements. The DualMedia guide to optimizing a WordPress site is a useful complement to this approach.

Consent management tools for a compliant cookie banner

Several solutions make it possible to manage consent, but they are not equally suited to every level of site complexity. The choice depends on the number of pages, the number of third-party scripts, the CMS, and the expected level of reporting.

Axeptio is often appreciated for its clear interface and educational approach. Cookiebot is well suited to sites that require regular scans and detailed tracker mapping.

Tarteaucitron.js remains a relevant option for technical teams that want to keep control of the code. However, it requires real integration rigor, because a poor configuration can allow scripts to run before consent.

| Solution | Suitable profile | Highlight | Point of vigilance |
| --- | --- | --- | --- |
| Axeptio | Showcase websites, blogs, small e-commerce sites | Readable interface and polished user experience | Configuration to verify for each third-party script |
| Cookiebot | Sites with many trackers | Automatic scan and detailed reports | Sometimes more technical setup |
| Tarteaucitron.js | Developers and custom projects | Highly customizable open-source solution | Demanding implementation on the code side |
| OneTrust or Didomi | Large organizations and multi-country sites | Advanced consent management | More significant budget and governance |

The best tool is still the one that actually blocks non-essential trackers before consent. An elegant interface never makes up for a technical execution flaw.

Common mistakes that make a banner non-compliant

The first mistake is to display an “Accept” button without an equivalent “Reject” button at the same level. This approach creates an imbalance that pushes users toward acceptance.

The second mistake appears in preferences with pre-checked boxes. Consent must come from a voluntary action, not from an option already enabled by default.

The third mistake is more technical: cookies are set before the choice. To detect it, it is often enough to open the site in private browsing, inspect the cookies, and check whether elements like “_ga” or “_fbp” appear before consent.

Cookie walls are also a problem when they block access to the service as long as the user refuses non-essential trackers. Certain exceptions exist in specific business models, but they must be justified, proportionate, and accompanied by a clear alternative.

Finally, withdrawing consent is still too often overlooked. Users must be able to change their choices as easily as they made them, without going through several obscure pages.

Concrete examples: Google Analytics, YouTube, and Facebook Pixel

Google Analytics, especially in its standard configuration, requires consent before activation. Google’s consent mode can help manage certain signals, but it does not replace clear user-choice management.

Embedded YouTube videos can also place trackers. Using the youtube-nocookie.com domain reduces some of these placements, but it does not always eliminate the need for an analysis based on the integration context and enabled features.

Facebook Pixel must remain blocked by default and only load after marketing consent has been accepted. In an e-commerce funnel, this constraint must be implemented without degrading performance or skewing key conversion metrics.

In this type of project, the challenge is to balance digital marketing, proof of consent, and quality of experience. It is precisely the kind of trade-off that an experienced web team can secure during an audit or a redesign.

Ensuring the compliance of a cookie banner with CNIL guidelines

Reliable verification combines manual testing, automated scanning, and a review of the cookie policy. Manual testing remains essential because it checks what the user actually experiences during their first visit.

The basic scenario is simple: open the site in private browsing, confirm that the banner appears, inspect the cookies, refuse, reload, then accept to observe the differences. No statistical or advertising tracker should appear before a positive choice is made.
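The scenario above can be checked mechanically once the cookie strings from each phase have been copied out of the browser. The following is an added example, not a tool from the article: the tracker patterns cover the `_ga` and `_fbp` cookies the article names plus the `_ga_<id>` variant, and the "necessary" cookie names and sample snapshots are constructed assumptions.

```javascript
// Added example: audit the cookies seen before any choice and after "Reject all".
const TRACKERS = [
  { re: /^_ga(_.+)?$/, purpose: "statistics" },
  { re: /^_fbp$/, purpose: "marketing" },
];
// Hypothetical names: cookies this site documents as strictly necessary.
const NECESSARY = new Set(["PHPSESSID", "cart_id", "cookie_consent"]);

// Split a document.cookie / Cookie-header string into cookie names.
function cookieNames(str) {
  return str.split(";").map((p) => p.trim()).filter(Boolean)
    .map((p) => (p.includes("=") ? p.slice(0, p.indexOf("=")) : p));
}

// Sort the cookies of one snapshot into trackers, necessary and unknown.
function classify(str) {
  const out = { trackers: [], necessary: [], unknown: [] };
  for (const name of cookieNames(str)) {
    const hit = TRACKERS.find((t) => t.re.test(name));
    if (hit) out.trackers.push({ name, purpose: hit.purpose });
    else if (NECESSARY.has(name)) out.necessary.push(name);
    else out.unknown.push(name);
  }
  return out;
}

// A tracker is a failure before any choice and after "Reject all".
// Unknown cookies are never passed silently: they need manual classification.
function auditScenario(snapshots) {
  const findings = [];
  for (const phase of ["beforeChoice", "afterReject"]) {
    const c = classify(snapshots[phase]);
    for (const t of c.trackers) findings.push({ phase, level: "fail", ...t });
    for (const name of c.unknown) findings.push({ phase, level: "review", name });
  }
  const status = findings.some((f) => f.level === "fail") ? "fail"
    : findings.length ? "review" : "pass";
  // Listed for comparison only: trackers are allowed once the visitor accepts.
  const loadedAfterAccept = classify(snapshots.afterAccept).trackers.map((t) => t.name);
  return { status, findings, loadedAfterAccept };
}

// Constructed snapshots, as copied from the browser's cookie inspector.
const sample = {
  beforeChoice: "PHPSESSID=abc123; _ga=GA1.2.111.222",
  afterReject: "PHPSESSID=abc123; cookie_consent=rejected",
  afterAccept: "PHPSESSID=abc123; cookie_consent=all; _ga=GA1.2.111.222; _fbp=fb.1.1700000000000.42",
};
console.log(JSON.stringify(auditScenario(sample), null, 2));
```

A "pass" here only covers cookies; trackers that use local storage or fire network requests without setting a cookie still need the manual inspection described above.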

Scanning tools complement this verification by detecting certain third-party cookies or flagging suspicious scripts. However, they do not replace human analysis, especially when tags are conditionally loaded through a tag manager.


A consent log then makes it possible to prove the choices made. Ideally, it should retain the timestamp, the banner version, the accepted or rejected purposes, and the information needed in the event of an audit.

Penalties and risks in the event of a non-compliant cookie banner

The risks are not theoretical. CNIL has already sanctioned organizations for mechanisms that made refusing more difficult than accepting, the absence of a “Reject all” button, or the placement of cookies before consent.

Large groups attract more attention, but SMBs are not off the radar. A user complaint, an industry-specific audit, or a competitor report can be enough to trigger a review.

Beyond the financial risk, poor cookie management undermines trust. A user who notices a manipulative interface quickly associates the brand with a lack of transparency.

Compliance should therefore be seen as a driver of credibility. A clear, fast, and honest banner enhances the user experience instead of getting in its way.

Integrating cookie compliance into a sustainable web project

A CNIL-compliant cookie banner must evolve with the site. Each addition of a marketing tool, video module, chatbot, or advertising script can change the tracker map.

In a serious maintenance approach, compliance must therefore be checked with every significant production release. This logic aligns with best practices in web performance, accessibility, and security.

From the start of a website or application project, DualMedia recommends integrating consent management into the UX design. This avoids late corrections, which are often more costly and technically more fragile.

The same logic applies to mobile projects and business applications. Trackers, analytics SDKs, and measurement tools must be documented, properly activated, and aligned with the user's choices.

To go further into design and development challenges, the DualMedia article on best practices for digital projects provides a useful complement to web and mobile strategy.

Our opinion

A CNIL-compliant cookie banner should be designed as a functional component of the site, not as a legal formality. It involves technology, design, trust, and data governance.

The best setups are simple for users and rigorous on the development side. They display refusal as accessibly as acceptance, block trackers before consent, and allow clear management of preferences.

For a professional site, the safest approach is to audit cookies, choose a suitable tool, test real-world scenarios, and maintain the configuration over time. This is the method that helps avoid penalties while preserving a smooth user experience.

What is a CNIL-compliant cookie banner?

A CNIL-compliant cookie banner is a mechanism that informs the user and collects their consent before any non-essential cookies are placed. It must allow users to accept, refuse, or customize their choices with the same level of simplicity.

When is a CNIL-compliant cookie banner mandatory?

A CNIL-compliant cookie banner is mandatory as soon as a website uses non-essential trackers. This applies in particular to analytics tools, advertising pixels, social media cookies, or certain integrated third-party services.

Do necessary cookies require consent?

Strictly necessary cookies generally do not require consent. However, they must be limited to the operation of the service, such as the login session, shopping cart, or site security.

Does Google Analytics require a CNIL-compliant cookie banner?

Google Analytics generally requires prior consent. Some audience measurement solutions may be exempt under strict conditions, but a standard Google Analytics setup is not automatically exempt.

Is the Reject All button required on a cookie banner?

Refusal must be as simple as acceptance. A banner that displays an Accept button without an equivalent Reject button exposes the site to a risk of non-compliance.

Can cookies be placed before consent?

Non-essential cookies must not be set before consent. Analytics, advertising, or tracking scripts must remain blocked until the user takes a positive action.

How long should cookie consent be retained?

The CNIL recommends a maximum retention period of 13 months. Beyond that, the site must ask the user again to confirm or change their choices.

Should a CNIL-compliant cookie banner list all partners?

The banner or cookie policy must clearly inform users about the partners involved. The user must understand who may access the data and for what purposes.

Do embedded YouTube videos require cookie consent?

YouTube videos may require consent because they place trackers. The youtube-nocookie.com mode can limit certain placements, but the integration must be tested according to the site context.

How do you test a cookie banner for CNIL compliance?

The test consists of opening the site in private browsing mode and inspecting the cookies before any click. No marketing or analytics tracker should appear before explicit consent.

Which tool should you choose for a CNIL-compliant cookie banner?

The right tool depends on the site, the CMS, and the number of third-party scripts. Axeptio, Cookiebot, Tarteaucitron.js, Didomi, or OneTrust may be suitable, provided they are correctly configured.

Can DualMedia help with cookie compliance?

DualMedia can support the audit, configuration, and testing of a CNIL-compliant cookie banner. This support can be integrated into a redesign, a WordPress optimization, a mobile project, or a broader UX initiative.
