CNIL 2026 11 min read·

Non-Compliant Cookie Banner: The 7 Costly Mistakes

Cookies are the top source of CNIL sanctions. In 2025, more than 60% of formal notices concerned consent management. Seven mistakes recur systematically — and each one alone can trigger a procedure.

Why cookies remain CNIL's #1 target

Since the CNIL guidelines of September 2020, reinforced by those of May 2022, cookie regulation is one of the most concrete and verifiable aspects of GDPR. Unlike other obligations (processing register, DPAs), the cookie banner is publicly visible — anyone, including CNIL agents, can check it in seconds from a browser.

The CNIL has developed automated monitoring tools that scan thousands of French sites each month, detecting cookies deposited before consent, asymmetric banners and poorly documented purposes. The result: a 3x increase in cookie-related formal notices between 2021 and 2025.

Sanctions don't just hit Amazon or Google. In 2024 and 2025, e-commerce stores, online media, B2B SaaS and institutional sites received fines between €15,000 and €200,000 for mistakes you'll recognize in this article.

The regulatory framework for cookies in France

  • Article 82 of the French Data Protection Actany non-strictly-necessary tracer deposit requires prior and informed user consent.
  • GDPR Art. 4(11) and Art. 7consent must be freely given, specific, informed and unambiguous (positive action, no pre-checked box).
  • CNIL cookie guidelines (2020, revised 2022)refusing must be as simple as accepting, consent duration 13 months max, list of processors in privacy policy.
  • CNIL recommendation on CMPs (2024)consent management platforms must be regularly audited and their DPAs signed.

Is your cookie banner really compliant?

RGPDScan checks in 60 seconds if cookies are deposited before consent and if your banner meets CNIL 2026 requirements.

The 7 mistakes documented by the CNIL

1
'Refuse' button less visible than 'Accept'

This is the most sanctioned mistake by CNIL. A colored 'Accept' button versus a gray 'Refuse' link, different sizes, or the refuse button relegated to page 2 — all constitute an explicitly prohibited 'dark pattern'. Typical sanction: formal notice with publication. Correction: harmonize size, color and hierarchy level of both buttons.

2
Pre-checked boxes for non-essential purposes

GDPR explicitly prohibits pre-checked boxes for obtaining consent (Recital 32). Presenting advertising or analytics purposes with an already-checked box is illegal — consent must be active. This mistake was common before 2022; in 2026, it leads to near-automatic sanction.

3
Scroll or continued navigation = implied consent

"By continuing to browse you accept our cookies" — a phrase still found on hundreds of French sites in 2026. It has been illegal since 2020. Consent can only result from a positive and deliberate action. A banner that closes on scroll, a footer mention without real choice, or no banner with a CGU mention are all non-compliant.

4
Consent storage duration exceeding 13 months

CNIL recommends a maximum duration of 13 months for consent cookies (the tracer that stores the user's choice). Durations of 24 months, 36 months, or even indefinite have been flagged during CNIL inspections. Beyond 13 months, consent must be collected again. Check your CMP cookie expiration in DevTools.

5
Vague or absent purposes in the banner

"We use cookies to improve your experience" is not a purpose under GDPR. Users must know precisely what they're consenting to: audience measurement, targeted advertising, personalization, social media sharing. Each purpose must be readable, separate and allow granular choice. Overly generic banners were specifically targeted in 2024 CNIL reports.

6
Cookie deposit before clicking 'Accept'

This is technically the most serious violation. Even with a beautiful compliant banner, if Google Analytics, Meta Pixel or Hotjar cookies are deposited on page load (before any click), the consent has no value. CNIL checks this with automated tools that intercept network requests. Cdiscount (€100,000) and dozens of others were sanctioned on this point alone.

7
No consent withdrawal mechanism

The right of withdrawal is as important as the right to consent. Users must be able to withdraw consent at any time, as easily as they gave it (GDPR Art. 7-3). A discreet link in the legal notices accessible in 4 clicks does not meet this condition. Minimum requirement: a 'Manage my cookies' or 'Withdraw my consent' link visible from all pages, typically in the footer.

Checklist: your banner in 10 points

  • Refuse button as visible as Accept (identical size, color, hierarchy)
  • No pre-checked boxes for non-essential purposes
  • Zero non-essential cookie deposited before Accept click (test DevTools > Network > cookies)
  • Purposes listed precisely: analytics, advertising, personalization, social media separately
  • Consent cookie expiring within 13 months maximum (check in DevTools > Application > Cookies)
  • 'Manage my cookies' link visible from all pages (footer)
  • DPA signed with your CMP (Axeptio, Didomi, Cookiebot, etc.)
  • No dark patterns: no guilt pop-ups, no gamification to accept
  • Banner automatically reactivated after 13 months
  • Monthly automated audit to detect any regression (third-party script added without consent)

Going further

Frequently asked questions

Does my cookie banner need to appear on every visit?
No. It must appear on the first visit and whenever consent has expired (13 months maximum according to CNIL guidelines). If the user has given valid consent, don't solicit them again for 13 months. However, if you add new purposes or processors, new consent is required.
Does the 'Refuse' button need to be at the same visual level as 'Accept'?
Yes, this is an explicit requirement of the 2022 CNIL guidelines. Both buttons must be presented with the same ease of access — same size, same visual hierarchy level. A text link to refuse versus a colored button to accept is non-compliant. This asymmetry is the most sanctioned mistake by CNIL.
Can scrolling or navigation be used as consent?
No. GDPR and CNIL guidelines require positive and explicit consent. Continuing navigation, page scrolling or simply closing the banner do not constitute valid consent. The user must perform a positive action (clicking an accept button) for consent to be legally collected.
What is the maximum duration for storing consent?
13 months according to CNIL recommendations. Beyond that, consent must be collected again. This period runs from the deposit of the tracer cookie linked to consent collection. Durations exceeding 13 months have been flagged by CNIL as breaches during inspections.
Do purposes need to be detailed in the cookie banner?
Yes. Under Article 82 of the French Data Protection Act and GDPR (Art. 13), users must be informed of purposes before giving consent. A banner simply stating 'We use cookies to improve your experience' without detailing purposes (advertising, analytics, personalization) is insufficient.
Does my CMP (Axeptio, Didomi, Cookiebot) automatically protect me?
Partially. A properly configured CMP covers banner presentation and consent management. But compliance also depends on your specific configuration: cookies loaded before consent (technical side), up-to-date purpose list, DPA signed with the CMP, no pre-selected purposes. A badly configured CMP can give a false impression of compliance.

Detect your cookie banner mistakes in 60 seconds

RGPDScan analyzes your site as CNIL would: cookies before consent, button asymmetry, non-compliant durations.