Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From consent-management-skills
Guides CNIL-compliant cookie consent implementation: equal prominence accept/reject buttons, no cookie walls, 6-month reconsent intervals, essential cookies exemption per Deliberation 2020-091. For EU sites avoiding fines.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin consent-management-skillsHow this skill is triggered — by the user, by Claude, or both
Slash command
/consent-management-skills:cnil-compliant-cookiesThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
The French Commission Nationale de l'Informatique et des Libertés (CNIL) has been the most aggressive European enforcer of cookie consent rules. In January 2022, CNIL issued a EUR 150 million fine to Google LLC and a EUR 60 million fine to Meta Platforms Ireland Ltd. for cookie consent violations. These enforcement actions, combined with CNIL Deliberation No. 2020-091 (September 17, 2020), esta...
Guides CNIL-compliant cookie consent implementation: equal prominence accept/reject buttons, no cookie walls, 6-month reconsent intervals, essential cookies exemption per Deliberation 2020-091. For EU sites avoiding fines.
Audits A/B tests of cookie consent banners for GDPR/CNIL compliance, ensuring equal accept/reject ease and detecting dark patterns like visual asymmetry.
Guides GDPR-compliant data processing, consent management, privacy controls, and data subject requests for systems handling EU personal data.
Share bugs, ideas, or general feedback.
The French Commission Nationale de l'Informatique et des Libertés (CNIL) has been the most aggressive European enforcer of cookie consent rules. In January 2022, CNIL issued a EUR 150 million fine to Google LLC and a EUR 60 million fine to Meta Platforms Ireland Ltd. for cookie consent violations. These enforcement actions, combined with CNIL Deliberation No. 2020-091 (September 17, 2020), establish the most detailed cookie consent standards in Europe.
Requirement: Users must be able to refuse cookies as easily as accepting them. The "Refuse All" option must be presented with the same visual prominence as the "Accept All" option.
Specific CNIL Requirements:
CloudVault SaaS Inc. Implementation:
┌─────────────────────────────────────────────────────────────┐
│ CloudVault uses cookies to improve your experience. │
│ [Learn more about our cookie use] │
│ │
│ ┌──────────────────┐ ┌──────────────────┐ │
│ │ Accept All │ │ Refuse All │ │
│ └──────────────────┘ └──────────────────┘ │
│ │
│ [Manage Preferences] │
└─────────────────────────────────────────────────────────────┘
Button specifications:
- Both: 200x44px, #2563EB blue background, white text, 16px bold
- Position: side by side, same vertical level
- "Manage Preferences": text link below, #6B7280 grey, 14px regular
Requirement: Access to the website or service must not be conditioned on accepting cookies. Users who refuse all cookies must be able to access the same content and functionality.
Exceptions:
Requirement: Consent must be renewed at appropriate intervals. CNIL recommends a maximum of 6 months between consent requests.
Implementation:
cv_consent_timestamp with the consent dateThe following categories do not require consent per CNIL guidance:
| Category | Examples | Justification |
|---|---|---|
| Authentication | Session cookies, CSRF tokens | Strictly necessary for security |
| Load balancing | Server routing cookies | Strictly necessary for service |
| User preferences | Language, display settings | Strictly necessary for requested functionality |
| Shopping cart | Cart session cookies | Strictly necessary for requested service |
| First-party analytics (limited) | Audience measurement with limited scope | CNIL exemption for first-party, aggregate-only analytics (strict conditions) |
CNIL conditions for first-party analytics exemption:
Before consenting, the user must be informed of:
| Entity | Fine | Date | Deliberation | Key Violations |
|---|---|---|---|---|
| Google LLC | EUR 150,000,000 | Jan 6, 2022 | 2022-013 | No "Refuse All" on first layer; multiple clicks to refuse |
| Meta Platforms | EUR 60,000,000 | Jan 6, 2022 | 2022-014 | "Accept" on first layer, "Refuse" buried in secondary page |
| Microsoft Ireland | EUR 60,000,000 | Dec 22, 2022 | 2022-023 | bing.com: "Accept" without equally prominent "Refuse" |
| TikTok | EUR 5,000,000 | Dec 29, 2022 | 2022-025 | Rejecting more complex than accepting; info inadequate |
| Voodoo (mobile games) | EUR 3,000,000 | Jan 2023 | 2023-004 | Used Apple IDFA for advertising without consent |
| Apple Distribution | EUR 8,000,000 | Jan 4, 2023 | 2023-001 | Targeted advertising on App Store without valid consent |
| # | Requirement | CNIL Reference | CloudVault Status |
|---|---|---|---|
| 1 | "Refuse All" button on first layer | Deliberation 2020-091 Section 2.1 | Implemented |
| 2 | Equal visual prominence accept/refuse | Deliberation 2020-091 Section 2.1 | Both 200x44px, same color |
| 3 | No cookie wall | Deliberation 2020-091 Section 2.2 | Full access without cookies |
| 4 | Reconsent every 6 months maximum | Deliberation 2020-091 Section 2.3 | 180-day reconsent cycle |
| 5 | Essential cookies documented and exempted | Deliberation 2020-091 Section 3 | 4 essential cookies listed |
| 6 | Third parties identified by name | Deliberation 2020-091 Section 2.4 | All third parties named |
| 7 | Cookie purposes described | Deliberation 2020-091 Section 2.4 | Per-category descriptions |
| 8 | Cookie retention periods stated | Deliberation 2020-091 Section 2.4 | Max 13 months per CNIL |
| 9 | Withdrawal as easy as giving consent | GDPR Art. 7(3) | Footer link on every page |
| 10 | Consent records maintained | GDPR Art. 7(1) | Full audit trail |