Articles
Data privacy guides
The French DPA’s (CNIL) 2026 consent priorities: What companies need to know
Data privacy guides
new

The French DPA’s (CNIL) 2026 consent priorities: What companies need to know

Published  

3/17/2026

Updated  

by 

Francesca DeNisco

Thomas Adhumeau

5
min read

Published  

March 17, 2026

by 

Francesca DeNisco

10 min read
Summary

In 2026, one of the most active European data protection authorities, France’s CNIL, is accelerating its work on consent and tracking practices.

In addition to its ongoing efforts to enforce good practices in data protection (particularly regarding cookies and trackers), the national regulator began 2026 by publishing a series of positions and ongoing actions that clarify its expectations regarding cross-device tracking, tracking pixels in emails, and proof of consent in marketing.

For companies operating in France and, in practice, throughout the European Union, this is less about new rules than about stricter interpretation and application. Consent must be consistent, demonstrable, and respected throughout the user journey, regardless of the device used.

In this article, we review three major areas that companies need to understand and act on to ensure compliance with the French regulator's expectations.

1) Cross-device consent

Cross-device tracking allows organizations to link a user's activity across multiple devices into a single and unified profile. The CNIL states that if devices are linked to the same individual, it constitutes tracking and requires valid consent.

Cross-device consent refers to the ability to collect a single consent that is valid across all of a user's devices, as long as they are logged into an account. 

On December 18, 2025, the CNIL (French Data Protection Authority) adopted a final recommendation (deliberation no. 2025-131, published in the Official Journal on January 18, 2026) that specifically outlines the conditions under which this mechanism can be implemented.

In its recommendation, the CNIL establishes a precise framework for the (optional) implementation of a multi-device consent mechanism. This applies only when users are logged into an account (logged-in environment) and covers all the environments from which they authenticate (computer, smartphone, tablet, smart TV, etc.). The key points of the recommendation are as follows:

  • Multi-device consent is an optional mechanism: it is not required by the data controller, but if implemented, it must comply with a strict framework.
  • Symmetry of choices: If consent can be given once for several terminals, the same applies to refusal and withdrawal of consent.
  • Feedback banner: When logging in on a new device, the CNIL recommends displaying a temporary notification confirming that the account's associated choices have been applied.
  • Managing contradictions: In the event of a conflict between the choices made on a terminal before connection and those recorded in the account, the CNIL proposes two methods (priority to the last choice expressed or to the account's choices), each requiring explicit information from the user.
  • Data minimization: Account identifiers (email, username) should never be transmitted in plain text to service providers (CMP, AdTech). Systematic pseudonymization is required.
  • Impact on the unauthenticated environment: Choices in the authenticated universe should not impact those in the unauthenticated universe, particularly on shared terminals (family computers, connected TVs).

Note that the CNIL has announced the launch, in 2026, of additional work on multi-property (cross-domain) consent, focusing on the single collection of valid consent across several sites or media within the same group.

Explore the CNIL's expectations regarding cross-deviceconsent in more detail in our dedicated article on the subject:

{{CNIL-cross-device}}

2) Tracking pixels in emails

Last June, the CNIL opened a public consultation on its draft recommendation regarding the use of tracking pixels in emails, which sparked numerous reactions (including that of our Chief Privacy Officer).

Overview of the CNIL’s position

When an email includes a tracking pixel that collects information such as IP address, device data, or interaction signals, the CNIL considers it a tracking technology subject to consent requirements.

This issue is particularly sensitive when:

  • The tracking is used for profiling purposes.
  • The data is combined with other identifiers.
  • Monitoring is not strictly necessary to provide the service.

If a technology accesses information stored on the device or tracks user behavior for non-essential purposes, prior consent is required.

Points businesses should pay attention to

These future recommendations concern many digital professionals and companies:

  • Marketing teams use performance tools for emails.
  • CRM and automation platforms.
  • Publishers and media companies.
  • Every organization uses engagement-based profiling.

The draft recommendation is available here, and we invite our clients, pending official communication (which should occur in the coming months), to audit their practices and, at a minimum, ensure that they have a consent collection process in place when collecting email addresses. 

We will share more advice and best practices once the official recommendations are published. Stay tuned.

3) Proof of consent in the marketing sector

Beyond the monitoring practices themselves, the CNIL is again emphasizing that organizations must demonstrate that valid consent has been collected. 

The recent call for contributions on this topic opens a public debate on the regulator's new guidelines, before the recommendations are finalized. The CNIL specifies that proof of consent must be:

  • Linked to a specific user or identifier.
  • Time-stamped.
  • Associated with the exact purposes accepted or refused.
  • Traceable back to the version of the interface shown.

Organizations must be able to demonstrate what the user saw and what they chose in order to withstand regulatory scrutiny. This is an area where our teams have invested significant effort in developing our Versions and Proofs feature.

Learn more about our work on consent traceability in our dedicated article, written by our VP Partnership Ecosystem EMEA, Frank Ducret :

{{learn-more-consent-lineage}}

What this means for businesses and how Didomi can help

Taken together, these developments are heading in the same direction. The CNIL emphasizes the importance for companies to increase transparency for users across different channels and devices, provide sufficient information, and showcase enhanced accountability through documentation and auditability.

Practices that previously relied on assumptions or informal interpretations are now being evaluated against stricter requirements. Companies must examine the design of their cross-device systems, their email tracking configurations, their consent traceability architecture, and their preparedness for internal audits to ensure compliance.

At Didomi, we work closely with the CNIL and other European authorities to ensure our platform evolves in line with regulatory changes. For companies using Didomi, this means:

  • Cross-device consent signals are collected and applied consistently
  • Aligned email and web consent strategies within a single framework
  • A structured, traceable, and audit-ready proof of consent

Our goal is to help organizations transform regulatory requirements into reliable consent practices, developed in collaboration with authorities such as the CNIL. To learn more and discuss your data protection challenges, book a time with our team:

{{talk-to-an-expert}}

The author
The authors
Francesca DeNisco
Content and Communications Intern
Content writer currently focused on data privacy
Access author profile
Francesca DeNisco
Content and Communications Intern
Content writer currently focused on data privacy
Access author profile
Thomas Adhumeau
Chief Privacy Officer at Didomi.
French Commercial/IT Lawyer and Certified Information Privacy Professional by IAPP.
Access author profile

Related Articles

Data privacy guides
AI governance in the United States: Between state laws and federal preemption
February 6, 2026
Read article
Data privacy guides
Global Privacy Control (GPC): Everything you need to know for 2026 (and beyond)
December 4, 2025
Read article
Data privacy guides
TCF v2.3: The latest version of the Transparency and Consent Framework
November 5, 2025
Read article
Data privacy guides
Top 5 best enterprise Consent Management Platforms (CMP) for 2026
October 29, 2025
Read article
Data privacy guides
ICO review of UK websites’ cookie compliance: What you need to know in 2025
October 22, 2025
Read article
Data privacy guides
The digital stack every marketing team needs in 2025 and beyond (Jellyfish x Didomi)
October 1, 2025
Read article