Cookie Consent and Analytics in France: What French Website Owners Need to Know in 2026

On Google's French websites, accepting cookies took one click. Rejecting them took five. You had to click "Customize," then individually disable three separate toggle switches, then click "Confirm." CNIL, France's privacy regulator, fined Google 150 million euros for that asymmetry alone.

That was in January 2022. Since then, CNIL has fined Google two more times for cookies. The total across all three: 575 million euros. And Google isn't even the only one. CNIL has issued over 1 billion euros in cookie-related fines since 2020. Against companies you've heard of. And companies the size of yours.

I'm David, founder of Clickport. I build privacy-first analytics that don't use cookies or require consent banners. This article is specifically for French website owners: what CNIL actually requires from your cookie banner, the consent exemption most sites don't know about, where Google Analytics stands after the 2022 ruling, and what's coming next.

If you run a website that serves French visitors, this is the regulatory landscape you're operating in.

The rules you're actually subject to

Cookie consent in France is governed by Article 82 of the Loi Informatique et Libertes (Law No. 78-17). This is France's transposition of the EU's ePrivacy Directive, and CNIL interprets it through updated guidelines published in October 2020.

The rules are stricter than most website owners realize. Here's what CNIL actually requires.

Consent must be a clear positive act. Scrolling doesn't count. Continuing to browse doesn't count. Pre-ticked boxes don't count. The user must actively click a button to accept cookies. CNIL's guidelines are explicit: "The scrolling down or swiping through a website or application can no longer be viewed as a valid expression of consent."

Rejecting cookies must be as easy as accepting them. If you have an "Accept All" button, you must have an equally visible "Reject All" button. Same size, same prominence, same number of clicks. This is the rule that cost Google 150 million euros, and CNIL enforces it aggressively. In December 2024, they issued formal notices to multiple websites specifically for styling the reject button as a less visible link while making accept a prominent button.

Each purpose needs separate consent. You can't bundle analytics, advertising, and personalization into a single "Accept All." Users must be able to consent to each purpose independently. And you must clearly explain each purpose in plain language.

Absence of action equals refusal. If a visitor ignores your cookie banner entirely, you must treat that as a rejection. No silent cookie loading while they think about it.

A persistent opt-out must be available on every page. Even after someone consents, they must be able to withdraw that consent at any time through a visible link or icon accessible from every page of your site.

One critical detail: Article 82 applies to all "traceurs" (trackers), not just cookies. Local storage, fingerprinting, pixel tags, device identifiers. If it reads from or writes to the visitor's device, consent is required. The law is technology-neutral.

And "legitimate interest" does not get you out of this. CNIL's FAQ is unambiguous: even if you rely on legitimate interest for the data processing itself, no non-essential tracker can be placed without prior consent. Consent is the only lawful basis for accessing a user's device for analytics purposes. Unless your tool qualifies for the exemption.

The consent exemption most French websites don't know about

Here's what most French website owners miss: CNIL explicitly allows certain analytics tools to operate without cookie consent. No banner needed for analytics. No consent popup. No data loss from visitors clicking reject.

This isn't a loophole. It's a formal exemption framework that CNIL has maintained since 2020, and 18 analytics tools have been evaluated and approved under it.

The exemption applies to audience measurement tools that meet these conditions:

1. Purpose limited to anonymous audience measurement. Pageviews, sessions, technical performance. Not profiling, not remarketing, not behavioral targeting.
2. First-party only. The tool works exclusively for your website. No cross-site tracking across multiple domains.
3. No third-party data sharing. Your analytics data stays between you and your tool. It cannot feed into an advertising ecosystem or be combined with data from other sources.
4. Cookie lifespan capped at 13 months. And the cookie must not reset on each visit.
5. Data retention capped at 25 months.
6. IP address pseudonymized. At least the last byte must be removed after geographic determination.
7. Users informed and given an opt-out. You must tell visitors you're measuring audience, and they must be able to refuse.

If your analytics tool meets all of these conditions, you can track visitors from the moment they arrive. No consent banner blocking your data. No 75% of visitors vanishing because they clicked "Reject."

Important change coming January 1, 2026: CNIL is replacing this approved list with a self-assessment framework. Instead of CNIL evaluating each tool, analytics providers will evaluate themselves against CNIL's published criteria. You won't be able to point to CNIL's list anymore. You'll need to verify that your specific tool and configuration meet the requirements.

And CNIL practices what it preaches. If you inspect cnil.fr, you'll find they track every visitor using Matomo, configured with needConsent: false. France's privacy regulator tracks its own site visitors without asking for cookie consent, using the very exemption framework it created. That's not hypocrisy. It's proof that the exemption works.

Google Analytics: where it stands in France

On February 10, 2022, CNIL ordered French website operators to stop using Google Analytics. The ruling found that transferring visitor data to Google's US servers violated GDPR Chapter V. IP anonymization was rejected as insufficient because Google has access to the full IP before truncation and can re-identify visitors through other data it holds.

The companies targeted were not named publicly, but noyb's complaints identified them as likely being Decathlon, Sephora, and Auchan. CNIL then issued additional formal notices and published a Q&A in June 2022 making its position clear: "All controllers using Google Analytics similarly to the companies targeted by the formal notices should consider the use thereof as unlawful under the GDPR."

CNIL did outline one theoretical path to legal compliance: a proxy server approach where an EU-hosted proxy strips all identifying data before anything reaches Google's servers. The conditions are so strict that CNIL acknowledged the approach is "complex and costly." You'd need to replace user identifiers, remove referrer information, strip URL parameters, reprocess fingerprinting data, and ensure the proxy never communicates directly with Google. At that point, there's very little left of Google Analytics.

What about GA4? CNIL never declared GA4 compliant. Their position was that the problem isn't a specific version. It's the transfer of personal data to US servers where it's accessible to intelligence agencies under FISA Section 702. GA4 addressed some concerns (no full IP storage), but the core transfer issue remained.

Then came the Data Privacy Framework. In July 2023, the European Commission adopted the EU-US Data Privacy Framework (DPF), creating a new legal basis for transfers to certified US organizations. Google is DPF-certified. This technically resolved the specific violation CNIL identified in 2022. CNIL acknowledged the adequacy decision on its website.

So Google Analytics transfers to the US are currently legal under the DPF. But "currently" is doing a lot of work in that sentence.

Here's why this matters: the person who filed the legal challenge to overturn the Data Privacy Framework at the EU's highest court is Philippe Latombe. He's a member of the French National Assembly. And he's a sitting CNIL commissioner. France isn't just enforcing privacy law. It's leading the legal challenge to the very framework that currently keeps Google Analytics legal in Europe.

Meanwhile, the US Privacy and Civil Liberties Oversight Board (PCLOB), which the European Commission referenced 31 times in its DPF adequacy decision as a crucial oversight mechanism, has been gutted by the Trump administration. Three of four members were fired in January 2025. The board can't form a quorum, can't conduct investigations, and can't perform the annual DPF review the adequacy decision relies on.

And when Microsoft's legal director was asked under oath before the French Senate whether he could guarantee French citizens' data wouldn't be transferred to US authorities without consent, his answer was: "Non, je ne peux pas le garantir." No, I cannot guarantee that.

The bottom line for French website owners: Even if Google Analytics is technically legal right now under the DPF, it still requires cookie consent. It doesn't qualify for CNIL's consent exemption. And the legal framework keeping it operational in Europe could collapse at any time. You're building your analytics on a foundation that has already been struck down twice (Safe Harbor, Privacy Shield) and is being challenged a third time by a member of France's own privacy authority.

What CNIL is actually enforcing

You might think CNIL only goes after Google and Meta. The billion-euro fine numbers make headlines, but CNIL enforces against companies at every scale. If you're running a French website with a non-compliant cookie banner, the enforcement record shows CNIL will find you.

Here are the cookie fines that should matter to you, because these are companies closer to your size than Google.

The pattern in these fines is remarkably consistent. The most common violations:

• Cookies placed before consent. Shein was fined 150 million euros because advertising cookies loaded the instant visitors arrived, before any interaction with the banner. Their "Reject All" button didn't even work. Cookies continued to load after clicking it.
• Asymmetric accept/reject. Accept is one click, reject is three to five clicks. This is the violation CNIL pursues most aggressively. TikTok was fined 5 million euros for it. Microsoft 60 million euros for the same issue on Bing.
• Cookies continuing after refusal. Several companies were fined not for a bad banner, but because clicking "Reject All" didn't actually stop the cookies. American Express and Vanity Fair France both got caught on this.

CNIL received a record 17,772 privacy complaints in 2024. That's a 31% increase from 2020. Cookie complaints specifically surged 26% in 2022 and have continued climbing. The CNIL is getting more complaints, processing them faster (thanks to the simplified procedure), and issuing more fines. The trend is not slowing down.

For the full picture of CNIL's enforcement against Big Tech, see our detailed analysis of Google Analytics' legal status.

Your analytics see less than a quarter of your French traffic

This is the part that affects your bottom line directly. Even if your cookie banner is perfectly compliant, it's costing you most of your data.

Research from CookieYes (2026) found that fewer than 25% of French users accept analytics cookies when given a fair choice. The eTracker benchmark study found an average of 60% visit data loss with a legally compliant banner design. And the Advance Metrics study of 1.2 million users found only 25.4% accepted all cookies at the first banner level.

Your cookie-based analytics are seeing a minority of your actual visitors and treating it as the whole picture.

On top of that, 44% of French internet users use ad blockers. Safari (21.74% market share in France) blocks virtually all third-party cookies through ITP. Firefox partitions cookies by site. Combined, privacy browsers and ad blockers make another 20-25% of French traffic invisible to cookie-dependent analytics.

Add it up: 75% reject your cookies. 44% block your scripts. The overlap between these groups means that a cookie-based analytics tool on a French website might be seeing 20-30% of actual traffic. You're making business decisions for a 196.4 billion euro e-commerce market based on a data sample that misses the majority of your visitors.

What French websites are actually doing about it

France has responded to this situation differently than most of Europe. Where other countries are still debating, France has moved.

Matomo holds 12.9% of .fr domains according to W3Techs. That's nearly 5x its global average of 2.7%. Roughly one in four French websites has already moved away from Google Analytics. France is the single strongest market in Europe for GA alternatives.

French government websites have led the migration. service-public.gouv.fr (the main government services portal) and impots.gouv.fr (the tax authority) both use Eulerian, a French analytics company. CNIL itself uses Matomo. Major French media outlets including Le Monde and France Info use Piano Analytics (formerly AT Internet, founded in Bordeaux in 1996).

France has a uniquely deep bench of homegrown analytics companies that exists nowhere else in Europe:

• Matomo: Created in 2007 by French engineer Matthieu Aubry (originally as Piwik). Open source, self-hosted option available. CNIL consent-exempt when properly configured.
• Piano Analytics: Founded in Bordeaux in 1996 as AT Internet. The standard for French media audience measurement. CNIL consent-exempt.
• Eulerian: French martech company, made and hosted in France. Server-side, first-party data collection. Clients include Carrefour, Fnac Darty, Orange, Canal+, and the French government.
• ABLA Analytics: Made in Marseille by Astra Porta. Hosted on Scaleway (French cloud). CNIL consent-exempt by default. Claims to recover 41% more data than GA. Free tier available.

The French analytics ecosystem is more developed than anywhere else in Europe because CNIL forced the issue earlier than anyone. The 2022 Google Analytics ruling, combined with the consent exemption framework, created market conditions where privacy-first tools had a genuine competitive advantage. Other European countries are only now catching up to where France has been for years.

What's coming in 2026 and beyond

Three developments will reshape this landscape in the next 12-24 months.

1. The EU Digital Omnibus would make France's approach the law everywhere.

The Digital Omnibus (proposed November 2025) creates a consent exemption for audience measurement analytics at the EU level, written directly into the GDPR via a new Article 88a. The conditions mirror what CNIL has already been doing: first-party only, no cross-site tracking, no third-party data sharing, controller's own use only.

If it passes, the consent exemption that currently only applies formally in France (and informally in a handful of other countries) would become the law across all 27 EU member states. The feedback period closed March 9, 2026. It's now before the European Parliament and Council.

The Omnibus also proposes a companion Article 88b mandating browser-level privacy signals. Websites would be required to honor standardized privacy preferences sent by browsers. This could eventually replace per-site cookie banners entirely. Implementation timeline: 24-48 months after adoption.

2. The Latombe CJEU appeal could invalidate the Data Privacy Framework.

Philippe Latombe's appeal to the Court of Justice is pending. This is the same court that struck down Safe Harbor (Schrems I, 2015) and Privacy Shield (Schrems II, 2020). If it invalidates the DPF, EU-to-US data transfers would again lack a legal basis. Google Analytics would face the same illegal status it had in 2022. A ruling is expected in late 2026 or 2027.

3. CNIL is expanding into new tracking categories.

On February 25, 2026, CNIL launched a public consultation on session replay tools (Hotjar, FullStory, etc.), with comments open until April 22, 2026. Their position: session replay requires prior consent, passwords and payment data must be blocked by default, and blanket recording of all sessions is not acceptable. CNIL is also working on rules for email tracking pixels, which would require explicit prior consent.

The direction is clear: CNIL is methodically expanding consent requirements to every form of user tracking. Tools that don't need consent by design will have an increasingly large advantage over those that do.

What this means for your website

If you run a website that serves French visitors, here's a practical assessment of where you stand.

If you're using Google Analytics with a cookie banner: You're probably compliant with the DPF (for now), but you're losing 70-80% of your visitor data to consent rejection and ad blockers. Your analytics are showing you a biased minority of your actual traffic. And the legal framework supporting your data transfers to the US is being challenged at the EU's highest court by a sitting member of France's own privacy authority.

If your cookie banner isn't compliant: You're at risk. CNIL issued 87 sanctions in 2024 and 83 in 2025. They process 17,772 complaints per year. The simplified procedure means they can issue fines faster than ever. And the most common violation, asymmetric accept/reject buttons, is exactly what most off-the-shelf cookie banners still do wrong.

If you want to see all your traffic and eliminate the risk: Switch to an analytics tool that qualifies for CNIL's consent exemption. No cookie banner needed for analytics. 100% of visitors visible from day one. No CNIL enforcement risk for analytics tracking. No dependency on the Data Privacy Framework staying valid.

Clickport is built for exactly this situation. No cookies, no consent banner required, EU-hosted, first-party only, privacy-first by design. Every visitor is visible. Every session is tracked. No legal dependency on US data transfers. You can try it free for 30 days, no credit card required, and see the difference in your data within the first hour.

The French privacy landscape is moving in one direction. CNIL's enforcement is accelerating. The consent exemption for privacy-first analytics is becoming EU law. The legal framework for US data transfers is under active threat. The question isn't whether to switch. It's when.