Cookies and multi-terminal consent: the CNIL sets the framework

After a public consultation and analysis of market feedback, in January 2026, the CNIL published its final recommendations on multi-terminal consent (” Cross-device ”). For legal and marketing departments, the challenge is twofold: to comply with a strict framework, while avoiding operational pitfalls and the risk of sanctions.

A single consent, but subject to conditions

In its recommendations, the CNIL explicitly authorizes the collection of a single consent for the use of trackers on all terminals connected to the same user account. This practice aims to limit “consent fatigue”, particularly in multi-brand ecosystems or media groups.

However, this is an option, and not an obligation: the CNIL sets the applicable framework when actors choose to deploy such a mechanism.

However (and contrary to the position defended by some actors during the consultation opened in April 2025), the CNIL strictly regulates this mechanism: it is only valid in an “authenticated universe”.

In other words, the user must be connected to a personal account, and his choices must be linked to this account, and not to a specific terminal. Multi-terminal consent is therefore not a shortcut for sharing choices on a large scale: it is a conditional option, which is based on a direct and traceable link between the account and the preferences expressed.

The intervention of the CNIL aims to bring tracking practices into line with the existing legal framework, by applying the principles of the RGPD and the Directive ePrivacy in a specific scenario: that of multi-terminals. The recommendations provide operational details, in particular concerning two pillars of data protection:

  • Information must remain adapted to display constraints... while being complete and understandable. The CNIL introduces a key point here: the multi-terminal nature of consent must be mentioned at the first level of information. In practice, this also involves a second period of information: when a terminal has not yet been linked to the account, the user must be informed after authentication, via an ephemeral banner.

This banner must in particular indicate, if applicable, whether choices associated with the account have already been registered or modified and if a contradiction exists between the preferences recorded on the terminal and those associated with the account.

Concretely, this means that a new interface component will have to be included in many user journeys: a post-authentication information banner, distinct from the consent banner.

  • Informed consent resulting from a positive act, which requires particular vigilance during the transition to a multi-terminal mechanism. The CNIL specifies in fact that a consent expressed on a given terminal, before the transition to multi-terminal management, cannot automatically be considered valid for other terminals. The logic is simple: if the user was not informed of the multi-terminal scope of his choice at the time he expressed it, then this choice cannot be “extended” by default.

When preferences don't match: how do you make a decision safely?

The CNIL looked at a point that divided the actors interviewed during the consultation: what to do when, before authentication, a user makes choices on a terminal that are different from those already registered at the level of his account?

The CNIL is considering two options:

  • Option 1 : the choices made on the terminal before authentication overwrite those saved within the account. The new choices then become the reference and apply to all terminals connected to the account.

This option has a strong operational advantage: it ensures that the last choice expressed by the user is the one that prevails, regardless of the medium used.

  • Option 2 : the choices recorded within the account take precedence over those made on the terminal before authentication. In this scenario, the “account” preference takes precedence over the “terminal” preference, which is equivalent to considering that the last collection window displayed (and validated in an authenticated universe) should take precedence.

But this modality has an important technical consequence: it is necessary to be able to distinguish navigation tracking according to whether the user is authenticated or not, for example via two different cookies and/or identifiers.

It is up to data controllers to choose the modality they wish to apply. However, the CNIL encourages the actors concerned to develop a common approach, in order to facilitate the understanding of the device by users, regardless of the site or application visited.

Operational pitfalls: consent fatigue, Dark Patterns unintentional and shared account management

Reading these recommendations, we already identify several possible operational pitfalls:

  • The risk of” Dark Patterns ” involuntary : the CNIL recalls that consent must be as easy to withdraw as it is to give. However, the synchronization of choices between terminals can, if poorly designed, make withdrawal more complex for the user. For example, a user who refuses cookies on mobile should be able to do so just as easily on desktop, without having to navigate through hidden menus.

Actors must take care not to create an imbalance between the ease of consenting and the ease of refusing or withdrawing consent.

  • Consent fatigue and the user experience : the multiplication of reminders and ephemeral banners, although required by the CNIL, can harm the user experience and generate consumer fatigue. The risk of users systematically clicking “accept” to make notifications disappear could go against the spirit of the GDPR.

  • Management of shared or family accounts : the CNIL insists on the fact that consent choices should not impact other users of the same terminal who are not authenticated to the same account. This poses a technical challenge for platforms, especially in homes where several people use the same devices.

Multi-terminal consent represents an important compliance challenge, but also a new stage of operational complexity for data controllers. It is neither a legal gimmick, nor a simple adjustment of Consent Management Platform : it is a structuring element of your tracker compliance strategy. As such, it deserves to be integrated into a global data governance approach rather than treated as an isolated constraint.

Our recommendations: before integrating multi-terminal consent, it is essential to ensure that you are able to:

  • to implement adapted and compliant multi-level information management,
  • to manage the contradictions of choice between the different spaces,
  • to trace these different choices,
  • to guarantee the simplicity of the withdrawal of any consent, regardless of the terminal used.

For any questions or support needs, do not hesitate to contact our IT/Data team.

Caroline Chancé, partner lawyer and Victoire Grosjean, associate lawyer

Read the article
Listen to the episode
Read the press release
Watch the video
Learn more
February 3, 2026
Say, hey!
Cta Arrow
Saturday - Thursday:
8:30am - 10:45pm
Call for an appointment

hello@libertylaw.com

Brand logo

© 2024

Squair

Pages
Home
Activities
Team
News
Contact
Legal information
Legal notices
General conditions of use
Privacy policy