Introduction
The penalties imposed on Orange, Shein, Condé Nast/VanityFair.fr and American Express reveal a significant change in the CNIL's approach to cookie control.
They are part of a now much more technical approach to monitoring, reflecting four major trends: systematic monitoring of network traffic, strict verification of the effectiveness of user choices, increased accountability of publishers for their technical architecture, including when they rely on industry standards, and a restrictive interpretation of exemptions.
Before 2025: the CNIL's monitoring focused mainly on the user interface and consent
Between 2020 and 2022, the CNIL mainly checked the following points:
• Refusal had to be as simple as acceptance.
• Information on the purposes had to be clear.
• No non-essential cookies should be placed prior to the user's choice.
• The labels and choice paths should not mislead the user.
In short: a control focused on the consent mechanism, with occasional technical checks, but without a comprehensive, systematic analysis of the underlying technical architecture.
The CNIL ensured that the cookie banners respected the main principles: symmetry of the buttons, clarity of information, absence of Dark Patterns. The underlying technical flows — HTTP requests, automatic cookie readings, propagation of withdrawal to partners — were not systematically analyzed.
This approach encouraged compliance that was essentially declarative, based on UX more than on technical reality.
In 2025: the CNIL systematically verifies the technical effectiveness of user choices
The CNIL now systematically verifies the technical effectiveness of user choices, by finely analyzing network flows.
What is a HAR file and how does the CNIL use it?
HAR (HTTP Archive) files make it possible to record all the network interactions of a web page, thus revealing the cookies actually placed.
Concretely, the CNIL analyzes HAR files during its checks to verify in detail each HTTP request, each cookie placed or read, each call to a third party domain.
Automatic reading of cookies: a broad interpretation of the CNIL
The CNIL adopts a broad interpretation of reading operations: the reading of a cookie on the user's terminal can occur automatically, as soon as a request is sent to the server, independently of any voluntary action by the site publisher. Even if the publisher does not actively use the data in a cookie, the simple fact that it is transmitted automatically in an HTTP request constitutes a “reading” subject to consent.
Even “passive” reading is punishable: regardless of the deactivation of scripts, the lack of effective use of data or the existence of purge mechanisms on browsers.
Only the reality of the flows visible in the HAR file counts, regardless of the actual use of the data by the publisher. If the cookie is present in the network flows, the breach is characterized.
This approach is based on an objective assessment of compliance, based on the observation of technical flows and not on the declared intentions of the publisher.
Withdrawal of consent: strict control of the expected technical solutions
Technical effectiveness of withdrawal: a strict requirement
The 2024-2025 sanctions show that many sites continued to read cookies (including first-party cookies) after the user had withdrawn consent, characterizing a failure to give effect to the withdrawal, which is inseparable from the obligation to obtain valid consent in the first place.
The CNIL recalls that after the withdrawal of consent, any reading or writing of trackers must stop, including those generated automatically.
Technical solutions recommended by the CNIL
To this end, the CNIL has identified several technical solutions:
- Change the expiration date of cookies: return a “Set-Cookie” header with a past expiration date to invalidate the cookie and prevent it from being sent in subsequent network requests;
- Delete cookies via a local script: delete cookies without the “HttpOnly” attribute using a script executed locally via the browsers' “cookie” APIs; or
- Block HTTP requests to third-party domains.
The publisher must be able to demonstrate that after the withdrawal of consent, no more reading or writing of trackers is triggered in technical flows, including those triggered automatically.
The three pillars of effective consent withdrawal
This requirement for the technical effectiveness of withdrawal is particularly demanding because it imposes:
- Immediate technical action: the withdrawal cannot simply be recorded in a database for later consideration. It must block all reads and writes instantly.
- Coordination with third-party partners: the publisher must ensure that third-party domains also stop reading their cookies after withdrawal. This involves mechanisms for propagating the withdrawal signal (via the TCF or otherwise).
- Technical proof: the publisher must be able to demonstrate, with the support of HAR files, that the withdrawal is effective. Declarations of intent are no longer enough.
In practice, the withdrawal of consent should be treated as a technical mechanism with immediate effect, and not as a simple change of preference recorded on the interface side.
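The HAR analysis described above and the proof of withdrawal the CNIL expects can be checked mechanically. The following script is an added example, not tooling from the CNIL or from any of the sanctioned publishers: it walks the entries of a HAR capture, classifies every cookie sent or set as first- or third-party, treats a Set-Cookie with a past expiry date as an invalidation rather than a write, and reports non-essential cookie reads/writes that occur before the consent timestamp or after the withdrawal timestamp. The HAR excerpt, hostnames (example.test, ads.partner.test), cookie names and timestamps are all constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR excerpt (not a real capture). Timestamps are ISO 8601 UTC
# strings, so they order correctly when compared as plain strings.
SAMPLE_HAR = json.loads("""{"log": {"entries": [
 {"startedDateTime": "2025-01-01T10:00:00.000Z",
  "request": {"url": "https://www.example.test/", "cookies": []},
  "response": {"cookies": [{"name": "abtest_id", "value": "v1", "expires": "2035-01-01T00:00:00.000Z"}]}},
 {"startedDateTime": "2025-01-01T10:00:05.000Z",
  "request": {"url": "https://ads.partner.test/pixel", "cookies": [{"name": "uid", "value": "42"}]},
  "response": {"cookies": []}},
 {"startedDateTime": "2025-01-01T10:01:00.000Z",
  "request": {"url": "https://www.example.test/withdraw", "cookies": []},
  "response": {"cookies": [{"name": "abtest_id", "value": "", "expires": "1970-01-01T00:00:00.000Z"}]}},
 {"startedDateTime": "2025-01-01T10:01:02.000Z",
  "request": {"url": "https://ads.partner.test/pixel", "cookies": [{"name": "uid", "value": "42"}]},
  "response": {"cookies": []}}
]}}""")

def cookie_flows(har, first_party):
    """Yield (time, host, third_party, op, cookie) for every cookie the capture
    shows being sent to a server (read) or set by a response (write)."""
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        third = host != first_party and not host.endswith("." + first_party)
        when = entry["startedDateTime"]
        for c in entry["request"].get("cookies", []):
            yield when, host, third, "read", c
        for c in entry["response"].get("cookies", []):
            # A Set-Cookie whose expiry is already in the past is the invalidation
            # the CNIL describes, not a new write, so it is labelled separately.
            op = "invalidate" if c.get("expires", "9999") < when else "write"
            yield when, host, third, op, c

def audit(har, first_party, consent_at=None, withdrawn_at=None, essential=()):
    """Return non-essential cookie reads/writes that happened without valid consent:
    before the user's choice, or at/after the withdrawal timestamp."""
    findings = []
    for when, host, third, op, c in cookie_flows(har, first_party):
        if op == "invalidate" or c["name"] in essential:
            continue
        if consent_at is None or when < consent_at:
            phase = "before consent"
        elif withdrawn_at is not None and when >= withdrawn_at:
            phase = "after withdrawal"
        else:
            continue
        findings.append((phase, when, host, third, op, c["name"]))
    return findings
```

On a real capture, run `audit()` once on a HAR recorded from the first page load with no consent given, and once on a HAR recorded after clicking withdrawal; both lists must come back empty apart from cookies you can justify as strictly necessary.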
The IAB TCF and GDPR compliance: why the standard is not enough
The CNIL considers that using the IAB's TCF (Transparency & Consent Framework), an advertising standard adopted by many publishers, does not exempt the publisher from technical expertise and from transparency about the trackers actually placed.
The Condé Nast case: a turning point for the TCF
In the sanction pronounced against the company publishing the site “vanityfair.fr”, the CNIL considers that the publisher should have, at a minimum, referred the user to the IAB rules to explain the technical choices implemented with regard to the required consents or exemptions.
This clarification is essential because it puts an end to a widespread belief: using a CMP (Consent Management Platform) certified TCF does not automatically guarantee compliance with the CNIL.
The responsibilities of the publisher despite the TCF
The publisher remains responsible for:
- Verifying that the cookies actually placed correspond to user choices: even if the CMP transmits consent signals correctly, some partners may not respect them.
- Providing clear and complete information: the TCF imposes presentation constraints (in particular on “purposes” and “features”), but the publisher must ensure that the user really understands what they are agreeing to. If certain “features” are presented as “always active” even though they require consent, the information is misleading.
- Referring to the IAB rules where necessary: when the TCF imposes complex technical choices (for example, certain grouped purposes), the publisher must explain them or refer to the IAB documentation to allow informed consent.
The use of a CMP based on the TCF does not exempt the publisher from its responsibility in terms of the obligation to inform the user in a sufficient and intelligible manner about the technical rules actually implemented.
Ad frequency capping and A/B testing: first sanctions and strict interpretation of exemptions
Ad frequency capping: an advertising purpose subject to consent
In 2025, the CNIL sanctioned for the first time the placement of cookies for ad frequency capping and A/B testing without user consent, based on its 2020 guidelines, recommendations, and FAQ.
Many publishers considered that capping improved the user experience (by avoiding excessive repetition of advertisements) and could therefore benefit from an exemption for “browsing comfort”. The CNIL's position is clear: capping remains an advertising purpose, therefore subject to prior consent, regardless of the perceived benefit for the user.
A/B testing: strictly controlled exemptions
The exemption for audience measurement is strictly regulated and only valid for statistical analyses, over a limited period of time (recommendation: 13 months maximum), without cross-site tracking and for the exclusive account of the publisher. An A/B testing cookie with an identifier that persists for 10 years, allowing extended individual follow-up, goes beyond this framework and requires consent.
These sanctions send a clear signal: exemptions should not be interpreted extensively. If the purpose or duration exceeds the intended scope, consent becomes mandatory again.
Conclusion: “cookie” compliance is now more technical
Remember: the CNIL's “cookie” controls have become more technical. Compliance is no longer assessed from what the user sees, but from the real technical flows.
Website publishers must now take a rigorous technical approach, systematically check their network flows, and ensure that their consent management solutions actually work, beyond appearances.
Checklist: 10 Checkpoints for cookie compliance in 2026
- HAR flow analysis: check that your HAR files do not reveal any cookies placed before consent.
- Immediate withdrawal: test that withdrawing consent instantly blocks any reading/writing of cookies.
- Coordination with third parties: check that your partners respect the withdrawal signals.
- TCF information: if you use the TCF, refer to the IAB rules for complex choices.
- CMP audit: don't just rely on your CMP; check for real technical compliance.
- Ad frequency capping: get consent for all capping cookies.
- A/B testing: limit the duration to a maximum of 13 months and avoid cross-site tracking.
- Technical documentation: keep proof of compliance (HAR files, configurations).
Frequently asked questions about cookies and the CNIL
🔸 What is a HAR file and why does the CNIL use it?
The CNIL analyzes HAR (HTTP Archive) files during its online checks to verify in detail each HTTP request, each cookie placed or read, each call to a third party domain.
HAR files are technical evidence of what is actually happening on a website, regardless of what is displayed to the user.
🔸 Does the IAB TCF ensure GDPR compliance?
No. This clarification puts an end to a widespread belief: using a TCF-certified CMP does not automatically guarantee compliance with the CNIL. In particular, the use of a CMP based on the TCF does not exempt the publisher from its responsibility in terms of the obligation to inform the user in a sufficient and intelligible manner about the technical rules actually implemented.
🔸 Do ad frequency capping cookies require consent?
Yes. Capping remains an advertising purpose; it is therefore subject to prior consent, regardless of the perceived benefit for the user.
🔸 How to prove the effectiveness of the withdrawal of consent?
The publisher must be able to demonstrate that after the withdrawal of consent, no more reading or writing of trackers is triggered in technical flows, including those triggered automatically.
The publisher must be able to demonstrate, with support from HAR files, that the withdrawal is effective.
🔸 What is the maximum duration for an A/B testing cookie without consent?
The exemption for audience measurement is strictly regulated and only valid for statistical analyses, over a limited period of time (recommendation: 13 months maximum), without cross-site tracking and for the exclusive account of the publisher.
