CNIL launches public consultation on draft recommendations relating to multi-terminal consent

The CNIL notes that a multi-terminal consent system – a “cross-device” consent solution – is optional. However, the Draft Recommendation seeks to clarify the requirements for collecting multi-device consent. For example, the Draft Recommendation defines multi-terminal consent, outlines the legal conditions for obtaining multi-terminal / cross-device consent, and provides practical recommendations in relation to user transparency and how to navigate risks and challenges. For example, the CNIL notes that individual choices associated with one account should not impact all other users of the shared device, when they are not authenticated to the same account. 

• Conditions: The CNIL confirms that consent must still be obtained under the same legal conditions previously outlined by the CNIL in its existing Recommendation on cookies. For example: (i) it must be as easy to give consent as to withdraw it; and (ii) users must receive clear information about the scope of their consent before making a choice. The information must specify that the choices will apply to all devices on which the account user is authenticated.
• Transparency: The CNIL notes that users must be informed, typically via a consent management platform (CMP), about the scope of their consent and the ability to modify their choices. When a user authenticates on a new device, an information banner should immediately clarify whether the account’s consent choices have been saved or modified. This ensures that users are always aware of how their consent is being managed across devices.
• Managing contradictions between choices made in non-logged-in environments and those recorded on the account: The Draft Recommendations note that a key challenge arises when a user expresses different consent choices on a device before logging in, compared to those already associated with their account. The CNIL outlines two main approaches for resolving such contradictions: (i) the most recent choice (made on the new device before authentication) overwrites the account’s previous choices, ensuring the latest user preference is respected across all devices; or (ii) the account’s existing choices can take precedence, requiring technical measures to distinguish between logged-in and non-logged-in tracking. The CNIL recommends that organisations adopt a single, consistent approach to multi-device consent management to enhance user understanding and trust. In both cases, users must be clearly informed about how contradictions are managed and how they can modify their choices.
• Managing the switch towards a multi-terminal consent: Controllers must collect new, free, specific, informed and unambiguous consent. Consent expressed on a given device prior to the switch to multi-terminal consent management cannot be considered valid for other terminals, as the user was not informed of the multi-terminal scope of their consent.

The public consultation is open until June 5 2025. The consultation on the Draft Recommendation is available here, the press release is available here and the Draft Recommendation is available here (in French only).