GDPR and e-commerce: cookies and consent in France (2026)
Consent by positive act, 'Reject all' button at the same level as 'Accept all', 6-month renewal recommendation, exempted cookies, records of processing and CNIL sanctions: the 2026 rules for a compliant French online store.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
GDPR compliance for a French online store is not a question reserved for major platforms. In 2026, an e-merchant who drops advertising cookies without valid consent faces a CNIL enforcement procedure, whether their turnover is €80,000 or €80 million. The issue combines personal data law, electronic contract rules and operational tag-management practice — three areas that SME founders rarely address together.
This article sets out the 2026 framework, the practical requirements for a consent banner, exempted cookies, the retention periods to observe, the broader GDPR obligations specific to online retail, and the sanctions to factor into your compliance decisions.
An e-commerce site may only place non-essential cookies after clear consent, expressed by a positive act — clicking 'Accept'. Refusing must be as easy as accepting: a 'Reject all' button at the same level. The CNIL recommends renewing consent approximately every 6 months. Beyond cookies, the site must keep records of processing, inform its customers, frame transfers outside the EU and define consistent retention periods. Fines can reach €20 million or 4% of worldwide annual turnover.
Is consent required before placing cookies?
Yes, except for cookies that are strictly necessary for the service to function. This is the principle set out in Article 82 of the French Data Protection Act (loi n° 78-17), which transposes the ePrivacy directive, and clarified by CNIL guidelines.
Prior consent is required for all cookies that are not essential to the service explicitly requested by the user: advertising and retargeting cookies, social-media pixels (Meta Pixel, TikTok Pixel), non-exempt audience-measurement cookies, and non-essential personalisation cookies.
Consent must result from a clear positive act: clicking an 'Accept' button or ticking a box. Simply continuing to browse no longer constitutes consent since the revision of CNIL guidelines. Pre-ticked boxes are not permitted.
The GDPR (EU Regulation 2016/679) works alongside the ePrivacy directive: cookie consent falls under the legal basis of 'freely given, specific, informed and unambiguous' consent under Article 7 of the GDPR, combined with the Article 82 obligation.
How do you build a CNIL-compliant cookie banner?
The banner is the first interface between the site and the user on tracker management. The CNIL assesses compliance by looking at three dimensions: how choices are presented, ease of refusal and the information provided.
The 'refuse as easy as accept' rule
This is the most closely monitored requirement in 2026. The 'Reject all' button must be at the same hierarchical level and in the same visual format as the 'Accept all' button. Placing 'Reject' as a discreet text link below a large 'Accept' button does not meet this requirement.
| Compliant practice | At-risk practice |
|---|---|
| Two same-size, same-colour 'Accept all' / 'Reject all' buttons | 'Reject' as a grey link below a prominent 'Accept' button |
| Consent withdrawal accessible via a persistent footer link | No way to withdraw consent once given |
| No non-essential cookie placed before the user chooses | Cookies fired as soon as the page loads |
| Clear information on purpose before any placement | Purposes described only in the privacy policy |
Withdrawing consent
Users must be able to withdraw consent at any time and as easily as they gave it. The standard approach is a 'Manage my preferences' or 'Cookies' link in the footer, which reopens the banner or the preference management panel.
Cookie walls
Conditioning access to the site on accepting cookies is a practice whose lawfulness is assessed case by case. The CNIL has accepted certain cookie walls where an equivalent paid alternative is offered, but caution is advisable for a general-public merchant site.
Which cookies are exempt from consent?
The CNIL recommendation identifies two exempt categories.
Strictly necessary cookies: shopping cart, session identifier, authentication, load balancing, security (CSRF protection). These may be placed without consent, but users must still be informed.
Certain audience-measurement cookies, subject to cumulative conditions: purpose strictly limited to measuring site audience for the publisher, no cross-referencing with other processing, limited lifespan, aggregated data only, users informed in the privacy policy. This exemption covers specific configurations validated by the CNIL; it does not apply to Google Analytics in its default configuration. Implementing Consent Mode v2 can partly address this requirement, but does not guarantee full exemption.
All other cookies — advertising, remarketing, social media, advanced personalisation — require prior consent.
How long can cookies stay active, and when must consent be renewed?
The CNIL gives two duration recommendations.
- Cookie lifespan: the CNIL historically recommended 13 months. In its consolidated January 2026 recommendation, it emphasises that duration must be proportionate to the purpose and recommends shorter periods for advertising cookies. 6 months is the operational benchmark for consent renewal.
- Retention of data collected via cookies: data from trackers should not be retained beyond 25 months (prior CNIL recommendation, still relevant in the absence of new guidance).
- Consent renewal: the CNIL recommends seeking fresh consent after approximately 6 months, assessed case by case according to the nature of the processing.
These durations must be documented in your records of processing and privacy policy.
Practical example for an online store
For an e-commerce client we work with (fashion sector, approximately 15,000 unique visitors per month), compliance required four simultaneous workstreams: (1) reconfiguring the consent management platform (CMP) to display both buttons at the same level; (2) auditing tags in Google Tag Manager to ensure no pixel fires before consent; (3) reducing advertising cookie lifespan from 90 to 30 days; (4) adding a 'Manage my cookies' link in the footer. Implementation time: around two development days and one hour of CMP configuration. The main stumbling block: third-party scripts loaded directly in the source code (outside Tag Manager), placing cookies without passing through the consent layer.
Tag Manager, pixels and third-party tools: the operational risk
Cookie compliance depends on the technical chain, not just the banner interface. A compliant banner combined with scripts loaded outside the tag manager does not protect you.
| Tool or pixel | Exempt from consent? | Watch point |
|---|---|---|
| Cart, session, CSRF | Yes | Verify lifespan is proportionate |
| Google Analytics (standard config.) | No | Switch to Consent Mode v2 or exempt solution |
| Meta Pixel / TikTok Pixel | No | Fire only after consent |
| Google Ads Remarketing | No | Block in GTM before consent |
| Hotjar, Microsoft Clarity | No | Configure consent in CMP |
| Live chat (Intercom, Zendesk) | No (if third-party tracker) | Load after consent or check terms |
Deploying a CMP (OneTrust, Axeptio, Didomi, Cookiebot, etc.) linked to Google Tag Manager in conditional-trigger mode is the most widely adopted technical solution among mid-size e-merchants.
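The two controls this section relies on, a conditional trigger that lets a tag fire only once consent covers its purpose and is recent enough, and a first-load audit that flags cookies placed before any choice, can be modelled in a few lines. The block below is an added example written for this article, not the code of any CMP or tag manager named above; the tag names, purposes, cookie names and the 182-day renewal window are constructed assumptions.

```javascript
// Added example: consent gate + pre-consent cookie audit, modelled on a CMP wired to a
// tag manager in conditional-trigger mode. All tag/cookie names are constructed sample data.
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // operational benchmark for consent renewal (~6 months)

// Tag registry: essential tags are exempt from consent; every other tag declares the
// purpose the user must have accepted before it is allowed to fire.
const TAGS = [
  { name: 'session-cookie', essential: true },
  { name: 'csrf-token',     essential: true },
  { name: 'analytics',      essential: false, purpose: 'analytics' },
  { name: 'meta-pixel',     essential: false, purpose: 'advertising' },
  { name: 'remarketing',    essential: false, purpose: 'advertising' },
];

// A consent record as a CMP would store it: { decidedAt: <ms timestamp>, purposes: [...] }.
// No record = the user has not chosen yet; a record with an empty purposes list = 'Reject all'.
function consentIsCurrent(record, now = Date.now()) {
  return !!record && now - record.decidedAt < SIX_MONTHS_MS;
}

// Conditional trigger: essential tags always fire; any other tag fires only if a consent
// record exists, is still within the renewal window, and covers that tag's purpose.
function tagsAllowedToFire(record, now = Date.now()) {
  const current = consentIsCurrent(record, now);
  return TAGS
    .filter(t => t.essential || (current && record.purposes.includes(t.purpose)))
    .map(t => t.name);
}

// Audit: map cookies observed on first page load (before any choice) back to the tag that
// sets them; anything not owned by an essential tag, including unknown cookies, is a finding.
// This mirrors the manual DevTools check but catches scripts loaded outside the tag manager.
const COOKIE_OWNER = { PHPSESSID: 'session-cookie', csrftoken: 'csrf-token', _ga: 'analytics', _fbp: 'meta-pixel' };

function auditPreConsentCookies(observedCookieNames) {
  const essential = new Set(TAGS.filter(t => t.essential).map(t => t.name));
  return observedCookieNames.filter(name => !essential.has(COOKIE_OWNER[name]));
}

// Constructed first-load snapshot: a compliant site would report no findings here.
console.log('Pre-consent findings:', auditPreConsentCookies(['PHPSESSID', '_ga', '_fbp', 'csrftoken']));
```

Feeding the audit the cookie list captured on a fresh, no-choice page load is the quickest way to spot a pixel that bypasses the consent layer.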
Other GDPR obligations for an e-commerce site
Cookies are the visible part of the iceberg. An online store processes a significant volume of personal data: customer contact details, order histories, browsing behaviour, payment data (for solutions that store it), delivery addresses, loyalty data.
Records of processing: any organisation that processes personal data on a non-occasional basis must maintain GDPR records of processing. For an e-commerce site, the register covers at minimum: order management, customer account management, commercial prospecting, analytics, advertising cookies, returns management.
Information and individual rights: the privacy policy must be written in plain language, accessible from every page, and precisely describe purposes, retention periods and recipients. A dedicated contact form or email address (e.g. dpo@your-store.fr) is standard practice for handling rights requests.
Retention periods: order and invoicing data follow accounting obligations (10 years for accounting documents). Inactive customer account data is typically deleted or anonymised after 3 years of inactivity. Prospecting data is kept for 3 years from the last active contact. These periods must be written down and enforced in systems.
DPO (Data Protection Officer): appointment of a DPO is mandatory in only three cases (Article 37 GDPR): public authority or body, large-scale processing of sensitive data, or large-scale systematic monitoring. Most e-commerce SMEs do not fall under this obligation, but designating an internal GDPR contact is good practice. See our article on the DPO's role to decide.
These issues are closely linked to the accounting obligations of an e-commerce site: invoicing data retention periods align with statutory accounting requirements.
Transfers of data outside the EU
This is a practical question for any e-merchant using US-based tools: hosting (AWS, Google Cloud), analytics (Google Analytics), CRM (HubSpot, Salesforce), advertising (Meta, TikTok), support (Zendesk, Intercom).
These transfers are lawful if one of the following frameworks is in place:
- Data Privacy Framework (DPF): since July 2023, transfers to US companies self-certified under the DPF are authorised. Verifying each provider's certification on the official register (dataprivacyframework.gov) is an annual due-diligence step.
- Standard Contractual Clauses (SCCs): for providers not certified under the DPF or based outside the US, SCCs adopted by the European Commission remain the standard mechanism. They must be signed and documented.
- Binding Corporate Rules: an option for intragroup transfers, but rarely used by SMEs due to complexity.
A transfer register must be maintained. An annual audit of providers and their transfer mechanisms is good practice, particularly if you use many SaaS tools.
See also our article on DAC-7 reporting obligations for platforms and marketplaces for the associated declaratory requirements.
What are the penalties for non-compliant cookies?
The CNIL has graduated enforcement powers. It can issue:
- formal notices (no immediate financial penalty, but with a compliance deadline);
- administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher;
- orders to cease processing.
Placing cookies without consent is one of the most frequent grounds for sanctions in published CNIL decisions. Large platforms have been fined tens to hundreds of millions of euros. SMEs are not immune: the CNIL has also sanctioned mid-sized players for cookie breaches, often following user complaints.
Cookie compliance is also a commercial trust issue: users are increasingly sensitive to how their data is handled, and a poorly designed banner can signal a lack of professionalism.
Data security completes GDPR compliance: see our cybersecurity checklist for SMEs.
Compliance checklist: 8 points to check
- Cookie banner with 'Accept all' and 'Reject all' at the same visual and hierarchical level.
- No non-essential cookie placed before the user's choice (check using a cookie audit tool or Chrome DevTools Application tab).
- Consent withdrawable at any time via a permanently accessible footer link.
- Cookie lifespan documented and proportionate (consent renewal approximately every 6 months).
- Up-to-date privacy policy covering all purposes, periods and recipients.
- Records of processing maintained (orders, customer accounts, analytics, prospecting).
- Retention periods defined by data category and enforced in systems.
- Transfers outside the EU mapped and framed (DPF or SCCs for each relevant provider).
Up to date as of 2026-06-14. This article is for information purposes and does not replace personalised advice. For your situation, consult a registered accountant or a data protection specialist.
Frequently asked questions
Is consent required before placing cookies on an e-commerce site?
Yes, for all non-essential cookies. Only strictly necessary cookies — shopping cart, session, authentication, load balancing — can be placed without prior consent. Advertising cookies, social-media pixels and non-exempt audience-measurement tools require a clear positive act from the user (clicking 'Accept'). Simply continuing to browse no longer constitutes consent under revised CNIL guidelines.
How do you build a CNIL-compliant cookie banner in 2026?
The banner must show a 'Reject all' button at the same level and in the same visual format as 'Accept all'. No non-essential cookie may be placed before the user makes a choice. Consent must be withdrawable at any time via a permanently accessible link (typically in the footer). A CMP linked to Google Tag Manager is the most widely used technical approach to ensure third-party scripts only fire after consent.
Which cookies are exempt from consent?
Strictly necessary cookies are exempt: shopping cart, session identifier, authentication and load balancing. Certain audience-measurement cookies may also be exempt, subject to strict cumulative conditions (purpose limited to measuring the site, no data cross-referencing, limited lifespan, aggregated data only). This exemption does not apply to Google Analytics in its standard configuration. Outside these cases, all trackers require prior consent.
What cookie consent duration does the CNIL recommend in 2026?
The CNIL recommends renewing consent approximately every 6 months, assessed case by case. Data collected via cookies should not be retained beyond 25 months. Cookie lifespan must be proportionate to purpose, with shorter periods recommended for advertising cookies. These durations must be documented in the records of processing and the privacy policy.
What penalties does a non-compliant e-commerce site face for cookies?
The CNIL can impose fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Placing cookies without consent is one of the most frequent grounds for published sanctions. The CNIL typically starts with a formal notice giving a compliance deadline before imposing a financial penalty. SMEs are not immune, particularly when user complaints trigger an investigation.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.
Sources
Official and operational sources cited for this page.
- CNIL — Les règles à suivre pour les cookies et autres traceurs
- CNIL — Lignes directrices modificatives et recommandation cookies
- EUR-Lex — Règlement (UE) 2016/679 du Parlement européen et du Conseil (RGPD)
- Légifrance — Article 82 de la loi Informatique et Libertés (n° 78-17)
- CNIL — Transférer des données hors de l'UE
- Data Privacy Framework — Registre des entreprises certifiées (US)