Cookie Policy Guide
Overview
A cookie policy informs users about cookies and trackers placed on their device. It is distinct from the privacy policy but can be integrated into it. It must comply with CNIL 2020 guidelines.
Cookie Policy Objectives
Objective Requirement
Transparency Inform about cookies used and their purposes
Consent Obtain free, informed, and prior consent
Control Allow users to manage their preferences
Compliance Comply with GDPR + ePrivacy + CNIL recommendations
Reference Resources
Template
Template Description
assets/sample_template_politique_cookies.docx
Default template to use if no private template is provided
Internal template provided by lawyer Use if the lawyer has a more suitable private template
CNIL Documentation
PDF File to READ (Read tool) URL to CONSULT (WebFetch tool) Topic
assets/CNIL_lignes_directrices_cookies_et_traceurs.pdf
Cookie guidelines
assets/CNIL_recommandation_cookies_et_traceurs.pdf
https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies Cookie recommendations
assets/CNIL_faq_cookies_et_traceurs.pdf
https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies/FAQ Cookie FAQ
assets/CNIL_evolution_regles_utilisation_cookies.pdf
https://www.cnil.fr/fr/evolution-des-regles-dutilisation-des-cookies-quels-changements-pour-les-internautes Rules evolution
assets/CNIL_transparence.pdf
Guide on information and transparency
assets/CNIL_principes_rgpd.pdf
Fundamental GDPR principles
assets/RGPD_texte_officiel.pdf
Full text of EU Regulation 2016/679
REQUIREMENT: For ANY information regarding cookies, consent, retention periods, exemptions, or best practices:
-
READ the PDF files with the Read tool BEFORE responding on a regulatory point
-
CONSULT the online URLs with WebFetch to verify the most current information
-
CITE the CNIL URL in your response when mentioning a rule or duration
-
NEVER invent a duration or rule without verifying it in the sources
Knowledge Base
Document Content
COOKIES.md Cookie categories, banners, CNIL sanctions, retention periods
BASES_LEGALES_COOKIES.md Cookie-specific legal bases (consent, exemptions)
DROITS_PERSONNES.md Data subject rights
DUREES_CONSERVATION.md Retention periods (6 months recommended by CNIL for consent, 13 months max)
Information to Collect from Client
IMPORTANT: Before drafting the policy, collect the information below.
- Website Publisher Information
-
Full company name
-
Legal form (SAS, SARL, Ltd, etc.)
-
Registered office address
-
Contact email
-
Website URL
- Cookies Used
STRICTLY NECESSARY COOKIES (exempt from consent)
-
Session cookie
-
Authentication cookie
-
Shopping cart cookie
-
Security cookie (CSRF)
-
Language preference cookie
-
Cookie choice remembrance cookie
ANALYTICS COOKIES
-
Google Analytics
-
Matomo
-
AT Internet
-
Other: ___________
ADVERTISING / MARKETING COOKIES
-
Google Ads
-
Facebook Pixel
-
LinkedIn Insight Tag
-
Criteo
-
Other: ___________
SOCIAL MEDIA COOKIES
-
Facebook share buttons
-
Twitter/X share buttons
-
LinkedIn share buttons
-
Embedded YouTube videos
-
Other: ___________
FUNCTIONALITY COOKIES
-
Live chat (e.g., Intercom, Crisp)
-
Video player
-
Interface personalization
-
Other: ___________
- Consent Management Platform (CMP)
-
None
-
Axeptio
-
Didomi
-
Cookiebot
-
OneTrust
-
Other: ___________
- Retention Periods
READ CNIL SOURCE: assets/CNIL_recommandation_cookies_et_traceurs.pdf
- https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies IMPORTANT: CNIL recommends 6 months for the consent cookie. Use 6 months as default.
Cookie CNIL Recommended Duration Maximum Duration
Consent cookie 6 months 13 months
Analytics cookies Depending on purpose 13 months
Advertising cookies Depending on purpose 13 months
Drafting Workflow
Step 1: Template Selection (MANDATORY)
NEVER DRAFT A POLICY FROM SCRATCH. Always start from a given template for drafting, either:
-
the default template in assets/sample_template_politique_cookies.docx ;
-
another internal template provided by the user.
This template is your base reference. You must:
-
Faithfully reproduce the template's structure and wording
-
Keep the exact template phrasing (they are validated)
-
Only replace placeholders with client information
-
Do NOT rewrite sentences even if you think you can phrase them better
-
Do NOT add sections that are not in the template
The collected information (cookies used, CMP, etc.) is used to fill in the template, not to rewrite it.
- FIRST ACTION: Confirm the template to use BEFORE any drafting. Ask the user:
"I will draft the cookie policy starting from the provided default template. Do you have an internal template that would be more suitable as a starting point?"
Option Action
Default template Use assets/sample_template_politique_cookies.docx
Internal template Use the document provided by the lawyer
- Consider the user's choice and select the starting template.
Step 2: Understand the Site and Cookies Used
MAIN OBJECTIVE: Precisely identify all cookies placed by the site.
- Ask the lawyer for available information:
"To draft a perfectly tailored cookie policy, please provide:
- The website URL
- The list of cookies used (if known)
- The consent management platform (CMP) used
- Third-party tools integrated (analytics, advertising, social media...)
- Any existing documentation about the site's cookies
You may anonymize this information if necessary for confidentiality reasons.
The more information you provide, the better adapted the policy will be. Otherwise, we will conduct our own research but it will be limited to publicly accessible information."
- Research on the site (if accessible):
-
Visit the site and observe the cookie banner
-
Identify the CMP used
-
List visible cookies (via browser tools)
-
Note third-party integrations (YouTube, social media, analytics...)
-
Read the existing cookie policy (if present)
- Summary before drafting:
SITE: [URL] CMP USED: [Solution name] STRICTLY NECESSARY COOKIES: [List] ANALYTICS COOKIES: [List + providers] ADVERTISING COOKIES: [List + providers] SOCIAL MEDIA COOKIES: [List + providers] FUNCTIONALITY COOKIES: [List] RETENTION PERIODS: [Compliant with 13 months max?] KEY LAWYER POINTS: [What must absolutely be included]
Once the summary is ready → Proceed to Draft 1.
Step 3: Draft 1
ABSOLUTE RULE: The reference template is your validated base.
-
START from the template: structure, wording, tone → this is your reference
-
ADAPT to the client case: integrate the specific cookies identified
-
DO NOT rewrite everything: keep the template wording, only adapt what needs to be
In summary: Template + client cookies = Draft 1. Not a complete rewrite.
Complete the template section by section:
-
What is a cookie? (definition)
-
Who places cookies? (publisher + third parties)
-
Strictly necessary cookies (detailed table)
-
Analytics cookies (table + purposes)
-
Advertising cookies (table + purposes)
-
Social media cookies (table + purposes)
-
How to manage your preferences? (banner + browser)
-
Retention period
-
Policy updates
-
Contact
Immediate compliance check: Before presenting Draft 1, verify the cookie compliance checklist (CNIL 2020):
-
Exhaustive list of cookies with name, provider, duration, purpose
-
Distinction between necessary cookies vs cookies requiring consent
-
Information that refusing is as easy as accepting
-
Retention periods ≤ 13 months
-
Clear explanation of how the banner works
-
Instructions for managing cookies via browser
-
Link to CMP to modify preferences
-
Document update date
-
Contact for questions
If Draft 1 is compliant → Proceed to Step 3.
Step 4: Deliver Draft 1 + Benchmark + Improvement Suggestions
- Deliver Draft 1 with explanation:
"Here is Draft 1 of the cookie policy.
What I took into account:
- [List of identified cookies]
- [CMP used]
- [Retention periods]
Compliance: The document complies with CNIL 2020 guidelines."
- Present the benchmark (systematic):
Research 3-5 cookie policies from companies in the same sector, then present:
"Benchmark conducted:
I analyzed the cookie policies of:
- [Company 1] - [what we noted]
- [Company 2] - [what we noted]
- [Company 3] - [what we noted]
Identified possible improvements:
Would you like to incorporate these elements into the provided Draft?"
- If the lawyer approves improvements → Produce Draft 2
Step 5: Final Verification
Final review before definitive delivery:
-
All site cookies are listed
-
Distinction between necessary / consent-required respected
-
Retention periods ≤ 13 months
-
Clear management instructions (banner + browser)
-
No internal references in final document
-
Update date present
CNIL Reference Sanctions
Company Amount Reason
Google €150M Refusing cookies more difficult than accepting
Facebook €60M No visible "reject all" button
Amazon €35M Cookies placed without prior consent
Microsoft €60M Cookies placed without consent
These sanctions illustrate the importance of a compliant cookie policy and a banner respecting the principle that refusing must be as easy as accepting.
Common Mistakes to Avoid
Mistake Potential Sanction Solution
Cookies placed before consent Fine Wait for "Accept" click
No visible "Reject" button Fine Button at same level as "Accept"
Strict cookie wall Fine Offer an alternative
Duration > 13 months Formal notice Respect maximum duration
No cookie list Non-compliance Detailed table required
Dark patterns Fine Neutral and clear design
Incomplete cookie list Non-compliance Complete site audit
Using This Guide
-
Step 1 - Choose the template: Default reference template, or lawyer's internal template
-
Step 2 - Identify cookies: Collect lawyer info + site analysis
-
Step 3 - Draft Draft 1: Complete template + compliance check
-
Step 4 - Deliver + Benchmark: Present Draft 1 + systematic benchmark + improvement suggestions
-
Step 5 - Finalize: Integrate approved improvements + final verification
TEMPLATE REMINDER: Never draft from scratch. Always start from the reference template and adapt it. DURATION REMINDER: CNIL recommends 6 months for the consent cookie (13 months max). Always verify in CNIL sources before mentioning a duration.