Cookie Policy Guide

Overview

A cookie policy informs users about cookies and trackers placed on their device. It is distinct from the privacy policy but can be integrated into it. It must comply with CNIL 2020 guidelines.

Cookie Policy Objectives

Reference Resources

Template

CNIL Documentation

REQUIREMENT: For ANY information regarding cookies, consent, retention periods, exemptions, or best practices:

1. READ the PDF files with the Read tool BEFORE responding on a regulatory point
2. CONSULT the online URLs with WebFetch to verify the most current information
3. CITE the CNIL URL in your response when mentioning a rule or duration
4. NEVER invent a duration or rule without verifying it in the sources

Knowledge Base

Information to Collect from Client

IMPORTANT: Before drafting the policy, collect the information below.

1. Website Publisher Information

• Full company name
• Legal form (SAS, SARL, Ltd, etc.)
• Registered office address
• Contact email
• Website URL

2. Cookies Used

STRICTLY NECESSARY COOKIES (exempt from consent)

• Session cookie
• Authentication cookie
• Shopping cart cookie
• Security cookie (CSRF)
• Language preference cookie
• Cookie choice remembrance cookie

ANALYTICS COOKIES

• Google Analytics
• Matomo
• AT Internet
• Other: ___________

ADVERTISING / MARKETING COOKIES

• Google Ads
• Facebook Pixel
• LinkedIn Insight Tag
• Criteo
• Other: ___________

SOCIAL MEDIA COOKIES

• Facebook share buttons
• Twitter/X share buttons
• LinkedIn share buttons
• Embedded YouTube videos
• Other: ___________

FUNCTIONALITY COOKIES

• Live chat (e.g., Intercom, Crisp)
• Video player
• Interface personalization
• Other: ___________

3. Consent Management Platform (CMP)

• None
• Axeptio
• Didomi
• Cookiebot
• OneTrust
• Other: ___________

4. Retention Periods

READ CNIL SOURCE: assets/CNIL_recommandation_cookies_et_traceurs.pdf + https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies IMPORTANT: CNIL recommends 6 months for the consent cookie. Use 6 months as default.

Drafting Workflow

Step 1: Template Selection (MANDATORY)

NEVER DRAFT A POLICY FROM SCRATCH. Always start from a given template for drafting, either:

• the default template in assets/sample_template_politique_cookies.docx;
• another internal template provided by the user.

This template is your base reference. You must:

• Faithfully reproduce the template's structure and wording
• Keep the exact template phrasing (they are validated)
• Only replace placeholders with client information
• Do NOT rewrite sentences even if you think you can phrase them better
• Do NOT add sections that are not in the template

The collected information (cookies used, CMP, etc.) is used to fill in the template, not to rewrite it.

1. FIRST ACTION: Confirm the template to use BEFORE any drafting. Ask the user:

"I will draft the cookie policy starting from the provided default template. Do you have an internal template that would be more suitable as a starting point?"

2. Consider the user's choice and select the starting template.

Step 2: Understand the Site and Cookies Used

MAIN OBJECTIVE: Precisely identify all cookies placed by the site.

1. Ask the lawyer for available information:

"To draft a perfectly tailored cookie policy, please provide:
- The website URL
- The list of cookies used (if known)
- The consent management platform (CMP) used
- Third-party tools integrated (analytics, advertising, social media...)
- Any existing documentation about the site's cookies

You may anonymize this information if necessary for confidentiality reasons.

The more information you provide, the better adapted the policy will be. Otherwise, we will conduct our own research but it will be limited to publicly accessible information."

2. Research on the site (if accessible):

• Visit the site and observe the cookie banner
• Identify the CMP used
• List visible cookies (via browser tools)
• Note third-party integrations (YouTube, social media, analytics...)
• Read the existing cookie policy (if present)

3. Summary before drafting:

SITE: [URL]
CMP USED: [Solution name]
STRICTLY NECESSARY COOKIES: [List]
ANALYTICS COOKIES: [List + providers]
ADVERTISING COOKIES: [List + providers]
SOCIAL MEDIA COOKIES: [List + providers]
FUNCTIONALITY COOKIES: [List]
RETENTION PERIODS: [Compliant with 13 months max?]
KEY LAWYER POINTS: [What must absolutely be included]

Once the summary is ready → Proceed to Draft 1.

Step 3: Draft 1

ABSOLUTE RULE: The reference template is your validated base.

• START from the template: structure, wording, tone → this is your reference
• ADAPT to the client case: integrate the specific cookies identified
• DO NOT rewrite everything: keep the template wording, only adapt what needs to be

In summary: Template + client cookies = Draft 1. Not a complete rewrite.

Complete the template section by section:

1. What is a cookie? (definition)
2. Who places cookies? (publisher + third parties)
3. Strictly necessary cookies (detailed table)
4. Analytics cookies (table + purposes)
5. Advertising cookies (table + purposes)
6. Social media cookies (table + purposes)
7. How to manage your preferences? (banner + browser)
8. Retention period
9. Policy updates
10. Contact

Immediate compliance check: Before presenting Draft 1, verify the cookie compliance checklist (CNIL 2020):

• Exhaustive list of cookies with name, provider, duration, purpose
• Distinction between necessary cookies vs cookies requiring consent
• Information that refusing is as easy as accepting
• Retention periods ≤ 13 months
• Clear explanation of how the banner works
• Instructions for managing cookies via browser
• Link to CMP to modify preferences
• Document update date
• Contact for questions

If Draft 1 is compliant → Proceed to Step 3.

Step 4: Deliver Draft 1 + Benchmark + Improvement Suggestions

1. Deliver Draft 1 with explanation:

"Here is Draft 1 of the cookie policy.

**What I took into account:**
- [List of identified cookies]
- [CMP used]
- [Retention periods]

**Compliance:** The document complies with CNIL 2020 guidelines."

2. Present the benchmark (systematic):

Research 3-5 cookie policies from companies in the same sector, then present:

"**Benchmark conducted:**

I analyzed the cookie policies of:
- [Company 1] - [what we noted]
- [Company 2] - [what we noted]
- [Company 3] - [what we noted]

**Identified possible improvements:**
- [Improvement 1]: [explanation]
- [Improvement 2]: [explanation]

Would you like to incorporate these elements into the provided Draft?"

3. If the lawyer approves improvements → Produce Draft 2

Step 5: Final Verification

Final review before definitive delivery:

• All site cookies are listed
• Distinction between necessary / consent-required respected
• Retention periods ≤ 13 months
• Clear management instructions (banner + browser)
• No internal references in final document
• Update date present

CNIL Reference Sanctions

These sanctions illustrate the importance of a compliant cookie policy and a banner respecting the principle that refusing must be as easy as accepting.

Common Mistakes to Avoid

Using This Guide

1. Step 1 - Choose the template: Default reference template, or lawyer's internal template
2. Step 2 - Identify cookies: Collect lawyer info + site analysis
3. Step 3 - Draft Draft 1: Complete template + compliance check
4. Step 4 - Deliver + Benchmark: Present Draft 1 + systematic benchmark + improvement suggestions
5. Step 5 - Finalize: Integrate approved improvements + final verification

TEMPLATE REMINDER: Never draft from scratch. Always start from the reference template and adapt it. DURATION REMINDER: CNIL recommends 6 months for the consent cookie (13 months max). Always verify in CNIL sources before mentioning a duration.