As users increasingly engage with digital services across a wide range of devices, often while logged into a personal account, online service providers are looking for ways to obtain user preferences for the use of cookies and other similar 'storage and access' technologies via a single consent and to have each user's choices applied automatically across all authenticated environments they use.

Recognising this shift, the Commission nationale de l'informatique et des libertés (CNIL), France's data protection authority, has published recommendations on how such multi‑device consent mechanisms can be implemented in a way that is both legally compliant and user friendly. The recommendations aim to help organisations adapt to users' expectations of consistency as they switch between phones, computers, tablets and connected televisions. This overview summarises the CNIL's position and considers how it compares with the current approach of the UK's ICO.

Scope and core expectations

The recommendations focus on authenticated environments that the CNIL refers to as "logged-in universes", where consent is linked to the user's account rather than to the specific device they are using. The guidance is relevant not only to websites and mobile applications but also to connected televisions, gaming consoles, voice assistants and connected vehicles, all of which may require consent under Article 82 of the French Data Protection Act.

Ensuring transparency for users

The CNIL emphasises the importance of transparency and clear, timely user information. Details of any multi‑device consent mechanism should be provided on the first layer of the consent interface, ensuring that users understand from the outset how their preferences will be applied. Where a user logs in on a device that has not previously been linked to their account, organisations should display a temporary notification indicating that the consent choices saved to the account now apply to that device, or that those choices have been updated. This approach helps users remain aware of how their preferences operate as they move between devices.

The recommendations also address situations where conflicting preferences arise – for example, where a user expresses a choice on a device before authenticating that differs from the settings stored in their account. In such cases, the CNIL accepts two possible approaches: either the most recent choice made on the device takes precedence, or the preference associated with the authenticated account prevails. Regardless of the approach adopted, organisations must clearly explain how any conflict is resolved so that users understand which choice ultimately applies. The CNIL further encourages convergence towards a common industry approach to reduce user confusion.

Finally, the CNIL draws a clear distinction between authenticated and non-authenticated environments. Preferences expressed outside of an authenticated session must not be overridden by account-level settings. This is particularly important for shared devices, such as family computers or connected televisions, where applying one individual's account-based preferences could adversely affect other users. The recommendations therefore stress that authenticated consent choices should not be propagated to such shared, non-authenticated contexts.

Data minimisation and moving to multi‑device models

In line with the GDPR principles of data minimisation and privacy by design, the CNIL requires organisations to avoid sharing clear-text personal identifiers, such as email addresses or usernames, with consent management providers. Instead, organisations should rely on technical or pseudonymous identifiers to link devices securely, reducing the exposure of directly identifiable data.

Where an organisation implements a new multi‑device consent model, the recommendations make clear that fresh user consent is required. Consent previously obtained cannot be relied upon, as users will not have been informed that their choices could be applied across multiple devices. Earlier consent is therefore invalid for this form of cross‑device processing.

Although not mandatory, the CNIL also encourages organisations to offer users the ability to manage their preferences on a device-by-device basis through a dedicated preferences centre. This reflects the practical reality that individuals may use different devices for different purposes and may wish to exercise more granular control over how their personal data is processed.

Position of the UK ICO

In contrast to the CNIL, the UK ICO has not issued guidance that specifically addresses multi‑device consent mechanisms or the cross‑device synchronisation of cookie and other 'storage and access' technology preferences.

It remains to be seen whether the ICO will develop its guidance in this area, but meanwhile organisations looking to develop a multi‑device consent model may wish to align with the CNIL's expectations for the purposes of the UK's Privacy and Electronic Communications Regulations 2003 (PECR). The ICO has consistently emphasised the need for clear and comprehensive user information, consent obtained before any tracking takes place, transparency around the use of tracking technologies, and the ability for users to withdraw consent easily. These principles align closely with a multi‑device approach that is built around informed user choice and effective control.

Future developments

Looking ahead, the CNIL has indicated that its work in this area will continue. In particular, it plans to examine "cross‑domain" consent models during 2026, which would address scenarios where a single consent choice could apply across multiple websites or services operated within the same corporate group. If developed carefully, this approach could further reduce repetitive consent requests while preserving meaningful user choice and control.

CNIL releases recommendations on multi-device consent for cookies and trackers
