Law Reform: France Wants Businesses to Rethink How They Get Your Consent Everywhere
Newsletter Issue 3: France is rewriting the rules on consent across devices, and every online business should be paying close attention.
Today we are digging into a rather intriguing development from France that could ripple across the world of digital services: the CNIL (Commission nationale de l'informatique et des libertés) has just opened a public consultation on a draft recommendation about collecting consent across multiple devices.
If that sounds a bit dry, stay with us. It's actually about one of the thorniest real-world issues for any online business: how to manage consent properly when your users are bouncing between laptops, phones, tablets, smart TVs and, who knows, maybe even their fridge next year. And spoiler alert: the CNIL’s proposed rules could end up being the blueprint everyone else follows!
Let’s break it all down.
Why Is Multi-Device Consent Suddenly a Hot Topic?
For years, regulators were happy enough if you slapped a cookie banner on your website. As long as users clicked "Accept," you were generally considered to be doing your bit for GDPR compliance.
But times change. Today’s users are no longer tied to a single device. They might browse your site on their phone during lunch, then buy something on their laptop that evening. In between, they might have Googled your brand on a smart speaker or watched a video ad on their TV.
And here’s the rub: if consent is only collected on a per-device basis, it’s hardly meaningful. Users could be subjected to conflicting privacy settings across different devices, creating confusion and undermining the principle that consent should be “specific, informed, and unambiguous.”
The CNIL has recognised that we need a better way. Their draft recommendation sets out principles to allow businesses to collect and manage consent consistently across multiple devices, while still staying faithful to GDPR standards.
What’s Actually in the Draft Recommendation?
The CNIL’s full consultation page can be found here if you want to take a deep dive.
But we will summarise the essentials:
Transparency remains king. Users must be clearly informed that their consent will apply across multiple devices.
Freedom of choice must be preserved. Users should be able to give or withdraw consent easily on any device.
Verification is necessary. Businesses must make reasonable efforts to verify that the person using Device B is the same as the one who gave consent on Device A.
No dark patterns allowed. Consent mechanisms must avoid any misleading design or pressure tactics.
Technical solutions must respect privacy. Methods for cross-device consent should not involve secretly tracking users without their agreement.
The CNIL offers examples of acceptable technical approaches such as using authenticated accounts (think: a user logs into your service on multiple devices) or securely linking devices based on user input.
They are quite clear, however, that probabilistic tracking (e.g., fingerprinting devices without the user’s consent) is not acceptable.
In a nutshell: multi-device consent should enhance user autonomy, not erode it.
What Could This Mean for Businesses?
If you are running a digital platform, e-commerce site, mobile app, or anything else that operates across more than one device, this consultation matters to you.
Why? Because it points towards the direction regulators are steering. If you are still thinking about consent only in terms of a single device, you could be in for a nasty compliance headache soon.
Under the CNIL’s vision, you might need to:
Adjust your login systems to ensure that consent can be tied to authenticated users.
Rework your cookie banners and privacy notices to explain multi-device consent plainly.
Offer device-specific opt-outs, meaning that if a user withdraws consent on one device, you need a reliable way to sync that withdrawal across all devices.
Audit your tech stack to make sure you’re not relying on behind-the-scenes tracking techniques that would fall foul of the rules.
And here’s the catch: even if you are not based in France, if you have French users (and most businesses do, directly or indirectly), you could be caught up in the CNIL’s enforcement net.
How Are Others Reacting to This?
While the CNIL is among the first regulators to explicitly draft guidance on multi-device consent, they are not operating in a vacuum. Similar themes have been popping up elsewhere.
In its latest enforcement work, the European Data Protection Board (EDPB) has stressed that consent must be “granular and revocable” across platforms.
The UK's Information Commissioner's Office (ICO) has also indicated, in recent audits, that they expect companies to respect user preferences across devices where feasible.
And let's not forget the tech giants. Apple, for example, has made device synchronisation of privacy settings a selling point in its ecosystem.
Google has been (grudgingly) overhauling its consent frameworks to better align with GDPR realities.
What’s interesting about the CNIL’s approach is that it’s trying to thread a needle. They want businesses to provide seamless, user-friendly experiences without trampling over people's data rights. That’s no easy balance to strike.
The Technical Side: Practical Methods for Cross-Device Consent
If you are wondering how you might actually implement multi-device consent in practice, here are a few methods that could align with the CNIL’s draft guidance:
Account-Based Consent Management: When users log into an account on different devices, link their consent settings to their account profile. Update consent choices automatically across devices whenever the user makes a change.
Secure Device Linking: Allow users to manually link devices by entering a unique code or clicking a confirmation email. Think of how Netflix lets you add a new device by confirming your email address.
Explicit Device Association Requests: Upon visiting a service on a new device, prompt the user: "Would you like to sync your privacy settings from your other devices?", and only do so with their explicit agreement.
No Fingerprinting: Avoid techniques like matching devices based on IP address, device specs, or other hidden identifiers unless you have clear, opt-in consent. The CNIL is very clear: hidden tracking is not on.
Implementing these options will obviously require some investment in engineering and UX design. But it could save a lot of pain down the road, not to mention building deeper trust with users.
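To make the first three methods concrete, here is a small sketch added for this write-up; it is not taken from the CNIL draft or from any vendor's product. The class and method names, the 10-minute code lifetime and the one-attempt-per-code rule are all assumptions. Consent lives on the account, a device joins only through login or a user-entered code plus an explicit "yes", and a device that was never linked inherits nothing.

```python
import hmac
import secrets
import time


class ConsentStore:
    """Consent keyed by account; devices join only via login or an explicit link."""

    CODE_TTL = 600  # assumed lifetime of a link code, in seconds

    def __init__(self):
        self.consent = {}  # account_id -> {purpose: bool}
        self.devices = {}  # device_id -> account_id
        self.pending = {}  # account_id -> (link code, expiry timestamp)

    def login(self, account_id, device_id):
        # Caller has already authenticated the user on this device.
        self.devices[device_id] = account_id
        self.consent.setdefault(account_id, {})

    def issue_link_code(self, account_id, now=None):
        # Shown on an already-authenticated device; typed in on the new one.
        now = time.time() if now is None else now
        code = secrets.token_hex(4)
        self.pending[account_id] = (code, now + self.CODE_TTL)
        return code

    def link_device(self, account_id, device_id, code, user_agreed, now=None):
        now = time.time() if now is None else now
        # pop(): every code allows one attempt, so it cannot be guessed at leisure.
        entry = self.pending.pop(account_id, None)
        if entry is None:
            return False
        expected, expires = entry
        ok = (bool(user_agreed) and now <= expires
              and hmac.compare_digest(code.encode(), expected.encode()))
        if ok:
            self.devices[device_id] = account_id
        return ok

    def set_consent(self, device_id, purpose, granted):
        # Grant or withdrawal from any linked device updates the one shared record.
        account = self.devices[device_id]
        self.consent.setdefault(account, {})[purpose] = bool(granted)

    def allowed(self, device_id, purpose):
        # Unknown device: no consent is inferred from IP, specs or other signals.
        account = self.devices.get(device_id)
        return self.consent.get(account, {}).get(purpose, False)
```

Because every device reads the same account record, a withdrawal made on the TV takes effect on the laptop at its next check, with no per-device copies to reconcile.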
Why You Should Pay Attention Even if You’re Not in France
The CNIL has long been one of Europe’s most influential privacy regulators. Remember, it was the CNIL that slapped Google with the first major GDPR fine back in 2019 for consent-related failures.
Often, the CNIL’s interpretations of GDPR end up being picked up (formally or informally) by other national authorities. So even if you’re mainly focused on the UK, Germany, Ireland, or elsewhere, it’s wise to pay attention.
Moreover, the EU’s proposed ePrivacy Regulation, if it ever finally becomes law, is expected to further formalise the rules around consent and cross-device tracking. The CNIL’s consultation gives a strong hint about where things might be heading.
If you are outside the EU altogether, you’re not off the hook either. Brazil’s LGPD, South Africa’s POPIA, and even parts of the US (like California’s CPRA) are starting to raise the bar on transparency and user control. Being ahead of the curve is always better than scrambling to retrofit your systems later.




