Analytics cookies: CNIL/CNPD exemptions, ICO still requires consent
On 29 April 2026, the UK ICO finalized its Storage and Access Technologies guidance, confirming that non‑essential analytics cookies require prior consent under PECR. In France and Luxembourg, narrow exemptions exist for certain audience measurement cookies.
The case
- United Kingdom — The ICO reiterates that, except for strictly necessary cases, placing cookies (including analytics) requires valid consent under PECR/UK GDPR, with a banner and clear opt‑in. Official source: Final storage and access technologies guidance — 29/04/2026 and the Cookies and similar technologies chapter of the Guide to PECR.
- France — CNIL (Deliberation No. 2020‑092 of 17/09/2020) allows a consent exemption for certain tightly limited audience measurement cookies (first party, restricted parameters, no combining, short retention, etc.). Sources: Deliberation No. 2020‑092 and cookies recommendation (PDF).
- Luxembourg — CNPD confirms that some analytics cookies can, in specific cases, be considered necessary for the provision of the service (e.g., server capacity, incident detection), and thus exempt from consent. Sources: Legal context, Applicable principles and practice, and Cookies Guidelines (PDF).
This contrast creates a clear divergence: the ICO requires consent for non‑essential analytics, while CNIL and CNPD allow narrowly scoped exemptions for certain audience measurements.
Legal reasoning
- Applicable law
  - ePrivacy (EU) — Article 5(3) of Directive 2002/58/EC requires prior consent for storing/accessing information on a device, unless the cookie is strictly necessary for a service explicitly requested. Text: EUR‑Lex — Directive 2002/58/EC, Art. 5(3).
  - GDPR — Article 6 sets legal bases. ePrivacy is lex specialis: where Art. 5(3) requires consent, legitimate interest (Art. 6(1)(f)) cannot substitute for it. Text: EUR‑Lex — GDPR, Art. 6.
  - EDPB — Guidelines 05/2020 on consent clarify validity requirements (clear affirmative action, no pre‑ticked boxes, refusal as easy as accept, etc.).
- Supervisory interpretations
  - ICO (UK, PECR) — Firm stance: user consent is required for any non‑essential cookie, including analytics. See PECR Guide — Cookies.
  - CNIL (FR) — Consent exemption for “audience measurement” is possible if strictly configured (first party, purely statistical purpose, short retention, no retargeting or combining). Ref.: Deliberation No. 2020‑092.
  - CNPD (LU) — Exemption may apply to analytics necessary for service quality/security (capacity, bugs), excluding marketing/profiling. Ref.: Applicable principles.
Legal conclusion: In France and Luxembourg, legitimate interest can support downstream statistical processing of data from an ePrivacy‑exempt audience measurement, if — and only if — the trackers themselves fall under the exemption. In the UK, the ICO deems analytics not “strictly necessary”: PECR consent remains required.
What this changes in practice
- Multinationals operating in Luxembourg/EU and the UK
  - Luxembourg/France: you may exempt certain audience measurements from opt‑in banners if you strictly meet CNPD/CNIL criteria (first party, statistical only, no third‑party sharing, retention ≤ 13 months, truncated IP, no cross‑site IDs). For the downstream GDPR processing, you should document your legitimate interest in your records.
  - United Kingdom: a consent banner with opt‑in remains required even for analytics; no implied consent or pre‑ticked boxes. See the ICO PECR Cookies guidance and the 29/04/2026 SAT guidance.
- Operational decision tree (summary) for a Luxembourg site
  - Is the tracker strictly necessary for the explicitly requested service (basket, authentication, security, load balancing)? If yes, ePrivacy exemption → no consent; downstream GDPR basis as appropriate. CNPD: Applicable principles.
  - Is it a “pure” first‑party audience measurement, strictly configured (no ads, no combining, short duration)? In FR/LU: exemption possible; in the UK: consent required. CNIL 2020‑092; ICO PECR.
  - Any other purpose (marketing, retargeting, third‑party sharing, CRM enrichment, third‑party analytics) → ePrivacy consent is mandatory (EU and UK). EDPB “Consent” 05/2020.
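The decision tree above, written as a fail-closed check that a tag loader could call before setting a tracker. This is an added example, not part of the original article; the tracker descriptor fields, purpose labels, function names and sample inventory are assumptions made for illustration.

```javascript
// Added example: field names and purpose labels are hypothetical.
const STRICTLY_NECESSARY = new Set(['basket', 'authentication', 'security', 'load-balancing']);
const EXEMPTION_JURISDICTIONS = new Set(['FR', 'LU']); // CNIL / CNPD exemption
const MAX_RETENTION_MONTHS = 13;

// Lists every exemption criterion the tracker fails. A missing field
// counts as a failure, so an undocumented tracker is never exempt.
function failedCriteria(t) {
  const failed = [];
  if (t.firstParty !== true) failed.push('not first party');
  if (t.sharedWithThirdParties !== false) failed.push('third-party sharing');
  if (!(t.retentionMonths <= MAX_RETENTION_MONTHS)) failed.push('retention > 13 months');
  if (t.ipTruncated !== true) failed.push('IP not truncated');
  if (t.crossSiteId !== false) failed.push('cross-site ID');
  return failed;
}

function consentDecision(tracker, jurisdiction) {
  // Step 1: strictly necessary for the explicitly requested service.
  if (STRICTLY_NECESSARY.has(tracker.purpose)) {
    return { consentRequired: false, reason: 'strictly necessary' };
  }
  // Step 2: audience measurement, exempt only in FR/LU and only if strictly configured.
  if (tracker.purpose === 'audience-measurement') {
    if (!EXEMPTION_JURISDICTIONS.has(jurisdiction)) {
      return { consentRequired: true, reason: 'no audience-measurement exemption in ' + jurisdiction };
    }
    const failed = failedCriteria(tracker);
    return failed.length === 0
      ? { consentRequired: false, reason: 'exempt audience measurement' }
      : { consentRequired: true, reason: 'exemption void: ' + failed.join(', ') };
  }
  // Step 3: any other purpose needs consent in the EU and the UK.
  return { consentRequired: true, reason: 'non-essential purpose: ' + tracker.purpose };
}

// Constructed sample inventory, not taken from any real site.
const SAMPLE_TRACKERS = [
  { name: 'cart_id', purpose: 'basket' },
  { name: 'stats_fp', purpose: 'audience-measurement', firstParty: true, ipTruncated: true,
    sharedWithThirdParties: false, retentionMonths: 13, crossSiteId: false },
  { name: 'stats_long', purpose: 'audience-measurement', firstParty: true, ipTruncated: true,
    sharedWithThirdParties: false, retentionMonths: 25, crossSiteId: false },
  { name: 'ads_px', purpose: 'retargeting' },
];

// Names of trackers that must stay blocked until the user opts in.
function blockedUntilConsent(trackers, jurisdiction) {
  return trackers.filter(t => consentDecision(t, jurisdiction).consentRequired).map(t => t.name);
}
```

Running `blockedUntilConsent(SAMPLE_TRACKERS, 'LU')` and then with `'UK'` shows the divergence: the strictly configured first-party counter loads without a banner in Luxembourg but waits for opt-in in the UK.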
Common pitfalls
- Confusing GDPR legal basis with ePrivacy rule: relying on legitimate interest to place a non‑essential cookie is unlawful if ePrivacy requires consent. See ePrivacy Art. 5(3) and GDPR Art. 6.
- “Analytics” ≠ exemption by nature: in the UK, the ICO confirms analytics are not strictly necessary; an opt‑in banner is mandatory. PECR Guide.
- Ignoring strict configuration for exempted measurements (FR/LU): long‑lived IDs, cross‑site combining, third‑party exports or advertising uses void the exemption. CNIL 2020‑092 (PDF).
- Misleading banners or dark patterns: consent must be freely given, specific, informed and unambiguous; refusal must be as easy as accept. EDPB — Guidelines 05/2020.
- Reusing a mixed “analytics/marketing” tool without segregation: if the tool sets trackers for other purposes (advertising, external attribution), consent is required even if some options are off. CNPD — practice.
Next steps
To secure your configuration choices and cookie notices, working with a Luxembourg DPO can accelerate compliance. For a pragmatic review and implementation, you can contact our team.
Luxgap regulatory expertise article.