TL;DR — The CNIL requires a maximum retention period of 13 months for analytics and advertising cookies placed on user devices. Consent validity is limited to 6 months: beyond that, fresh consent must be collected. These rules apply to all sites accessible from France, regardless of where they are hosted. Equivalent guidance exists across the EU under GDPR and the ePrivacy Directive.
Cookie retention duration is one of the most frequently misconfigured aspects of cookie compliance. Many site owners do not distinguish between the technical lifetime of a cookie (its expiry date in the browser) and the data retention period associated with that cookie in the provider's servers. Both are regulated. This guide explains the applicable rules, common situations and mistakes to avoid.
What is the CNIL rule on cookie duration?
The CNIL recommends a maximum duration of 13 months for cookies placed on user devices. This recommendation originates from the 2020 guidelines and has been confirmed in enforcement decisions published since. Beyond 13 months, a non-functional cookie must be considered disproportionate to its purpose.
Are the 13 months a recommendation or a legal requirement?
The 13-month duration is a CNIL recommendation, not a directly enforceable legal text. However, the CNIL has incorporated it into its audit criteria. A site setting analytics cookies to 2 years without justification would face observations or sanctions. In practice, 13 months is the market standard: Google Analytics 4 and most compliant CMPs respect this duration by default.
What duration for functional cookies?
Strictly necessary cookies (shopping cart, authenticated session, interface preferences) are not subject to the 13-month rule in the same way: their duration must remain proportionate to their purpose. A 30-day authenticated session cookie is reasonable. A functional cookie lasting one year without technical justification is questionable. The general rule: the shortest duration that allows the service to function correctly.
Consent validity: 6 months
The CNIL regulates not only cookie duration but also how long consent itself remains valid. Consent given by a user cannot be treated as valid indefinitely.
The 6-month rule
Under CNIL recommendations, consent validity is limited to 6 months. After this period, fresh consent must be collected. In practice, if a user accepted cookies on 1 January, the CMP must present the banner again around 1 July, unless the user has modified their preferences in the meantime.
Why does consent validity differ from cookie duration?
Cookie duration (maximum 13 months) is the period the file remains on the user's device. Consent validity (6 months) is the period during which the platform can consider the user's agreement still current. These two durations are independent and both must be managed by the CMP.
What your CMP must handle
A compliant CMP must configure and automatically manage both durations.
Expiry of the consent cookie
Most CMPs store the user's choice in a cookie or localStorage. This consent cookie must itself be configured with a duration consistent with CNIL recommendations. Setting it to 12 or 13 months is common. Once this period expires, the consent cookie lapses and the user sees the banner again.
Consent renewal at 6 months
The 6-month rule is more restrictive than the cookie duration. Even if the consent cookie has a 13-month lifetime, the CMP must present the banner again after 6 months for users who gave their consent. If the user refused, there is no obligation to ask again, but the CMP must log this to demonstrate compliance during an audit.
Data retention in third-party servers
The 13-month rule concerns the cookie placed on the user's device. Data collected by that cookie (for example, GA4 sessions) has its own retention duration in Google's or the tool provider's servers. This is governed by GDPR and the service's terms of use: Google Analytics 4 retains data for 14 months by default, adjustable to 2, 6 or 14 months.
Common mistakes
Setting analytics cookies to 2 years. This was the default for the old Universal Analytics. GA4 and most modern CMPs have corrected this to 13 months. Verify the actual configuration of cookies being placed.
Confusing cookie duration with data retention. These are two separate parameters: one concerns the file on the device, the other concerns data in the publisher's or processor's servers.
Not renewing consent after 6 months. The banner must reappear after 6 months for users who consented. Verify the CMP's renewal configuration.
Applying the same duration to all cookies. Functional cookies should have the shortest technically sufficient duration. Audience measurement cookies must not exceed 13 months.
Not documenting durations in the cookie policy. The cookie policy must explicitly mention the duration of each cookie or category. This is a CNIL and GDPR requirement.
Cookie retention checklist
- Audit all active cookies on the site and note their actual expiry duration (DevTools or scanner).
- Verify that analytics and advertising cookies do not exceed 13 months.
- Configure the CMP consent cookie to a maximum of 12 to 13 months.
- Enable automatic consent renewal at 6 months in the CMP for users who consented.
- Check the data retention duration in Google Analytics (set to 14 months maximum or less).
- Update the cookie policy with exact durations or ranges by category.
- Document the justifications for chosen durations in the data processing register.
- Verify durations after every CMP or analytics tool update.
- Scan the site at /en/scan to identify cookies whose duration exceeds the recommendation.
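The first two checklist items (note each cookie's actual expiry, verify it does not exceed 13 months) as an added example that is not the page's scanner: it parses Set-Cookie response headers and flags lifetimes beyond 13 calendar months from the response date. The sample headers and cookie names are constructed.

```javascript
// Added example, not the page's or any vendor's code. Flags Set-Cookie
// headers whose lifetime exceeds 13 calendar months from the response date.
function addMonths(ms, months) {
  const d = new Date(ms);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d.getTime();
}

// Returns { name, expiresAt }; expiresAt is null for a session cookie.
function parseSetCookie(header, responseMs) {
  const parts = header.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0];
  let maxAge = null;
  let expires = null;
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? '' : attr.slice(eq + 1);
    if (key === 'max-age') maxAge = parseInt(value, 10);
    else if (key === 'expires') expires = Date.parse(value);
  }
  // RFC 6265: Max-Age takes precedence over Expires when both are present.
  let expiresAt = null;
  if (Number.isInteger(maxAge)) expiresAt = responseMs + maxAge * 1000;
  else if (Number.isFinite(expires)) expiresAt = expires;
  return { name, expiresAt };
}

// Audits a list of Set-Cookie headers against the 13-month recommendation.
function auditCookies(headers, responseMs, maxMonths = 13) {
  const limit = addMonths(responseMs, maxMonths);
  return headers.map((h) => {
    const { name, expiresAt } = parseSetCookie(h, responseMs);
    const lifetimeDays =
      expiresAt === null ? null : Math.round((expiresAt - responseMs) / 86400000);
    return { name, lifetimeDays, overLimit: expiresAt !== null && expiresAt > limit };
  });
}

// Constructed sample headers, as if captured on 1 January 2025.
const SAMPLE_RESPONSE_MS = Date.UTC(2025, 0, 1);
const SAMPLE_HEADERS = [
  'analytics_id=abc123; Max-Age=63072000; Path=/; SameSite=Lax', // 2 years: over limit
  'analytics_session=xyz; Max-Age=34128000; Path=/',              // 395 days: within limit
  'ad_id=42; Expires=Wed, 01 Jul 2026 00:00:00 GMT; Path=/',      // 18 months: over limit
  'sessionid=s1; Path=/; HttpOnly; Secure',                       // session cookie
];
```

Cookies written by client-side scripts do not appear in response headers, so for a full audit feed the tool the expiry values read from DevTools as well.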
The CNIL rules on cookie duration are not complex, but they require explicit configuration of the CMP and each analytics tool. The maximum duration of 13 months for cookies and 6 months for consent validity are the two key parameters to control. Scan your site at /en/scan to verify the actual durations of your active cookies.
Frequently asked questions
What is the 13-month cookie retention rule?
The French data protection authority CNIL requires that cookie consent be renewed at least every 13 months. If a user accepted cookies 13 months ago and has not revisited the consent banner since, their consent is considered expired and must be recollected. This rule aims to ensure consent remains current and reflective of the user's actual preferences.
Does the 13-month rule apply to all cookies?
The 13-month rule specifically concerns the renewal of consent. It applies to all cookies that require consent, meaning analytical and advertising cookies. Strictly necessary cookies (those essential for the website to function) do not require consent and are therefore not subject to this limit. The technical storage duration of cookies is a separate matter from the consent renewal period.
How should I technically implement the 13-month renewal?
Your CMP (Consent Management Platform) should store the date of each user's consent along with their choice. When a returning user visits your site, the CMP checks whether 13 months have passed since their last consent. If so, it re-displays the banner to collect fresh consent. Most compliant CMPs handle this automatically, but it is worth verifying that this mechanism is properly configured.
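The consent lifecycle described in "What your CMP must handle" and in this answer, as an added example (not the page's or any CMP vendor's code): it keeps the two independent clocks the article separates, the lifetime of the stored consent record and the validity window after which an accepted consent must be re-collected. The body gives 6 months for that window and this answer 13, so it is a parameter; the storage object, record layout and reason strings are assumptions.

```javascript
// Added example, not the page's or any CMP vendor's code. Storage is an
// injected plain object standing in for a cookie or localStorage, so the
// logic runs outside a browser. Record lifetime: 13 months (assumption).
const RECORD_LIFETIME_MONTHS = 13;

// Calendar-month arithmetic, so 1 January + 6 months is 1 July as in the text.
function addMonths(ms, months) {
  const d = new Date(ms);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d.getTime();
}

// decision is 'accepted' or 'refused'. Refusals are stored too, so an audit
// can show that the user was asked and what they answered.
function saveConsent(storage, decision, nowMs, categories = []) {
  const record = {
    decision,
    categories,
    givenAt: nowMs,
    expiresAt: addMonths(nowMs, RECORD_LIFETIME_MONTHS),
  };
  storage.cmp_consent = JSON.stringify(record);
  return record;
}

// Returns the stored record, or null when it is missing, unreadable or lapsed.
function readConsent(storage, nowMs) {
  const raw = storage.cmp_consent;
  if (typeof raw !== 'string') return null;
  let record;
  try { record = JSON.parse(raw); } catch (e) { return null; }
  if (!record || typeof record.givenAt !== 'number') return null;
  if (typeof record.expiresAt !== 'number' || nowMs >= record.expiresAt) return null;
  return record;
}

// Decides whether the banner must be shown on this visit.
function evaluateConsent(storage, nowMs, renewalMonths = 6) {
  const record = readConsent(storage, nowMs);
  if (!record) return { showBanner: true, reason: 'no-valid-record', record: null };
  if (record.decision === 'refused') {
    // No obligation to ask again after a refusal; the stored record is the log.
    return { showBanner: false, reason: 'refused-logged', record };
  }
  if (nowMs >= addMonths(record.givenAt, renewalMonths)) {
    return { showBanner: true, reason: 'consent-expired', record };
  }
  return { showBanner: false, reason: 'consent-current', record };
}
```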
Does the 13-month rule apply across Europe or only in France?
The 13-month rule is specific to the French CNIL's guidelines. Other European data protection authorities may have different guidance: for example, some specify 6-month or 12-month renewal periods, or address other aspects of consent duration. Under GDPR, the general principle is that consent must remain freely given, specific, informed, and current. Consult the guidelines of the authority in your country of establishment.
What are the risks of not renewing consent after 13 months?
Failing to renew consent after 13 months constitutes a breach of CNIL guidelines and could result in a formal notice or financial sanction in the event of a control or complaint. More broadly, using cookies based on expired consent violates the GDPR principle of valid consent. It is therefore both a legal risk and a reputational one, particularly in the context of growing regulatory enforcement.