Important
The CNIL exemption applies solely in France.
The provisions of the CNIL exemption are specified in Article 5 of the CNIL deliberation n° 2020-091 of 17 September 2020 (guidelines) and the CNIL deliberation n° 2020-92 of 17 September 2020 (recommendations).
General design
The CNIL exemption specifies the configuration enabling the use of an audience measurement tracker without requiring the visitor’s consent, nor any prior information, if the collection and treatment of data meet certain conditions.
It thus frees you from the impacts linked to the non-placement of cookies (loss of quality and volume in your statistical data) and enables you to continue obtaining visibility in terms of performance measurement or the analysis of content consulted by visitors.
Definition
The CNIL exemption implies that the only data collected is that which is ‘strictly necessary’ to the provision of your service.
In this sole exemption scenario, it will not be possible to request your users’ consent to return to an opt-in mode (in this case, see hybrid measures).
Note
As an example, the CNIL deems the following information as strictly necessary to the collection of audience measurement data: ‘Performance measurements, the detection of browser issues, optimisation of technical or ergonomic performance, estimation of the required server power and the analysis of content consulted, etc.’.
The other conditions set out by the deliberation 2020-091 (paragraph 51) are as follows:
- These trackers must have a purpose strictly limited to audience measurement on the website or application only and on behalf of the publisher.
- These trackers must not enable a global monitoring of the person’s browsing using different applications or on other websites.
- These trackers must serve solely for the production of anonymous statistical data.
- Collected personal data cannot be used for other processing aims nor be transmitted to a third party.
Lastly, paragraph 52 of the same deliberation states that ‘audience measurement processing is considered as personal data processing and is subject to all the relevant provisions of the GDPR’.
The 17 September 2020 guidelines, accompanied by practical recommendations, specify that an audience measurement tracker may be exempted from obtaining consent if the purpose for which it is used is limited to ‘that which is strictly necessary to the provision of a service’.
In this regard, as the Data Controller, you must document, and justify in the event of an inspection, the collection and use of data meeting needs which are ‘strictly necessary’ to your activity.
Guidelines
To assist you in making this choice, AT Internet offers the guidelines below.
Have your organisation's administrator ask AT Internet, via the support centre, to activate the following for the whole of your organisation:
- The masking of the visitor ID property in your Data Model (property which is non-accessible from the interfaces)
- The erasure of personal data after 25 rolling months (see the customisation of personal data history)
- The anonymisation of the final octet (deletion of the last 3 digits) of the IP address (see anonymisation of the IP address)
These three actions will be activated on the scale of the organisation and thus concern all the scopes included therein.
A certificate will be transmitted to you once these actions have been implemented by AT Internet.
To comply with your obligations as Data Controller and relative to the perimeters you wish to exempt, we advise you to:
- Use adequate tagging methods for the management of the CNIL exemption, in particular to limit data collection to its strict necessity (see dedicated article).
- Set the data model so as not to display undesired properties in the Analytics Suite
- Carry out audience measurement on your domain or application exclusively: off-site measurements such as banner impressions, external videos, email openings or iframes are not possible without prior consent.
Note
If you wish to track a user in various perimeters linked to the same publisher, you must prove that this measure is strictly necessary to your activity.
- Collect and use data within the Analytics Suite in such a way as to disable visitor/user recognition: data collected must serve solely for the use of anonymous statistics or cohorts which do not involve personal data.
- Do not use imported or exported data for cross-referencing purposes (e.g. AT Connect, CRM import, API calls for partners, API or Data Flow export for CRM).
- Set the lifetime of your trackers (cookie or mobile ID) at 13 calendar months; this is the default setting for AT Internet trackers.
- Check the level of geo-tracking which is strictly necessary for the use of your service: by default, AT Internet offers the ‘city’ level at most.
- Notify your users in the confidentiality policy (website, app, etc.) of the presence of this exempted tracker and implement an opt-out setting.
Note
Contact our support centre (‘Help’ button on the bottom right) to request an activation study for the CNIL exemption.
AT Internet also provides its services (invoiced) to audit all the ‘Client action’ points on your behalf.
Advantages
With the CNIL exemption, your visitors are neither lost nor duplicated prior to consent and you obtain high-quality data.
You can collect such data as is strictly necessary and not lose a significant portion of your audience.
Risks
With the CNIL exemption, you cannot use or create ‘user’ analyses (excluding cohorts), given that visitors cannot have opt-in status.
Similarly, you may not cross-reference data.
Important
You may only avail of the CNIL exemption if your platform is intended for French users.
Please check and validate with your legal department/DPO that you can implement the CNIL exemption.
Expected behaviour
To comply with your users’ wishes, you must be able to modify the state of consent at any time of the visit.
Step | Description |
Arrival on the site | Visitor identification is authorised and dedicated cookies may be placed (idrxvr, atidx, atid or atuserid) |
Visitor chooses | All cookies are defined with the OPT-OUT value. |
Tagging configuration
The CNIL exemption will use the Tag Composer Privacy plug-in available in the JavaScript 5.24.0 version.
Please ensure you implement the correct version of the marker in order to collect only such data as is strictly necessary.
Note
This plug-in and its methods will apply solely to client-side visitor identification; it will impact first-party cookies only.
Tagging
To handle visitor consent in the marking of the CNIL exemption, you simply need to add a line to the beginning of your SmartTag marking.
Then, just move from one state to another depending on the consent expressed by the visitor.
Exempt
var tag = new ATInternet.Tracker.Tag();
tag.privacy.setVisitorMode('cnil', 'exempt'); // Visitor set under Exempt
tag.page.set({
  name: 'pageName',
});
tag.dispatch();
Here, the tag will only collect data which is strictly necessary and common to all forms of activity:
s | idclient | vm | vc | ts | vtag | ptag | p | type | click |
site number | visitor identifier | visitor mode | visitor consent | hit timestamp | tag version | platform using the tag | page label | hit type | click type |
If you wish to add settings to feed properties which you consider to be essential to your activity, you may add them to the marker or via Tag Composer.
All information will be presented in the developer documentation.
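A check for the parameter list above, as an added example that is not AT Internet's code: it parses a hit URL and reports any query parameter outside the exempt-mode list, as well as a visitor mode or consent value that does not match the exempt profile. The collection host, the sample values and the `user_id` and `ref` parameters are constructed; `extraAllowed` stands for settings you have chosen to authorise as strictly necessary.

```javascript
// Added example: audit a hit URL against the exempt-mode parameter list.
// Parameter names (s, idclient, vm, vc, ...) come from the table on this page;
// the collection host and every sample value below are constructed.
const EXEMPT_ALLOWED = new Set([
  's', 'idclient', 'vm', 'vc', 'ts', 'vtag', 'ptag', 'p', 'type', 'click',
]);

// Returns a list of findings; an empty list means the hit matches the
// exempt profile (only allow-listed parameters, vm=exempt, vc=false).
// `extraAllowed` holds parameters you have documented as strictly necessary.
function auditExemptHit(hitUrl, extraAllowed = []) {
  const allowed = new Set([...EXEMPT_ALLOWED, ...extraAllowed]);
  const params = new URL(hitUrl).searchParams;
  const findings = [];
  // Deduplicate names so a repeated parameter is reported once.
  for (const name of new Set(params.keys())) {
    if (!allowed.has(name)) findings.push(`unexpected parameter: ${name}`);
  }
  if (params.get('vm') !== 'exempt') {
    findings.push(`vm is ${params.get('vm')}, expected exempt`);
  }
  if (params.get('vc') !== 'false') {
    findings.push(`vc is ${params.get('vc')}, expected false`);
  }
  return findings;
}

// Constructed sample hits (not captured traffic).
const BASE = 'https://collect.example.invalid/hit?s=123456&idclient=abc-1';
const SAMPLE_HITS = {
  clean: BASE + '&vm=exempt&vc=false&ts=1600000000000&vtag=5.24.0' +
    '&ptag=js&p=pageName&type=page',
  leaky: BASE + '&vm=exempt&vc=false&p=pageName&user_id=123456' +
    '&ref=https%3A%2F%2Fother.example',
  wrongMode: BASE + '&vm=optout&vc=false&p=pageName',
};

// Audits every sample and returns { name: findings[] }.
function auditAll(hits, extraAllowed = []) {
  return Object.fromEntries(
    Object.entries(hits).map(([k, url]) => [k, auditExemptHit(url, extraAllowed)]),
  );
}

console.log(auditAll(SAMPLE_HITS));
```

Run it over hit URLs exported from your browser's network panel or a proxy log to confirm that exempt-mode pages send nothing beyond what you have documented.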
Opt-Out
var tag = new ATInternet.Tracker.Tag();
tag.privacy.setVisitorOptout(); // Visitor set under Opt-Out
tag.page.set({
  name: 'pageName',
});
tag.dispatch();
It is possible not to send information by setting the Tracker option sendHitWhenOptOut to false.
Certification
Setting up the CNIL exemption also reduces the loss of traffic in certified analysis (ACPM).
To make sure your tagging is fit for certification purposes, please specify the following properties on your responsive site: customObject = {"device":"APPsmartphone"}, and customObject = {"device":"APPtablet"}.
Properties
Consent properties
The new Privacy plug-in methods add 2 properties to your hits:
- Visitor mode: visitor_privacy_mode / &vm to filter events based on the consent status (exempt/optout)
- Visitor consent: visitor_privacy_consent / &vc to directly identify consented traffic when ‘true’
Data which is not strictly necessary
User identification, for example, is only available when the visitor mode is in opt-in.
Even if it is placed on the same page marker, only the opt-in method will authorise the addition of properties to hits.
var tag = new ATInternet.Tracker.Tag();
tag.privacy.setVisitorMode('cnil', 'exempt'); // Visitor set under Exempt
tag.page.set({
  name: 'pageName',
});
tag.identifiedVisitor.set({
  id: 123456 // Not sent, because the visitor mode is set to Exempt
});
tag.dispatch();
The same applies to all data which is not deemed strictly necessary by our Privacy team.
As Data Controller, the choice is nevertheless yours to make. You will therefore be able to specify directly in the marker or Tag Composer which settings you wish to ‘authorise’ in order to feed your analysis in exempt mode.
Explorer
Once the marking and the hits containing these properties are implemented, you will be able to add to your Explorer analyses with the ‘Combine’ button above each table. When using the CNIL exemption, you should only see the following events: (Visitor mode: "exempt"; visitor consent: false)
Privacy analysis
In Explorer you can reach Audience > General Traffic > Privacy to see the number of events considered as opt-out.
When the visitor has opt-out status, their data is anonymised, excluded from general traffic and serves only to feed this analysis.
Data Query / Data Flow
You may add the Visitor mode and Visitor consent properties to your data sets.
You will be able to analyse ‘exempt’ visitor mode only, given that opt-out events feed the Privacy analysis exclusively.