We have good news for those using, or thinking about using, Piwik PRO in France. CNIL, the French data protection authority, has added Piwik PRO Analytics Suite to the list of analytics platforms that can be used to collect data without consent, given a certain configuration and set of limitations. This is a big advantage over many popular analytics platforms, such as Google Analytics, that always require consent to collect any data in France.
In other words, as long as you configure Piwik PRO correctly and limit the data collection in a few ways, then you don’t have to ask for consent to collect that data. If you are operating in France and want to take advantage of the exemption, you should first consult CNIL’s guidelines and documentation of the exemption program:
- Description of the CNIL exemption program [FR]
- CNIL guidelines for using the exemption and list of eligible platforms [FR]
- CNIL guidelines for cookies and other trackers [FR]
Because of how it’s designed, Google Analytics – 360 version included – will probably never qualify for such a consent exemption. Google Analytics is built to feed some of the data it collects into Google’s advertising ecosystem. This is currently done using cookies, which are considered personal data and are repurposed for targeted advertising. The CNIL exemption is clear that no personal data can be collected and repurposed in this way without consent.
Even if Google Analytics were to drop cookies in favor of Google’s proposed FLoC (Federated Learning of Cohorts) approach, it would still need consent according to CNIL’s guidelines. The scope of processing for the consent exemption requires data to be used only for your own websites and applications. The business model Google Analytics is currently built on would never allow this.
Wondering why platforms such as Google Analytics are harder and harder to use in places with modern data privacy regulations? Privacy-friendly analytics platforms were designed with such regulations in mind. Google Analytics was not. Read more about what makes an analytics platform privacy-friendly. Also check out our article Is Google Analytics GDPR-Compliant?
Returning to the consent exemption itself, you might be wondering what the limitations on data collection are. The main two are: 1) no personal data and 2) no exporting or mixing of the data with other sources, though you should consult the documentation linked above for all the details.
Luckily, these limitations still leave room for collecting tons of useful data. You’ll get data on campaigns, referrers, events, conversions (anonymous) and more. All these data points would only be available in Google Analytics after consent.
For visitors who do provide consent, you’ll get all the data you normally would. The CNIL consent exemption doesn’t put any limits on data you can collect after consent. Just be sure not to merge data collected under the exemption with data collected after consent. That is beyond the accepted scope of data collected under the exemption.
Want to know all the details of how to comply with CNIL’s guidelines? Take a look at our help center article How to make your website compliant with CNIL.
Many analysts are referring to this hybrid approach as a promising and sustainable way to collect data. The outlines of this approach are clear:
- Limited data before consent – mostly anonymous data
- Data for agreed-to purposes after consent – usually some kind of personal data
Data privacy regulations seem to also be moving in that direction. GDPR left the door open for such an approach, and the latest draft of ePrivacy is set to confirm it.
So even though this CNIL exemption only applies to France, there is a good chance that something similar will soon be possible in other countries covered by the GDPR. Since more and more data privacy regulations are drawing inspiration from the GDPR, it also wouldn’t be surprising to see lawmakers around the world move in this direction.
Are you also collecting data outside of France? Read more about how Piwik PRO Analytics Suite can help you find the right balance between compliance and data collection all over the world.