Back to blog

How to obtain consent and collect data under CNIL guidance and GDPR

Analytics Data privacy & security GDPR

Written by

Published February 4, 2020 · Updated February 18, 2021

How to obtain consent and collect data under CNIL guidance and GDPR

Privacy advocates and enthusiasts hoped that the GDPR would make the data ecosystem safer and crystallize the rules around consent. However, from the user’s perspective things don’t appear so rosy. Consent pop-ups tend to be manipulative or misdirecting, forcing permission or making it hard to opt out. According to a study done by researchers at Ruhr-University Bochum (Germany) and the University of Michigan (United States), 57% of these notices include dark patterns to push visitors into accepting options.

That’s why some EU Member States like Germany, Spain, the UK and France have released guidelines on tracking and obtaining permission to collect data. These documents clarify and complement information on the use of cookies and other tracking technologies. And the Court of Justice of the European Union has made two key rulings on those issues, demonstrating that legislators keep tabs on shady practices and will curb them on the spot.

Today we’ll focus on guidance which the Commission Nationale de l’Informatique et des Libertés (CNIL), a French Data Protection Authority, issued in July 2019. The document clarifies the notion of consent under Article 82 of the French Data Protection Act (Article 82) and establishes more precise requirements organizations should meet before dropping cookies on users’ devices.

Then we’ll explain how Piwik PRO adopts these standards to let you obtain data and benefit not only from analytics but also personalization and remarketing without compromising on privacy.

The scope of the CNIL guidelines

First, the data under Article 82 and the guidance don’t have to be personal. That’s crucial, as it broadens the scope of information set out by the GDPR.

Second, the rules apply to operations involving technology that accesses or stores information on users’ devices such as:

  • Mobile phones
  • Fixed or mobile computers
  • Tablets
  • Video game consoles 
  • Smart TVs 
  • Connected vehicles
  • Voice assistants

or any other object connected to a telecom network open to the public.

Third, the scope covers not only typical HTTP cookies, but also other mechanisms for online tracking such as:

  • local shared objects also known as “Flash cookies”
  • local storage integrated within HTML
  • device fingerprinting
  • operating system identifiers
  • device identifiers

And based on the guidelines, “tracking” refers to collecting data on the devices mentioned above.

The CNIL puts the spotlight on consent. The primary rule is that you need to get it before you place a single cookie or exploit other tracking technologies. First, you need to explain:

  • who the data controller(s) are
  • why you want to gather and process data
  • that visitors have the right to withdraw consent

Consent itself is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes”, just as stated in GDPR. Implied consent is thus invalid.

As a website owner, you can’t use pre-checked boxes to obtain agreement to collect or store people’s data. You can’t consider as “active behavior” the fact that visitors continue to use your site or app. That applies as well to browsing, scrolling or swiping the page or mobile application.

Also, it’s impermissible to treat browser settings as an expression of a user’s approval. These settings allow the user to control only HTTP cookies: they can’t block tracking, Flash cookies or device fingerprinting. If you implement any of these technologies, you must be ready at any time to demonstrate you have obtained consent in advance.

The State of GDPR Consent

Overview and scoring of how websites have adapted to data privacy regulations

Download your copy now

  • A global opt-in for cookies, meaning that people agree to cookies for all purposes at once, is valid only as an additional step accompanying the possibility to consent specifically and separately to each purpose. Also, site owners can’t bundle consent together with general terms and conditions.
  • Website owners can’t create cookie walls. Blocking access to visitors when they don’t consent violated the principle of freely given permission.

The French DPA provides an exemption from consent requirements when you employ tracking technologies to:

  • enable or facilitate communication by electronic means, e.g. opening a live chat session for getting support, logging into a website, both require cookies, enabling paying sites to limit free access to their content over a limited period/time or to a predefined quantity of articles;
  • allow websites to work properly, provide services to visitors or at their request, e.g. shopping cart cookies or authentication cookies.

That said, be transparent and make sure your prospects and clients know about the use and purposes of cookies, for instance from your organization’s privacy policy.

What about analytics cookies?

According to the guidelines, when you set up trackers for audience measurement for a site or mobile app, there are strict conditions under which you don’t need consent:

  • The process of measurement is being carried out by the site’s publisher or its subcontractor
  • You obtain only anonymous statistics
  • You measure the audience of a single website or mobile app and don’t track the user’s navigation across different sites or applications
  • Users are informed about tracking and have an easy way to reject it on all their devices, operating systems, applications and browsers
  • You are not allowed to connect personal data collected via those cookies with information you get from other activities or transfer it to third parties. For instance, you can’t combine your web analytics data with third-party data or data from your CRM. This requirement excludes blending information from a customer database with audience statistics regarding other websites.

    It means you can’t merge your CRM data with details on behaviors on different websites you get from your business partners. This applies to undertakings such as affiliate marketing, when a person buys a product and comes from one website to another through a promotional link or ad.

Different actors and responsibilities

A single actor. When you’re the only entity that manages tracking activities, i.e. as the site owner you drop cookies on your website, then you’re solely responsible for getting consent as the data controller.

Several actors. When several actors handle cookies together, a publisher and an advertising agency, analytics providers, or social networks, they act as controllers, joint controllers or processors. They need to define their respective compliance obligations according to Articles 26 and 28 of the GDPR.

Third parties. When third parties utilize tracking mechanisms, they are fully and independently responsible for them, meaning they must obtain users’ permission. However, they don’t necessarily have to get it themselves: they can contractually bind a publisher to do it on their behalf. The case of Google saying that the responsibility of obtaining consent for AdWords remarketing rests with the publisher, and thus they are not liable for obtaining it, would be contrary to CNIL principles.

A processor. An actor who works on behalf of a controller and can’t employ data for other purposes, such as audience extension, look-alike modeling or other profiling of a user. As these two actors establish their cooperation, they need to prepare legal documentation that details the obligations of each party.

Timeline for practical preparations

The CNIL declared a 12 month “grace period”, so every organization has some time to plan and introduce the necessary mechanisms and solutions to follow guidance published on June 28, 2019. Recently, the French DPA, after consultations with experts, has created an additional, practical guidance for collecting valid consents.

However, international organizations should keep in mind that not all DPAs across the EU will share the idea of “grace period”. You shouldn’t wait any longer. It’s advisable to review your strategy, current privacy policy and relevant obligations, then make any necessary changes.

How to gather data in line with CNIL guidance and GDPR

As you can see, the list of requirements and instructions is lengthy. This makes it a challenge for organizations to adhere to them all. To help you out, we’ll show how Piwik PRO lets you collect and act on data with full compliance.

Take advantage of data anonymization

Under the CNIL guidance, if you want to get anonymous statistics of your audience measurement you don’t need consent. Webmasters and marketers should be pleased by this news, as this will make measuring their site visitors’ behavior easier, and they can use the full data set.

The guidelines highlight that this exception allows for protection of users’ privacy and won’t permit the use of data for other purposes or cross-referencing with other databases.

On the other hand, the GDPR states that permission isn’t necessary when collecting anonymous data. Piwik PRO gives you such an option, called data anonymization.

That method involves several techniques that make it impossible to identify a particular person from a database. Moreover, you don’t need to set up any additional safeguards to such information, and experts treat this method as part of the privacy by design strategy.

To get more details on Piwik PRO’s approach to this concept, check out our post: The Ultimate Guide to Data Anonymization in Analytics [Updated]

Benefit from 100% data ownership

According to CNIL recommendations, you as a data controller are in charge of the purpose and means of processing the information you gather. And with Piwik PRO you get full ownership of data, whether it’s personal or not. That means access and control. You don’t need to rely on any third parties for storage and usage of your data.

Both the CNIL and GDPR make it clear that consent is crucial. Just a small reminder: consent must be freely given, specific, informed, and unambiguous. But this seems to be merely the tip of the iceberg when you consider adhering to all of the requirements being discussed here.

We’ve mentioned some exceptions where you can do without consents. However, it’s good to have reliable mechanisms in place that help you get a valid one with minimum effort. Here’s a rundown of what you can expect from Piwik PRO Consent Manager.

1. Provide active opt-in, no pre-ticked boxes

Legislators around the world can’t stress enough the requirement of offering visitors free, informed and unambiguous choice. This means you can’t display banners with pre-checked boxes, because they don’t leave room for active behavior or indicate a person’s wishes.

Your visitors have to tick a box themselves in order to agree to your request. Our Consent Manager offers you a simple editor that helps you create messages and pop-ups enabling informed and active opt-ins.

Before you start collecting a single piece of data, ask your site visitors whether they agree to it or not. You can’t load any script, tracker or pixel before gaining your users’ approval. That’s the condition the GDPR introduced, and the guidelines that the European Data Protection Board and the CNIL also uphold. The only exception applies to cookies that enable your website to load

You need to be ready to prove at any moment that you have obtained permission to acquire and process data. You need to document all relevant details, namely, when someone consented and what purposes stood behind the application of cookies and similar technologies. With this kind of record you can easily check the status of consents.

4. Decide which pages require turning privacy compliance on

You should be able to easily tweak the settings to any website to change tracker firing mechanisms. If you choose to turn GDPR compliance on, new visitors will be opted-out by default and will see a consent form pop-up. You can easily change the setup according to the consent history of a particular user.

It’s not only good practice, but it’s an obligation to inform people about cookie lifespans. The Advocate General at the Court of Justice of the European Union said clearly in his opinion that “the duration of the operation of cookies is an element of the requirement for informed consent”. According to the CNIL, this period should last a maximum of 13 months, and you can’t store the information collected with those cookies for longer than 25 months.

Make sure that you present an exhaustive list of any third parties involved in acquiring and/or processing data. Then update the register, and most importantly, make it available to visitors directly when they make their decision.

6. Inform users of all purposes for using trackers

Ensure that your consent message includes every single purpose for tracking. Make it clear and visible when you ask for users’ agreement. With our Consent Manager, you can design a pop-up that allows you to request multiple consents separately for several processing purposes, for instance, analytics, remarketing, and content personalization.

To see how you can implement that consent banner, check out one from our public repository here.

7. Make opt-out as easy as opt-in

Respecting users’ privacy and ensuring free choice means that you let visitors easily amend their decisions. Here you should apply the same principles we’ve already discussed, and most importantly, make choices accessible so that users can opt out at any time without much effort.

If you want to dive deeper into issues around this topic, check out our post: How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users.

Review your organization’s compliance from A to Z

For organizations keeping privacy top-of-mind, an audit of compliance mechanisms should be a priority. This way you can find and fix any possible mistakes. Technology and the legal landscape bring more and more changes that add complexity to your compliance strategy. You need to stay alert and ready to ensure your business practices are aligned with regulatory requirements.

The State of GDPR Consent

Overview and scoring of how websites have adapted to data privacy regulations

Download your copy now

Final thoughts

The CNIL publication comes as no surprise to anyone, and we can expect that other legislation will follow. It’s clear that the public needs tighter control over privacy. Brands that manage people’s information should remember that free choice and transparency are vital, so it’s high time you make those things a reality in your organization.

Organizations still need to ask for permission to utilize data for different purposes, in particular those involving marketing tools. Navigating this legal maze and designing an analytics strategy can be burdensome. The way out is to find a reliable partner that guarantees compliance and helps you acquire data in line with strict regulations.

We realize these are complex issues and you might have some questions or concerns. If you do, just drop us a line and we’ll be glad to address them right away.


Karolina Matuszewska

Writer and content marketer. Transforms technical jargon into engaging and informative articles. | LinkedIn profile

See more posts by this author

Core – a new plan for Piwik PRO Analytics Suite

Privacy-compliant analytics, built-in consent management and EU hosting. For free.

Sign up for free

New Call-to-action
Upcoming live webinar

June 17, 2021

Make smart decisions about your marketing budget – identify the best performing channels with Piwik PRO Analytics Suite

The road to a conversion can be long and wandering – especially if there are multiple touchpoints along the way. Social media, paid ads, referrals – how do you know which channel contributed the most to a conversion? Our expert will try to answer this and any other questions you might have in this webinar. Learn how to identify the best performing marketing channels, dive deeper into attribution models and stay for the Q&A at the end.

Sign up for this webinar