Privacy advocates and enthusiasts hoped that the GDPR would make the data ecosystem safer and crystallize the rules around consent. However, from the user’s perspective things don’t appear so rosy. Consent pop-ups tend to be manipulative or misdirecting, forcing permission or making it hard to opt out. According to a study done by researchers at Ruhr-University Bochum (Germany) and the University of Michigan (United States), 57% of these notices include dark patterns to push visitors into accepting options.
Today we’ll focus on guidance which the Commission Nationale de l’Informatique et des Libertés (CNIL), a French Data Protection Authority, issued in July 2019. The document clarifies the notion of consent under Article 82 of the French Data Protection Act (Article 82) and establishes more precise requirements organizations should meet before dropping cookies on users’ devices.
Then we’ll explain how Piwik PRO adopts these standards to let you obtain data and benefit not only from analytics but also personalization and remarketing without compromising on privacy.
The scope of the CNIL guidelines
First, the data under Article 82 and the guidance don’t have to be personal. That’s crucial, as it broadens the scope of information set out by the GDPR.
Second, the rules apply to operations involving technology that accesses or stores information on users’ devices such as:
- Mobile phones
- Fixed or mobile computers
- Video game consoles
- Smart TVs
- Connected vehicles
- Voice assistants
or any other object connected to a telecom network open to the public.
Third, the scope covers not only typical HTTP cookies, but also other mechanisms for online tracking such as:
- local shared objects also known as “Flash cookies”
- local storage integrated within HTML
- device fingerprinting
- operating system identifiers
- device identifiers
And based on the guidelines, “tracking” refers to collecting data on the devices mentioned above.
The rules to obtain valid consent
The CNIL puts the spotlight on consent. The primary rule is that you need to get it before you place a single cookie or exploit other tracking technologies. First, you need to explain:
- who the data controller(s) are
- why you want to gather and process data
- that visitors have the right to withdraw consent
Consent itself is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes”, just as stated in GDPR. Implied consent is thus invalid.
As a website owner, you can’t use pre-checked boxes to obtain agreement to collect or store people’s data. You can’t consider as “active behavior” the fact that visitors continue to use your site or app. That excludes browsing, scrolling or swiping the page or mobile application.
Also, it’s impermissible to treat browser settings as an expression of a user’s approval. These settings allow the user to control only HTTP cookies: they can’t block tracking, Flash cookies or device fingerprinting. If you implement any of these technologies, you must be ready at any time to demonstrate you have obtained consent in advance.
The State of GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
A few more takeaways on consent
- A global opt-in for cookies, meaning that people agree to cookies for all purposes at once, is valid only as an additional step accompanying the possibility to consent specifically and separately to each purpose. Also, site owners can’t bundle consent together with general terms and conditions.
- Website owners can’t create cookie walls. Blocking access to visitors when they don’t consent violated the principle of freely given permission.
Exceptions around consent
The French DPA provides an exemption from consent requirements when you employ tracking technologies to:
- enable or facilitate communication by electronic means, e.g. opening a live chat session for getting support, logging into a website, both require cookies, enabling paying sites to limit free access to their content over a limited period/time or to a predefined quantity of articles;
- allow websites to work properly, provide services to visitors or at their request, e.g. shopping cart cookies or authentication cookies.
What about analytics cookies?
According to the guidelines, when you set up trackers for audience measurement for a site or mobile app, there are strict conditions under which you don’t need consent:
- The process of measurement is being carried out by the site’s publisher or its subcontractor
- You obtain only anonymous statistics
- You measure the audience of a single website or mobile app and don’t track the user’s navigation across different sites or applications
- Users are informed about tracking and have an easy way to reject it on all their devices, operating systems, applications and browsers
- You are not allowed to connect personal data collected via those cookies with information you get from other activities or transfer it to third parties. For instance, you can’t combine your web analytics data with third-party data or data from your CRM. This requirement excludes blending information from a customer database with audience statistics regarding other websites.
It means you can’t merge your CRM data with details on behaviors on different websites you get from your business partners. This applies to undertakings such as affiliate marketing, when a person buys a product and comes from one website to another through a promotional link or ad.
Different actors and responsibilities
A single actor. When you’re the only entity that manages tracking activities, i.e. as the site owner you drop cookies on your website, then you’re solely responsible for getting consent as the data controller.
Several actors. When several actors handle cookies together, a publisher and an advertising agency, analytics providers, or social networks, they act as controllers, joint controllers or processors. They need to define their respective compliance obligations according to Articles 26 and 28 of the GDPR.
Third parties. When third parties utilize tracking mechanisms, they are fully and independently responsible for them, meaning they must obtain users’ permission. However, they don’t necessarily have to get it themselves: they can contractually bind a publisher to do it on their behalf. The case of Google saying that the responsibility of obtaining consent for AdWords remarketing rests with the publisher, and thus they are not liable for obtaining it, would be contrary to CNIL principles.
A processor. An actor who works on behalf of a controller and can’t employ data for other purposes, such as audience extension, look-alike modeling or other profiling of a user. As these two actors establish their cooperation, they need to prepare legal documentation that details the obligations of each party.
Timeline for practical preparations
The CNIL declared a 12 month “grace period”, so every organization has some time to plan and introduce the necessary mechanisms and solutions to follow guidance published on June 28, 2019. Recently, the French DPA, after consultations with experts, has created an additional, practical guidance for collecting valid consents.
How to gather data in line with CNIL guidance and GDPR
As you can see, the list of requirements and instructions is lengthy. This makes it a challenge for organizations to adhere to them all. To help you out, we’ll show how Piwik PRO lets you collect and act on data with full compliance.
Take advantage of data anonymization
Under the CNIL guidance, if you want to get anonymous statistics of your audience measurement you don’t need consent. Webmasters and marketers should be pleased by this news, as this will make measuring their site visitors’ behavior easier, and they can use the full data set.
The guidelines highlight that this exception allows for protection of users’ privacy and won’t permit the use of data for other purposes or cross-referencing with other databases.
On the other hand, the GDPR states that permission isn’t necessary when collecting anonymous data. Piwik PRO gives you such an option, called data anonymization.
That method involves several techniques that make it impossible to identify a particular person from a database. Moreover, you don’t need to set up any additional safeguards to such information, and experts treat this method as part of the privacy by design strategy.
To get more details on Piwik PRO’s approach to this concept, check out our post: The Ultimate Guide to Data Anonymization in Analytics [Updated]
Benefit from 100% data ownership
According to CNIL recommendations, you as a data controller are in charge of the purpose and means of processing the information you gather. And with Piwik PRO you get full ownership of data, whether it’s personal or not. That means access and control. You don’t need to rely on any third parties for storage and usage of your data.
Include Consent Manager
Both the CNIL and GDPR make it clear that consent is crucial. Just a small reminder: consent must be freely given, specific, informed, and unambiguous. But this seems to be merely the tip of the iceberg when you consider adhering to all of the requirements being discussed here.
We’ve mentioned some exceptions where you can do without consents. However, it’s good to have reliable mechanisms in place that help you get a valid one with minimum effort. Here’s a rundown of what you can expect from Piwik PRO Consent Manager.
1. Provide active opt-in, no pre-ticked boxes
Legislators around the world can’t stress enough the requirement of offering visitors free, informed and unambiguous choice. This means you can’t display banners with pre-checked boxes, because they don’t leave room for active behavior or indicate a person’s wishes.
Your visitors have to tick a box themselves in order to agree to your request. Our Consent Manager offers you a simple editor that helps you create messages and pop-ups enabling informed and active opt-ins.
2. Fulfill the zero-cookie load requirement
Before you start collecting a single piece of data, ask your site visitors whether they agree to it or not. You can’t load any script, tracker or pixel before gaining your users’ approval. That’s the condition the GDPR introduced, and the guidelines that the European Data Protection Board and the CNIL also uphold. The only exception applies to cookies that enable your website to load
3. Keep a record of consent decisions
You need to be ready to prove at any moment that you have obtained permission to acquire and process data. You need to document all relevant details, namely, when someone consented and what purposes stood behind the application of cookies and similar technologies. With this kind of record you can easily check the status of consents.
4. Decide which pages require turning privacy compliance on
You should be able to easily tweak the settings to any website to change tracker firing mechanisms. If you choose to turn GDPR compliance on, new visitors will be opted-out by default and will see a consent form pop-up. You can easily change the setup according to the consent history of a particular user.
5. Tell users about cookie lifespan and possible third-party access
It’s not only good practice, but it’s an obligation to inform people about cookie lifespans. The Advocate General at the Court of Justice of the European Union said clearly in his opinion that “the duration of the operation of cookies is an element of the requirement for informed consent”. According to the CNIL, this period should last a maximum of 13 months, and you can’t store the information collected with those cookies for longer than 25 months.
Make sure that you present an exhaustive list of any third parties involved in acquiring and/or processing data. Then update the register, and most importantly, make it available to visitors directly when they make their decision.
6. Inform users of all purposes for using trackers
Ensure that your consent message includes every single purpose for tracking. Make it clear and visible when you ask for users’ agreement. With our Consent Manager, you can design a pop-up that allows you to request multiple consents separately for several processing purposes, for instance, analytics, remarketing, and content personalization.
To see how you can implement that consent banner, check out one from our public repository here.
7. Make opt-out as easy as opt-in
Respecting users’ privacy and ensuring free choice means that you let visitors easily amend their decisions. Here you should apply the same principles we’ve already discussed, and most importantly, make choices accessible so that users can opt out at any time without much effort.
If you want to dive deeper into issues around this topic, check out our post: How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users.
Review your organization’s compliance from A to Z
For organizations keeping privacy top-of-mind, an audit of compliance mechanisms should be a priority. This way you can find and fix any possible mistakes. Technology and the legal landscape bring more and more changes that add complexity to your compliance strategy. You need to stay alert and ready to ensure your business practices are aligned with regulatory requirements.
The State of GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
The CNIL publication comes as no surprise to anyone, and we can expect that other legislation will follow. It’s clear that the public needs tighter control over privacy. Brands that manage people’s information should remember that free choice and transparency are vital, so it’s high time you make those things a reality in your organization.
With the exception of web analytics, organizations still need to ask for permission to utilize data for other purposes, in particular those involving marketing tools. Navigating this legal maze and designing an analytics strategy can be burdensome. The way out is to find a reliable partner that guarantees compliance and helps you acquire data in line with strict regulations.
We realize these are complex issues and you might have some questions or concerns. If you do, just drop us a line and we’ll be glad to address them right away.