When it comes to the compliance of your analytical data with the GDPR, the collection of the Internet user’s consent for the deposit of cookies is a key issue. Figures from a study published in May by our partner Empirik reveal that even though 93% of websites display a cookie banner, 78% trigger tracking analytics even before the Internet user’s consent action – and 42% of sites continue tracking even though the Internet user has refused consent!
In response to this, the CNIL has toughened its stance for 2020 by preparing a new recommendation – which could have significant ramifications.
Previously in the GDPR saga…
The CNIL has so far imposed a series of record fines for non-compliance. Google was hit with a €50 million fine from the French authority for lack of transparency, with information that was unclear and difficult for users to access (sometimes up to 5 clicks to obtain the relevant info). In particular, the tech giant was blamed for violating the rules on consent. Another example was a real estate company sentenced to a fine of €400K for non-compliance with the storage period for cookies.
Complaints and sanctions are increasing and highlight the fact that many companies are still far from being compliant. The CNIL has nevertheless been criticised by various associations that defend Internet users (notably the ‘Quadrature du net’ – the French advocacy group that promotes digital rights and freedoms of citizens) that accuse it of being too lax (indeed when it condemned Google, it failed to apply the fine of 4% of its turnover as stated in the GDPR) and other groups of publishers/advertisers such as the GESTE who have asked the CNIL to give more time to businesses to adapt and comply… It’s a minefield out there!
The CNIL strikes back
The French privacy ‘police’ nevertheless announced new guidelines last July. Through this new text, the aim is to simplify the applicable law so that it is better understood and respected. The scope of the law (for example: what is the precise definition of a “tracker”) and the procedures for obtaining consent are explained.
Some important new features to remember:
- An end to scrolling – the continuation of navigation (scroll) is no longer considered a valid expression of consent.
- Proof of consent – operators using trackers must be able to prove that they have obtained consent.
- No more cross-referencing to browser settings – this will no longer be a method of managing consent. The appearance of the cookie banner and the methods of collection will be clearly defined in the upcoming recommendation.
The draft recommendation ‘cookie and other trackers’ was published on the 14th January this year. Its purpose is to set out the practical arrangements for obtaining consent. A public consultation with professionals and civil society was launched, running until the 25th February. To be continued…
Digital analytics compliance – the 2 potential scenarios
Background: you manage your website(s) using your analytics solution and, as controller, you have to choose (tagging method, activation of options, etc.) how to bring your practice into compliance. Different scenarios are possible:
Scenario 1: Consent. You need to obtain the Internet user’s consent: for example, you use a CMP-type market solution (or a customised solution) that is based on the categorisation of cookies or an IAB framework.
The consequences in terms of analytical measurement:
- The cookie can only be deposited after the consent action (in this case, clicking on the acceptance button).
- Failure to measure pre-click traffic can potentially alter your analyses: incorrect volumes and bounce rates, truncated navigation routes or a break in source identification, unless you use a data reconciliation method after the Internet user has consented (first-party cookie).
In summary: you practice more advanced web analytics on the part of users who have consented to the processing of their personal data.
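The gating and reconciliation described in Scenario 1, together with the proof-of-consent and no-scroll rules listed earlier, sketched as an added example (this is not AT Internet's code or tagging API). `ConsentGate`, the `visitor_id` cookie name and the injected `cookieJar`, `send` and `newId` are assumptions made for illustration; in a browser `cookieJar` would wrap `document.cookie`.

```javascript
// Added illustration: all names here are hypothetical, not a vendor API.
class ConsentGate {
  constructor(cookieJar, send, newId) {
    this.cookieJar = cookieJar;  // Map standing in for the cookie store
    this.send = send;            // transmits one hit to the analytics endpoint
    this.newId = newId;          // visitor id generator, e.g. crypto.randomUUID
    this.state = 'pending';      // 'pending' | 'granted' | 'refused'
    this.held = [];              // pre-consent hits, kept in memory only
    this.proof = null;           // record kept to demonstrate the user's choice
  }
  track(hit) {
    if (this.state === 'granted') {
      this.send({ ...hit, visitorId: this.cookieJar.get('visitor_id') });
    } else if (this.state === 'pending') {
      this.held.push(hit);       // no cookie written, nothing transmitted
    }                            // 'refused': the hit is dropped
  }
  decide(accepted, action, now = new Date()) {
    // Only an explicit banner click counts; continued scrolling does not.
    if (action !== 'click') return false;
    this.state = accepted ? 'granted' : 'refused';
    this.proof = { accepted, action, at: now.toISOString() };
    const pending = this.held;
    this.held = [];              // held hits are released or discarded here
    if (accepted) {
      this.cookieJar.set('visitor_id', this.newId());
      pending.forEach((hit) => this.track(hit)); // reconcile pre-click pages
    } else {
      this.cookieJar.delete('visitor_id');       // also covers withdrawal
    }
    return true;
  }
}

// Constructed sample session: one page view, a scroll, then a banner click.
function demo(accepted) {
  const sent = [];
  const jar = new Map();
  const gate = new ConsentGate(jar, (h) => sent.push(h), () => 'constructed-id-1');
  gate.track({ page: '/home' });
  gate.decide(true, 'scroll');   // ignored: scrolling is not consent
  const beforeClick = { cookies: jar.size, sent: sent.length };
  gate.decide(accepted, 'click', new Date('2020-02-01T10:00:00Z'));
  gate.track({ page: '/pricing' });
  return { beforeClick, cookies: jar.size, sent, proof: gate.proof };
}
```

With acceptance, the landing page held before the click is sent with the new visitor id, so the visit is not truncated; with refusal, nothing is sent and no cookie exists.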
Scenario 2: Exemption. You choose to be exempt from the requirement to obtain consent: the CNIL allows an exemption under certain conditions (article 5 of the CNIL deliberation of 4 July 2019).
The consequences on the analytics measurement:
- The measurement is made from the first page of the visit. You have comprehensive data reflecting the reality of the Internet user’s journey.
- You must comply with several conditions imposed by the CNIL, ranging from the impossibility of cross-checking with external data to compliance with the storage period.
In summary: you have comprehensive analyses covering all your users, based on a non-intrusive web analytics practice that does not require you to collect consent.
AT Internet compliance tools:
- An option to set the storage time of analytical cookies
- An opt-out mechanism
- A tagging method to block the placement of cookies before the user’s consent is given
- A method of data reconciliation after the Internet user has consented (in a first-party cookie)
- An option to exclude un-cookied traffic when your analytics solution performs fingerprint-based visitor recognition (as AT Internet does).
- The migration from third-party to first-party cookies for a less intrusive management of cookies for your users.
The world of analytics is therefore divided into 2 categories. Those who choose to collect consent and others who prefer the exemption. In all cases, the CNIL imposes rules and it is your responsibility to activate some of these options to respect the legal framework. Talk to your legal department to find out which option to choose. AT Internet offers methods and tools for compliance in both cases.