According to the GDPR
Article 6 of the GDPR specifies the lawfulness of processing, i.e. the legal grounds justifying the processing to be carried out.
Regarding the processing of analytic data, it must be noted that:
‘Processing shall be lawful only if [...] the data subject has given consent to the processing of his or her personal data for one or more specific purposes’
Article 7 specifies that:
‘The data subject shall have the right to withdraw his or her consent at any time. ... Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.’
You are also advised to consult article 8 for its specificities related to children's consent.
In the case of Analytics, the lawful basis for processing in Europe is consent.
This consent is closely linked to the notion of trackers, data placed on the user’s terminal for the purpose of obtaining ongoing information (cookies, FingerPrinting, Local Storage, etc.).
Consent thus conditions the placement or use of trackers.
Important
The GDPR exclusively sets out the grounds for the need and validity of consent.
The conditions for obtaining consent with regard to the use of trackers are specified in the ePrivacy directive (Directive 2009/136/EC), which has been transposed into the national law of each EU member state.
The Europe Cookie Comparaison Law will enable you to consult and compare the national laws of each EU country.
The European Commission is working on the ePrivacy Regulation, which will eventually replace Directive 2009/136/EC and the national transpositions of personal data issues linked to electronic communications (thus including the ‘trackers’ aspect). Pending the enactment and coming into effect of the ePrivacy Regulation, the recommendations of each national authority must be taken into account for the management of trackers (cookies, mobile identifier, etc.).
Regarding Piano Analytics
In the framework of Analytics, all data related to a visitor is considered to be personal data (Definition of Personal Data).
On the web, consent management for Piano Analytics data is carried out by placing, or not placing, a cookie.
For applications and other ‘native’ platforms, it is based on the transmission or not of the mobile identifier.
Values transmitted via the cookie or mobile identifier allow us to create the Visitor ID, present in the corresponding property available in the solution and enabling the association of behavioural data with an individual.
Where no cookie or mobile identifier is collected, we use FingerPrinting. Based on the web user’s browser, FingerPrinting allows us to continue analysing the behaviour of different visitors, recognising them over time thanks to the IP and User-Agent.
As explained in the article "Definitions of Personal Data", FingerPrinting is considered a tracker and must be subject to a request for consent.
You are advised to consult our compliance guide in order to implement the methods enabling the non-placement of cookies, reconciliation, activation of opt-out or exclusion of non-cookied traffic.
Note
Many Consent Management Platform (CMP) solutions are available on the market to enable you to manage the obtaining of consent.
They may have various operating logics and may or may not be linked to the Tag Management System (TMS).
In all cases, we recommend you carry out a thorough analysis of the terms of application, the potential impacts on your Analytics solution and the various settings available.
For all other personal data transmitted to Piano Analytics, such as identified visitors or properties (see the ‘accessory purposes’ defined in the DPA), specific consent may be required.
Actions
For websites:
- Provide an information banner which is clear and sufficiently detailed on the use of trackers
- Provide your users with the possibility to withdraw their consent easily and at any time
For native applications:
- Provide, on activation of the application for example, an information screen on the use of the user ID which is clear and sufficiently detailed
- Provide your users with the possibility to withdraw their consent easily and at any time
The legal context in France
As specified in the ‘According to the GDPR’ section, the directive on cookies is transposed in France into the French Data Protection Act.
Further to the implementation of the GDPR in May 2018, the CNIL published its new guidelines and practical recommendations in September 2020.
For websites
Trackers may not be used without prior explicit consent, or may be exempted under certain conditions in the framework of Analytics (Article 5 of the deliberation of 17 September 2020).
The law relative to ‘trackers’ can be consulted via the CNIL.
The following methods presented in our compliance guide will enable you to bring your solution into compliance:
- The CNIL exemption
- The reconciliation of data further to consent, for first-party cookies exclusively
- The non-placing of cookies prior to consent
Please note that you must provide your users with the possibility to withdraw their consent easily and at any time, via one of the opt-out systems at your disposal.
For native applications (mobile phones, TV, etc.)
With regard to native applications, it is important to remember that it is you, the customer, via the product/project head and/or developers, who chooses, on implementing our SDK in your application, which identifier will be used to monitor your users (UUID by default).
- For iOS, you may choose from 4 elements: UUID, IDFV, IDFA or a customised ID
- For Android, you may choose from 4 elements: UUID, Android ID, Advertising ID, or a customised ID
The CNIL defines the obligations for mobile application publishers.
We emphasise in particular the obligation to obtain consent for the collection of geo-tracking data.
Depending on the consent given by your user, you may disable user monitoring via one of the opt-out systems at your disposal.
Please note that you must provide your users with the possibility to withdraw their consent easily and at any time.
Do not hesitate to contact your support centre (‘Help’ button on the bottom right) for any further details or additional help with these compliance settings.