Important
The ePrivacy exemption applies in certain European countries.
Please see the official guidelines published in some countries in the ePrivacy Exemption paragraph here, and double-check with your legal team and/or DPO whether the exemption applies under the applicable law.
In France, the provisions of the ePrivacy exemption are specified in Article 5 of the CNIL deliberation n° 2020-091 of 17 September 2020 (guidelines) and the CNIL deliberation n° 2020-92 of 17 September 2020 (recommendations).
General design
The ePrivacy exemption specifies the configuration enabling the use of an audience measurement tracker without requiring the visitor’s consent, nor any prior information, if the collection and processing of data meet certain conditions.
It thus frees you from the impacts linked to the non-placement of cookies (loss of quality and volume in your statistical data) and enables you to continue obtaining visibility in terms of performance measurement or the analysis of content consulted by visitors.
Definition
The ePrivacy exemption implies that the data collected is only that which is ‘strictly necessary’ to the provision of the service requested by the end-user.
This scenario only includes the "exempt" visitor mode, for a simple exemption. If you want to include other visitor modes, such as opt-in, you can see the Hybrid Measure scenario.
Note
As an example, the CNIL deems the following information as strictly necessary to the collection of audience measurement data: ‘Performance measurements, the detection of browser issues, optimisation of technical or ergonomic performance, estimation of the required server power and the analysis of content consulted, etc.’.
For full details of the conditions that apply to the exemption in France, please refer to the page in French here.
Guidelines
To help you implement your ePrivacy exemption, and based on the initial work done with the CNIL in France, AT Internet offers the guidelines below.
Have your organisation's administrator ask Piano Analytics, via the support centre, to activate the following for your whole organisation:
- The masking of the visitor ID property in your Data Model (a property that is not accessible from the interfaces)
- The erasure of personal data after 25 rolling months (see the customisation of personal data history)
- The anonymisation of the final octet (deletion of the last 3 digits) of the IP address (see anonymisation of the IP address)
These three actions will be activated on the scale of the organisation and thus concern all the scopes included therein.
A certificate will be transmitted to you once these actions have been implemented by Piano Analytics.
To comply with your obligations as Data Controller and relative to the perimeters you wish to exempt, we advise you to:
- Use adequate tagging methods for the management of the CNIL exemption, in particular to limit data collection to its strict necessity (see dedicated article).
- Set the data model so as not to display undesired properties in the Analytics Suite
- Carry out audience measurement on your domain or application exclusively: off-site measurements such as banner impressions, external videos, email openings or iframes are not possible without prior consent.
Note
If you wish to track a user in various perimeters linked to the same publisher, you must prove that this measure is strictly necessary to your activity.
- Collect and use data within the Analytics Suite in such a way as to disable visitor/user recognition: data collected must serve solely for the use of anonymous statistics or cohorts which do not involve personal data.
- Do not use imported or exported data for cross-referencing purposes (e.g. AT Connect, CRM import, API calls for partners, API or Data Flow export for CRM).
- Set the lifetime of your trackers (cookie or mobile ID) at 13 calendar months; this is the default setting for AT Internet trackers.
- Check the level of geo-tracking which is strictly necessary for the use of your service: by default, AT Internet offers the ‘city’ level at most.
- Notify your users in the confidentiality policy (website, app, etc.) of the presence of this exempted tracker and implement an opt-out setting.
Note
Contact our support centre (‘Help’ button on the bottom right) to request an activation study for the CNIL exemption.
Piano Analytics also provides its services (invoiced) to audit all the ‘Client action’ points on your behalf.
Advantages
With the ePrivacy exemption, your visitors are neither lost nor duplicated prior to consent and you obtain high-quality data.
You can collect such data as is strictly necessary and not lose a significant portion of your audience.
Risks
With the ePrivacy exemption, you cannot use or create ‘user’ analyses (excluding cohorts), given that visitors cannot have opt-in status.
Similarly, you may not cross-reference data.
Important
Please check and validate with your legal department and/or DPO that you can implement the ePrivacy exemption.
Expected behaviour
To comply with your users’ wishes, you must be able to modify the state of consent at any time during the visit.
Step | Description
Arrival on the site | Visitor identification is authorised and dedicated cookies may be placed (idrxvr, atidx, atid or atuserid)
Visitor chooses | All cookies are defined with the OPT-OUT value.
Tagging configuration
The CNIL exemption uses the Tag Composer Privacy plug-in, available in JavaScript version 5.24.0.
Please ensure you implement the correct version of the marker in order to collect only such data as is strictly necessary.
Note
This plug-in and its methods apply solely to client-side visitor identification; they affect first-party cookies only.
Tagging
To handle visitor consent in the marking of the CNIL exemption, you simply need to add a line to the beginning of your SmartTag marking.
Then, just move from one state to another depending on the consent expressed by the visitor.
Exempt
var tag = new ATInternet.Tracker.Tag();
tag.privacy.setVisitorMode('cnil', 'exempt'); // Visitor set under Exempt
tag.page.set({
    name: 'pageName',
});
tag.dispatch();
Here, the tag will only collect data which is strictly necessary and common to all forms of activity. The list of these parameters is available in the developer documentation.
If you wish to add settings to feed properties which you consider to be essential to your activity, you may add them to the marker or via Tag Composer.
All information will be presented in the developer documentation.
Opt-Out
var tag = new ATInternet.Tracker.Tag();
tag.privacy.setVisitorOptout(); // Visitor set under Opt-Out
tag.page.set({
    name: 'pageName',
});
tag.dispatch();
You can prevent hits from being sent for opted-out visitors by setting the Tracker's sendHitWhenOptOut option to false.
Certification
Setting up the CNIL Exemption also reduces the loss of traffic on certified analysis (ACPM).
To make sure your tagging is fit for certification purposes, please specify the following properties on your responsive site: customObject = {"device":"APPsmartphone"}, and customObject = {"device":"APPtablet"}.
Properties
Consent properties
The new Privacy plug-in methods add 2 properties to your hits:
- Visitor mode: visitor_privacy_mode / &vm to filter events based on the consent status (exempt/optout)
- Visitor consent: visitor_privacy_consent / &vc to directly identify consented traffic when ‘true’
Data which is not strictly necessary
User identification, for example, is only available when the visitor mode is in opt-in.
Even if it is placed on the same page marker, only the opt-in method will authorise the addition of properties to hits.
var tag = new ATInternet.Tracker.Tag();
tag.privacy.setVisitorMode('cnil','exempt'); // Visitor set under Exempt
tag.page.set({
    name: 'pageName',
});
tag.identifiedVisitor.set({
    id: 123456 // Not sent, because the visitor mode is set to Exempt
});
tag.dispatch();
The same applies to all data which is not deemed strictly necessary by our Privacy team.
As Data Controller, the choice is nevertheless yours to make. You will therefore be able to specify directly in the marker or Tag Composer which settings you wish to ‘authorise’ in order to feed your analysis in exempt mode.
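One way to check that an exempt implementation behaves as described in the two sections above is to capture the hits your pages send and audit their query strings. The script below is an added example, not Piano Analytics code: the allow-list, the collection host, the `s` and `p` parameters and the `an` identified-visitor parameter are assumptions for illustration, and only `vm` and `vc` come from this page.

```javascript
// Added example: audit captured hit URLs for the exempt scenario.
// ALLOWED is an assumed allow-list (s = site, p = page name); take the real
// list of strictly necessary parameters from the developer documentation.
const ALLOWED = new Set(['s', 'p', 'vm', 'vc']);

// Returns the list of findings for one hit URL (empty when the hit conforms).
function auditHit(hitUrl, allowed = ALLOWED) {
  const params = new URL(hitUrl).searchParams;
  const findings = [];
  const vm = params.get('vm'); // visitor_privacy_mode
  const vc = params.get('vc'); // visitor_privacy_consent
  if (vm !== 'exempt' && vm !== 'optout') {
    findings.push(`vm=${vm}: expected exempt or optout`);
  }
  if (vc !== 'false') {
    findings.push(`vc=${vc}: expected false`);
  }
  // Anything outside the allow-list is data not declared strictly necessary.
  for (const name of new Set(params.keys())) {
    if (!allowed.has(name)) findings.push(`unexpected parameter: ${name}`);
  }
  return findings;
}

// Audits a batch and keeps only the hits that have at least one finding.
function auditHits(hitUrls, allowed = ALLOWED) {
  return hitUrls
    .map((url, index) => ({ index, findings: auditHit(url, allowed) }))
    .filter((result) => result.findings.length > 0);
}

// Constructed sample hits (hypothetical host; `an` is an assumed parameter
// name for the identified visitor id).
const SAMPLE_HITS = [
  'https://collect.example.test/hit.xiti?s=123&p=pageName&vm=exempt&vc=false',
  'https://collect.example.test/hit.xiti?s=123&p=pageName&vm=exempt&vc=false&an=123456',
  'https://collect.example.test/hit.xiti?s=123&p=pageName&vm=optin&vc=true',
  'https://collect.example.test/hit.xiti?s=123&p=pageName&vc=false',
];

const report = auditHits(SAMPLE_HITS);
for (const { index, findings } of report) {
  console.log(`hit ${index}: ${findings.join('; ')}`);
}
```

If you authorise extra properties in exempt mode, add their parameter names to the allow-list so that the audit reflects your own declared configuration.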
Explorer
Once the marking and the hits containing these properties are implemented, you will be able to add to your Explorer analyses with the ‘Combine’ button above each table. When using the CNIL exemption, you should only see the following events: (Visitor mode: "exempt"; visitor consent: false)
Privacy analysis
In Explorer you can reach Audience > General Traffic > Privacy to see the number of events considered as opt-out.
When the visitor has opt-out status, their data is anonymised, excluded from general traffic and serves only to feed this analysis.
Data Query / Data Flow
You may add the Visitor mode and Visitor consent properties to your data sets.
You will be able to analyse ‘exempt’ visitor mode only, given that opt-out events feed the Privacy analysis exclusively.