As previously reported (see our post here), in December 2013, the CNIL issued new guidance on cookies compliance, replacing previous recommendations from October 2011 and April 2012. The new guidance acknowledges that there is no obligation to collect users’ prior consent for some cookies that are used exclusively to measure site audience and that do not allow user identification.

More recently, the CNIL has posted additional clarifications about site audience measurement cookies. According to the CNIL, consent is not required as long as:

  • users are informed in a clear and comprehensible manner (notably on the type of cookies placed and the purpose(s) for which they are placed);
  • users have the possibility to refuse cookies;
  • the data collected cannot be shared (e.g., client/CRM data bases);
  • the cookie set can only be used for the production of anonymous statistics;
  • the cookie does not enable the data controller to follow the user’s browsing on third-party websites;
  • if such cookies enable the geolocation of the user via her/his IP address, the information gathered cannot be more specific than the city where she/he is located;
  • the data retention period for such cookies is 13 months as from the user’s first visit on the website.

According to the CNIL, for the time being only the tool called Piwik, after a slight modification of its functions, is compliant with the above criteria.  However, according to the CNIL, Google Analytics cookies do not (and cannot) comply with these criteria. Therefore, prior consent must be obtained for Google Analytics cookies. The CNIL’s position can be interpreted as requiring no setting of site audience measurement cookies when visiting a website homepage before user consent has been obtained (i.e., by browsing).  The CNIL has even issued guidelines on how to update a website home page in order to block cookies prior to obtaining user consent:

How to obtain consent for Google Analytics cookies?

  • The CNIL recommends posting a dedicated banner on the home page that states that by continuing to use the website, the user agrees to have cookies set on his/her terminal. The banner also needs to state the exact purpose(s) of the cookie(s), as well as the possibility to refuse cookies or modify cookies settings by clicking on a dedicated link. The banner is to remain displayed as long as the user stays on the home page. According to the CNIL, a cookie may never be set if the user goes to the home page but does not browse the website (except when an express consent has otherwise been given), or if he/she clicks on the link in the banner to modify the cookies settings and refuses all cookies.
  • By clicking on the link displayed on the banner, users must be provided with complete, clear and legible information about how to accept or refuse cookies. The user’s consent is valid only if the information provided is sufficient. To limit the risk of invalid consent due to unclear or insufficient information, it is recommended not to use any complex legal or technical terminology.