As previously reported (see our post here), in December 2013, the CNIL issued new guidance on cookies compliance, replacing previous recommendations from October 2011 and April 2012. The new guidance acknowledges that there is no obligation to collect users’ prior consent for some cookies that are used exclusively to measure site audience and that do not allow user identification.
More recently, the CNIL has posted additional clarifications about site audience measurement cookies. According to the CNIL, consent is not required as long as:
- users are informed in a clear and comprehensible manner (notably on the type of cookies placed and the purpose(s) for which they are placed);
- the data collected cannot be shared (e.g., client/CRM data bases);
- the cookie set can only be used for the production of anonymous statistics;
- the cookie does not enable the data controller to follow the user’s browsing on third-party websites;
- if such cookies enable the geolocation of the user via her/his IP address, the information gathered cannot be more specific than the city where she/he is located;
- the data retention period for such cookies is 13 months as from the user’s first visit on the website.
According to the CNIL, for the time being only the tool called Piwik, after a slight modification of its functions, is compliant with the above criteria. However, according to the CNIL, Google Analytics cookies do not (and cannot) comply with these criteria. Therefore, prior consent must be obtained for Google Analytics cookies. The CNIL’s position can be interpreted as requiring no setting of site audience measurement cookies when visiting a website homepage before user consent has been obtained (i.e., by browsing). The CNIL has even issued guidelines on how to update a website home page in order to block cookies prior to obtaining user consent:http://www.cnil.fr/vos-obligations/sites-web-cookies-et-autres-traceurs/outils-et-codes-sources/la-mesure-daudience/
How to obtain consent for Google Analytics cookies?