How to make your website compliant with CNIL

Note: This article is also available in French.

Commission Nationale Informatique & Libertés (aka CNIL) is the French data protection agency. The CNIL has listed Piwik PRO as a solution that can be used to collect some data without consent. So if you’re operating in France, you can take advantage of this exemption.

In this article, we’ll explain what data you can collect without consent. We’ll also show you how to set up your account in Piwik PRO to make it aligned with the CNIL guidelines.

Do’s and don’ts of collected data

Here are the rules you need to follow to stay compliant with the CNIL guidelines:

  • Collect data only on your domains and apps: You can only collect data on sites or apps that belong to your organization.
  • Don’t join data with other sources: You can’t merge data collected without consent with other data. Turn off any integrations that may join such data (Analytics > Integrations).
  • Don’t use custom dimensions to collect personal data.
  • Don’t export data collected without consent.
  • Don’t process raw data collected without consent: Use custom dimensions to keep the two kinds of data apart. Create custom dimensions (at the session and event level) that distinguish (1) data collected without consent from (2) data collected with consent. When you access your data via the API, filter out the first batch.
  • Make sure to list Piwik PRO in your privacy policy when disclosing partners who process data on your behalf: You can use our disclosure templates to write your own version with your legal team. Additionally, you should add an opt-out form to give visitors the chance to completely opt out of tracking (Administration > Account > Opt-out form).
  • Sign a data processing agreement: You need to agree to our Data Processing Agreement. If you need a hard copy of the Core DPA, download, sign and return a countersigned copy of this document to legal+dpa@piwik.pro.

Set up Piwik PRO to meet the CNIL guidelines

When setting up your account, you have two options: (1) collect all data without displaying a consent form or (2) ask visitors for consent. For those who don’t agree, you can collect data that is exempt from consent.

The first method (collecting data without a consent form) is best when Piwik PRO is the only software you use to collect personal data. With the following setup, you won’t need to show a consent form to your visitors and your data will fall into the CNIL’s exempted category. Just remember to follow the do’s and don’ts of collected data.

If you decide not to ask visitors for consent and only collect exempt data, you need to do the following setup:

  1. Turn off Ask visitors for consent and turn off Use visitor cookies.

    Setting: Administration > Sites & apps > Privacy > Compliances > Use a session hash (on) + Use visitor cookies (off)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Ask visitors for consent (off) + Use a device fingerprint (on) + Use visitor cookies (off)

    Note: When you don’t use cookies, the following data is less accurate:

    • New vs. returning visitor: no data
    • Channel attribution: only last click

    For more, see this comparison.

    Note: Some triggers in Tag Manager create cookies to work correctly. If you use one of the following conditions in triggers, we’ll set a cookie:

    • Event condition > Traffic source
    • Event condition > Returning visitor
    • Event condition > Campaign
    • Event condition > External referrer
    • Multiplicity > Fire tag once per session
    • Multiplicity > Fire tag multiple times per session, excluding first
    • Multiplicity > Fire tag once per page view

    If you don’t want to use these cookies, don’t set these conditions in the trigger. More about cookies

  2. Turn on Mask IP address and mask at least 1 byte. This option removes the selected number of bytes from the address before saving it to the database. Nobody will ever see the full address.

    Setting: Administration > Sites & apps > Privacy > Mask IP address (on) + Level 1 (on) + Collect from unmasked IP addresses (Country)

    Settings in versions below 16.0.0: Administration > Platform > Privacy settings > Mask IP address (on) + 1 byte (on)

  3. Turn on Collect data only from known sites. This option makes sure that you only collect data from added website or app addresses.

    Setting: Administration > Sites & apps > Data collection > Filters > Collect data only from known sites (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Whitelist page URLs (on)

  4. Turn on Comply with CNIL guidelines. With this option turned on, we’ll hide the session log report (Analytics > Reports > Session log) and tracker debugger (Analytics > Settings > Tracker debugger). We’ll also show a warning message when a user tries to create API keys.

    The session log report will also be hidden on meta sites/apps that contain a site with this setting turned on.

    Setting: Administration > Sites & apps > Privacy > Comply with CNIL guidelines (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Comply with CNIL guidelines (on)
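What the Mask IP address step (Level 1 to 3, with Collect from unmasked IP addresses set to Country) amounts to, as an added example that is not code from Piwik PRO or from this article: the last one to three bytes of an IPv4 address are zeroed before the address is stored, while the country is resolved from the unmasked address first. The geo table, the sample addresses and the function names are constructed for this example; IPv6 is left out because the article does not describe how it is masked.

```javascript
// Added example (not Piwik PRO's code): models the "Mask IP address" setting.
// Level N zeroes the last N bytes of an IPv4 address before it is stored; the
// country is looked up from the unmasked address first, which is what
// "Collect from unmasked IP addresses (Country)" means.

// Constructed sample data: /24 prefix -> country, using documentation ranges only.
// In a real tracker this is a GeoIP database lookup.
const SAMPLE_GEO = {
  "203.0.113": "FR",
  "198.51.100": "DE",
};

// Split a dotted-quad string into four validated octets.
function parseIpv4(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("not an IPv4 address: " + ip);
  return parts.map((p) => {
    if (!/^\d{1,3}$/.test(p)) throw new Error("bad octet in " + ip);
    const n = Number(p);
    if (n > 255) throw new Error("octet out of range in " + ip);
    return n;
  });
}

// Mask the last `level` bytes (1..3). Level 0 is rejected because the
// CNIL setup in this article requires masking at least one byte.
function maskIpv4(ip, level) {
  if (!Number.isInteger(level) || level < 1 || level > 3) {
    throw new Error("mask level must be 1, 2 or 3");
  }
  const octets = parseIpv4(ip);
  for (let i = 4 - level; i < 4; i++) octets[i] = 0;
  return octets.join(".");
}

// Country lookup from the unmasked address (placeholder for a real GeoIP lookup).
function lookupCountry(ip) {
  const prefix = parseIpv4(ip).slice(0, 3).join(".");
  return SAMPLE_GEO[prefix] || "unknown";
}

// What gets persisted for one hit: the country derived from the full address,
// and only the masked address. The full address never reaches storage.
function processHit(ip, level) {
  const country = lookupCountry(ip);    // resolved before masking
  const storedIp = maskIpv4(ip, level); // the only address value stored
  return { storedIp, country };
}

// Stand-alone demo with a constructed address.
console.log(JSON.stringify(processHit("203.0.113.42", 1)));
```

Raising the level trades geographic precision in later analysis for stronger minimisation of the stored address; the country is unaffected because it is derived before the mask is applied.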

Consider using the second method (asking visitors for consent) if you use other software, such as marketing automation, A/B testing or conversion tracking, to collect and process data. Since these tools collect and process visitor data, it’s essential to get consent from your visitors.

If you choose to display a consent form to your visitors, you’ll collect complete data from those who agree and exempt data from those who don’t. Here’s what your setup should look like:

  1. Apply the GDPR guidelines to collect data after the consent is given. Read more
  2. Turn on Ask visitors for consent and decide if you want to use a session hash and/or visitor cookies for non-consenting visitors. Visitor cookies help you recognize both new and returning visitors. Read more

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (on) > Collect anonymous data from non-consenting visitors (on) > Use a session hash (on) + Use visitor cookies (off) or Use a session hash (on) + Use visitor cookies (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Ask visitors for consent (on) + Collect data without using cookies (on)

    Note: When you don’t use cookies, the following data is less accurate:

    • New vs. returning visitor: no data
    • Channel attribution: only last click

    For more, see this comparison.

    Note: Some triggers in Tag Manager create cookies to work correctly. If you use one of the following conditions in triggers, we’ll set a cookie:

    • Event condition > Traffic source
    • Event condition > Returning visitor
    • Event condition > Campaign
    • Event condition > External referrer
    • Multiplicity > Fire tag once per session
    • Multiplicity > Fire tag multiple times per session, excluding first
    • Multiplicity > Fire tag once per page view

    Make sure that tags with those triggers are set with the right consent type.

    We also set essential cookies that store visitor’s consent decision. More about cookies

  3. Turn on Mask IP address and mask at least 1 byte. This option removes the selected number of bytes from the address before saving it to the database. Nobody will ever see the full address.

    Setting: Administration > Sites & apps > Privacy > Mask IP address (on) + Level 1 (on) + Collect from unmasked IP addresses (Country)

    Settings in versions below 16.0.0: Administration > Platform > Privacy settings > Mask IP address (on) + 1 byte (on)

  4. Turn on Collect data only from known sites. This option makes sure that you only collect data from added website or app addresses.

    Setting: Administration > Sites & apps > Data collection > Filters > Collect data only from known sites (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Whitelist page URLs (on)

  5. Make sure the Piwik PRO tag (the one responsible for collecting data) is marked as Consent type: Analytics. This option makes sure that this tag is only fired after visitors have agreed to Analytics.

    Setting: Tag Manager > Tags > Piwik PRO > Advanced tag settings > Consent type: Analytics

  6. Turn on Comply with CNIL guidelines. With this option turned on, we’ll hide the session log report (Analytics > Reports > Session log) and tracker debugger (Analytics > Settings > Tracker debugger). We’ll also show a warning message when a user tries to create API keys.

    Setting: Administration > Sites & apps > Privacy > Comply with CNIL guidelines (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Comply with CNIL guidelines (on)

Set up Piwik PRO to meet the CNIL guidelines (tracking code only)

If you’re using only a tracking code on your site, but not the entire Piwik PRO container, you need a slightly different setup and must modify your tracking code. Here’s how.

To comply with CNIL guidelines when using only Piwik PRO tracking code, follow these steps:

  1. Turn on Comply with CNIL guidelines. With this option turned on, we’ll hide the session log report (Analytics > Reports > Session log) and tracker debugger (Analytics > Settings > Tracker debugger). We’ll also show a warning message when a user tries to create API keys.

    Setting: Administration > Sites & apps > Privacy > Comply with CNIL guidelines (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Comply with CNIL guidelines (on)

  2. Turn on Collect data only from known sites. This option makes sure that you only collect data from added website or app addresses.

    Setting: Administration > Sites & apps > Data collection > Filters > Collect data only from known sites (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Whitelist page URLs (on)

  3. Turn on Mask IP address and mask at least 1 byte. This option removes the selected number of bytes from the address before saving it to the database. Nobody will ever see the full address.

    Setting: Administration > Sites & apps > Privacy > Mask IP address (on) + Level 1 (on) + Collect from unmasked IP addresses (Country)

    Settings in versions below 16.0.0: Administration > Platform > Privacy settings > Mask IP address (on) + 1 byte (on)

  4. Use this code as your tracking code:

    <script type="text/javascript">
      var _paq = _paq || [];
      // No tracking cookies: keeps the collected data in the consent-exempt category.
      _paq.push(["disableCookies"]);
      // Domains you own and want to track, as an array (see Parameters below).
      _paq.push(["setDomains", ["*.example.com"]]);
      _paq.push(["trackPageView"]);
      _paq.push(["enableLinkTracking"]);
      (function() {
        // The address you use to log in to Piwik PRO (see Parameters below).
        var u = "https://your-account.piwik.pro/";
        _paq.push(["setTrackerUrl", u + "ppms.php"]);
        // ID of the site or app that receives the data (see Parameters below).
        _paq.push(["setSiteId", "XXX-XXX-XXX-XXX-XXX"]);
        // Load the tracker script asynchronously, before the first existing script tag.
        var d = document, g = d.createElement("script"), s = d.getElementsByTagName("script")[0];
        g.type = "text/javascript"; g.async = true; g.defer = true; g.src = u + "ppms.js";
        s.parentNode.insertBefore(g, s);
      })();
    </script>

    Parameters

    *.example.com (array<string>)
    Domains that you want to track. They can contain a wildcard character (“*”) or leading dot.

    https://your-account.piwik.pro/
    The address you use to log in to Piwik PRO.

    XXX-XXX-XXX-XXX-XXX
    The ID of the site or app in Piwik PRO where you want to send data. (Where to find it?)
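The tracking code above handles only the no-consent case. As an added example that is not Piwik PRO's code or this article's, the block below assembles the `_paq` command list for both visitor states the article describes (no consent: cookieless, exempt data; consent given: full data), tags each hit with a session-level custom dimension so the two batches can be separated when you read data via the API (the "Don’t process raw data collected without consent" rule above), and checks the page host against the setDomains patterns. Assumptions: the custom dimension ID, site ID and account URL are placeholders; `setCustomDimensionValue` is the Piwik PRO JavaScript tracker command for custom dimensions as I know it; and `hostIsTracked` is my reading of the pattern syntax described under Parameters (a wildcard or leading dot covers the domain and its subdomains, anything else is an exact match).

```javascript
// Added example, not Piwik PRO's own code. Builds the _paq command list for one
// page view depending on the visitor's consent state, and records that state in
// a custom dimension so consented and non-consented data can be separated later.

const CONSENT_DIMENSION_ID = 1;                        // placeholder: your session-level dimension ID
const TRACKED_DOMAINS = ["*.example.com"];             // same value you pass to setDomains
const SITE_ID = "XXX-XXX-XXX-XXX-XXX";                 // placeholder site or app ID
const ACCOUNT_URL = "https://your-account.piwik.pro/"; // placeholder account address

// Does `host` fall under one of the setDomains patterns? (assumed matching semantics:
// "*.example.com" and ".example.com" cover example.com and all its subdomains,
// a bare "example.com" matches exactly)
function hostIsTracked(host, patterns) {
  const h = host.toLowerCase();
  return patterns.some((p) => {
    const pat = p.toLowerCase();
    if (pat.startsWith("*.") || pat.startsWith(".")) {
      const base = pat.slice(pat.indexOf(".") + 1);
      return h === base || h.endsWith("." + base);
    }
    return h === pat;
  });
}

// Build the command list for one page view.
function buildTrackerCommands({ consentGiven, host }) {
  if (!hostIsTracked(host, TRACKED_DOMAINS)) {
    // Not one of your own domains: send nothing ("Collect data only on your domains and apps").
    return [];
  }
  const cmds = [];
  if (!consentGiven) {
    // Non-consenting visitor: no tracking cookies, so the data stays consent-exempt.
    cmds.push(["disableCookies"]);
  }
  // Label the hit so the two batches can be told apart when reading data via the API.
  cmds.push(["setCustomDimensionValue", CONSENT_DIMENSION_ID, consentGiven ? "consent" : "no-consent"]);
  cmds.push(["setDomains", TRACKED_DOMAINS]);
  cmds.push(["setTrackerUrl", ACCOUNT_URL + "ppms.php"]);
  cmds.push(["setSiteId", SITE_ID]);
  cmds.push(["trackPageView"]);
  cmds.push(["enableLinkTracking"]);
  return cmds;
}

// Small helper for checks: is a command with this name present?
function hasCommand(cmds, name) {
  return cmds.some((c) => c[0] === name);
}

// Stand-alone demo: the cookieless variant for a non-consenting visitor. In a page you
// would push these onto the real _paq array instead of printing them.
console.log(JSON.stringify(buildTrackerCommands({ consentGiven: false, host: "www.example.com" })));
```

When you later query the API, filter on the custom dimension value "no-consent" to drop the exempt batch before any processing that the guidelines reserve for consented data.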
