How to make your website compliant with CNIL

The Commission Nationale Informatique & Libertés (aka CNIL) is the French data protection agency. The CNIL has listed Piwik PRO as a solution that can be used to collect some data without consent. So if you’re operating in France, you can take advantage of this exemption.

In this article, we’ll explain what data you can collect without consent. We’ll also show you how to set up your account in Piwik PRO to make it aligned with the CNIL guidelines.

Do’s and don’ts of collected data

Here are the rules you need to follow to stay compliant with the CNIL guidelines:

  • Collect data only on your domains and apps: You can collect data only on sites or apps that belong to your organization.
  • Don’t join data with other sources: You can’t merge data collected without consent with other data. Turn off any integrations that may join such data (Analytics (new) > Settings > Integrations).
  • Don’t use custom dimensions to collect personal data.
  • Don’t export data collected without consent.
  • Don’t process raw data collected without consent: You can filter out this data by using custom dimensions. Create custom dimensions (at the session level and the event level) that set apart (1) data collected without consent from (2) data collected with consent. When you access your data via API, filter out the first batch.
  • Sign the data processing agreement: You need to agree to our Data Processing Agreement. If you need a hard copy, contact us at legal+dpa@piwik.pro (send us your account address, the email address of your authorized signer and your company details).
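
The raw-data rule above can be enforced as a fail-closed filter over rows you have already fetched via API. This is an added example, not Piwik PRO code; the dimension names, the `with_consent` value and the sample rows are assumptions made for illustration.

```python
from collections import Counter

# Assumed names, not Piwik PRO identifiers: the two custom dimensions you
# created and the value your consent setup writes after a visitor opts in.
SESSION_DIM = "consent_session"
EVENT_DIM = "consent_event"
CONSENTED = "with_consent"


def _norm(value):
    """Normalise a dimension value; empty or non-string values count as missing."""
    if not isinstance(value, str) or not value.strip():
        return None
    return value.strip().lower()


def split_by_consent(rows):
    """Return (processable_rows, exclusion_reasons) for raw event rows.

    Fails closed: a row is processable only when BOTH the session-level and
    the event-level dimension explicitly carry the consented value.
    """
    processable, reasons = [], Counter()
    for row in rows:
        session_val = _norm(row.get(SESSION_DIM))
        event_val = _norm(row.get(EVENT_DIM))
        if session_val is None or event_val is None:
            reasons["dimension_missing"] += 1  # untagged data counts as no consent
        elif session_val != CONSENTED and event_val != CONSENTED:
            reasons["no_consent"] += 1
        elif session_val != event_val:
            reasons["mixed_consent"] += 1  # the two levels disagree
        else:
            processable.append(row)
    return processable, reasons


# Constructed sample rows, standing in for what a raw-data API call returns.
SAMPLE_ROWS = [
    {"event_id": 1, "consent_session": "with_consent", "consent_event": "with_consent"},
    {"event_id": 2, "consent_session": "without_consent", "consent_event": "without_consent"},
    {"event_id": 3, "consent_session": "without_consent", "consent_event": "with_consent"},
    {"event_id": 4, "consent_session": "with_consent"},
    {"event_id": 5, "consent_session": " With_Consent ", "consent_event": "with_consent"},
    {"event_id": 6, "consent_session": "", "consent_event": "with_consent"},
]

if __name__ == "__main__":
    kept, why = split_by_consent(SAMPLE_ROWS)
    print([r["event_id"] for r in kept], dict(why))
```

Only the rows in the first return value go on to further processing; the reason counts show how much data was held back and why.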

Set up Piwik PRO to meet the CNIL guidelines

When setting up your account, you can choose between two methods: (1) collect all data without displaying a consent form or (2) ask visitors for consent and, for visitors who don’t agree, collect only data that is exempt from consent.

Method (1) is best when Piwik PRO is the only software you use to collect personal data. With the following setup, you won’t need to show a consent form to your visitors and your data will fall into the CNIL’s exempted category. Just remember to follow the do’s and don’ts of collected data.

If you decide not to ask visitors for consent and collect only exempted data, you need to do the following setup:

  1. Turn off Ask visitors for consent and turn off Use cookies.

    Setting: Administration > Websites & apps > Settings > Privacy > Ask visitors for consent (off) + Use cookies (off) + Use device fingerprinting (on)

  2. Turn on Mask IP address and mask at least 1 byte.

    Setting: Administration > Platform > Privacy settings > Mask IP address (on) + 1 byte (on) + Use masked IP address for location and network data (on)

  3. Turn on Whitelist page URLs. This option makes sure that you’ll collect data only from the added site or app addresses.

    Setting: Administration > Websites & apps > Settings > Tracking + Whitelist page URLs (on)

Use method (2) if you’re using other software to collect and process data. These can be products for marketing automation, A/B testing, measuring ad conversions and the like. You’ll need to get consent from visitors to use them.

If you decide to show a consent form to your visitors, you’ll collect full data for those who agree and exempted data for those who don’t agree. Here’s how your setup should look:

  1. Apply the GDPR guidelines to collect data after the consent is given.
  2. Turn on Ask visitors for consent and turn on Collect data without using cookies.

    Setting: Administration > Websites & apps > Settings > Privacy > Ask visitors for consent (on) + Collect data without using cookies (beta) (on)

  3. Turn on Mask IP address and mask at least 1 byte.

    Setting: Administration > Platform > Privacy settings > Mask IP address (on) + 1 byte (on) + Use masked IP address for location and network data (on)

  4. Turn on Whitelist page URLs. This option makes sure that you’ll collect data only from the added site or app addresses.

    Setting: Administration > Websites & apps > Settings > Tracking + Whitelist page URLs (on)

  5. Make sure the Piwik PRO tag (the one responsible for collecting data) is marked as Consent type: Analytics. This option will make sure that this tag will fire only after visitors consent to Analytics.

    Setting: Tag Manager > Tags > Piwik PRO > Advanced tag settings > Consent type: Analytics
