How to make your website compliant with CNIL

Commission Nationale Informatique & Libertés (aka CNIL) is the French data protection agency. The CNIL has listed Piwik PRO as a solution that can be used to collect some data without consent. So if you’re operating in France, you can take advantage of this exemption.

In this article, we’ll explain what data you can collect without consent. We’ll also show you how to set up your account in Piwik PRO to make it aligned with the CNIL guidelines.

Do’s and don’ts of collected data

Here are the rules you need to follow to stay compliant with the CNIL guidelines:

  • Collect data only on your domains and apps: You can collect data only on sites or apps that belong to your organization.
  • Don’t join data with other sources: You can’t merge data collected without consent with other data. Turn off any integrations that may join such data (Analytics > Integrations).
  • Don’t use custom dimensions to collect personal data.
  • Don’t export data collected without consent.
  • Don’t process raw data collected without consent: You can filter your data by using custom dimensions. Create session-level and event-level custom dimensions that set apart (1) data collected without consent from (2) data collected with consent. When you access your data via the API, filter out group (1).
  • Make sure to list Piwik PRO in your privacy policy when disclosing partners who process the data on your behalf: You can also add an opt-out form to your privacy policy; get it from Administration > Settings > Opt-out form.
  • Sign a data processing agreement: You need to agree to our Data Processing Agreement. If you need a hard copy, contact us at legal+dpa@piwik.pro (send us your account address, the email address of your authorized signer and your company details).

Set up Piwik PRO to meet the CNIL guidelines

When setting up your account, you can choose one of two methods: (1) collect all data without displaying a consent form, or (2) ask visitors for consent and, for visitors who don’t agree, collect only data that is exempt from consent.

The first method (no consent form) is best when Piwik PRO is the only software you use to collect personal data. With the following setup, you won’t need to show a consent form to your visitors and your data will fall into the CNIL’s exempted category. Just remember to follow the do’s and don’ts of collected data.

If you decide not to ask visitors for consent and collect only exempted data, you need to do the following setup:

  1. Turn off Ask visitors for consent and turn off Use visitor cookies.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (off) + Use a session ID (on) + Use visitor cookies (off)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Ask visitors for consent (off) + Use a device fingerprint (on) + Use visitor cookies (off)

    Note: When you don’t use cookies, this data is less accurate:

    • New vs. returning visitor: no data
    • Channel attribution: only last click

    For more, see this comparison.

    Note: Some triggers in Tag Manager create cookies to work correctly. If you use one of the following conditions in triggers, we’ll set a cookie:

    • Event condition > Traffic source
    • Event condition > Returning visitor
    • Event condition > Campaign
    • Event condition > External referrer 
    • Multiplicity > Fire tag once per session
    • Multiplicity > Fire tag multiple times per session, excluding first
    • Multiplicity > Fire tag once per page view

    If you don’t want to use these cookies, don’t set these conditions in the trigger. More about cookies

  2. Turn on Mask IP address and mask at least 1 byte. This option removes the selected number of bytes from the address before saving it to the database. Nobody will ever see the full address.

    Setting: Administration > Sites & apps > Privacy > Mask IP address (on) + Level 1 (on) + Collect from unmasked IP addresses (Country)

    Settings in versions below 16.0.0: Administration > Platform > Privacy settings > Mask IP address (on) + 1 byte (on)

  3. Turn on Collect data only from known sites. This option makes sure that you’ll collect data only from the added site or app addresses.

    Setting: Administration > Sites & apps > Data collection > Filters > Collect data only from known sites (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Whitelist page URLs (on)

  4. Turn on Comply with CNIL guidelines. With this option turned on, we’ll hide the session log report (Analytics > Reports > Session log) and tracker debugger (Analytics > Settings > Tracker debugger). We’ll also show a warning message when a user tries to create API keys.

    Setting: Administration > Sites & apps > Privacy > Comply with CNIL guidelines (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Comply with CNIL guidelines (on)

Use the second method (consent form) if you’re using other software to collect and process data. These can be products for marketing automation, A/B testing, measuring ad conversions and the like. You’ll need to get consent from visitors to use them.

If you decide to show a consent form to your visitors, you’ll collect full data for those who agree and exempted data for those who don’t agree. Here’s how your setup should look:

  1. Apply the GDPR guidelines to collect data after the consent is given. Read more
  2. Turn on Ask visitors for consent and turn on Collect data without using cookies.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (on) + Collect data without using cookies (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Ask visitors for consent (on) + Collect data without using cookies (on)

    Note: When you don’t use cookies, this data is less accurate:

    • New vs. returning visitor: no data
    • Channel attribution: only last click

    For more, see this comparison.

    Note: Some triggers in Tag Manager create cookies to work correctly. If you use one of the following conditions in triggers, we’ll set a cookie:

    • Event condition > Traffic source
    • Event condition > Returning visitor
    • Event condition > Campaign
    • Event condition > External referrer 
    • Multiplicity > Fire tag once per session
    • Multiplicity > Fire tag multiple times per session, excluding first
    • Multiplicity > Fire tag once per page view

    Make sure that tags with those triggers are set with the right consent type.

    We also set essential cookies that store visitor’s consent decision. More about cookies

  3. Turn on Mask IP address and mask at least 1 byte. This option removes the selected number of bytes from the address before saving it to the database. Nobody will ever see the full address.

    Setting: Administration > Sites & apps > Privacy > Mask IP address (on) + Level 1 (on) + Collect from unmasked IP addresses (Country)

    Settings in versions below 16.0.0: Administration > Platform > Privacy settings > Mask IP address (on) + 1 byte (on)

  4. Turn on Collect data only from known sites. This option makes sure that you’ll collect data only from the added site or app addresses.

    Setting: Administration > Sites & apps > Data collection > Filters > Collect data only from known sites (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Whitelist page URLs (on)

  5. Make sure the Piwik PRO tag (the one responsible for collecting data) is marked as Consent type: Analytics. This option will make sure that this tag will fire only after visitors consent to Analytics.

    Setting: Tag Manager > Tags > Piwik PRO > Advanced tag settings > Consent type: Analytics

  6. Turn on Comply with CNIL guidelines. With this option turned on, we’ll hide the session log report (Analytics > Reports > Session log) and tracker debugger (Analytics > Settings > Tracker debugger). We’ll also show a warning message when a user tries to create API keys.

    Setting: Administration > Sites & apps > Privacy > Comply with CNIL guidelines (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Comply with CNIL guidelines (on)

Set up Piwik PRO to meet the CNIL guidelines (tracking code only)

If you use only a tracking code on your site, but not the whole Piwik PRO container, you need a slightly different setup and you must modify your tracking code. Here’s how.

To meet the CNIL guidelines when you use only Piwik PRO tracking code, follow these steps:

  1. Turn on Comply with CNIL guidelines. With this option turned on, we’ll hide the session log report (Analytics > Reports > Session log) and tracker debugger (Analytics > Settings > Tracker debugger). We’ll also show a warning message when a user tries to create API keys.

    Setting: Administration > Sites & apps > Privacy > Comply with CNIL guidelines (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Comply with CNIL guidelines (on)

  2. Turn on Collect data only from known sites. This option makes sure that you’ll collect data only from the added site or app addresses.

    Setting: Administration > Sites & apps > Data collection > Filters > Collect data only from known sites (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Whitelist page URLs (on)

  3. Turn on Mask IP address and mask at least 1 byte. This option removes the selected number of bytes from the address before saving it to the database. Nobody will ever see the full address.

    Setting: Administration > Sites & apps > Privacy > Mask IP address (on) + Level 1 (on) + Collect from unmasked IP addresses (Country)

    Settings in versions below 16.0.0: Administration > Platform > Privacy settings > Mask IP address (on) + 1 byte (on)

  4. Use this code as your tracking code:

    <script type="text/javascript">
      var _paq = _paq || [];
      // Disable cookies before the first page view so no visitor cookie is ever written
      _paq.push(["disableCookies"]);
      // Restrict tracking to your own domains
      _paq.push(["setDomains", "*.example.com"]);
      _paq.push(["trackPageView"]);
      _paq.push(["enableLinkTracking"]);
      (function() {
        var u="https://your-account.piwik.pro/";
        _paq.push(["setTrackerUrl", u+"ppms.php"]);
        _paq.push(["setSiteId", "XXX-XXX-XXX-XXX-XXX"]);
        // Load the tracker script asynchronously
        var d=document, g=d.createElement("script"), s=d.getElementsByTagName("script")[0];
        g.type="text/javascript"; g.async=true; g.defer=true; g.src=u+"ppms.js"; s.parentNode.insertBefore(g,s);
      })();
    </script>


    In this code, change the following elements:

    • *.example.com: (Array <string>) Domains that you want to track. They can contain a wildcard character (“*”) or a leading dot.
    • https://your-account.piwik.pro/: The address you use to log in to Piwik PRO.
    • XXX-XXX-XXX-XXX-XXX: The ID of the site or app in Piwik PRO where you want to send data. (Where to find it?)
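Before deploying the snippet, you can check the command queue mechanically for the points above: cookies disabled before the first page view, tracking limited to your own domains, and the placeholders replaced. This is an added example, not code from the Piwik PRO article or product; buildCnilQueue and checkCnilQueue are hypothetical helper names, and the site ID and domains used in the checks are constructed values.

```javascript
// Added example (not Piwik PRO's code): build and validate the CNIL-style
// _paq command queue from the tracking code above.
const SITE_ID_PLACEHOLDER = "XXX-XXX-XXX-XXX-XXX"; // placeholder from the article

// Same command order as the article's snippet.
function buildCnilQueue(accountUrl, siteId, domains) {
  return [
    ["disableCookies"],          // must precede trackPageView
    ["setDomains", domains],     // string or array of your own domains
    ["trackPageView"],
    ["enableLinkTracking"],
    ["setTrackerUrl", accountUrl + "ppms.php"],
    ["setSiteId", siteId],
  ];
}

// Returns a list of problems; an empty list means the queue matches the setup above.
function checkCnilQueue(queue) {
  const problems = [];
  const idx = (name) => queue.findIndex((cmd) => cmd[0] === name);

  const disable = idx("disableCookies");
  const pageView = idx("trackPageView");
  if (disable === -1) problems.push("disableCookies missing");
  else if (pageView !== -1 && disable > pageView) problems.push("disableCookies must come before trackPageView");

  const domains = idx("setDomains");
  if (domains === -1) problems.push("setDomains missing: restrict tracking to your own domains");
  else {
    // Accept "*.example.com", ".example.com" or "example.com/path"; reject a bare "*".
    for (const d of [].concat(queue[domains][1])) {
      if (!/^(\*\.|\.)?[a-z0-9][a-z0-9.\-\/]*$/i.test(d)) problems.push("setDomains entry too broad or malformed: " + d);
    }
  }

  const site = idx("setSiteId");
  if (site === -1 || queue[site][1] === SITE_ID_PLACEHOLDER) problems.push("setSiteId still uses the placeholder");

  const tracker = idx("setTrackerUrl");
  if (tracker === -1 || !/^https:\/\/.+\/ppms\.php$/.test(queue[tracker][1])) problems.push("setTrackerUrl must be your HTTPS Piwik PRO address ending in ppms.php");

  return problems;
}
```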
