How to make your website compliant with CNIL

This article is also available in: French.

Commission Nationale Informatique & Libertés (aka CNIL) is the French data protection agency. The CNIL has listed Piwik PRO as a solution that can be used to collect some data without consent. So if you’re operating in France, you can take advantage of this exemption.

In this article, we’ll explain what data you can collect without consent. We’ll also show you how to set up your account in Piwik PRO to make it aligned with the CNIL guidelines.

Do’s and don’ts of collected data

Here are the rules you need to follow to stay compliant with the CNIL guidelines:

  • Collect data only on your domains and apps: You can collect data only on sites or apps that belong to your organization.
  • Don’t join data with other sources: You can’t merge data collected without consent with other data. Turn off any integrations that may join such data (Analytics > Settings > Integrations).
  • Don’t use custom dimensions to collect personal data.
  • Don’t export data collected without consent.
  • Don’t process raw data collected without consent: Use custom dimensions to separate your data. Create custom dimensions (session-level and event-level) that set apart (1) data collected without consent from (2) data collected with consent. When you access your data via the API, filter out the first group.
  • Sign a data processing agreement: You need to agree to our Data Processing Agreement. If you need a hard copy, contact us at: legal+dpa@piwik.pro (send us your account address, the email address of your authorized signer and your company details).
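As an added illustration of the custom-dimension split described above (example code, not Piwik PRO's own; the dimension name `consent_status`, the value `given` and the sample rows are constructed for this example and do not reflect real Piwik PRO dimension ids), the function below partitions API rows by their consent dimension and fails closed: a row whose dimension is missing is treated as collected without consent, so it never reaches an export or a join with another data source.

```python
# Constructed sample rows shaped like an analytics API response.
# Field names are hypothetical; Piwik PRO's real dimension ids differ.
CONSENT_DIMENSION = "consent_status"

SAMPLE_ROWS = [
    {"session_id": "s1", "consent_status": "given", "page_views": 5},
    {"session_id": "s2", "consent_status": "none", "page_views": 2},
    {"session_id": "s3", "consent_status": "given", "page_views": 1},
    {"session_id": "s4", "page_views": 3},  # dimension missing: treated as no consent
]


def split_by_consent(rows, dimension=CONSENT_DIMENSION):
    """Partition rows into (with_consent, without_consent).

    A row without the dimension, or with any value other than "given",
    goes to the without-consent bucket, so an unlabelled row is never
    exported by accident.
    """
    with_consent, without = [], []
    for row in rows:
        target = with_consent if row.get(dimension) == "given" else without
        target.append(row)
    return with_consent, without


def exportable_rows(rows, dimension=CONSENT_DIMENSION):
    """Rows that may leave the platform (exports, joins with other sources)."""
    with_consent, _ = split_by_consent(rows, dimension)
    return with_consent


def assert_no_unconsented(rows, dimension=CONSENT_DIMENSION):
    """Guard to call right before an export or a join; raises on a slip."""
    _, without = split_by_consent(rows, dimension)
    if without:
        raise ValueError(
            f"{len(without)} row(s) collected without consent must not be exported"
        )
    return True


if __name__ == "__main__":
    safe = exportable_rows(SAMPLE_ROWS)
    assert_no_unconsented(safe)
    print([r["session_id"] for r in safe])  # sessions s1 and s3 only
```

Calling `assert_no_unconsented` on the filtered rows right before the export step turns a silent policy slip (a forgotten filter, a renamed dimension) into a hard failure.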

Set up Piwik PRO to meet the CNIL guidelines

When setting up your account, you can choose one of two methods: (1) collect all data without displaying a consent form, or (2) ask visitors for consent and, for visitors who don’t agree, collect only data that are exempt from consent.

The first method is best when Piwik PRO is the only software you use to collect personal data. With the following setup, you won’t need to show a consent form to your visitors and your data will fall into the CNIL’s exempted category. Just remember to follow the do’s and don’ts of collected data.

If you decide not to ask visitors for consent and collect only exempted data, you need to do the following setup:

  1. Turn off Ask visitors for consent and turn off Use visitor cookies.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (off) + Use a session ID (on) + Use visitor cookies (off)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Ask visitors for consent (off) + Use a device fingerprint (on) + Use visitor cookies (off)

  2. Turn on Mask IP address and mask at least 1 byte.

    Setting: Administration > Sites & apps > Privacy > Mask IP address (on) + Level 1 (on) + Collect from unmasked IP addresses (All location data)

    Settings in versions below 16.0.0: Administration > Platform > Privacy settings > Mask IP address (on) + 1 byte (on)

  3. Turn on Collect data only from known sites. This option makes sure that you’ll collect data only from the added site or app addresses.

    Setting: Administration > Sites & apps > Data collection > Filters > Collect data only from known sites (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Whitelist page URLs (on)

  4. Turn on Comply with CNIL guidelines. With this option turned on, we’ll hide the session log report (Analytics > Reports > Session log) and tracker debugger (Analytics > Settings > Tracker debugger). We’ll also show a warning message when a user tries to create API keys.

    Setting: Administration > Sites & apps > Privacy > Comply with CNIL guidelines (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Comply with CNIL guidelines (on)
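Steps 2 and 3 above (and the matching steps of the consent-form setup) describe two server-side checks: zeroing the last byte(s) of the client IP and accepting hits only from the site addresses you added. The block below is an added example of both, not Piwik PRO's own code: the `KNOWN_SITES` list is constructed, matching on the exact host name is this example's simplification of "Collect data only from known sites", and applying the same byte count to IPv6 addresses is an assumption made here, not a statement about how Piwik PRO masks IPv6.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of a "known sites" list (hypothetical host names).
KNOWN_SITES = ["www.example.com", "shop.example.com"]


def mask_ip(ip: str, level: int = 1) -> str:
    """Zero the last `level` bytes of an IPv4 or IPv6 address.

    level=1 corresponds to "Level 1" / "1 byte" in the privacy settings.
    Treating the level as a byte count for IPv6 too is this example's
    assumption.
    """
    if not 1 <= level <= 3:
        raise ValueError("mask between 1 and 3 bytes")
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk input
    low_bits = 8 * level
    masked = int(addr) & ~((1 << low_bits) - 1)
    return str(type(addr)(masked))           # same family (IPv4/IPv6) as input


def is_known_site(page_url: str, known_sites=KNOWN_SITES) -> bool:
    """True when the tracked page's host is one of the configured sites."""
    host = urlparse(page_url).hostname        # already lower-cased by urlparse
    return host is not None and host in {s.lower() for s in known_sites}


def process_hit(page_url: str, client_ip: str, level: int = 1):
    """Return the sanitised hit to store, or None when it must be dropped.

    A hit from a host that is not on the list is discarded before any
    data about it is kept, e.g. when a tracking snippet is copied onto a
    site you do not own.
    """
    if not is_known_site(page_url):
        return None
    return {"url": page_url, "ip": mask_ip(client_ip, level)}


if __name__ == "__main__":
    print(process_hit("https://shop.example.com/cart", "203.0.113.45"))
    print(process_hit("https://www.example.com/", "2001:db8::1234:5678"))
    print(process_hit("https://other.example.net/", "203.0.113.45"))  # None
```

The masked address is what gets stored; keeping the level at 1 or higher before storage is what makes the IP field coarse enough to lose the per-device precision that the guidelines are concerned with.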

Use the second method if you’re using other software to collect and process data. These can be products for marketing automation, A/B testing, measuring ad conversions and the like. You’ll need to get consent from visitors to use them.

If you decide to show a consent form to your visitors, you’ll collect full data for those who agree and exempted data for those who don’t agree. Here’s how your setup should look:

  1. Apply the GDPR guidelines to collect data after the consent is given. Read more
  2. Turn on Ask visitors for consent and turn on Collect data without using cookies.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (on) + Collect data without using cookies (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Ask visitors for consent (on) + Collect data without using cookies (on)

  3. Turn on Mask IP address and mask at least 1 byte.

    Setting: Administration > Sites & apps > Privacy > Mask IP address (on) + Level 1 (on) + Collect from unmasked IP addresses (All location data)

    Settings in versions below 16.0.0: Administration > Platform > Privacy settings > Mask IP address (on) + 1 byte (on)

  4. Turn on Collect data only from known sites. This option makes sure that you’ll collect data only from the added site or app addresses.

    Setting: Administration > Sites & apps > Data collection > Filters > Collect data only from known sites (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Settings > Whitelist page URLs (on)

  5. Make sure the Piwik PRO tag (the one responsible for collecting data) is marked as Consent type: Analytics. This option will make sure that this tag will fire only after visitors consent to Analytics.

    Setting: Tag Manager > Tags > Piwik PRO > Advanced tag settings > Consent type: Analytics

  6. Turn on Comply with CNIL guidelines. With this option turned on, we’ll hide the session log report (Analytics > Reports > Session log) and tracker debugger (Analytics > Settings > Tracker debugger). We’ll also show a warning message when a user tries to create API keys.

    Setting: Administration > Sites & apps > Privacy > Comply with CNIL guidelines (on)

    Settings in versions below 16.0.0: Administration > Websites & apps > Comply with CNIL guidelines (on)
