CNIL’s “Audience Measurement” Exemption
On July 4, 2019, the French regulator, CNIL, issued guidelines concerning the requirements for obtaining website visitors’ consent for the use of certain types of website cookies. On September 17 2020 CNIL has also clarified by the revised guidelines and recommendations. As part of such guidelines, CNIL has provided a list of possible exemptions from such consent requirements. One of the exemptions provided by the CNIL is the exemption for “Audience Measurement” cookies which include criteria for qualifying for such exemption - as listed under Article 5 of the guidelines.
As provided in our earlier publications Contentsquare’s position on this topic is very clear - we believe that behaviour analytics information, and analytics cookies (first-party without personal information) as its conduit, are an essential and necessary part of any service and business survival and therefore should be exempt from the requirement of visitor consent. We strongly believe that the Contentsquare cookies, which are used purely for our customers website analytics purposes, should be exempt.
In this short essay we wanted to assist our customers in their determination (as Data Controllers) whether Contentsquare cookies are deemed as exempt under the CNIL recent guidelines, by providing the list of Audience Measurement exemption criteria, as provided under Article 5 of the guidelines together with Contentsquare relevant processing activities, practices and measurements.
Following are the conditions and Contentsquare’s related measurements (free translation to English*):
Cookies must be implemented by the site editor or by its subcontractor
The injection of Contentstquare’s cookies and JS code into the visitor browser is controlled solely by the website owner (Data Controller).
The person must be informed prior to their implementation
Contentsquare remind, encourage and contractually obligate all our customers (the Data Controllers) to provide their website visitors with all appropriate notices concerning the personal data processing done by them and by Contentsquare.
The person must have the ability to oppose it by means of an opposition mechanism that can be easily used on all terminals, operating systems, applications and web browsers. No read or write operation should take place on the terminal from which the person has objected
Contentsquare provides its customers with the ability to allow any of their website visitors to object to Contentsquare data processing (see Link for more information).
The purpose of the device must be limited to (i) audience measurement of the content viewed in order to allow the evaluation of the content published and the ergonomics of the site or application, (ii) audience segmentation of the website in cohorts in order to evaluate the effectiveness of the editorial choices, without this leading to targeting a single person and (iii) the dynamic modification of a site overall. The personal data collected must not be combined with other processing (customer files or statistics of visits to other sites, for example) nor transmitted to third parties. The use of tracers must also be strictly confined to the production of anonymous statistics. Its scope must be limited to a single site or mobile application publisher and should not allow the navigation of the person using different applications or navigating different web sites
The Contentsquare solution, when used alone, provides our customers with the ability to evaluate and analyse their website, its content and the experience of their website visitors without the ability to identify, lead or target the individual visitors.
The Contentsquare solution is provided as a stand-alone with no need or requirement for connection or integration with any additional tool in order for our customers to enjoy and benefit from the full scope and features of the solution.
The only approved sub-processors Contentsquare uses in order to provide the services (apart from the Contentsquare group relevant companies) are Contentsquare’s data hosting providers - as listed here.
Our analytics metrics, reports and statistics, if used alone, do not allow the ability, for Contentsquare nor our customers, to identify the individual visitor. For more information - visit here.
The use of the IP address to geolocate the Internet user must not provide more precise information than the city. The collected IP address must also be deleted or anonymized once the geolocation has been carried out
Our use of IP address for GEO localisation is limited to the city level.
Promptly after using the IP address for GEO Location (city level), blacklisting unwanted IP address, and troubleshooting immediate data collection malfunctions in the system (no to exceed 3 days), the IP address is permanently deleted. For more information - visit here.
The tracers used for these treatments must not have a lifespan exceeding thirteen months and this duration must not be automatically extended during new visits. The information collected through the tracers must be kept for a maximum period of twenty-five months
All Contentsquare cookies are 1st party cookies and an expiration date not to exceed 13 months without automatic extension. No personal information (other than the random unique cookie ID) is included in the cookies. See here for more information.
All data collected is stored for no longer than 13 months. For more information - visit here.
*Conditions were loosely translated into English for ease of reading only, without commitment on the accuracy of translation. In any contradictions between the English translation herein and the French Original Text, such original text will prevail.
To conclude, after reviewing CNIL’s guidelines above and Contentsquare extreme measures to protect the personal data of our customers, Contentsquare strongly believes that the Contentsquare cookies should be qualified and deemed as exempt from visitor consent.
We encourage and recommend our customers to discuss these requirements and Contentsquare’s measurements internally with their respective legal and privacy experts and get to the relevant conclusion.
This article is provided solely as an independent opinion and in no way shall be read or deemed as legal advice.