Psst...Want to see content specific to your location?

Contentsquare’s take 


CNIL’s “Audience Measurement” Exemption 

Current version: May 2021

See previous versions

On September 17, 2020, the CNIL (French Data Protection Authority) issued amending guidelines (“the Guidelines”) and recommendations concerning the requirements for obtaining website visitors’ consent for the use of certain types of website cookies and similar identifiers repealing the guidelines of July 4, 2019. Within the framework of these Guidelines, the CNIL has provided a list of possible exemptions from these consent requirements. Audience measurement cookies or similar identifiers may in particular be exempt from consent under certain conditions, as listed in Article 5 (paragraphs 50 to 52) of the Guidelines.

As provided in our earlier publications, Contentsquare’s ("Contentsquare" or "we") take on this topic is very clear - we believe that online behaviour analytics information, and analytics cookies (first-party without personal data) as its conduit, are necessary for the operation of any website / mobile application and essential for any business, and therefore should be exempt from the visitor's consent requirement. We strongly believe that Contentsquare cookies, which are only used for the purpose of our customers website and application analytics purposes, should be exempt.   

In this short essay we wanted to assist our customers in their determination (as Data Controllers) whether Contentsquare cookies are deemed as exempt under the Guidelines, by providing the list of Audience Measurement exemption criteria, as provided under Article 5 of the Guidelines, as well as the practices implemented by Contentsquare, which according to us, allow to meet these criteria.

Following are the conditions and Contentsquare’s related measurements (free translation to English*): 

Requirements for audience measurement to be exempt from consent under Article 5 (paragraphs 51 and 52) of the Guidelines Contentsquare’s take

Cookies and similar technologies must have a purpose strictly limited to audience measuring on the website or application for the sole account of the editor


The sole purpose of our cookies is to analyze visitors' online behavior to improve their journey and the performance of the Customer's websites and mobile applications, in the name and on behalf of the Customer. Our Data Protection Agreement (DPA) provides that we can only act on the instruction of the Customer, who is the controller and that we only process the data on his behalf solely to provide our services to the Customer.

These cookies and similar technologies must not, amongst other requirements, allow the overall tracking of the visitor’s navigation using different websites or applications.


Our cookies are first-party cookies only limited to the audience measurement of the Customer's website or mobile application. Therefore, we do not cross-device or cross-domain.

These cookies and other tracking devices should only be used to produce anonymous statistics data.


Our analytics metrics, reports and statistics, if used alone, do not allow the ability, for Contentsquare nor our Customers, to identify the individual visitor. For more information, click here.

Personal data collected may not be cross-referenced with other personal data processed or transmitted to third parties.


No data processing other than the provision of our services for our Customers is carried out with the personal data collected via our cookies. Indeed, the Contentsquare solution is provided as a “stand-alone” solution without the need or requirement of connection or integration with an additional tool so that our Customers can enjoy and benefit from the full scope and functionality of our solution.

No personal data collected through our cookies is transmitted to third parties. The only approved subprocessors that Contentsquare uses to provide the services (other than the relevant Contentsquare group companies) are Contentsquare's data hosting providers - as listed here.

Audience measurement is a data processing which is subject to all the relevant provisions of the GDPR


Data protection is a priority at Contentsquare. Thus, as data processor, we are committed to providing our Customers with a user experience analytics solution which complies with the provisions of the GDPR and in particular with the following principles:

-      Purpose limitation:

As mentioned above, the sole purpose of our data processing is to analyze visitors' online behavior to improve their journey and the performance of the Customer's websites and mobile applications.

-      Data minimization:

We only collect personal data that are strictly necessary for the provision of our services (IP address, cookie ID and online behavioral data). For more information, please click here.

-      Limitation of the data retention:

All Contentsquare cookies are first-party cookies with an expiration date not exceeding 13 months, without automatic extension. No personal data (other than the random unique cookie ID) is included in the cookies. For more information, click here.

All data collected is stored for no longer than 13 months. For more information - visit here.

Promptly after using the IP address for GEO Location (city-level), blacklisting unwanted IP address, and troubleshooting immediate data collection malfunctions in the system (no to exceed 3 days), the IP address is permanently deleted. For more information - visit here.

-     Data subjects’ rights:

Contentsquare has set up a tool to manage data subjects requests (“DSRs”) to assist our Customers in exercising their rights so that they can respond effectively to the data subjects in compliance with applicable legal timeframes. Click here for more information.

Further, all Contentsquare Customers (as data controllers) are encouraged and contractually bound to inform visitors of their websites/applications about the data processing carried out by them and by Contentsquare. As such, we have a documentation center called "Privacy Center" on our website which allows our Customers to quickly and easily have all the useful information on Contentsquare's data protection practices, in particular with respect to our privacy and cookies policies. You can also access a document detailing how we process data in the Contentsquare solution.

In addition, Contentsquare offers its customers the option of allowing any visitor to their website to object to the processing of data by Contentsquare (click here for more information).

-    Security measures:

Contentsquare has put in place appropriate physical, technical and organizational measures to ensure a level of security adapted to the risk presented by the data processing carried out through the Contentsquare solution. For more information, please click here.

Finally, Contentsquare is ISO 27701 certified (both data controller and processor) which is an international standard for data protection aligned with the main international data protection regulations, including the GDPR and CCPA.

*Conditions were loosely translated into English for ease of reading only, without commitment on the accuracy of translation. In any contradictions between the English translation herein and the French Original Text, such original text will prevail.

To conclude, after reviewing CNIL’s guidelines above and Contentsquare extreme measures to protect the personal data of our customers, Contentsquare strongly believes that the Contentsquare cookies should be qualified and deemed as exempt from visitor consent.

We encourage and recommend that our Customers discuss these exemption conditions and Contentsquare’s take internally with their respective legal counsel and DPO and get to the relevant conclusion.

For more information please feel free to visit our Privacy Center, including our additional information on our data processing; or contact us directly at [email protected].

This article is provided solely as an independent opinion and in no way shall be read or deemed as legal advice.