38% of websites collect data without consent

By Papa Sangoné Sall

Introduction 

In an ever-changing digital landscape, data protection and compliance with regulations such as the General Data Protection Regulation (GDPR) have become crucial issues for businesses. 

Our recent study, based on an analysis of 551 websites, reveals worrying findings about data collection without explicit user consent. These findings underline the pressing need for businesses to understand and align with data protection standards, not only to avoid significant financial penalties, but more importantly to build a relationship of trust with their users.

[Image: data collection without a cookie banner]

38% of websites analysed collect data without consent

The GDPR clearly sets out the rules and requirements with which organisations must comply when it comes to data processing. Our study highlights some worrying findings, with 38% of the 551 websites analysed collecting data without user consent. These results vary according to sector, which is why it is so important to understand the specificities of each industry when it comes to data protection. 

Although the majority of sites (62%) collect data only after users have accepted the cookie banner, a significant proportion (38%) collect data without users' explicit consent. Besides potentially contravening the GDPR, these practices can damage user trust and the company's reputation.

But what does "not complying with the GDPR" mean? If an organisation or a data processing activity does not comply with all the rules and/or requirements set out in the GDPR, it is liable to financial penalties which, for a company, can amount to up to 4% of its annual worldwide turnover. The CNIL's general summary of the GDPR makes it clear that "Internet users must be informed and give their consent prior to the storage and reading of certain tracking data".

Common examples of non-compliance are the absence of a cookie consent banner or the lack of an easy opt-out mechanism to revoke consent. As our study shows, the use of tracking mechanisms without obtaining prior informed consent from users is also on that list, particularly where the data collected is shared with advertising agencies and/or other third parties.

Other aspects concerning data processing, such as protection, retention, cross-border transfers and transparency of the data collected, are addressed under the GDPR. 

All the rules and provisions of the GDPR can be consulted on the CNIL website: https://www.cnil.fr/fr/reglement-europeen-protection-donnees

Not all cookies are baked the same way 

Regulation also means exceptions to the rule. For example, some cookies, such as those required for service provision, are exempt from consent. These are generally mandatory cookies that you must accept or that are automatically accepted when you access a website. Other exceptions apply in the case of "cookies used to store the contents of a shopping basket [...], to authenticate a service [...], to personalise the interface (e.g. choice of language), etc.". 

In addition to the essential tracers authorised, the use of certain audience measurement solutions, such as Piano Analytics (AT Internet), Matomo or CS Digital, is also an exception to the rule. These tools have been evaluated and approved by the CNIL for audience measurement within the framework of specific parameters.

Take Matomo, for example. In version 4 of the tool, it is possible to set up a data collection mode exempt from consent provided that the following 4 rules are respected:  

 

  • the analytical data does not contain any personal information;
  • it is used exclusively for analytical purposes;
  • it is not shared with, or linked to, data from other websites;
  • the privacy policy provides clear information on data collection.

 

The configuration required to comply with these rules can easily be made in the settings of the analytical tool of your choice, provided that it is on the list of solutions authorised by the CNIL. The list of solutions, together with their implementation guide in exempt mode, can be consulted at the following address: https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies-solutions-pour-les-outils-de-mesure-daudience  
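As an added illustration of the study's finding and of the exemptions described above (example code written for this article, not the study's own measurement tooling and not a list published by the CNIL), the following Node.js script classifies the Set-Cookie headers a page writes before the visitor has touched the consent banner. Cookies matching the exempt purposes the CNIL describes (session/authentication, shopping basket, interface personalisation, the consent choice itself) are accepted; cookies from well-known analytics or advertising tools, or set by a third-party host, place the page in the "collects data without consent" group; persistent first-party cookies of unknown purpose are reported for manual review. The cookie-name patterns, the vendor list, the hostnames `shop.example` and `news.example` and the two sample captures are constructed assumptions for this example.

```javascript
// Added example, not code from the original article or its authors.
// Audits cookies written *before* any interaction with the consent banner and
// decides whether a page belongs in the "collects data without consent" group.
// Exempt categories follow the CNIL exemptions quoted in the article; the cookie
// name patterns and the tracker vendor list are assumptions made for this example.

const EXEMPT_PATTERNS = [
  { purpose: 'authentication/session', re: /^(PHPSESSID|JSESSIONID|sessionid|session|auth_token|csrftoken|XSRF-TOKEN)$/i },
  { purpose: 'shopping basket', re: /^(cart|basket)(_id)?$/i },
  { purpose: 'interface personalisation', re: /^(lang|language|locale|theme)$/i },
  { purpose: 'storing the consent choice', re: /^(cookie_consent|consent|euconsent-v2)$/i },
];

// Widely used analytics/advertising cookie names (assumed list for the example).
const TRACKING_PATTERNS = [
  { vendor: 'Google Analytics', re: /^(_ga(_[A-Z0-9]+)?|_gid|_gat.*)$/i },
  { vendor: 'Meta Pixel', re: /^_fb[pc]$/ },
  { vendor: 'Matomo (cookie mode)', re: /^_pk_(id|ses|ref)/ },
  { vendor: 'Hotjar', re: /^_hj/ },
];

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Cookies that outlive the browsing session are treated as persistent tracers.
function isPersistent({ attributes }) {
  if ('max-age' in attributes) return Number(attributes['max-age']) > 0;
  return 'expires' in attributes;
}

// Classify one pre-consent cookie; `responseHost` is the host that set it.
function classifyCookie(cookie, responseHost, firstPartyHost) {
  const thirdParty = !(responseHost === firstPartyHost || responseHost.endsWith('.' + firstPartyHost));
  for (const { purpose, re } of EXEMPT_PATTERNS) {
    if (re.test(cookie.name) && !thirdParty) return { verdict: 'exempt', detail: purpose };
  }
  for (const { vendor, re } of TRACKING_PATTERNS) {
    if (re.test(cookie.name)) return { verdict: 'tracking', detail: vendor + (thirdParty ? ' (third-party)' : '') };
  }
  if (thirdParty) return { verdict: 'tracking', detail: 'unknown third-party cookie from ' + responseHost };
  if (isPersistent(cookie)) return { verdict: 'review', detail: 'persistent first-party cookie of unknown purpose' };
  return { verdict: 'exempt', detail: 'session-scoped first-party cookie (assumed technical)' };
}

// Audit a capture of Set-Cookie headers recorded before the banner was touched.
// Returns the overall verdict plus the per-cookie findings for a report.
function auditPreConsent(firstPartyHost, capture) {
  const findings = capture.map(({ host, setCookie }) => {
    const cookie = parseSetCookie(setCookie);
    return { name: cookie.name, host, ...classifyCookie(cookie, host, firstPartyHost) };
  });
  return {
    collectsWithoutConsent: findings.some((f) => f.verdict === 'tracking'),
    needsReview: findings.filter((f) => f.verdict === 'review').map((f) => f.name),
    findings,
  };
}

// Constructed sample captures (not real measurements from the study).
const SHOP_EXAMPLE = [
  { host: 'shop.example', setCookie: 'PHPSESSID=abc123; Path=/; HttpOnly; Secure' },
  { host: 'shop.example', setCookie: 'cart=42; Path=/; Secure' },
  { host: 'shop.example', setCookie: 'lang=fr; Max-Age=31536000; Path=/' },
];
const MEDIA_EXAMPLE = [
  { host: 'news.example', setCookie: 'JSESSIONID=xyz; Path=/; HttpOnly' },
  { host: 'news.example', setCookie: '_ga=GA1.2.111.222; Max-Age=63072000; Path=/' },
  { host: 'www.facebook.com', setCookie: '_fbp=fb.1.1700000000.1; Max-Age=7776000; Domain=.facebook.com' },
  { host: 'news.example', setCookie: 'abtest=B; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditPreConsent('shop.example', SHOP_EXAMPLE), null, 2));
  console.log(JSON.stringify(auditPreConsent('news.example', MEDIA_EXAMPLE), null, 2));
}
```

Run it with `node audit.js`: the shop capture passes (only service-related cookies), while the news capture is flagged because an analytics cookie and a third-party advertising cookie are written before consent, and the `abtest` cookie is listed for review. A real audit would also need to look at local storage and at requests sent to third-party hosts, which this cookie-only version does not inspect.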

 

4 steps to follow in the quest for compliance:

Ensuring compliance with the GDPR involves several key steps:

 

1- List data processing activities: keeping a complete record of all data processing activities is essential to stay compliant with the regulation. This record should include the purpose of each processing activity, the categories of data involved, who has access to the data, retention periods, security measures and any international transfers of data.

 

  To maintain this record, it is recommended that you appoint a DPO (Data Protection Officer), or use the services of one, who will support and advise you on the steps to be taken.

  

2- Data evaluation and minimisation: each entry in the record must be carefully examined to ensure that the data processed is relevant and necessary for the intended purpose. This means, for example, collecting only essential data and not keeping data beyond the required period.

  

3- Respect the rights of data subjects: inform the people whose data you process of their rights in a transparent manner. In particular, this means being transparent about the purpose of the collection, specifying the legal basis for the processing, detailing who has access to the data, how long it is retained and any transfers outside the EU, and explaining the procedure by which people can exercise their rights.

  

4- Data security: implement technical and organisational measures to protect data. Depending on the sensitivity of the data, adopt specific security measures against unauthorised access, unwanted modification or loss of data. Data breaches are a real risk, and appropriate security is essential to prevent harm to individuals.

 

By following these steps, you will be compliant with the GDPR, thereby respecting individuals' rights to privacy and data protection and eliminating the risk of fines.

  

The study was conducted on 551 websites of companies operating in the following 7 sectors: Beauty, Fashion & Luxury, Automotive & Mobility, Retail & E-commerce, Health & Pharmaceuticals, Mid-Market, Banking & Insurance, Tourism & Leisure. 

Credit: Photo by Vyshnavi Bisani on Unsplash
