Not all cookies are baked the same way
Regulation also means exceptions to the rule. For example, some cookies, such as those required for service provision, are exempt from consent. These are generally mandatory cookies that you must accept or that are automatically accepted when you access a website. Other exceptions apply in the case of "cookies used to store the contents of a shopping basket [...], to authenticate a service [...], to personalise the interface (e.g. choice of language), etc.".
In addition to the authorised essential trackers, the use of certain audience measurement solutions, from tools such as Piano Analytics (AT Internet), Matomo or CS Digital, is also an exception to the rule. These tools have been evaluated and approved by the CNIL to enable audience tracking, provided that specific parameters are respected.
Take Matomo, for example. In version 4 of the tool, it is possible to set up a data collection mode exempt from consent, provided that the following 4 rules are respected:
- the analytical data does not contain any personal information;
- it is used exclusively for analytical purposes;
- it is not shared with, or linked to, data from other websites;
- the confidentiality policy provides clear information on data collection.
The configuration required to comply with these rules can easily be made in the settings of the analytical tool of your choice, provided that it is on the list of solutions authorised by the CNIL. The list of solutions, together with their implementation guides for exempt mode, can be consulted at the following address: https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies-solutions-pour-les-outils-de-mesure-daudience
4 steps to follow in the quest for compliance:
Ensuring compliance with GDPR regulations involves several key steps:
1- Record data processing: keeping a complete record of all data processing activities is essential to ensure that you are up to date with the regulations. This record should include the purpose of each processing activity, the categories of data involved, who has access to the data, data retention periods, security measures and any international transfers of data.
To maintain this record, it is recommended that you appoint or use the services of a DPO (Data Protection Officer), who will support and advise you on the steps to be taken.
2- Data evaluation and minimisation: Each entry in the register must be carefully examined to ensure that the data processed is relevant and necessary for the intended purpose. This means, for example, collecting only essential data and ensuring that data is not kept beyond the required period.
3- Respect the rights of data subjects: inform the people whose data you are processing of their rights in a transparent manner. In particular, this means being transparent about the purpose of collecting the data, specifying the legal basis for the processing, detailing who has access to the data, how long it is retained and any transfers outside the EU, and explaining the procedure by which people can exercise their rights.
4- Data security: implement technical and organisational measures to protect data. Depending on the sensitivity of the data, adopt specific security measures against unauthorised access, unwanted modification or loss of data. Data breaches are a real risk, and appropriate security is essential to prevent harm to individuals.
By following these steps, you will be compliant with the GDPR, thereby respecting individuals' rights to privacy and data protection and eliminating the risk of fines.
The study was conducted on 551 websites of companies operating in the following 7 sectors: Beauty, Fashion & Luxury; Automotive & Mobility; Retail & E-commerce; Health & Pharmaceuticals; Mid-Market; Banking & Insurance; Tourism & Leisure.