CNIL Consent Exemption
On October 1, 2020, the French Data Protection Authority (the “CNIL”) published a revised version of its cookie guidelines (the “Guidelines”) and its final recommendations on obtaining users’ consent to store or read non-essential cookies and similar technologies on users’ devices or browsers (the “Recommendations”).
The Guidelines provide a limited exemption to the consent requirement (“Consent Exemption”). The Consent Exemption applies to analytics cookies whose purpose is limited to measuring the audience of the site or app only on behalf of the web publisher. The Guidelines provide that for the Consent Exemption to apply, the following conditions must be implemented:
- 25-month data retention max. You can review your current data retention settings under Analytics > Admin > Data Governance. Data Retention
- Disable third party cookies in ECID. disableThirdPartyCalls, disableThirdPartyCookies, and disableIdSyncs
- 13-month cookie limit. You can override your analytics cookie expiration using the
cookieLifetime variable. Experience Cloud cookies including Analytics and ECID extend the cookie expiration date with each visit. To set a static, non-rolling cookie expiration, you can either: (1) write custom code to set a date on which to delete the cookie, or (2) use your CMP to control the date of the cookie reset. cookieLifetime and Experience Cloud Cookies
- Limited scope. The scope of the cookie must be limited to a single site or application. Browser Cookies
- Anonymization. Anonymize the last octet of the IP Address. General Account Settings
- Hide visitor ID from reporting. The visitor IDs are not visible in Adobe Workspace and Adobe Reports and Analytics by default. Visitor IDs are available in Data Feeds and Data Warehouse. Access to Data Feeds and Data Warehouse can be limited by Access Permissions in Admin Console and Data Feed Column Reference
- Geolocation parameters. Geolocation can be no more precise than postal code level. Zip Option and General Account Settings
- Set opt-in options. The Opt-in service lets you set visitor protocols to determine if you can set a cookie on the user’s device or browser when visiting your site. Opt-In Service
- Prevent data sharing. To preclude data sharing to Adobe Audience Manager, use the
opt.dmp context variable for Privacy Reporting to block hits from being shared.
- Access and delete ability. Utilize the Privacy Service for access and delete requests. Analytics & Privacy Service
Additional Considerations for Data Collection
The following additional considerations apply:
- Consider collecting the opt-in status in an Analytics variable in order to separate opted-in data from opted-out data for segmentation, virtual report suites, or to route to separate end-points.
- No measurement outside the site or app without prior consent, for example no off-site campaigns, email campaigns, or iFrames.
- Collection of personal information in variables is not permitted without consent. Control Experience Cloud Activities Based on User Consent
- Data is only to be used to produce anonymous statistics, without combination with other data.
- Data is not used to cross-reference actions.
- GPS geolocation data is not collected.
- When end-user consent has been given, the above settings can be modified and restrictions relaxed.
For more information, see the CNIL Cookie Exemption website.