CNIL

Definition

The CNIL (Commission Nationale de l’Informatique et des Libertes) is the French data protection authority, established in 1978. It is responsible for enforcing the GDPR and the ePrivacy directive in France. For web analytics, the CNIL is the body that defines the rules applicable to cookies, trackers and audience measurement tools.

In September 2020, the CNIL published its cookie guidelines, reinforced in April 2021. The key points for web analytics are: consent must be freely given, specific, informed and unambiguous; continuing to browse does not constitute consent; refusing must be as easy as accepting; cookie walls (blocking access without consent) are prohibited with limited exceptions. CMPs must comply with these requirements.

Sanctions

The CNIL has enforcement powers with fines up to 4% of global annual revenue. Regarding cookies and tracking, it has sanctioned Google (150M euros), Amazon (35M euros), Microsoft (60M euros), and numerous French companies for non-compliant consent banners or cookie placement without consent.

The CNIL grants a consent exemption to certain audience measurement tools, under strict conditions: purpose limited to audience measurement, no data cross-referencing, no transfer to third parties. Matomo and AT Internet (Piano) can benefit from this exemption. GA4 is not eligible for this exemption.

Have an analytics project?

Let's discuss your tracking, measurement and data needs. Free initial consultation, no commitment.

Book a call