- The user’s consent, or
- The cookie must be strictly necessary in order to provide the service explicitly requested by the user (Strictly Necessary Cookies).
The category of Strictly Necessary Cookies was previously interpreted rather narrowly. There must be a clear link between the strict necessity of the cookie and the delivery of the service. It is not sufficient that the cookie is merely necessary from an economic perspective to run a website. The Article 29 Working Party in WP194 regarded shopping cart, user authentication, security, load balancing, or multimedia player as use cases for Strictly Necessary Cookies.
The legal basis for so-called Reach Measurement Cookies has been heavily debated. Reach Measurement Cookies are statistical audience measurement tools for websites used to estimate the number of unique users, track the users’ interaction with the website and track down navigation issues. Typically, they have not been regarded as Strictly Necessary Cookies because websites can be provided to the users without measuring the users’ interactions with the websites. At the same time, Reach Measurement Cookies only provide useful findings if every user’s interactions with the websites are tracked.
In this context, the French data protection authority (CNIL) has provided guidelines (Guidelines) under which the Reach Measurement Cookies may be considered as Strictly Necessary Cookies and thus benefit from the consent exemption.
Cumulative conditions shall be met in order to benefit from the consent exemption
According to the Guidelines, Reach Measurement Cookies can only be considered as Strictly Necessary Cookies for the operation of the website if specific cumulative conditions are met.
In practice, any data controller wishing to implement Reach Measurement Cookies without obtaining the users’ prior consent shall be able to demonstrate compliance with the following cumulative conditions:
- The purpose of the Reach Measurement Cookies shall be strictly limited to measuring the audience of the website or application, exclusively on behalf of the website operator. This includes measuring performance, detecting navigation issues, improving technical performance, assessing the capacity of the servers, analysing the content viewed by the users, exclusively on behalf of the website operator. The use of the Reach Measurement Cookies must be strictly necessary for the proper functioning and day-to-day administration of the website.
  The CNIL has further specified these requirements and issued a list of reach measurement functionalities that would be considered as strictly necessary for the proper operation of a website:
  - audience measurement, page by page and aggregated (hourly or less frequently);
  - list of referrer URLs, by page and aggregated on a daily basis;
  - the type of terminal, browser and screen size of users, per page and aggregated on a daily basis;
  - statistics on page loading times, per page and aggregated on an hourly basis;
  - statistics of time spent on each page, bounce rate, scroll depth, per page and aggregated on a daily basis;
  - statistics on user actions (click, selection), per page and aggregated on a daily basis; and
  - statistics on the geographical area of origin of the requests, by page and aggregated on a daily basis.
- The Reach Measurement Cookies shall not allow the global tracking of navigation of the user who uses different applications or browses on different websites. Therefore, any Reach Measurement Cookie that uses the same identifier across several websites to cross-reference, duplicate or measure a unified reach of content is excluded from the consent exemption.
- The Reach Measurement Cookies shall aim at producing aggregated statistical data. In other words, any cross-referencing of data or transfers to third parties shall be prohibited.
Reach Measurement Cookies confirmed by CNIL to be strictly necessary
In order to assist data controllers in confirming that the above conditions are met, the CNIL has launched a specific assessment for Reach Measurement Cookies, showing practical examples of compliant Reach Measurement Cookies available on the market.
The CNIL assessment program clarifies the practical conditions under which consent exemptions may be granted, and therefore offers a clearer view on how to comply. In practice, it allows any provider of a Reach Measurement Cookie to file an application, so that the CNIL can assess whether the tool falls within the scope of a consent exemption.
To date, a list of five Reach Measurement Cookies exempt from consent is published on the CNIL website in order to help data controllers select a provider (List):
- AT Internet’s Analytics Suite Delta;
- Net Solution Partner’s SmartProfile;
- Wysistat Business solution, Wysistat;
- Piwik PRO Analytics Suite; and
- Abla Analytics solution from Astra Porta.
In this list, the CNIL provides guidance on specific configurations that must be implemented for the use of each Reach Measurement Cookie.
Although organizations may still decide to rely on providers that are not included on the List, the CNIL clearly urges data controllers to carefully check the terms and conditions offered by potential providers.
For instance, data controllers shall check whether the providers are contractually committed not to re-use the data collected for their own purposes, or whether it would be possible to change the parameters of the Reach Measurement Cookies in order to deactivate the re-use of data.
Organizations have a strong interest in assessing whether their Reach Measurement Cookies meet the conditions set forth by the CNIL in order to avoid any risk of fines. In that respect, the recent Guidelines constitute key guidance for organizations, especially since analytics constitute precious data for online activity.
From an EU perspective, the Guidelines will directly apply only to organizations that fall within the jurisdiction of the CNIL. It remains to be seen if other national data protection authorities will follow the CNIL path. The Guidelines are, however, a good source for organizations in other EU member states to argue that certain Reach Measurement Cookies do not require consent.