September 7, 2022

What is the Audience Measurement Cookies consent exemption?

What is the Audience Measurement Cookies consent exemption?

If you have been reading about the GDPR and the ePrivacy directive, you'd know under these regulations, if a website wants to collect data from EU citizens, consent must be freely and explicitly given by the website visitors for the implementation of all cookies, with the only exception of strictly necessary cookies.

What cookies are considered "strictly necessary" had previously been quite narrowly interpreted as only those that are integral to the functionality of the website, this excludes cookies that are necessary from an economic perspective to have the website in the first place. The management of a website or a mobile application generally requires the use of traffic or performance statistics, which are often essential to the provision of the service. That's why the French data protection authority's consent exemption for audience measurement cookies is a compelling solution for some, and can perhaps become more widely practiced in areas affected by the GDPR and ePrivacy directive.

The French data protection authority (CNIL)'s updated guidelines on cookie consent were published a year ago and came into enforcement for data controllers earlier this year. The publication includes recommendations concerning the requirements for obtaining website visitors’ consent for the use of certain types of cookies and other trackers, where the audience measurement cookies may be considered as strictly necessary cookies under certain conditions, thus benefit from the consent exemption. (Under CNIL guidelines, consent must comply with Article 82 of the French Data Protection Act and Article 4 of the GDPR.)

These cookies must only be used to produce anonymous statistical data and must have a purpose strictly limited to measuring the audience of the website or application (performance measurement, detection of navigation problems, optimization of technical performance or its ergonomics, estimation of the power of the necessary servers, analysis of contents consulted), for the exclusive account of the publisher.

In summary, the benefit of cookie consent exemption only comes with the following conditions:
  • If users are informed of the implementation of such cookies and other trackers, e.g. via a privacy notice;
  • If users are given the ability to object to the implementation of such cookies;
  • If such cookies are strictly for the purposes of either audience measurement or A/B testing;
  • If the processed data is not cross-referenced with other types of processing;
  • If the scope of the tracker is limited to a single website or application;
  • If the information collected through these trackers is kept for a maximum period of 25 months;
  • If the lifetime of the trackers is limited to 13 months, and not automatically extended during new visits.

It's also possible for the same third-party (subcontractor) to provide a comparative audience measurement service to multiple publishers, provided that:

  • The data is collected, processed and stored independently for each publisher; and
  • The trackers are independent of each other.

It might seem as though there are a lot of limitations, but this still allows for the collection of useful data. You’d get data on campaigns, referrers, events, conversions (anonymous) and more. Naturally, you’ll get all the data you normally would from website visitors who do provide consent, since the CNIL consent exemption doesn’t put any limits on the data you can collect after consent.

Just be sure not to merge the data collected under the exemption with data collected after consent, which is beyond the accepted scope of data collected under the exemption.

DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions. The information presented on this website may not reflect the most current legal developments. An attorney should be contacted for advice on specific legal issues. The implementation of a data protection law compliant Consent Management Platform (CMP) is ultimately at the discretion of the respective data protection officer (DPO) or legal department.