CNIL Compliance for Ecommerce Tracking
If your use of Matomo complies with CNIL guidelines, you can collect certain types of data without requiring user consent. However, certain aspects of Ecommerce tracking must be adjusted or disabled to comply with CNIL criteria.
As a CNIL-compliant user, you can still implement parts of the Ecommerce tracking feature, such as analysing shopping cart interactions, transactions, checkouts, and conversions, provided you adhere to CNIL rules regarding cookies and other trackers.
This guide explains when user consent is required for Ecommerce tracking and offers guidance on how to maintain CNIL compliance while using these features.
Defining CNIL Exemptions and Consent Requirements
CNIL outlines explicit conditions under which cookies and trackers are exempt from consent. These exempt cookies are generally considered "strictly necessary" for the functioning of the site or application and do not require user consent if used appropriately.
Consent-Exempt Cookies and Trackers
General exemption
For a tracker to be exempt from consent, all exemption conditions must be met. If any condition is not met, for example because you add other non-exempt cookies, track or identify individuals, share data, or use strictly necessary cookies for secondary purposes, then prior consent is required.
CNIL considers the following types of trackers exempt:
- Trackers that store users’ cookie preferences.
- Authentication trackers (including those for security measures).
- Trackers for shopping cart contents or billing in Ecommerce sites.
- Trackers that personalise the user interface (e.g., language choice).
- Load balancing trackers that improve site stability.
- Trackers limiting free access to paid content on a website.
For Ecommerce purposes, cookies that store shopping cart contents or assist with payment processing are also exempt from consent. However, analytics or tracking cookies that could identify individuals or are used for detailed analytics purposes may not qualify as exempt.
Specific exemption – audience measurement
CNIL also considers certain audience measurement cookies exempt from consent if they meet the following requirements:
- Used solely for measuring site performance (page-by-page) without linking back to individuals.
- Used to aggregate data such as page load times, time spent on pages and scroll depth.
- Statistics collected should be anonymous, for internal use only, stored independently for each website owner and not shared with third parties.
- Cookies must have a lifespan of no more than 13 months, and collected data must be retained for no more than 25 months.
- The lifespan and retention periods are regularly reviewed to make sure they are limited to what is strictly necessary.
- Users are informed of the use of the exempt trackers (e.g., in your website privacy policy).
To maintain exemption status, these trackers:
- Must be used exclusively for audience measurement, including performance monitoring, technical optimisation, and content analysis.
- Must be independent and limited to individual publishers.
- Must not be used for cross-checking of the data with other processing.
- Must not allow tracking of users across different sites or applications.
- Cannot be used for any purpose beyond anonymous audience measurement.
Non-Exempt Trackers
Trackers that require user consent under CNIL guidelines include:
- Personalised or non-personalised advertising trackers.
- Social network sharing functionality.
- Trackers used for multiple purposes, especially those combining strictly necessary functions with advertising.
If Matomo is configured only to capture exempt metrics, you may be able to avoid a consent banner. However, any features extending beyond these exemptions require user consent.
When Consent is Required
For Ecommerce functions like shopping cart management and payment processing, necessary cookies may be used without consent. But if you plan to use Ecommerce analytics, which include tracking individual conversions, purchases, or any analytics that could link back to specific users or identify them, a consent banner is required. CNIL strictly prohibits using analytics tools in a manner that may identify individuals without prior consent.
To stay within the exemption guidelines:
- Do not use non-essential analytics features like User ID tracking, session recordings, heatmaps, Ecommerce analytics, or advertising conversions without consent. These features cannot be adjusted to be consent-free while remaining compliant with ePrivacy laws.
- Implement a cookie consent manager to capture consent if you need detailed Ecommerce analytics. A consent manager will ensure compliance, prompting users to approve the use of tracking cookies before you begin capturing these specific metrics.
If you choose to ask for consent and use the Ecommerce feature, you can enable the Anonymise Order ID function to limit the data processed.
Read more about CNIL with Consent: Tracking Ecommerce and other actions after consent is given.
Steps to Ensure Compliance with Matomo
Use Exempt Trackers for Essential Functions
Cookies for shopping carts, authentication, and audience measurement can be used without consent, provided they are configured to anonymise and limit data in accordance with CNIL standards.
Add Consent for Non-Exempt Features
For any features that go beyond CNIL’s consent exemptions (e.g., Ecommerce analytics), implement a consent manager to gain explicit user consent before collecting data.
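One way to apply this step, and the rule under "When Consent is Required", on the client side is shown below as an added example (not code from Matomo or from this guide). It forwards ordinary calls to the tracker queue at once and holds the Ecommerce calls until the consent manager reports an opt-in. The gate and its method names are hypothetical, `paq` stands in for `window._paq`, and the example assumes the remaining tracking is already configured as exempt audience measurement.

```javascript
// Added example (not Matomo's own code). `paq` stands in for window._paq;
// createEcommerceGate and its methods are hypothetical names.
const ECOMMERCE_CALLS = new Set([
  'addEcommerceItem', 'removeEcommerceItem', 'clearEcommerceCart',
  'setEcommerceView', 'trackEcommerceCartUpdate', 'trackEcommerceOrder',
]);

function createEcommerceGate(paq) {
  let consentGiven = false;
  let held = []; // Ecommerce calls waiting for the visitor's decision

  return {
    // Forward exempt calls at once; hold Ecommerce analytics until opt-in.
    push(call) {
      if (consentGiven || !ECOMMERCE_CALLS.has(call[0])) {
        paq.push(call);
        return 'sent';
      }
      held.push(call);
      return 'held';
    },
    // Wire to the consent manager's "accept" callback.
    grant() {
      consentGiven = true;
      held.forEach((call) => paq.push(call)); // original order is preserved
      held = [];
    },
    // Wire to "reject" or "withdraw": nothing that was held is ever sent.
    revoke() {
      consentGiven = false;
      held = [];
    },
    heldCount: () => held.length,
  };
}

// Constructed sample session: one page view, then a cart item and an order.
function demo() {
  const sent = []; // plays the role of window._paq
  const gate = createEcommerceGate(sent);
  gate.push(['trackPageView']);
  gate.push(['addEcommerceItem', 'SKU-001', 'Sample product', 'Sample category', 19.5, 2]);
  gate.push(['trackEcommerceOrder', 'ORDER-0001', 39.0]);
  const beforeConsent = sent.map((c) => c[0]);
  gate.grant();
  return { beforeConsent, afterConsent: sent.map((c) => c[0]) };
}
```

Route every tracking call on the shop pages through the gate rather than pushing to `_paq` directly, so that a missed call site cannot send order data before the visitor has opted in.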
Review and Audit Tracking Configurations
Ensure all tracking aligns with CNIL’s guidelines, limiting data retention and scope, and update practices as needed to stay compliant with any regulatory changes.
Disclaimer: The information provided above is for general informational purposes only and should not be considered legal advice. Please consult your legal team for specific advice and guidance tailored to your needs.