CNIL Self Assessment Tool ENG

Note: Marfeel’s solution is designed to comply with GDPR and CNIL requirements and, when implemented in its standard configuration, operates in compliance with those frameworks. The CNIL consent-exempt configuration described here is an optional implementation mode that may be enabled where the solution is configured strictly in accordance with the exemption criteria established by the CNIL. Clients should be aware that if they choose to operate the solution exclusively under a consent-exempt configuration, certain functionalities will necessarily be restricted due to the regulatory limitations applicable to such configuration. Clients wishing to implement this configuration should liaise with their Account Manager in advance to fully understand the resulting reduction in available functionalities.

1. Who is this self-assessment tool for?

The elements below allow the provider of the audience measurement solution to analyze whether it can be configured in a way that qualifies for the consent exemption.

Once this analysis has been completed, the provider is invited to give their prospects a document certifying compliance with the defined conditions, as well as, if applicable, the actions to be taken to properly configure the solution. A template document is provided in the annex.

2. Scope of the Self-Assessment Tool

This tool is solely intended to assess whether an audience measurement solution can be implemented without prior consent. It is not intended to evaluate the overall compliance of the solution with the applicable legal framework.

3. Objectives Pursued by Implementing Audience Measurement

The solution covered by this analysis framework must only concern the measurement of a website’s or application’s audience.

The permitted functionalities include:

  • performance measurement;
  • detection of navigation issues;
  • optimization of technical performance or user interface;
  • estimation of the required server capacity;
  • analysis of the content viewed.

If the solution allows data processing for other purposes, these must be disabled by default, including but not limited to:

  • any marketing-related measurement, such as measuring the performance of conversion channels, advertising campaigns, acquisition channels, or combating advertising fraud, etc.;
  • any creation of user cohorts for the purpose of delivering differentiated content, whether cohort membership is determined randomly or based on previously collected information.

If a functionality is difficult to analyze, the key question to ask is whether the absence of the proposed measurement would prevent the website from responding to the user’s explicit request (noting that economic necessity does not fall within the scope of what is considered “strictly necessary”).

Beyond the provider’s commitment to enabling the configuration of their tool to meet the objective, the CNIL encourages them to reiterate these principles and to include the methodology for disabling non-compliant features in the document made available to their prospects.

4. Implementation Criteria for Audience Measurement

In order to determine that the audience measurement tool falls within the scope of the self-assessment tool, it must be configurable to comply with all the criteria outlined in the table below.

When the table specifies a particular technical measure, it reflects a recommendation from the CNIL. The provider may demonstrate that an alternative measure effectively meets the same objective. In such cases, it is recommended that the provider clearly state and justify this in the documentation provided to potential clients, making it clear that the approach deviates from the CNIL’s recommended measures.

| Objective | Criteria | Technical Measure |
| --- | --- | --- |
| The sole purpose for which the tool is used is the measurement of the website’s or application’s audience. | The provider makes available instructions to disable any functionality that falls outside the defined scope. | N/A |
| The data collected is minimized in relation to the purpose of audience measurement pursued. | If data from HTTP header fields (such as browser version, operating system, hardware, screen size) is collected, it must be minimized (e.g., only the major version of the operating system or browser). | |
| | The solution collects no more than three types of events: (1) The mere presence of a person on a page and the information associated with that page (name, type, etc.); (2) The use by that person of a feature (e.g., button click, link click) and the associated information (destination, label, etc.); (3) Statistics related to load time, scrolling behavior, or time spent on a page. | |
| The provider offers the service under a subcontracting arrangement. | The provider makes available a standard Data Processing Agreement (DPA) that includes the mandatory provisions listed in Article 28 of the GDPR and qualifies the provider as a processor. | N/A |
| | The provider does not pool raw audience measurement data from multiple clients. | N/A |
| | The provider does not reuse the data for its own purposes, regardless of the intended objective (e.g., service improvement, fraud prevention, etc.). | N/A |
| | The provider, acting as a processor, makes a point of contact available to receive and handle questions and complaints from prospects in order to clarify any doubts regarding compliance. | N/A |
| The tool does not allow tracking of the person outside the targeted site or application. | No identifier enabling tracking across multiple domains is used. | • If the identifier used is a cookie, it is placed internally (or “first-party”) in order to prevent global tracking of browsing activity. • If the IP address is used, it allows localization at the city level, then is pseudonymized by removing at least the last octet. • Any measure aimed at generating an identifier using the characteristics of the device (digital fingerprinting) includes a component specific to the site in the hash calculation (for example, the domain currently being visited) to prevent tracking across multiple domains (“cross-site”), as well as a time component (to ensure that the fingerprint has a limited lifespan). • Any tagging that allows the collection of personal information (for example, through forms) is prohibited. |
| | Any feature aimed at cross-referencing, deduplicating, or measuring a unified “reach” rate of content is prohibited. | Deactivation of tools related to measuring the “reach” rate. |
| The data is used solely to produce anonymous statistical data. | Both for the visualization provided in the tool’s interface and during export, all reports generated by the solution contain only anonymous statistics. | Aggregation and presentation to the nearest ten. Failing that, an analysis is conducted to justify the anonymous nature of the data (see the G29 opinion on the subject). |
| | Anonymization is effective regardless of the selection criteria chosen by the client of the solution (a combination of criteria must not allow a user to be isolated). | |
| | No tracking of a single user’s browsing is possible. | Deactivation of all features of the session replay type. |
| The right of individuals to object is respected. | A means of objection is implemented insofar as there is processing of personal data within the meaning of the GDPR. | Objection available in the form of a button or clickable link within the privacy policy of the visited website or application. |
| | Sufficient means are implemented to take the refusal into account over time. | Proceed with the placement of an objection cookie, or with the measurement and the addition, to a suppression list, of a digital fingerprint (or ‘fingerprinting’). |

Appendix 5: self-assessment document template

According to our self-assessment, the Marfeel Analytics solution is compliant with the criteria established by the CNIL, and may be implemented without obtaining users’ consent, provided it is configured correctly. For this purpose, it must be configured in the manner described in this document.

Specifically, this solution is strictly limited to:

  • measuring performance;
  • detecting browsing issues;
  • optimising technical performance or ergonomics;
  • estimating the required server capacity;
  • analysing the content viewed.

Expressly excluding any processing for marketing purposes, including but not limited to:

  • measuring the performance of conversion channels, the performance of advertising campaigns, the measurement of acquisition channels, combating advertising fraud, etc.;
  • any creation of user cohorts for the purpose of presenting differentiated content, whether membership in such a cohort is defined randomly or based on previously collected information.

All of the criteria set out below are met if the configuration is correctly implemented. For each criterion, where an action is required on the part of the website publisher, this is indicated in the “action to be taken” column. If the publisher does not implement the measure in question, the solution may no longer qualify for the exemption from obtaining consent.

This assessment is solely intended to determine whether an audience measurement solution may be implemented without prior consent, and is not intended to assess the overall compliance of the solution with the applicable legal framework.

| Objective | Criterion | Technical measure | Criterion met | Action to be taken |
| --- | --- | --- | --- | --- |
| The sole purpose for which the tool is used is to measure the audience of the website or application. | The provider makes available instructions to disable any functionality that falls outside the defined scope. | N/A | Yes | |
| The data collected is minimised in relation to the intended purpose of audience measurement. | If data from HTTP header fields (“headers”) is collected (browser version, operating system, hardware, screen size), such data is minimised (e.g., major version of the operating system/browser only). | | | |
| | The solution collects at most three types of events: (1) The mere presence of a person on a page and the information associated with that page (name, type, etc.); (2) The use by that person of a feature (button click, link click) and the associated information (destination, label, etc.); (3) Statistics on loading time, scrolling, or time spent on a page. | | | |
| The provider offers the service under a subcontracting arrangement. | The provider makes available a standard data processing agreement (DPA) that includes the mandatory clauses listed in Article 28 of the GDPR and qualifies it as a processor. | N/A | | |
| | No pooling by the provider of raw audience measurement data originating from several of its clients is carried out. | N/A | | |
| | No reuse of the data for the provider’s own purposes, whatever the purpose (service improvement, fraud prevention, etc.), is carried out. | N/A | | |
| | The provider, as a processor, makes available a contact point to receive and handle questions and complaints from their prospects in order to clarify any doubts regarding compliance. | N/A | | |
| The tool does not allow tracking of the person outside the targeted website or application. | No import of external data is possible. | • Deactivation of any collection or import of client identifiers (or “CRM”), UTM parameters, or campaign identifiers in URLs. • The referrer, if collected, is limited to the domain (“host”). • Any integration with third-party tools is excluded. | | |
| | No identifier enabling tracking across multiple domains is used. | • If the identifier used is a cookie, it is placed internally (or “first-party”) to prevent global tracking of browsing activity. • If the IP address is used, it allows location at the city level only, and is then pseudonymised by removing at least the last octet. • Any measurement aimed at generating an identifier using device characteristics (digital fingerprinting or “fingerprinting”) incorporates a site-specific component during the hash calculation (for example, the domain being visited) to prevent tracking across multiple domains (“cross-site”), as well as a time-based component (ensuring that the fingerprint has a limited lifespan). • Any tagging that enables the retrieval of personal information (for example, via forms) is excluded. | | |
| | Any functionality aimed at matching, deduplicating, or measuring a unified coverage rate (“reach”) of content is excluded. | Deactivation of tools related to measuring coverage rate (“reach”). | | |
| The data is used solely to produce anonymous statistical data. | Both for the visualisation made available in the tool’s interface and during export, all reports generated by the solution contain only anonymous statistics. | Aggregation and presentation to the nearest ten. Failing that, an analysis is carried out to justify the anonymous nature of the data (see the opinion of the Article 29 Working Party on the subject). | | |
| | Anonymisation is effective regardless of the selection criteria chosen by the client of the solution (a combination of criteria must not make it possible to isolate a user). | | | |
| | No tracking of an individual user’s browsing is possible. | Deactivation of all functionalities of the session replay type. | | |
| The right of individuals to object is respected. | A means of objection is implemented insofar as there is processing of personal data within the meaning of the GDPR. | Objection available in the form of a button or clickable link within the privacy policy of the visited website or application. | | |
| | Sufficient means are implemented to take the refusal into account over time. | Proceed with the placement of an objection cookie or with the measurement and addition to a blocklist of a digital fingerprint (or ‘fingerprinting’). | | |
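
The technical measures named in the two criteria tables (major-version-only header data, referrer limited to the host, last-octet IP truncation, a site- and time-scoped fingerprint, presentation to the nearest ten) are sketched below in Python as an added example; it is not Marfeel's or the CNIL's code. The function names, the sample hit, the /48 cut for IPv6 and the one-day fingerprint lifespan are assumptions.

```python
import hashlib
import ipaddress
import re
from datetime import date
from urllib.parse import urlsplit

def pseudonymize_ip(ip: str) -> str:
    """Drop the last octet of an IPv4 address (the minimum the table asks for).
    Assumption: IPv6 is cut to a /48 prefix; the page only speaks of octets."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def major_version(version: str) -> str:
    """Keep only the major version of a browser or OS version string."""
    m = re.match(r"\d+", version.strip())
    return m.group(0) if m else ""

def referrer_host(referrer: str) -> str:
    """Reduce a referrer URL to its host, dropping path, query and UTM tags."""
    return urlsplit(referrer).hostname or ""

def scoped_fingerprint(traits: dict, site: str, day: date) -> str:
    """Hash minimized device traits with the visited domain and the date, so
    the value differs per site and stops matching when the date changes.
    Assumption: one-day lifespan; the page only requires a limited one."""
    material = "|".join([site.lower(), day.isoformat()]
                        + [f"{k}={traits[k]}" for k in sorted(traits)])
    return hashlib.sha256(material.encode()).hexdigest()

def round_to_ten(count: int) -> int:
    """Present an aggregate to the nearest ten (halves round up)."""
    return ((count + 5) // 10) * 10

# Constructed sample hit, not real traffic.
RAW_HIT = {"ip": "203.0.113.77", "browser_version": "126.0.6478.127",
           "os_version": "14.5.1", "referrer": "https://news.example/a?utm_source=x"}

def minimize_hit(raw: dict, site: str, day: date) -> dict:
    """Apply every measure above before the hit is stored."""
    traits = {"browser": major_version(raw["browser_version"]),
              "os": major_version(raw["os_version"])}
    return {"ip": pseudonymize_ip(raw["ip"]),
            "referrer": referrer_host(raw.get("referrer", "")),
            "visitor": scoped_fingerprint(traits, site, day),
            **traits}
```

The same device yields unrelated `visitor` values on two different domains or on two different days, which is what prevents cross-site linking and bounds the identifier's lifetime.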