The GDPR, or General Data Protection Regulation, is a European law of 2016 aiming at framing the capture and use of personal data of Internet users. This regulation has, over the years, evolved leading to new specifications to be integrated on its site under penalty of sanction. Once again, the year 2020 (in October of this beautiful year to be precise) has also inherited its share of new constraints that you must have in place before March 31, 2021 or risk a call to order from the CNIL.
But what are these new rules and how to respond to them? What is their impact on your current business and tracking system?
New GDPR 2020/2021 measures: what is changing?
The panel of rules recently required by the CNIL have one main target: cookies.
What is a cookie/tracker?
It is a tracer, which, during an action performed by the user, is deposited.
The actions “tracked” are multiple, they go from the consultation of a page, to the opening of an application as to the opening of an email. Another important point, cookies are not limited by the device used. They will indeed be equally active on a computer, a cell phone or a tablet.
More information on cookies by the Cnil here.
You will have understood, the cookie is multiple and it is everywhere!
But then, what do these new ePrivacy directives change?
Tracking, cookies and ePrivacy, what are the new requirements of the CNIL?
Until now, the user was invited to accept the activation of his cookies and therefore the tracking of his actions.
Does this banner look familiar?
You may have come across it in another color, another font and maybe even the message was slightly different, but one thing is for sure whether as an advertiser or an internet user, this banner is your cross since 2018.
However, the new reform comes to put a kick in the ant-hill of user consent with 2 watchwords: clarity and simplicity.
Indeed, to counter targeted advertising increasingly intrusive, the Cnil wants to allow the user not to be tracked and no longer be the “product” at their expense ( as the famous saying goes “if it’s free …”). The CNIL wants this form to evolve and clearly offer to the user the management of cookies. For this, it requires at least 3 CTA: “Refuse all cookies”, “Accept all cookies”, “Manage my cookie settings” on this form.
A new generation of form is born:
However, this new version is worrying.
Indeed, many fear that with a banner shown in this way, the user will almost systematically choose to refuse all cookies and deprive advertising agencies and other analysis tools of certain precious data.
But then if the user refuses, what data will it still be possible to collect?
How to calculate my audience while respecting the new GDPR rules?
The CNIL is fully aware that the calculation of the audience and the data related to it are necessary for all website managers. That is why it authorizes some cookies to follow the user without his consent.
But which ones?
Which cookies do not need the user’s consent?
In order for a cookie to inexorably play the role of a tracker without consent, it must meet certain criteria.
It must :
- Only and exclusively serve to calculate statistical audience data (session, page view, time spent, bounce rate etc.) and that only on behalf of the publisher (i.e. no reuse of the data)
It must not :
- allow cross-referencing of the data and follow the user throughout his inter-site or inter-application journey
- offer the possibility to transmit data to a third party
In view of these criteria, I can already hear you breathe a sigh of relief, at least for those who are only concerned with the tracking of audiences necessary for the proper monitoring of their site.
However, there is a catch.
Indeed, if you think that today your analysis solution respects the stated conditions, it is not (yet) the opinion of the CNIL. Each case is being studied but no official “derogation” has yet been issued by the organization.
And Analytics in all this? Does its use go against the new requirements of the Cnil?
Is Google Analytics exempt from consent?
Spoiler alert: NO, at least not yet
Why? Because Analytics, like a long list of audience measurement tools, retrieves (and uses) the data collected for other purposes.
Is it possible to become more GDPR Friendly?
Among the requirements that the CNIL has in relation to its analysis tools, there are 2 axes on which you can act: the duration of data retention and the anonymization of these. To act in this sense, you will have to force some parameters (see the steps here).
Is it enough not to ask for an agreement on this tracking?
Even if you try to anonymize the collected data (with a tag in the gtag or by truncating the IP addresses for example), personal data are still collected.
So, today you can act on your Analytics tool to make your data collection more in accordance with the new GDPR rules (data saving time, anonymization). However, today this is not enough to do without the user’s consent. The upgrades to the standards are essentially expected from the tools themselves. And even if talks have already started between the CNIL and the different actors, few are those who fill (today) all the boxes.
But then, what impacts are expected on the monitoring of my traffic?
What impacts of the new GDPR on my traffic monitoring are to be expected?
In prevention of the sanctions announced by the Cnil, some sites have put in advance the new banner requested. We have therefore been able to see the effect of this on the performance of the website. On average, the drop in traffic is between 20% and 40% on Analytics. A significant part that greatly penalizes the monitoring of your site and its performance.
What solutions to continue to monitor the performance of my site despite the new requirements?
If Analytics does not (yet) allow you to follow your web traffic without worrying, other solutions exist.
Alternative performance tracking tools to replace Analytics
Analytics has long been the main platform for analyzing the performance of your website, but new entrants have arrived on the market. Advocating anonymized data and committing to a use of data strictly reserved to the editor, these challengers have quickly made their place. Indeed, sensitized by the first GDPR reform, some companies have turned to these alternative tools. Among these performance monitoring tools, two names come up often: AT Internet and Matomo. But what about today?
For the moment, it is AT Internet which wins the race for certification! Indeed, it recently announced that the Cnil had confirmed that their solution could continue to offer an exemption from the collection of consent.
In their line, many say that it is only a matter of time before Matomo also wins.
But tracking tools aren’t the only solution to this problem! There are other ways to find your performance information.
Using logs to track your web traffic
Unlike Analytics or other performance tracking tools, data science tools like Oncrawl are not affected by this new cookie reform. They will continue to faithfully transmit the technical data of your site.
But not only that!
Indeed, thanks to the log study option that these tools can offer you, you will continue to be able to accurately track your traffic by studying the “hits” of each page. Moreover, thanks to the proposed segmentation, these data can be qualified in an optimal way and without sampling contrary to what Google Search Console can propose for example.
In short, the new requirements of the CNIL concerning the use of your cookies can have an impact on your ability to track your web traffic. However, there are solutions depending on your current situation.
Do you track your SEO traffic on Analytics?
State of play: Today the CNIL does not allow the recovery of performance data without user consent. A decrease of 20% to 40% of your traffic is therefore to be expected.
Solution 1: Implement GDPR Friendly adjustments and wait for Google Analytics to obtain the Cnil’s favor.
Solution 2: Change your performance calculation tool for a Cnil-approved player
Solution 3: Use the tracking of your logs to not lose the real traffic of your site
Are you tracking your traffic with a Cnil certified tool?
Here’s the situation: You don’t need to worry about it. Indeed, even if the user refuses the cookies, those that allow to track the performance of your site are exempt from consent. So you can track performance without limits!
You don’t track your traffic (yet)?
State of play: It’s time to get started!
The monitoring of a site is essential for an effective web strategy.
Solution: Make your choice among the solutions mentioned above