CNIL Compliance for Ecommerce Tracking

If your use of Matomo Analytics qualifies for the CNIL exemption, you can collect certain types of data without needing user consent, provided specific configuration conditions are met. These include disabling features like Ecommerce tracking.

However, CNIL-compliant users may want to implement Ecommerce tracking to analyse shopping cart interactions, transactions, checkouts, and conversions while complying with CNIL rules relating to cookies and other trackers.

This guide explains when consent is required and when it may be exempt for certain Ecommerce functions, so you can ensure you stay compliant with CNIL regulations.

CNIL outlines explicit conditions under which cookies and trackers are exempt from consent. These exempt cookies are generally considered “strictly necessary” for the functioning of the site or application and do not require user consent if used appropriately.

General exemption

For a tracker to be exempt from consent, all exemption conditions must be met. If any requirement is not met, such as adding other non-exempt cookies, tracking or identifying individuals, sharing data, or using strictly necessary cookies for secondary purposes then prior consent is required.

CNIL considers the following types of trackers exempt:

  • Trackers that store users’ cookie preferences.
  • Authentication trackers (including those for security measures).
  • Trackers for shopping cart contents or billing in Ecommerce sites.
  • Trackers that personalise the user interface (e.g., language choice).
  • Load balancing trackers that improve site stability.
  • Trackers limiting free access to paid content on a website.

For Ecommerce purposes, cookies that store shopping cart contents or assist with payment processing are also exempt from consent. However, analytics or tracking cookies that could identify individuals or are used for detailed analytics purposes may not qualify as exempt.

Specific exemption – audience measurement

CNIL also considers certain audience measurement cookies as also exempt from consent, if they meet the following requirements:

  • Used solely for measuring site performance (page-by-page) without linking back to individuals.
  • Used to aggregate data such as page load times, time spent on pages and scroll depth.
  • Statistics collected should be anonymous, for internal use only, stored independently for each website owner and not shared with third parties.
  • Data storage and collection must be limited to a 13-month lifespan for cookies, and collected data retained for no more than 25 months.
  • The lifespan and retention periods are regularly reviewed to make sure they are limited to what is strictly necessary.
  • Users are informed of the use of the exempt trackers (e.g., in your website privacy policy).

To maintain exemption status, these trackers:

  • Must be used exclusively for audience measurement, including performance monitoring, technical optimisation, and content analysis.
  • Must be independent and limited to individual publishers.
  • Must not be used for cross-checking of the data with other processing.
  • Must not allow tracking of users across different sites or applications.
  • Cannot be used for any purpose beyond anonymous audience measurement.

Non-Exempt Trackers

Trackers that require user consent under CNIL guidelines include:

  • Personalised or non-personalised advertising trackers.
  • Social network sharing functionality.
  • Trackers used for multiple purposes, especially those combining strictly necessary functions with advertising.

If Matomo is configured only to capture exempt metrics, you may be able to avoid a consent banner. However, any features extending beyond these exemptions require user consent.

For Ecommerce functions like shopping cart management and payment processing, necessary cookies may be used without consent. But if you plan to use Ecommerce analytics, which include tracking individual conversions, purchases, or any analytics that could link back to specific users or identify them, a consent banner is required. CNIL strictly prohibits using analytics tools in a manner that may identify individuals without prior consent.

To stay within the exemption guidelines:

  • Do not use non-essential analytics features like User ID tracking, session recordings, heatmaps, Ecommerce analytics, or advertising conversions without consent. These features cannot be adjusted to be consent-free while remaining compliant with ePrivacy laws.
  • Implement a cookie consent manager to capture consent if you need detailed Ecommerce analytics. A consent manager will ensure compliance, prompting users to approve the use of tracking cookies before you begin capturing these specific metrics.

If you choose to ask for consent and use Ecommerce function, you can enable the Anonymise Order ID function to limit data processed.

Read more about CNIL with Consent: Tracking Ecommerce and other actions after consent is given.

Steps to Ensure Compliance with Matomo

Use Exempt Trackers for Essential Functions

Cookies for shopping carts, authentication, and audience measurement can be used without consent, provided they are configured to anonymise and limit data in accordance with CNIL standards.

For any features that go beyond CNIL’s consent exemptions (e.g., Ecommerce analytics), implement a consent manager to gain explicit user consent before collecting data.

Review and Audit Tracking Configurations

Ensure all tracking aligns with CNIL’s guidelines, limiting data retention and scope, and update practices as needed to stay compliant with any regulatory changes.

Disclaimer: The information provided above is for general informational purposes only and should not be considered legal advice. Please consult your legal team for specific advice and guidance tailored to your needs.

Previous FAQ: How do I configure Matomo without tracking consent for French visitors (CNIL exemption)?