As you may have noticed, the CNIL has struck hard against companies using Google Analytics ("...or any other similar solution...")1. It is in line with the decisions of the Austrian administration that prohibit the use of Google Analytics, at least in its current form. What is it about? How does a CNIL inspection work? And how to deal with it? We tell you everything!
CNIL control: what is it about?
The National Commission for Information Technology and Civil Liberties - known as the CNIL - is a body responsible for regulating the use of personal data. Its role is to ensure the compliance of companies and the respect of private information of individuals.
To this end, the CNIL has "the power to carry out checks on all organizations that process personal data "2 and are located in France. Three nationally known brands have been accused of not respecting privacy and not protecting user data.
The GDPR as a support to the CNIL control
The CNIL will issue a formal notice to site managers to ensure compliance with the General Data Protection Regulation (or GDPR). Companies must stop using the Universal Analytics feature (Google Analytics 3).
This should remind us of 4 fundamental points:
- The GDPR does not only include processes and organizational methods that are the responsibility of the legal department! It also allows to check the respect of the rules with the organizations in charge of the data processing or management (hosting, maintenance, tracking...). Today, the focus is on the technological environments of the web: regulatory bodies will be able to easily identify infringements there.
- Cookies are the tree that hides the forest! The subject represents barely 20% of the problem of compliance in web environments. In this case, it is indeed a tracking technology (the GA tag) that is targeted... According to the CNIL, it is essential to validly collect the consent of users before depositing or reading cookies.
- The Consent Management Platform (also known as CMP) is not an GDPR compliance solution in that it does not protect against infringements. If it allows to collect quickly and efficiently the users' consent , taking refuge behind the CMP argument is no longer audible by the regulatory bodies that warn about the need to perform regular audits.
- The RGPD does not only apply in France. Thus, if a company escapes the control of the CNIL, this does not mean that it will be spared in the 27 other member countries of the European Union (nor in several other countries that are not members but adhere to the GDPR).
Before, during, after: what happens during a CNIL inspection?
On-site inspection, online inspection, inspection of documents, or a hearing on request, the CNIL chairman may ask the person in charge to carry out different types of inspections. In the case of a summonsed hearing, the person being heard must be informed of the inspection at least 8 days before the date set.
The organization in question may also be responsible for communicating several pieces of information relating to data processing: tools used, management, general organization, etc.
The purpose of an audit may be to verify the compliance of processing operations with the Data Protection Act and the RGPD. Within the framework of this control, the agents are in charge ofanalyzing and keeping the technical and legalinformation transmitted. They may also question company personnel who may have more information on the compliance of data processing.
"A report is drawn up at the end of the inspection and records all the information gathered by the delegation and the findings it has made. It lists in an annex all the documents that were copied during the inspection. "3
The CNIL will take back the established report and examine all the documents provided. According to these analyses, different actions can be implemented: closing the procedure (if nothing to report), closing and observations (if some improvements are to be made), formal notice for compliance, implementation of sanctions...
How can Data On Duty solutions help you?
Our Privacy Manager solution saves you valuable time in identifying, correcting and maintaining your web ecosystems to 100% compliance with the GDPR spectrum.
It relieves you of the tedious work of auditing and analysis, automating to the maximum and alerting you to everything that goes right, what goes wrong. But also on why and how to correct it on your Web ecosystem.
Visitor Trust Index
We will also help you by producing the Visitor Trust Index for you to publish on your sites, as a trusted third party label.
You can reassure your visitors, restore trust and engage them to give their consent more willingly: up to +32% according to our studies.
Finally, with the Governance Manager solution, you will be able to optimize tracking compliance with your business challenges. And thus, take advantage of the renewed consent.
Thanks to the monitoring of your sites, you will be able to maintain compliance over time, display an index of excellence on your home pages and thus strengthen the confidence of your consumers. Don't wait any longer and optimize your tracking to have reliable conversion data. The entire Data On Duty team is at your disposal to help you secure your GDPR compliance.
1 Source: CNIL
2 Source: How does a CNIL inspection work?
3 Source: How does a CNIL inspection work?