# CNIL (Commission Nationale de l'Informatique et des Libertés)

Created in 1978, the CNIL is the French Data Protection Authority (DPA). It ensures that computing does not infringe human identity, privacy and rights. The French DPA notably supports professionals in their compliance process and helps private individuals know and exercise their rights.

The CNIL audits, sanctions, protects and supports organisations and individuals in their compliance.

* [Compliance to GDPR and to the CNIL and the EDPB recommendations](#compliance-to-gdpr-and-to-the-cnil-and-the-edpb-recommendations)
* [Didomi SDK compliance (CNIL Recommendation)](#didomi-sdk-compliance-cnil-recommendation)
* [Trackers exempt from consent (CNIL)](#trackers-exempt-from-consent-cnil)

***

### Compliance to GDPR and to the CNIL and the EDPB recommendations

A CMP (Consent Management Platform) is a platform that collects user consent for personal data processing. A CMP registers, stores and restores consent and transmits it to multiple vendors when necessary. It makes the user experience smoother and consent collection easier.

Nevertheless, Armand Heslot (Privacy & Security Expert at the CNIL) recently reminded, during an interview for mind Media, that using a CMP does not necessarily mean that you are compliant with the GDPR, nor that the consent you obtain is valid.

**What are the different conditions to meet to be compliant when you are collecting user consent thanks to a CMP?**\
First, the data protection authority states that the wording you use must be clear and intelligible, written in simple language so that users understand clearly what they are consenting to.

Processing purposes must be clear and written on the first page of the banner. The buttons "I agree", "I disagree" and "I refine my preferences", which allow the user to consent or refuse globally, can be visible on the first page, but they must appear after the detailed list of purposes. On the second page, you can ask for consent for each purpose; be careful, though: opt-out boxes are accepted neither by the CNIL nor by the EDPB. The French data protection authority is very clear on the subject in the Vectaury formal notice: *"When all the purposes of the collection are notified with opt-out boxes, we cannot consider that the user is consenting to anything. Indeed, their action is required to refuse the processing, by unchecking the boxes corresponding to each purpose."*

In addition, the names of the data controllers must appear on the first page of the banner, so that users give consent knowing the identity of the companies collecting their data.

Furthermore, the text must not suggest that disagreeing will prevent the user from accessing the website or will require a payment to access it.

**Particular matter with processing geolocation data**

**When you collect geolocation data, you must ask the user for a specific consent.** The CNIL reminds in its formal notice that the EDPB requires consent to be specific, which a global acceptance by a user who is not aware of multiple processing operations or multiple purposes does not satisfy. Mobile application users do not specifically consent to the processing of geolocation data for profiling and advertising targeting.

**Is collecting consent through scroll or click valid ?**

**Collecting consent through scrolling or clicking is no longer accepted by the CNIL as a positive act from the user.** The EDPB states that scrolling is not a positive action and cannot be considered as consent.

**Can analytics cookies be considered as essential ones ?**

Be careful: audience measurement cookies such as Google Analytics are not considered essential unless they meet the conditions set out by the CNIL: <https://www.cnil.fr/fr/solutions-pour-les-cookies-de-mesure-daudience>.

Currently, only two solutions are recognised by the CNIL as meeting these conditions: AT Internet (Xiti) and Matomo. Otherwise, you must ask for the user's consent before dropping such a cookie on their device.

Remember to give the user the possibility to revisit their consent status or change their settings, via a link at the bottom of your page or in your privacy policy.

The "agree" and "disagree" buttons must have the same size and neutral colours.

Analytics cookies cannot last more than 13 months. Information collected by cookies can be stored for a maximum of 25 months. You must ask for the user's consent again after this period. Google Analytics cookies sometimes have a lifespan of 24 months by default; you must then reduce this lifespan. Here is a guide:

📰 <https://developers.google.com/analytics/devguides/collection/analyticsjs/cookies-user-id#cookie_expiration>.
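As an added example, not code from the Didomi page nor from Google's analytics.js documentation, the following JavaScript computes a lifetime within the CNIL's 13-month cap and passes it to `ga('create', ...)` through the analytics.js `cookieExpires` field (in seconds). It also sets `cookieUpdate: false`, which stops analytics.js from re-issuing the cookie with a fresh expiry on every page load, so the lifetime is not extended silently by new visits. The property ID, the function names and the 30-day month used for the computation are assumptions of this example.

```javascript
// Added example, not code from the Didomi page or from Google's analytics.js
// documentation. It builds the field object passed to ga('create', ...) so that
// the Google Analytics client-id cookie respects the CNIL's 13-month cap.
// The property ID below is a placeholder.

const SECONDS_PER_DAY = 24 * 60 * 60;

// CNIL ceiling for audience-measurement trackers: 13 months. A 30-day month is
// used so the computed value is never longer than 13 calendar months.
const CNIL_MAX_TRACKER_MONTHS = 13;

function monthsToSeconds(months) {
  return months * 30 * SECONDS_PER_DAY;
}

const CNIL_MAX_TRACKER_SECONDS = monthsToSeconds(CNIL_MAX_TRACKER_MONTHS); // 33696000

// True when a cookie lifetime (in seconds) is positive and within the cap.
function isCompliantLifetime(seconds) {
  return Number.isFinite(seconds) && seconds > 0 && seconds <= CNIL_MAX_TRACKER_SECONDS;
}

// Returns the analytics.js create-fields for a requested lifetime, clamping
// anything above the cap (such as the 24-month default the page mentions).
// cookieUpdate: false keeps analytics.js from refreshing the expiry on each
// page load, so the lifetime is not extended by later visits.
function gaCreateFields(requestedSeconds) {
  const cookieExpires = isCompliantLifetime(requestedSeconds)
    ? requestedSeconds
    : CNIL_MAX_TRACKER_SECONDS;
  return { cookieExpires, cookieUpdate: false };
}

// Browser usage, once the visitor has consented to audience measurement. The
// consent decision itself comes from the CMP and is passed in as a boolean.
// Returns the fields applied, or null when nothing was created.
function createTrackerIfConsented(consentGiven, requestedSeconds) {
  if (!consentGiven || typeof window === 'undefined' || typeof window.ga !== 'function') {
    return null;
  }
  const fields = gaCreateFields(requestedSeconds);
  window.ga('create', 'UA-XXXXXX-Y', 'auto', fields); // placeholder property ID
  return fields;
}
```

In a page, call `createTrackerIfConsented(cmpSaysYes, monthsToSeconds(13))` from the CMP's consent callback; the clamp in `gaCreateFields` means a misconfigured 24-month value still ends up at 13 months.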

**Topics you should pay attention to when configuring a CMP**

* For consent to be valid, the user must know the purpose of the data processing, the identity of the data controller and the data collected.
* The wording used to inform the user must be clear and intelligible, written in simple language so that users understand clearly what they are consenting to.
* The buttons "I agree", "I disagree" and "I define my preferences", which allow the user to consent or refuse globally, can be visible on the first page, but they must appear after the detailed list of purposes.
* The text must not suggest that disagreeing will prevent the user from accessing the website or will require a payment to access it.
* When you collect geolocation data, you must ask the user for a specific consent.
* Collecting consent through scrolling or clicking is no longer accepted by the CNIL, as it is not a positive act from the user.
* Remember to give the user the possibility to revisit their consent status or change their settings, via a link at the bottom of your page or in your privacy policy.
* The lifespan of user consent for cookies is 6 months. Analytics cookies cannot last more than 13 months. Information collected by cookies can be stored for a maximum of 25 months. You must ask for the user's consent again after this period. Google Analytics cookies sometimes have a lifespan of 24 months by default; you must ask for the user's consent again after this duration.
* Google Analytics cookies are not considered essential unless they meet the conditions set out by the CNIL: <https://www.cnil.fr/fr/solutions-pour-les-cookies-de-mesure-daudience>

⚠️ **This can be different depending on the country: feel free to check out our article about** [**Legal peculiarities on consent in different countries**](/consent-management-platform-cmp/frameworks-regulations/general-data-protection-regulation-gdpr.md#legal-peculiarities-on-consent-in-different-countries)**.**

### Didomi SDK compliance (CNIL Recommendation)

In September 2024, the French Data Protection Authority (CNIL) published a dedicated set of recommendations for mobile applications. These guidelines highlight strict expectations in terms of **transparency**, **minimization of system permissions**, **documentation of processing operations**, and **proof of valid consent**.

They apply both to **app publishers** and **technical providers** like Didomi, acting as **data processors**.

As part of this regulatory framework, **Didomi provides proactive and structured documentation** to support its clients’ compliance efforts and to demonstrate the accountability of its mobile SDKs across all supported platforms (iOS, Android, hybrid frameworks).

#### **Why this page?**

As a data processor, Didomi is responsible for providing its clients — acting as data controllers — with clear, up-to-date, and complete documentation:

* describing the **processing operations carried out via the SDK** in mobile apps;
* clarifying the **legal qualification** of each processing activity;
* detailing the **contractual guarantees** included in the signed Data Processing Agreement (DPA).

> **Message from Didomi’s DPO:**
>
> *“This page is also designed to help your legal teams and Data Protection Officers (DPOs) meet their documentation obligations (Articles 30 and 28 of the GDPR), and to precisely identify the technical operations involved in the use of the Didomi CMP on mobile,” explains Sébastien Gantou.*

#### **Compliance: Didomi’s key measures**

Didomi aligns its practices with the CNIL’s expectations through robust technical and organizational safeguards:

* Full legal qualification of SDK processing operations, detailed in the ROPA
* A comprehensive inventory of SDK read/write operations (ROPO), as required under ePrivacy
* No use of mobile OS-level permissions by the SDK
* Modular feature design (consent collection, proof, export, analytics, etc.)
* No processing of sensitive personal data
* Full transparency on international data transfers and associated safeguards
* Documented security architecture (TLS, encryption, endpoint protection)
* Regular updates to the SDK documentation and proactive client notifications
* Access to historical consent proof at any time
* Procedures in place for incident handling and data breach notifications
* Continuously maintained and accessible public registers

#### **Transparency: available documents**

To help you evaluate and document your use of the Didomi SDK, we provide two publicly accessible registers:

[Record of Personal Data Processing Activities (ROPA)](https://business.didomi.io/hubfs/2025-02-14%20-%20ROPA%20RGPD%20-%20SDK%20\(EN\).pdf)

[Record of SDK Data Processing Operations (ROPO)](https://business.didomi.io/hubfs/2025-02-14%20-%20ROPO%20eprivacy%20-%20SDK%20\(EN\).pdf)

Both documents are structured according to CNIL expectations and updated upon any significant change.

### Trackers exempt from consent (CNIL)

The French Data Protection Authority (CNIL) allows a publisher not to ask for consent for some trackers.

These trackers that don't need consent are:

* Trackers needed to provide a service explicitly requested by the user
* Trackers measuring the audience of the site/app
* Trackers testing different versions (A/B testing) so that the publisher can optimise its editorial choices according to their performance

The French Data Protection Authority gave examples of cookies covered by the consent exemption.

Based on the practices the Commission has been informed of, these include:

* trackers keeping the choice expressed by the user about the deposit of trackers, or the user's wish not to express a choice;
* trackers intended for authentication to a service;
* trackers intended to store the content of a shopping basket on a commercial site;
* user interface personalisation trackers (for example, for the choice of the language or the presentation of a service), when such personalisation is an intrinsic part of the service expected by the user;
* trackers that balance the load across the equipment contributing to a communication service;
* trackers enabling paid-content sites to limit free access to their content to a preset period or quantity of content;
* audience measurement trackers, within the specific conditions of Article 5 of the guidelines on cookies and other trackers.

**⚠️ Be careful: for these last two categories (audience measurement trackers and A/B testing trackers), the French Data Protection Authority listed CUMULATIVE conditions, all of which must be met to benefit from this exemption.**

Here is the list of conditions that must be met to dispense with consent:

* they must be implemented by the publisher of the site or by its processor;
* the person must be informed of their implementation beforehand;
* the person must be able to object to them through an opposition mechanism that is easy to use on every terminal, operating system, app and web browser. No read or write operation may take place on the terminal from which the person objected;
* the purpose of the device must be limited to (i) measuring the audience of the content viewed, to evaluate the published content and the ergonomics of the site/app; (ii) segmenting the audience of the website into cohorts to evaluate the effectiveness of editorial choices, without this leading to the targeting of a single person; (iii) dynamic modification of a website as a whole. The personal data collected must not be matched or cross-checked with other processing operations (customer files or visit statistics of other websites, for example), nor forwarded to a third party. The use of these trackers must also be strictly limited to the production of anonymous statistics. Their scope must be limited to a single publisher or mobile app, and they must not allow a user's browsing to be followed across different apps or different websites;
* the use of the IP address to geolocate the user must not provide any information more precise than the city. The IP address collected must also be deleted or anonymised once the geolocation has been performed;
* the trackers used by these processing operations must not have a lifespan exceeding 13 months, and this lifespan must not be extended automatically on new visits. The information collected via these trackers must be kept for a maximum of twenty-five months.

The cookie can be dropped without consent only if it serves these purposes alone. If it also serves other purposes, it cannot be exempted from consent.
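The two lifetime conditions above (no more than 13 months, and no automatic extension on new visits) can be checked from the `Set-Cookie` headers an audience-measurement tracker actually sends. The JavaScript below is an added example, not code from the Didomi page or from the CNIL: it parses each observed `Set-Cookie` header, computes the absolute expiry (Max-Age takes precedence over Expires, as in RFC 6265) and reports which of the two conditions a sequence of visits violates. The cookie name, values and timestamps in `SAMPLE_OBSERVATIONS` are constructed for the example, and the 30-day month is an assumption.

```javascript
// Added example, not code from the Didomi page or from the CNIL. It audits
// Set-Cookie headers observed from an audience-measurement tracker against two
// of the cumulative exemption conditions: a lifetime of at most 13 months and
// no automatic extension of that lifetime on later visits.

const DAY_MS = 24 * 60 * 60 * 1000;
// 13 months measured as 13 x 30 days: always at or below 13 calendar months.
const MAX_TRACKER_LIFETIME_MS = 13 * 30 * DAY_MS;

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    if (part === '') continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Absolute expiry (ms since epoch) of a cookie set at setAtMs. Max-Age wins over
// Expires, as in RFC 6265; a session cookie (neither attribute) yields null.
function expiryOf(cookie, setAtMs) {
  if (cookie.attrs['max-age'] !== undefined) {
    return setAtMs + Number(cookie.attrs['max-age']) * 1000;
  }
  if (cookie.attrs.expires !== undefined) {
    return Date.parse(cookie.attrs.expires);
  }
  return null;
}

// Audit the successive Set-Cookie headers seen for one tracker cookie, in visit
// order. Returns the violated conditions; an empty array means both checks pass.
function auditTrackerCookie(observations) {
  const violations = new Set();
  let firstExpiry = null;
  for (const { header, setAtMs } of observations) {
    const cookie = parseSetCookie(header);
    const expiry = expiryOf(cookie, setAtMs);
    if (expiry === null) continue; // session cookie: nothing to measure
    if (expiry - setAtMs > MAX_TRACKER_LIFETIME_MS) {
      violations.add(`${cookie.name}: lifetime exceeds 13 months`);
    }
    if (firstExpiry === null) {
      firstExpiry = expiry;
    } else if (expiry > firstExpiry) {
      violations.add(`${cookie.name}: lifetime extended on a later visit`);
    }
  }
  return [...violations];
}

// Constructed sample: the same cookie re-sent 30 days after the first visit with
// a fresh 13-month Max-Age, i.e. a sliding expiry that the CNIL does not allow.
const FIRST_VISIT_MS = Date.UTC(2025, 0, 1);
const SAMPLE_OBSERVATIONS = [
  { header: 'audience_id=c0ffee; Max-Age=33696000; Path=/; SameSite=Lax', setAtMs: FIRST_VISIT_MS },
  { header: 'audience_id=c0ffee; Max-Age=33696000; Path=/; SameSite=Lax', setAtMs: FIRST_VISIT_MS + 30 * DAY_MS },
];

console.log(auditTrackerCookie(SAMPLE_OBSERVATIONS));
```

A cookie that passes this audit is set with an absolute `Expires` date that later visits repeat unchanged, or with a `Max-Age` that is only sent once; either way the expiry observed on the second visit is not later than the one observed on the first.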


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.didomi.io/consent-management-platform-cmp/frameworks-regulations/general-data-protection-regulation-gdpr/cnil-commission-nationale-de-linformatique-et-des-libertes.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
