Skip to main
← Legal index

Cookies & CNIL exemption

Last updated : 2026-05-06

1. Cookies set by the Walityk tag

The JavaScript tag loaded on the client’s site may set three first-party cookies, all technical:

  • _tft_uid — persistent pseudonymous identifier, HMAC-signed, 13-month lifetime. Provides identity continuity across sessions.
  • _tft_sid — session identifier, 30-minute lifetime. Groups events from the same visit.
  • _tft_consent — encodes the Consent Mode v2 state (4 characters g/d). Required to honour the user’s choice without re-asking on every page.

None of these cookies contains plaintext PII. No third-party cookie is set.

2. CNIL exemption mode — when no banner is required

The tag can run in exempted mode as long as the configuration fully complies with the CNIL guidelines on audience measurement cookies (decision of 17 March 2022, as updated). In exempted mode:

  • The purpose is strictly limited to audience measurement of the client’s site (anonymous statistics, A/B testing, performance optimisation).
  • No data is cross-referenced with other processing or shared with third parties (the GA4/Meta/Ads/TikTok marketing destinations are disabled, or only send events for which analytics_storage is consented).
  • The IP address is truncated then hashed, never stored in plaintext.
  • Pseudonymous identifiers have a maximum lifetime of 13 months.
  • Raw data is retained for a maximum of 25 months.
  • The end user has a simple objection mechanism (link in the client’s privacy policy).

As soon as the client enables at least one advertising destination (Meta CAPI, Google Ads, TikTok Events, or GA4 with Google signals enabled), explicit consent is required before conversions are sent, in accordance with the ePrivacy Directive and the GDPR.

Walityk honours this requirement via Google’s Consent Mode v2: events are collected but transmitted without advertising data (or not at all) until consent is granted. Integration with a certified CMP (Cookiebot, OneTrust, Axeptio, Didomi, etc.) is documented in the installation guide.

4. User choice

The consent state applied on the tag side:

  • Denial / no response → exempted mode where the configuration allows it, otherwise no transmission to advertising destinations.
  • Explicit consent → all flows enabled by the client are triggered, within the limits of their respective settings (for example, disabling a specific destination).

5. Deleting cookies

The user can delete cookies at any time from their browser settings. The client’s /dashboard page exposes a “Reset my Walityk identifier” button that invalidates the _tft_uid cookie (upcoming, Lot 9).