Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
AT Internet XiTi, now part of Piano Analytics, is a French analytics platform with a CNIL aligned cookieless mode, used by European media and government sites.
AT Internet, founded in France in 1996 around the XiTi product, is now operated under the Piano Analytics brand following the acquisition by Piano in 2021. The platform is widely used by European media, government and large publishers thanks to its EU only infrastructure and a long history of CNIL alignment.
In the standard mode, AT Internet writes a first party visitor cookie (atuserid) and a session cookie used to compute visit metrics and journeys. In the CNIL aligned cookieless mode, no cookie is set; the tag computes a daily salted hash of the truncated IP and user agent, with the salt rotated daily, to deduplicate visits.
In cookieless mode the implementation matches the CNIL audience measurement exemption: no cookie, aggregated metrics only, short retention and IP truncation. The standard cookie based mode and any personalisation feature fall back to article 5(3) of the ePrivacy Directive and require prior consent.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Document AT Internet XiTi as a strictly necessary measurement tool when you stay in cookieless mode. If you switch to the cookie based mode for journey analysis, gate the tag in your CMP, set retention to thirteen months or less and configure granular categories for any optional add ons.
AT Internet hosts in France with EU only residency for European customers. There are no US sub processors in the analytics pipeline when the EU only configuration is selected, which keeps the deployment inside the EEA.
Sign the AT Internet (Piano) DPA, opt for cookieless mode, document the alignment with the CNIL exemption, gate any cookie based feature behind a CMP and review the data retention each year against the latest CNIL guidance.
Websites using AT Internet XiTi must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the cookieless audience measurement mode. It becomes appropriate when the operator activates personalisation, journey analysis on authenticated users, or cross site tracking that exceeds pure audience measurement.
Sample consent text
We use AT Internet XiTi (Piano Analytics) to measure traffic on this site. In its CNIL aligned cookieless mode, no consent is required and only aggregated audience data is stored in France. Any cookie based feature is gated by a separate consent banner.
Third-party domains contacted
atinternet.iopiano.ioxiti.comlogc412.xiti.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| atuserid | Analytics | 13 months | AT Internet first party visitor identifier set in the standard cookie based mode to compute returning visitors and journey metrics. |
| atauthority | Analytics | Session | Session cookie used by AT Internet to relate page views to a single visit in the standard mode. |
| attvtuserid | Analytics | 6 months | Optional video player visitor identifier set when the AT Internet video module is active. |
AT Internet XiTi collects user analytics data — you legally need a consent banner. Try FlowConsent free.
In standard mode AT Internet writes a first party visitor cookie atuserid and a session cookie. In the CNIL aligned cookieless mode no cookie is set and the tag relies on a daily salted hash of the truncated IP and user agent.
Not in the cookieless mode aligned with the CNIL exemption. The standard cookie based mode and any personalisation feature require prior opt in consent under article 5(3) of the ePrivacy Directive.
Legitimate interest under article 6(1)(f) GDPR for cookieless audience measurement that meets the CNIL exemption criteria. Consent is required for cookie based features and any add on that profiles users.
No when the EU only configuration is used. AT Internet hosts in France with EU residency and does not engage US sub processors for the analytics pipeline.
No for the cookieless mode. A DPIA becomes appropriate when personalisation, journey analysis on authenticated users or cross site tracking go beyond pure audience measurement.
Stay in the cookieless mode by default, document the legitimate interest basis aligned with the CNIL exemption, gate any cookie based feature behind a CMP and keep retention to thirteen months or less.
Other CNIL friendly analytics include Matomo, Piwik PRO, Plausible, Fathom, Cabin, Beyable Analytics and Actirise. For enterprise use cases Adobe Analytics with EU residency and Mapp Intelligence are also viable.
In cookieless mode, mention that no cookies are set and that the audience measurement relies on the CNIL exemption. When the cookie based mode is enabled, list atuserid and the session cookie with their lifetime and purpose.