Analytics in France. Without a cookie banner.
The CNIL has published explicit exemption criteria for analytics since 2020. This is what the exemption requires, how the 2025 self-assessment tool works, and what changed with the 2026 Digital Omnibus.
The 5 CNIL criteria
The CNIL exemption is not vague. Five operational requirements define the boundary. An analytics tool either meets each one by design or it does not qualify.
Strictly limited purpose
Measurement must serve only audience analytics — no marketing, no advertising, no profiling.
Aggregate channel and conversion counts only. No identifier, no profile, no audience export to ad platforms.
No cross-site tracking
The tool must not enable tracking the visitor across other websites.
First-party server-side. The pixel runs on your own domain. No third-party cookie, no cross-site identifier.
IP anonymisation or non-collection
Last octet of IP addresses must be removed before processing (or IPs not collected at all).
We do not collect IP addresses at all. The CNIL requirement is met by exceeding it.
No merging with other personal data
Analytics data must not be combined with personal data from other sources.
There is no personal data to merge. Aggregate counts are isolated from any CRM, advertising or marketing identifier.
Aggregate-only reporting
Reports must be aggregate. No individual-level data may be exposed.
Every report is aggregate — by channel, campaign, landing page, country, device class. No per-visitor view exists in the product.
The 14-point self-assessment
In July 2025 the CNIL published an auto-évaluation tool translating the five high-level criteria into 14 concrete technical requirements covering data retention, IP anonymisation, cookie use, cross-site behaviour, exports and more. Each must be met for the exemption to apply.
We published our complete answer to each of the 14 points in a public blog post — copy patterns directly into your DPO review, or send the link with our DPA and the TPSR package. Two examples of the shape:
CNIL: Last octet of IP must be removed.
SealMetrics: We do not collect IP addresses at all.
CNIL: Cookies must not exceed 13 months retention.
SealMetrics: No persistent cookies are used.
What the 2026 Digital Omnibus changed
The EU Digital Omnibus (Nov 2025, in force 2026) consolidated the patchwork of five existing data instruments and gave authorities sharper enforcement tools. Three things matter for French operators:
- Reject-all parity is now formal. Banner asymmetry (highlighting “accept” vs hiding “reject”) is enforceable at the EU level, not just by CNIL national action. Costs of running a defensible banner went up.
- Article 5(3) enforcement clarified. Authorities have explicit jurisdiction over breaches involving terminal-device storage. The CNIL no longer has to reach for adjacent grounds.
- The exemption itself survived intact. Anonymous non-tracking analytics remains explicitly out of Art. 5(3) scope. The economics now favour exempt architectures more strongly than before.
For the operator’s view of what changed, see the marketer’s guide to the Digital Omnibus.
What it means for your French site
Three practical outcomes for an operator running a French site with SealMetrics installed:
Banner scope shrinks (or disappears)
If SealMetrics is the only analytics layer and the only tools that set cookies are strictly-necessary (cart, session, fraud), no consent dialog is required. If you also run ad pixels or A/B testing tools, the banner shrinks to those specific consents.
Privacy policy still required
Transparency obligations apply regardless of consent. The privacy policy must mention the analytics tool, its purpose, data categories, retention, and lawful basis. A template is included in our TPSR package.
100% of French traffic measured
French rejection rates against standard banners run 50–60%. With no banner gate, every visitor is counted on the same anonymous-aggregate basis — no Consent Mode modelling required to fill the gap.
Common DPO questions
- Does the CNIL exemption mean no cookie banner at all?
- It means no cookie banner is required for the analytics layer specifically. If your site also runs Google Ads pixels, Meta pixels, A/B testing tools or any tool that sets cookies, those tools still require consent. The banner scope shrinks to the tools that actually need it — often substantially. Many French eCommerce teams reduce the banner scope to one or two products instead of the catch-all banner.
- Is the CNIL exemption a 'workaround'?
- No. The CNIL has published explicit criteria for analytics exemption since 2020, reaffirmed in 2024 and aligned with the EDPB Opinion 5/2019. The exemption is the original carve-out the regulation contemplated for genuine audience measurement that does not enable tracking. Architectures that meet the criteria are not exploiting a loophole; they are using the regulation as written.
- How does the 2025 CNIL self-assessment tool work?
- In July 2025 the CNIL released an auto-évaluation covering 5 permitted objectives and 14 technical criteria. Operators document how their analytics implementation meets each requirement. We published our complete self-assessment in a public blog post — useful to copy patterns from or share with your DPO.
- What if my analytics is hosted in another EU country?
- The exemption applies as long as the processing happens in the EU (no third-country transfer). SealMetrics processes exclusively in Dublin, Ireland — within scope of GDPR adequacy, no Schrems II transfer assessment required.
- Did the Digital Omnibus 2026 change the CNIL position?
- Not on the exemption itself. The Omnibus formalised reject-all banner parity, harmonised dark-pattern enforcement, and gave authorities sharper teeth on Art. 5(3) violations — all of which raise the cost of running cookie-based analytics. The exemption for anonymous non-tracking analytics survived intact and now contrasts even more favourably with the banner-dependent path.
- What does the privacy policy still need to say?
- Transparency is required even when consent is not. The privacy policy must describe the analytics tool, its purpose, the data categories processed (channel, landing page, aggregate counts), the retention period, and the lawful basis (Art. 6(1)(f) legitimate interest, paired with the ePrivacy Art. 5(3) exemption). A privacy policy template is included in our TPSR package.
Related reading
Consentless analytics
The full legal framework — GDPR Art. 6, ePrivacy Art. 5(3), six EU authorities aligned.
BlogThe CNIL self-assessment, published
All 14 technical criteria with SealMetrics’ actual answers — copy directly into your DPO review.
BlogGDPR analytics without consent
The Art. 6 / Art. 5(3) reasoning that underpins the CNIL exemption — explained for marketers.
BlogEU Digital Omnibus — marketer guide
What changed in the 2026 enforcement framework and what to action this quarter.
One CNIL review. Done.
Book a walkthrough with the founder. Bring your DPO. We answer the 14 self-assessment points live and ship the DPA + TPSR package on the call.
Built by a founder · supported by a founder · EU-hosted by design