Category: Gdpr
All blog posts in this category.
- 04 May, 2026
Session replay and CNIL: what teams should verify after the 2026 consultation
On February 25, 2026, the CNIL opened a public consultation on a draft recommendation for session replay tools. The consultation period ended on April 22, 2026. As of this article's publication date, teams should treat the draft as a strong warning signal while monitoring for the final recommendation.

Session replay tools are not ordinary audience-measurement tools. They can record detailed interactions: scrolling, clicks, form behavior, interface hesitations and, when masking is incomplete, the content typed into fields. That level of detail creates a different risk profile from aggregated traffic statistics.

The practical consequence is simple: product, marketing and support teams should not activate session replay as a casual dashboard add-on. It needs a documented purpose, minimization settings, masking, access control, retention limits and a clear decision on when recording is allowed.

What makes session replay sensitive

Session replay can help diagnose UX issues, broken forms or confusing flows. But the same recording can reveal personal data, sensitive fields, account context or unexpected behavior. A misconfigured tool can collect more than the team intended. That is why the CNIL draft focuses on proportionality and safeguards. The useful question is not whether a vendor is popular. It is whether your configuration actually limits what is captured, who can view it and how long it remains available.
A launch checklist for teams

Before enabling session replay, review these points:
- define the exact purpose: UX debugging, support investigation, quality assurance or another documented need;
- disable recording by default on sensitive pages and authenticated areas unless there is a validated reason;
- mask form fields, free-text inputs, account data and any field that can contain personal or sensitive information;
- record a limited share of sessions instead of every visit;
- restrict access to named roles and audit who can view recordings;
- set a short retention period and delete recordings once the operational need ends;
- document the tool, provider, transfers and retention in your privacy materials;
- verify that the recording state follows your consent and preference-management setup;
- keep a rollback procedure to disable recording quickly if a leak or spike is detected.

How this differs from Pomelo's core analytics

Pomelo's launch positioning is deliberately different. The default analytics model is cookieless, minimal and report-oriented. It is designed to answer operational questions with aggregate data, not to replay individual user journeys. That distinction matters. Session replay can be useful in a narrow debugging workflow, but it should not be confused with privacy-first audience measurement. For most SME, SaaS and multi-site teams, the baseline analytics stack should remain lighter than a recording tool.

What to do now

If you already use Hotjar, Microsoft Clarity, FullStory or a similar tool, run a short audit before launch:
- list every page where recording is active;
- inspect the last 20 recordings for accidental personal data capture;
- review masking rules with a non-technical stakeholder;
- confirm retention and access controls;
- decide whether the tool is still needed permanently or only during limited research windows.

If the team cannot explain why recordings are necessary, it is safer to disable them until the purpose and safeguards are documented.
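The checklist and audit above, as an added example. This is not Hotjar, Clarity, FullStory or Pomelo code: the policy fields, page paths, consent category, snapshot format and the `shouldRecord` / `maskSnapshot` / `findSuspectContent` names are all hypothetical. The block shows a recording policy that only records with consent, on allowlisted public pages, inside a time-boxed research window and for a sampled fraction of visits; a masking pass over a captured DOM snapshot; and the "inspect the last N recordings" check run against the snapshot before and after masking.

```javascript
// Added example, not code from the page or from any replay vendor.
// Constructed policy with hypothetical values.
const replayPolicy = {
  purpose: "Checkout funnel debugging, ticket UX-1234",
  consentCategory: "analytics",          // CMP category that must be granted
  allowedPathPrefixes: ["/pricing", "/checkout"],
  blockedPathPrefixes: ["/checkout/payment", "/account"], // checked before the allowlist
  window: { start: "2026-05-11T00:00:00Z", end: "2026-05-25T00:00:00Z" }, // research window
  sampleRate: 0.05,                      // record 5% of eligible visits
  maskSelectors: ["input", "textarea", "select", "[data-pii]"],
  retentionDays: 14,
};

// Decide whether this page view may be recorded. `rand` is injectable so the
// sampling branch is testable. The reason is returned so the decision can be logged.
function shouldRecord(policy, ctx, rand = Math.random) {
  const consent = ctx.consent || {};
  if (consent[policy.consentCategory] !== true) return { record: false, reason: "no-consent" };
  if (ctx.authenticated) return { record: false, reason: "authenticated-area" };
  const t = Date.parse(ctx.now);
  if (!(t >= Date.parse(policy.window.start) && t < Date.parse(policy.window.end))) {
    return { record: false, reason: "outside-research-window" };
  }
  if (policy.blockedPathPrefixes.some((p) => ctx.path.startsWith(p))) return { record: false, reason: "blocked-path" };
  if (!policy.allowedPathPrefixes.some((p) => ctx.path.startsWith(p))) return { record: false, reason: "path-not-allowlisted" };
  if (rand() >= policy.sampleRate) return { record: false, reason: "not-sampled" };
  return { record: true, reason: "ok" };
}

// Minimal selector matcher for the snapshot tree: "tag" or "[attr]".
function matches(node, selector) {
  if (selector.startsWith("[") && selector.endsWith("]")) {
    return Object.prototype.hasOwnProperty.call(node.attrs || {}, selector.slice(1, -1));
  }
  return node.tag === selector;
}

const mask = (s) => "*".repeat(s.length);

// Return a masked copy of a captured DOM snapshot. A matched node and all of its
// descendants get text and `value` attributes replaced by same-length asterisks,
// so layout survives for UX review but content does not leave the browser.
function maskSnapshot(node, policy, inherited = false) {
  const masked = inherited || policy.maskSelectors.some((sel) => matches(node, sel));
  const attrs = { ...(node.attrs || {}) };
  if (masked && typeof attrs.value === "string") attrs.value = mask(attrs.value);
  return {
    tag: node.tag,
    attrs,
    text: masked ? mask(node.text || "") : (node.text || ""),
    children: (node.children || []).map((c) => maskSnapshot(c, policy, masked)),
  };
}

// Audit helper for "inspect the last N recordings": collect text or values that
// still look like an e-mail address or a long digit run (phone/card-like) after masking.
const PII_PATTERN = /[\w.+-]+@[\w-]+\.[\w.]+|\d[\d ]{8,}\d/;
function findSuspectContent(node, out = []) {
  for (const v of [node.text, (node.attrs || {}).value]) {
    if (typeof v === "string" && PII_PATTERN.test(v)) out.push({ tag: node.tag, value: v });
  }
  for (const c of node.children || []) findSuspectContent(c, out);
  return out;
}

// Constructed snapshot of a checkout form as a replay SDK might capture it.
const capturedForm = {
  tag: "form", attrs: {}, text: "", children: [
    { tag: "label", attrs: {}, text: "Email", children: [] },
    { tag: "input", attrs: { type: "email", value: "alice@example.com" }, text: "", children: [] },
    { tag: "p", attrs: { "data-pii": "" }, text: "Delivery for Alice Example, +33 6 12 34 56 78", children: [] },
    { tag: "p", attrs: {}, text: "Total: 42 EUR", children: [] },
  ],
};

const maskedForm = maskSnapshot(capturedForm, replayPolicy);
```

The order of checks in `shouldRecord` is deliberate: consent first, then the authenticated-area and blocklist rules, then sampling last, so a visit that is never eligible is not counted against the sample. `findSuspectContent` is a cheap first pass for the "last 20 recordings" review, not a substitute for a human looking at the masked recordings; it exists to catch the case where a field was added to the page after the masking rules were written.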
Sources

Sources checked on May 9, 2026.
- CNIL, Session replay consultation, February 25, 2026
- CNIL, Cookies and audience measurement solutions
- Hotjar, Privacy and security
- Microsoft Clarity, Privacy overview
- 30 Mar, 2026
CNIL sanctions: what analytics teams should learn before launch
CNIL sanction decisions are useful because they show patterns, not just headline amounts. For analytics teams, the lesson is clear: risk rarely comes from measuring traffic in itself. It comes from unclear purposes, tracking before a valid choice, excessive collection, weak information, poor retention and provider relationships that nobody has reviewed.

This article does not try to predict a fine. It gives product, marketing and legal teams a launch checklist grounded in the CNIL's public sanction list and cookie guidance.

The recurring analytics risks

1. Tracking starts too early

If advertising, personalization or advanced tracking fires before the visitor's valid choice is recorded, the compliance issue is immediate. Verify which scripts actually fire in the browser, not only in a tag manager diagram: the diagram shows the intended firing rules, the network panel shows what was really sent.

2. The purpose is too broad

"Analytics" can hide several purposes: audience measurement, ad attribution, retargeting, product analytics, support, personalization and CRM enrichment. These purposes do not carry the same risk or the same consent analysis. They must be separated in configuration and documentation.

3. Data is kept too long

Retention is a recurring sanction theme across CNIL decisions. Analytics teams should define retention for raw events, derived reports, exports and backups. The answer cannot be "as long as the tool allows".

4. Provider roles are unclear

The site publisher remains responsible for understanding what the provider does. Review data-processing terms, hosting, transfers, sub-processors and reuse clauses before launch.

5. The public explanation is vague

A privacy policy that only says "we use cookies to improve the experience" is not enough for a modern analytics stack. Explain the tool, purpose, data categories, retention and choice mechanism in concrete terms.
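Risk 1 above (tracking that starts before the choice) can be checked from a HAR export rather than by eyeballing the network panel. The block below is an added example, not CNIL or Pomelo code: it reads a HAR document captured in a clean browser profile, lists every third-party request that started before the consent choice was recorded, and joins each one to the team's tag inventory so that unmapped hosts stand out. The HAR entries, host names, consent timestamp and inventory are constructed for the example; `FIRST_PARTY_HOSTS`, `tagInventory` and the function names are hypothetical.

```javascript
// Added example, not code from the page. A real HAR is exported from the
// browser's network panel after loading the page in a fresh profile and
// making the consent choice; only the fields used here are modelled.
const FIRST_PARTY_HOSTS = new Set(["www.example-shop.test"]); // hypothetical site

// Constructed HAR: only log.entries[].startedDateTime and request.url are used.
const har = {
  log: {
    entries: [
      { startedDateTime: "2026-05-09T10:00:00.000Z", request: { url: "https://www.example-shop.test/" } },
      { startedDateTime: "2026-05-09T10:00:00.120Z", request: { url: "https://www.example-shop.test/static/app.js" } },
      { startedDateTime: "2026-05-09T10:00:00.400Z", request: { url: "https://ads.tracker.test/collect?id=123&ref=home" } },
      { startedDateTime: "2026-05-09T10:00:00.650Z", request: { url: "https://cdn.analytics-vendor.test/script.js" } },
      { startedDateTime: "2026-05-09T10:00:06.000Z", request: { url: "https://cdn.analytics-vendor.test/collect" } },
    ],
  },
};

// Time at which the choice was recorded, taken from the CMP callback or from
// the consent cookie's write time in the same capture (constructed here).
const CONSENT_RECORDED_AT = "2026-05-09T10:00:05.000Z";

// Tag inventory kept with the release checklist: host -> purpose and owner.
const tagInventory = {
  "cdn.analytics-vendor.test": { purpose: "audience measurement", owner: "marketing" },
};

// Third-party requests whose start time precedes the consent timestamp.
function preConsentThirdPartyRequests(harDoc, consentIso, firstParty) {
  const cutoff = Date.parse(consentIso);
  const out = [];
  for (const entry of harDoc.log.entries) {
    const started = Date.parse(entry.startedDateTime);
    let host;
    try { host = new URL(entry.request.url).hostname; } catch { continue; } // skip malformed URLs
    if (started < cutoff && !firstParty.has(host)) {
      out.push({ host, url: entry.request.url, startedDateTime: entry.startedDateTime });
    }
  }
  return out.sort((a, b) => Date.parse(a.startedDateTime) - Date.parse(b.startedDateTime));
}

// Join each request to the inventory. "unmapped" means no documented purpose
// or owner: justify it or remove the tag. A mapped pre-consent request still
// needs its own justification, because the CNIL's audience-measurement
// guidance exempts measurement trackers from consent only under strict conditions.
function annotate(requests, inventory) {
  return requests.map((r) => {
    const tag = inventory[r.host];
    return { ...r, purpose: tag ? tag.purpose : "unmapped", owner: tag ? tag.owner : "unmapped" };
  });
}

function auditReport() {
  return annotate(preConsentThirdPartyRequests(har, CONSENT_RECORDED_AT, FIRST_PARTY_HOSTS), tagInventory);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditReport()) {
    console.log(`${r.startedDateTime} ${r.host} purpose=${r.purpose} owner=${r.owner}`);
  }
}
```

The report is the evidence the checklist asks for: save it with the release record together with the HAR and the consent timestamp it was computed from. Run it once with no choice made and once after a refusal, since a script that waits for acceptance but fires on refusal is the same problem.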
How to reduce risk before launch

Run this practical check:
- open a clean browser profile and inspect which scripts fire before any choice;
- map each tag to a purpose and owner;
- remove tags nobody can justify;
- separate minimal audience reporting from richer marketing tracking;
- document retention and export rules;
- review provider terms and transfer mechanisms;
- update privacy copy with actual tool names;
- keep evidence of the test in the release checklist.

For Pomelo, this means keeping the public promise conservative: cookieless by default, minimal collection, clear documentation, Strict first and Extended by explicit configuration.

Why this matters for SMEs

SMEs often assume enforcement only targets large platforms. The CNIL sanction list shows that smaller organizations can also be sanctioned, including through simplified procedures. The amounts differ, but the operational lesson is the same: a small team still needs traceability, minimization and a clean release process. Good analytics governance is not bureaucracy. It prevents last-minute launches from becoming privacy incidents.

Sources

Sources checked on May 9, 2026.
- CNIL, public list of sanctions, updated April 14, 2026
- CNIL, Cookies and other trackers
- CNIL, Cookies and audience measurement solutions
- 23 Mar, 2026
GDPR analytics checklist: 10 checks before installing a tracking tool
Installing analytics is easy. Governing analytics is harder. A script can be live in five minutes, but the team still needs to know what it collects, why it collects it, how long the data stays available and which choices are presented to visitors.

Use this checklist before adding or changing a measurement tool. It is not legal advice. It is a practical review framework for product, marketing, engineering and privacy stakeholders.

1. Define the purpose

Write the purpose in one sentence. "Understand audience and site performance" is not the same as advertising attribution, retargeting, product behavior analysis or CRM enrichment. Separate the purposes before discussing tools.

2. Split baseline and enriched collection

Define what belongs in minimal audience reporting and what belongs in enriched tracking. Campaign parameters, detailed events, goals, technical context and multi-site segmentation should be deliberate configuration choices.

3. List the fields collected

Review the payload, not only the dashboard. Check URL, referrer, user agent, language, screen data, campaign parameters, identifiers, events and custom properties. Remove fields that do not serve the stated purpose.

4. Check tracker timing

Use a clean browser profile and inspect which scripts fire before any visitor choice is recorded. Do this on the homepage, landing pages, forms, checkout or signup flows and authenticated areas.

5. Set retention rules

Define retention for raw events, aggregated reports, exports and backups. Long retention should be justified by a real operational need, not by a vendor default.

6. Review provider terms

Confirm the provider role, hosting location, sub-processors, transfers, support access and reuse clauses. Keep the current data-processing agreement with the launch record.

7. Update public information

Your privacy policy should name the tool, describe the purpose, list the main data categories, explain retention and point to the relevant choice or objection mechanism.

8. Test Strict and Extended behavior

If your product separates Strict and Extended collection, verify both modes in the browser and in storage. Strict should not persist enriched fields. Extended should be explicit and documented.

9. Control access and exports

Analytics data often spreads through CSV exports, screenshots and shared dashboards. Restrict access to people who need it and define how exports are handled.

10. Keep evidence

Save the browser test, payload review, provider links, privacy-policy update and release owner in your launch checklist. Evidence matters when decisions are challenged later.

Pomelo launch reading

For Pomelo, this checklist translates into a simple doctrine: Strict by default, Extended by configuration, no profile mutation from reports, and clear dashboard explanations when data availability changes with collection mode.

Sources
- CNIL, Cookies and other trackers: https://www.cnil.fr/fr/cookies-et-autres-traceurs
- CNIL, Cookies and audience measurement solutions: https://www.cnil.fr/fr/cookies-solutions-pour-les-outils-de-mesure-daudience
- EDPB, Guidelines 05/2020 on consent under Regulation 2016/679: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en
- EDPB, Guidelines 07/2020 on controller and processor concepts: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en
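Checks 2, 3 and 8 of the checklist above, as an added example. This is hypothetical code and not Pomelo's implementation: the field names, the Strict/Extended split, the `buildPayload` and `strictViolations` helpers and the sample page view are all assumptions. It shows a tracking payload built from an explicit per-mode allowlist, so the fields sent can be reviewed from the code rather than reverse-engineered from the dashboard, and a release-time check that a Strict payload carries no enriched field and no raw identifier.

```javascript
// Added example, not code from the page or from Pomelo.
// Hypothetical field split. Anything not listed is never sent in that mode.
const STRICT_FIELDS = ["url", "referrerHost", "language", "screenClass"];
const ENRICHED_FIELDS = ["campaign", "events", "customProps"];
const EXTENDED_FIELDS = [...STRICT_FIELDS, ...ENRICHED_FIELDS];
// Raw context fields that must never appear in a payload in either mode.
const NEVER_SENT = ["userAgent", "visitorId", "referrer", "screen"];

// Constructed raw page-view context, as the browser sees it.
const rawPageview = {
  url: "https://www.example-shop.test/pricing?plan=pro&utm_source=newsletter&utm_campaign=spring#token=abc",
  referrer: "https://news.example.test/article/123?subscriber=42",
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) ...",
  language: "fr-FR",
  screen: { width: 1440, height: 900 },
  visitorId: "7f3c-0000-example",
  campaign: { utm_source: "newsletter", utm_campaign: "spring" },
  events: [{ name: "pricing_toggle", value: "annual" }],
  customProps: { plan: "pro", accountTier: "gold" },
};

// Strict keeps origin + path only. Extended adds campaign parameters (utm_*)
// and nothing else; the fragment and every other query key are always dropped,
// since they routinely carry tokens, account references or search terms.
function scrubUrl(rawUrl, mode) {
  const u = new URL(rawUrl);
  const kept = new URLSearchParams();
  if (mode === "extended") {
    for (const [k, v] of u.searchParams) if (k.startsWith("utm_")) kept.append(k, v);
  }
  const q = kept.toString();
  return u.origin + u.pathname + (q ? `?${q}` : "");
}

// The referrer is reduced to its host: the referring page's path and query
// are not needed to report where traffic comes from.
function referrerHost(referrer) {
  try { return new URL(referrer).hostname; } catch { return ""; }
}

// A coarse bucket instead of exact dimensions, which add fingerprinting entropy.
function screenClass(screen) {
  if (!screen) return "unknown";
  if (screen.width < 768) return "small";
  if (screen.width < 1280) return "medium";
  return "large";
}

// Build the payload for one mode from the allowlist. Derived values are
// computed first; the allowlist then decides which of them are sent.
function buildPayload(raw, mode) {
  if (mode !== "strict" && mode !== "extended") throw new Error(`unknown mode: ${mode}`);
  const derived = {
    url: scrubUrl(raw.url, mode),
    referrerHost: referrerHost(raw.referrer),
    language: raw.language,
    screenClass: screenClass(raw.screen),
    campaign: raw.campaign,
    events: raw.events,
    customProps: raw.customProps,
  };
  const allowed = mode === "extended" ? EXTENDED_FIELDS : STRICT_FIELDS;
  const payload = {};
  for (const k of allowed) if (derived[k] !== undefined) payload[k] = derived[k];
  return payload;
}

// Release check for item 8: fields that must not be present in a payload that
// was supposed to be Strict (enriched fields, raw context, URL query/fragment).
function strictViolations(payload) {
  const violations = Object.keys(payload).filter((k) => ENRICHED_FIELDS.includes(k) || NEVER_SENT.includes(k));
  if (typeof payload.url === "string" && /[?#]/.test(payload.url)) violations.push("url:query-or-fragment");
  return violations;
}
```

Run `strictViolations` against what the tracker actually stores and sends, not against `buildPayload` alone: the value of check 8 is confirming, in the browser's network panel and in the backend's storage, that the Strict mode the documentation promises is the one that shipped.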