Tag: Cnil
All blog posts with this tag.
- 02 Mar, 2026
Session Replay (Hotjar, Clarity): France's Privacy Watchdog Opens Pandora's Box
You might be using Hotjar, Microsoft Clarity, or Fullstory to understand how visitors navigate your website. These "session replay" tools show you their clicks, mouse movements, and hesitations. It's convenient for fixing bugs or improving user experience. The problem? You're probably recording far more than you think. And France's data protection authority just put the practice under the microscope.

On February 25, 2026, the CNIL (Commission Nationale de l'Informatique et des Libertés) opened a public consultation on session replay tools. It's the first regulatory initiative of its kind in Europe. The consultation runs until April 22, 2026, with a final recommendation to follow. For website operators, agencies, and solution providers, the message is clear: the free-for-all is over.

The numbers speak volumes. In 2025, the CNIL issued €487 million in fines, including 21 sanctions specifically targeting cookies and tracking technologies. Google paid €325 million, Shein €150 million. Session replay, far more intrusive than a simple analytics cookie, is now in the crosshairs. This consultation isn't theoretical: it's the prelude to enforcement actions and potential penalties.

This article explains what session replay actually is, why it's riskier than standard analytics tools, what the CNIL's draft recommendation says, and how to achieve compliance before the final text becomes binding. Waiting for the final version to act means scrambling to fix everything under time pressure.

What Session Replay Is and Why It's Different From Google Analytics

The Difference Between Audience Measurement and Full Recording

When you install Google Analytics, Matomo, or a privacy-first analytics tool, you collect aggregated metrics: visit counts, page views, bounce rates, traffic sources. You know 1,000 people visited your product page, but you don't see how each person navigated, pixel by pixel.

Session replay is the opposite. It records a user's entire browsing journey, as if filming their screen. Mouse movements, clicks, scrolling, touch interactions on mobile, and sometimes even form inputs. This data is then replayed as a video. You see the user hesitate, go back, click three times on a button that doesn't work.

This is extremely useful for identifying bugs invisible in standard statistics. A form that crashes on Safari iOS 14, a poorly positioned payment button, an incomprehensible error message: everything becomes visible. But this granularity has a price: you're collecting personal data at a level of detail far beyond what standard analytics tools permit.

What These Tools Actually Record

Most session replay solutions capture by default:
- Cursor movements and positions (or finger touches on mobile).
- All clicks and double-clicks.
- Page scrolling.
- "Rage clicks" (repeated clicks on the same spot, indicating frustration).
- Prolonged hovers over certain elements.
- Tab or window changes (sometimes).
- Form inputs, unless explicitly masked.

This last point is critical. By default, some tools record what users type in form fields. Name, email, address, phone number, and even sensitive data like banking details or health information if your site collects it. Most solutions offer automatic masking, but you need to activate it correctly.

Result: you can end up with recordings showing a user filling out a medical form, correcting a typo in their credit card number, or deleting and rewriting a message in a "cancellation reason" field. See the problem?

The Tools Involved

The three market leaders are:
- Hotjar: The most popular solution for SMEs and agencies. Simple interface, integrated heatmaps, free up to 35 sessions/day.
- Microsoft Clarity: Completely free, easy integration with Azure and Google Tag Manager, widely adopted since 2023.
- Fullstory: Enterprise-focused, with automatic behavior analysis and AI-driven anomaly detection.

But dozens of others exist: Lucky Orange, Smartlook, Mouseflow, SessionCam, Inspectlet, etc. The CNIL isn't targeting a specific solution: it's regulating the entire category.

What the CNIL Says in Its Draft Recommendation

Acceptable Uses According to the Authority

The CNIL doesn't say session replay should be banned. It sets a strict framework. According to the draft recommendation published on February 25, 2026, three uses are considered legitimate:
- Detection and understanding of technical errors: Identifying bugs, crashes, broken forms, elements not displaying properly on certain browsers or devices.
- User experience (UX) improvement: Spotting friction points, confusing paths, poorly placed elements. For example, discovering that 80% of users click a "Submit" button three times before understanding they first need to check a box.
- Customer support and assistance: Replaying a user's session when they encounter a problem to better understand their case and help resolve it.

These three uses share a common trait: they're technical or support-oriented. They're not marketing uses.

What's Excluded: Marketing and Retargeting

The CNIL is crystal clear on this. Session replay must not be used for:
- Advertising retargeting (showing targeted ads to a user who hesitated on a product page).
- Advanced marketing segmentation (creating audiences based on fine-grained behavior).
- Aggressive commercial optimization (identifying "hesitant buyers" to send them promotions).

Why this exclusion? Because these uses violate the data minimization principle. If your goal is to sell, you don't need to see every mouse movement. Aggregated statistics suffice. Session replay is disproportionate for these purposes. If you're using Hotjar or Clarity to "better understand your customers" from a conversion marketing angle, you're out of bounds. And during a CNIL audit, that won't go well.
Mandatory Consent: No Exemption Possible

The draft recommendation is unambiguous: session replay requires prior and explicit consent from users. It cannot benefit from the cookie consent exemption for audience measurement.

Why? Because the exemption, governed by Article 5(3) of the ePrivacy Directive (implemented through national laws like France's Article 82 of the Data Protection Act), only covers trackers strictly necessary for service provision or exclusively dedicated to audience measurement in a very limited framework. Session replay fits neither category. It's a detailed behavioral analysis tool, not anonymized statistical measurement.

Concretely, this means:
- You must display a consent banner (via a CMP, Consent Management Platform).
- Session replay must appear as a distinct choice in the banner, with a clear description.
- Users must be able to refuse without affecting site access.
- If users refuse or withdraw consent, recording must stop immediately and already-collected data must be deleted (or irreversibly anonymized).

Minimization and Masking: Precise Technical Requirements

The CNIL emphasizes the minimization principle under GDPR Article 5(1)(c). You must only collect what's strictly necessary for your objective. In practice, this requires:
- Automatic masking of all sensitive form fields: passwords, banking details, health data, social security numbers, etc.
- Default masking of input fields, unless you can justify that recording is indispensable (for example, to reproduce a bug that only occurs with specific input).
- Sampling: Recording only a percentage of sessions, not 100%. If you have 10,000 daily visits, recording all 10,000 sessions is disproportionate. Sampling 5% or 10% is more than sufficient to identify bugs.
- Short retention period: Sessions should be deleted as soon as the objective is achieved. A session recorded to fix a bug doesn't need to be kept for 12 months "just in case."

The CNIL also recommends documenting your configurations. During an audit, you'll need to prove you activated masking, configured sampling, and limited retention periods.

Responsibilities: Who Does What?

Provider vs. Website Operator

The CNIL recommendation distinguishes two actors:
- The solution provider (Hotjar, Microsoft, Fullstory, etc.): They design the tool, define default settings, offer (or don't offer) masking and minimization options. They can be considered data controllers for their own uses (improving their product, for example) or processors if they only host data on behalf of the website operator.
- The website or mobile app operator: That's you, if you install Hotjar on your site. You're the data controller for your use of session replay. You must obtain consent, configure masking, define retention periods.

In some cases, the CNIL mentions joint controllership (GDPR Article 26): if the provider and operator pursue common purposes (for example, if Hotjar uses your data to improve its anomaly detection algorithm), they must sign a joint controller agreement.

Web Agencies: Beware the Contractual Trap

If you're a web agency installing Hotjar or Clarity for clients, the responsibility question gets complicated. Who must obtain consent? Who configures masking? Who gets sanctioned for non-compliance?

By default, it's the client (the website operator) who remains responsible as the controller. But if you haven't informed them of obligations, haven't properly configured the tool, or haven't documented settings, you can be held liable. European data protection authorities have already sanctioned technical service providers for failing their processor obligations under GDPR Article 28.

Our advice: Add a clause to your contracts now specifying:
- Who is responsible for session replay GDPR compliance.
- Who configures masking and sampling.
- Who updates the consent banner.
- Who maintains compliance documentation.

And bill for compliance work. It's not included in a standard "Hotjar installation" package.
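The four technical requirements the draft recommendation stacks up (distinct consent before anything is recorded, sampling instead of 100% capture, default masking of inputs with full masking of sensitive fields, and deletion on withdrawal or after a short retention period) are easier to audit when they are one explicit decision chain rather than scattered vendor settings. The JavaScript below is an added example written for this article; it is not code from Hotjar, Clarity, Fullstory or the CNIL. The consent object shape (`{ sessionReplay: true }`), the input-event shape, the sensitive-field name patterns and the sample session are all assumptions of the example.

```javascript
// Added example, not vendor or CNIL code: consent-gated, sampled, field-masking
// capture of session replay events with a 30-day retention store.
// Assumptions (hypothetical): the CMP exposes a consent object such as
// { sessionReplay: true }; the recorder hands us input events shaped
// { kind: "input", t, field: { name, type }, value }.

const SAMPLE_RATE = 0.05;   // record 5% of consented sessions, never 100%
const RETENTION_DAYS = 30;  // delete recordings after 30 days at most
const DAY_MS = 24 * 60 * 60 * 1000;

// Field types and name fragments that are always masked in full, even when an
// operator has allow-listed the field to reproduce a bug.
const ALWAYS_MASK_TYPES = new Set(["password", "email", "tel"]);
const ALWAYS_MASK_NAME = /(pass|pwd|card|cvv|cvc|iban|bic|ssn|secu|health|medical|birth|dob)/i;

// FNV-1a 32-bit hash: the same session id always lands in the same sampling
// bucket, so the record/skip decision is stable for the whole session.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Recording starts only with explicit, distinct session-replay consent, and
// then only for the sampled share of sessions.
function shouldRecord(consent, sessionId, sampleRate = SAMPLE_RATE) {
  if (!consent || consent.sessionReplay !== true) return false;
  const bucket = fnv1a32(sessionId) / 0x100000000; // in [0, 1)
  return bucket < sampleRate;
}

// Strict masking: sensitive fields are replaced entirely (no length leak);
// every other input is replaced by a same-length mask unless allow-listed.
function sanitizeInputEvent(ev, allowlist = new Set()) {
  const key = ev.field.name || "";
  const sensitive = ALWAYS_MASK_TYPES.has(ev.field.type) || ALWAYS_MASK_NAME.test(key);
  if (sensitive) return { ...ev, value: "[masked]", masked: true };
  if (!allowlist.has(key)) return { ...ev, value: "*".repeat(ev.value.length), masked: true };
  return { ...ev, masked: false };
}

// In-memory stand-in for the recording backend, with the two deletion paths
// the recommendation requires: consent withdrawal and retention expiry.
class RecordingStore {
  constructor() { this.recordings = new Map(); }
  add(sessionId, events, recordedAtMs) {
    this.recordings.set(sessionId, { events, expiresAt: recordedAtMs + RETENTION_DAYS * DAY_MS });
  }
  // Consent withdrawn: delete what was already collected for that session.
  onConsentWithdrawn(sessionId) { return this.recordings.delete(sessionId); }
  // Retention: delete everything past its expiry; returns how many were removed.
  purgeExpired(nowMs) {
    let removed = 0;
    for (const [id, rec] of this.recordings) {
      if (rec.expiresAt <= nowMs) { this.recordings.delete(id); removed++; }
    }
    return removed;
  }
  size() { return this.recordings.size; }
}

// Full chain: consent -> sampling -> masking -> store with expiry.
function captureSession(store, session, consent, allowlist = new Set(), sampleRate = SAMPLE_RATE) {
  if (!shouldRecord(consent, session.id, sampleRate)) return false;
  const events = session.events.map((ev) =>
    ev.kind === "input" ? sanitizeInputEvent(ev, allowlist) : ev
  );
  store.add(session.id, events, session.startedAt);
  return true;
}

// Constructed sample session (not real traffic).
const SAMPLE_SESSION = {
  id: "sess-0001",
  startedAt: Date.UTC(2026, 2, 2),
  events: [
    { kind: "click", t: 120, target: "#submit" },
    { kind: "input", t: 300, field: { name: "email", type: "email" }, value: "alice@example.org" },
    { kind: "input", t: 450, field: { name: "cancel_reason", type: "text" }, value: "too expensive" },
    { kind: "input", t: 600, field: { name: "card_number", type: "text" }, value: "4111111111111111" },
    { kind: "input", t: 700, field: { name: "postcode", type: "text" }, value: "75001" },
  ],
};

const demoStore = new RecordingStore();
captureSession(demoStore, SAMPLE_SESSION, { sessionReplay: true }, new Set(["postcode"]), 1);
console.log(JSON.stringify(demoStore.recordings.get("sess-0001").events, null, 1));
```

In a real deployment the vendor's own masking switches do the work of `sanitizeInputEvent`, but the order of decisions is the point to keep: no consent means nothing is captured at all, sampling is decided once per session, masking is the default rather than the exception, and both withdrawal and expiry delete data rather than merely hiding it. The allow-list is where the "justified exception" for bug reproduction lives, and it never overrides the always-masked set.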
Alternatives and Best Practices for Staying Compliant

Option 1: Strictly Configure Session Replay

If you want to continue using Hotjar, Clarity, or equivalent, here are the steps:
- Activate automatic masking of all form fields. Most tools offer a "strict" mode that masks everything by default.
- Reduce sampling to 5-10% of sessions. You don't need to record 100% of traffic to detect bugs.
- Limit retention to 30 days maximum. If you haven't fixed the bug in 30 days, it wasn't urgent.
- Update your CMP (OneTrust, Axeptio, Cookiebot, Didomi, etc.) to add a specific "Behavioral Analysis" or "Session Replay" option, distinct from "Audience Measurement."
- Document everything: Screenshots of settings, spreadsheet listing masked fields, purpose justification.

Option 2: Replace with Heatmaps or Privacy-First Analytics

Session replay is often used for needs that don't require full recording. Some alternatives:
- Heatmaps: They show where users click most, without recording individual paths. Much less intrusive.
- Event-based analytics: Configure specific events in Google Analytics, Matomo, or a privacy-first tool to measure clicks on certain buttons, form errors, cart abandonments.
- A/B testing: Test two versions of a page rather than trying to "understand" why the current version doesn't work.

These approaches give you 80% of useful information with 10% of legal risk.

Option 3: Session Replay Strictly on User Request

An emerging practice is activating session replay only when users explicitly request it. For example:
- A user contacts support saying "I have a problem with the form."
- Support sends them a unique link that temporarily activates recording of their session, with explicit consent.
- The session is recorded, analyzed, then immediately deleted after problem resolution.

This is the most compliant method, but requires slightly more complex technical infrastructure.

What Happens After the Consultation

Timeline and Next Steps

The public consultation ends on April 22, 2026. Then the CNIL will:
- Analyze contributions received (professionals, trade associations, consumer groups, NGOs).
- Revise the draft recommendation if necessary.
- Adopt the final version, probably during the second half of 2026.
- Publish the recommendation on its website, with a transition period (typically 6 to 12 months).

During the transition period, the CNIL won't sanction immediately, but expects gradual compliance. After this deadline, enforcement will begin.

Risks of Non-Compliance

If you continue using session replay without consent or with non-compliant configurations, you risk:
- A formal notice from the CNIL or other European DPA (first step, public or not).
- A financial penalty up to €20 million or 4% of global annual turnover (GDPR Article 83).
- Publication of the sanction, with reputational impact.

In 2025, 67 out of 83 CNIL sanctions were issued via simplified procedure, with fines capped at €20,000 for "minor" violations. But for serious cases (massive collection, complete absence of consent, exposed sensitive data), amounts can be much higher. Shein was fined €150 million over cookies, and session replay is objectively more intrusive than a cookie.

Domino Effect Across Europe

France isn't alone. Other European authorities are watching closely. If the CNIL adopts a strict recommendation, it's likely that:
- The EDPB (European Data Protection Board) will use it as inspiration for an opinion or guidelines at the European level.
- German (DSB), Italian (Garante), Spanish (AEPD), or Irish (DPC) authorities will follow with their own texts.

In other words, if you operate in Europe, complying with CNIL rules will be necessary anyway in the short term, even if you don't have French traffic.

Conclusion: Act Now, Not in April 2027

The CNIL consultation on session replay is a warning signal, not a surprise. Tools that record complete user journeys have been in regulators' sights for years. What's changing in 2026 is that the CNIL is moving from awareness-raising to formal regulation.
If you use Hotjar, Clarity, or any other session replay tool, you have two options. Either configure the tool strictly right now: masking, sampling, consent, documentation. Or consider less intrusive alternatives: heatmaps, privacy-first analytics, A/B testing.

Inaction is no longer a viable strategy. SMEs and web agencies have until the end of 2026 to comply without immediate risk. But the longer you wait, the more costly and rushed compliance will be. And given the fine amounts issued in 2025 (€487 million total), the risk is no longer theoretical.

For those seeking a simpler approach, there are audience measurement solutions that respect minimization and transparency principles by design. If this approach resonates with you, you can join Pomelo's waitlist to be informed of the launch.

FAQ

Can I continue using Hotjar or Clarity after the CNIL recommendation?

Yes, provided you meet the requirements: obtain explicit consent via a CMP banner, activate masking of all sensitive fields, limit sampling (5-10% of sessions maximum), reduce retention to 30 days, and document all your configurations. If you meet these conditions, you can continue using these tools for technical purposes (bug detection, UX improvement, customer support). However, marketing uses (retargeting, advanced segmentation) are excluded.

Is session replay covered by the consent exemption for audience measurement?

No. The consent exemption under Article 5(3) of the ePrivacy Directive only applies to audience measurement tools strictly limited to aggregated and anonymous statistics. Session replay, which records detailed individual paths, cannot benefit from it. You must therefore obtain user consent before activating recording, even if your objective is purely technical.

If I'm a web agency, who's responsible for compliance: me or my client?

By default, the website operator (your client) is the data controller for data collected via session replay. But you, as an agency, are responsible as a processor for proper technical configuration of the tool under GDPR Article 28. If you install Hotjar without activating masking, configuring sampling, or adding a consent banner option, you can be held liable. It's essential to clarify this responsibility allocation in a written contract and bill GDPR compliance work as a separate service.

What sanctions apply if I don't follow the CNIL recommendation?

The CNIL recommendation doesn't have force of law, but it clarifies how to apply GDPR and ePrivacy rules. Not respecting it exposes you to a formal notice, then a financial sanction up to €20 million or 4% of global turnover under GDPR Article 83. In practice, for SMEs, fines via simplified procedure are capped at €20,000 for less serious violations. But for massive collection without consent or exposed sensitive data, amounts can be much higher, as illustrated by 2025 sanctions (Google €325M, Shein €150M).

Are there less risky alternatives to session replay for improving UX?

Yes, several alternatives provide UX insights without recording complete individual paths. Heatmaps show most-clicked areas without identifying users. Event-based analytics measure specific actions (button clicks, form errors) with tools like Google Analytics, Matomo, or privacy-first solutions. A/B testing compares two page versions to identify the best performer. User surveys (post-purchase or exit-intent) provide direct qualitative feedback. These approaches provide 80% of useful information with much lower legal risks.
Sources

- CNIL, "Session replay: the CNIL launches a public consultation on its draft recommendation", February 25, 2026 (https://www.cnil.fr/en/session-replay-cnil-launches-public-consultation-its-draft-recommendation)
- CNIL, "Sanctions and corrective measures: CNIL's actions in 2025", February 9, 2026 (https://www.cnil.fr/en/investigation-powers-cnil/sanctions-issued-cnil)
- CNIL, "Cookies and advertisements inserted between emails: GOOGLE fined 325 million euros by the CNIL", September 1, 2025 (https://www.cnil.fr/en/cookies-and-advertisements-inserted-between-emails-google-fined-325-million-euros-cnil)
- Nomos, "Session replay: the CNIL's draft recommendation", February 27, 2026 (https://www.nomosparis.com/en/session-replay-the-cnils-draft-recommendation/)
- PPC Land, "France's CNIL puts session replay tools under the privacy microscope", February 26, 2026 (https://ppc.land/frances-cnil-puts-session-replay-tools-under-the-privacy-microscope/)
- Solutions Numériques, "Rejeu de session : la CNIL ouvre une consultation publique pour encadrer ces outils de suivi", February 25, 2026 (https://www.solutions-numeriques.com/rejeu-de-session-la-cnil-ouvre-une-consultation-publique-pour-encadrer-ces-outils-de-suivi/)
- August Debouzy, "Cookies et autres traceurs, une action de régulation ciblée au niveau national", February 2026 (https://www.august-debouzy.com/fr/blog/2281-cookies-et-autres-traceurs-une-action-de-regulation-ciblee-au-niveau-national)
- 07 Dec, 2025
Analytics Without Consent: How to Track Visitors Without Cookie Banners (Legally)
It has become the web's most annoying ritual. You arrive on a site, and before you can even read the headline, a window pops up: "We value your privacy… Do you accept our 85 partners?"

For the user, it's a nuisance (the now-famous consent fatigue). For the site owner, it's a dilemma: display this banner and lose a chunk of your data, or skip it and risk a fine from the regulator.

Yet a third path exists. A lesser-known path that is 100% legal and far more respectful: the consent exemption.

In short:
- The banner is not automatic: it's only mandatory if you track visitors for advertising or profiling purposes.
- The consent exemption: it's possible to measure your audience without asking for consent, provided you follow strict data frugality rules.
- The double win: by removing the banner, you improve user experience and recover the statistics of visitors who were refusing tracking.

1. Why Cookie Banners Destroy Your Data

Why do we see these banners everywhere? Because most traditional analytics tools (like the default configuration of Google Analytics) collect personal data and often share it with advertising services. The GDPR is clear: for that, you need explicit consent.

The problem is that internet users are fed up. According to the latest Eurobarometer, 72% of European citizens say they are worried about how their data is processed online.
→ Source: Eurobarometer – Digital Rights and Principles

The consequence is immediate: when given a choice, many refuse. Data from European regulators shows that cookie refusal rates have risen significantly since enforcement began. It's estimated today that a site using a classic cookie banner loses between 30% and 50% of its actual data.
→ Source: CNIL – Cookie action plan impact evaluation

Your dashboard is lying to you: it only shows you a fraction of your real audience. As we explain in our article on data obesity, this is the paradox: the more you collect, the less you see.

2. Understanding the Consent Exemption

The Principle

The CNIL (France's Data Protection Authority) is one of the most pragmatic regulators in Europe on this topic. It has established a clear doctrine: audience measurement is essential to the proper functioning of a web service. Consequently, certain measurement tools can be exempted from consent.

In other words: you have the right to use a tracking mechanism for audience measurement without asking the user's permission, and therefore without displaying a banner.

This principle has been echoed by other European DPAs and aligns with the ePrivacy Directive's provision for "strictly necessary" cookies and similar technologies. While the specifics vary by country, the underlying logic is the same: if the measurement is truly frugal and serves only the site owner, exemption is possible.

But it's not a free pass. It's a strict framework that rewards what we call frugal analytics.

Checklist: Criteria for Qualifying

To benefit from the exemption, your tool and its configuration must meet these conditions. The list below is a synthesis of the CNIL's official guidelines, which are among the most detailed in Europe:
- Strictly limited purpose: data must only be used for audience measurement for the exclusive benefit of the site publisher. No retargeting, no ad profiling, no data resale.
- No data cross-referencing: collected data must not be merged with other databases (CRM, customer files) or cross-referenced with data from other sites or applications.
- IP anonymization or pseudonymization: the IP address must not allow geolocation more precise than the city level. In practice, the last octets of the IP address must be deleted or hashed before any storage.
- Limited tracker lifespan: if a cookie is used, its lifetime must not exceed 13 months. Raw collected data must not be retained beyond 25 months.
- User information: even without consent, users must be informed of the tracker's existence and their right to opt out. This information typically appears in the site's privacy policy.
- No uncontrolled transfers outside the EU: data must not be transferred to third countries without the safeguards required by the GDPR (standard contractual clauses, adequacy decisions, etc.).
→ Official source: CNIL – Audience measurement solutions

Which Tools Qualify?

The CNIL has evaluated several solutions and published a (non-exhaustive) list of audience measurement tools that can qualify for exemption when properly configured. This list includes tools like Matomo (in a specific configuration), as well as several tools from the frugal new wave.

To check whether your current tool is eligible, verify each point of the checklist above against the vendor's documentation. When in doubt, the CNIL's official page is the reference.

3. Why Go Privacy-First?

Adopting a consent-exempt analytics solution isn't just a legal hack. It's a competitive advantage on three fronts.

3.1 You Recover 100% of Your Visibility

Since you no longer need to wait for the user to click "Accept," the measurement script loads the moment they arrive on the site. You go from a partial view (the 50 to 60% who accept) to a near-total view of your traffic.

For an SMB making decisions based on its stats — which page works, which channel to invest in — the difference between "seeing 60%" and "seeing 100%" is enormous. The 5 essential KPIs finally become reliable.

3.2 You Improve Your Brand Image

A site without an aggressive pop-up is a site that inspires trust. You send a strong signal to visitors: "Here, we don't spy on you — we just look at aggregate statistics to improve the service."

This is particularly powerful if you're in a sector where trust matters (healthcare, finance, legal, education). But even for a small retailer or e-commerce store, a banner-free site delivers a better first impression.
3.3 You Simplify Your Compliance

No more updating complex CMPs (Consent Management Platforms) or worrying about a formal notice because a button is misplaced or the banner's visual hierarchy subtly favors acceptance. By collecting less data (data minimization), you mechanically reduce your legal risk. Less data to protect, fewer flows to document, fewer awkward questions during an audit.

3.4 You Improve Your Site's Performance

Exempt tools are generally much lighter than their traditional counterparts. We detail the impact on Core Web Vitals in our article on SEO without Google Analytics: switching from a 45 KB script to a 1-6 KB script has a direct effect on load time — and therefore potentially on search rankings.

4. The Limitations to Know

The exemption isn't a magic bullet. Here are the important nuances.

What You Lose
- User-level tracking: individual journeys, user profiles, retargeting. If you need to know that "User X returned 3 times this week and viewed the pricing page," frugal analytics won't answer that (and it's a design choice, not a technical limitation).
- Demographic data: age, gender, interests. These require profiling that's incompatible with the exemption.
- Advertising integration: connections to Google Ads, Meta Ads, etc. The exemption is reserved for audience measurement, not ad optimization.

What You Keep

Everything an SMB actually needs to steer their business, as detailed in our analytics tool comparison: visitors, pages, sources, UTM campaigns, conversions, trends. Aggregated data is not only sufficient but often more readable and more actionable than individual tracking.

The Exemption Is Not Automatic

This is essential: the exemption depends on the configuration of the tool, not just its name. A tool can be eligible for exemption in one configuration and lose that eligibility if certain options are enabled (data cross-referencing, secondary purposes, uncontrolled transfers).

5. How to Check If Your Site Qualifies

Here's a quick 4-question diagnostic:
1. Does your analytics tool collect personal data beyond (truncated) IP addresses? If yes → consent required. If no → continue.
2. Is the data cross-referenced with other sources (CRM, customer files, other sites)? If yes → consent required. If no → continue.
3. Is the data used for anything other than audience measurement for your own site? (advertising, resale, profiling) If yes → consent required. If no → continue.
4. Is the data transferred outside the EU without GDPR safeguards? If yes → consent required. If no → exemption likely possible.

If your setup passes all 4 tests, consult your local DPA's guidelines to confirm eligibility and mention the tool in your privacy policy.

Conclusion: Compliance Through Simplicity

For a long time, people believed the GDPR would kill web performance measurement. In reality, it only killed the "bad" kind: the kind that surveils individuals to serve targeted advertising.

For SMBs, freelancers, and agencies, the future belongs to lean tools that natively respect these exemption criteria. It's the guarantee of sleeping well at night while having reliable numbers to steer your business.

The equation is simple: less collection + more respect = better data + less risk.

FAQ: Analytics and Consent

Is Google Analytics 4 (GA4) exempt from consent?

By default, no. GA4 collects personal data and often transfers it outside the European Union. The CNIL has specified that making GA4 exempt requires complex and costly "server-side proxying" that demands dedicated infrastructure. It's out of reach for most SMBs. In the majority of cases, choosing a natively eligible tool is simpler.

If I don't have a cookie banner, am I breaking the law?

Not necessarily. If you don't use any advertising trackers (like Meta Pixel, Google Ads tags, or retargeting scripts) and your analytics tool strictly meets consent exemption criteria, you're perfectly legal without a banner. You simply need to mention the tool in your privacy policy and inform users of their right to opt out.

What is IP address anonymization?

It's a technique that deletes the last portion of a visitor's IP address before recording it. This prevents tracing back to a specific person or household, while still allowing you to know, for example, that the visit came from the "London" or "Paris" region. It's a sine qua non condition for the exemption.

Is the 13-month cookie lifetime mandatory?

Under the CNIL's guidelines, yes — if a cookie is used, its lifetime must not exceed 13 months. Raw collected data can be retained for up to 25 months. Beyond that, only statistical aggregates (non-personal) may be kept for trend analysis. These are upper limits: retaining for shorter periods is always preferable in a data minimization approach.

Do I still need a privacy policy?

Yes, always. Consent exemption doesn't exempt you from the obligation to inform users. Your privacy policy must mention the measurement tool used, the data collected, the purposes (audience measurement), the retention period, and the right to object. This is a GDPR obligation independent of the cookie consent question.
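The IP truncation that the exemption checklist and the FAQ above both describe (delete the last octets before any storage, so that the address can no longer single out a household) is short enough to write out in full. The JavaScript below is an added example for this page, not the CNIL's guidance text or any analytics vendor's code. It zeroes the last octet of an IPv4 address, cuts an IPv6 address to its first 48 bits (the prefix length is an assumption of the example, since the checklist states no IPv6 prefix; adjust it to your DPA's guidance), handles IPv4-mapped IPv6 addresses, and runs over constructed access-log lines.

```javascript
// Added example, not CNIL or vendor code: truncate client IP addresses before
// they are stored, as the audience-measurement exemption requires.
// Assumption: a /48 prefix is what we keep for IPv6 (the page gives no IPv6
// figure); IPv4 keeps three octets, i.e. a /24.

const IPV6_KEEP_BITS = 48;

// IPv4: validate dotted-quad form and zero the last octet.
function anonymizeIPv4(ip) {
  const parts = ip.split(".");
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.slice(0, 3).join(".") + ".0";
}

// Expand an IPv6 textual address (with at most one "::") into 8 numeric groups.
function expandIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const left = halves[0] ? halves[0].split(":") : [];
  const right = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - left.length - right.length;
  if ((halves.length === 1 && missing !== 0) || (halves.length === 2 && missing < 1)) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  const groups = [...left, ...Array(missing).fill("0"), ...right];
  return groups.map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error(`invalid IPv6 group "${g}" in ${ip}`);
    return parseInt(g, 16);
  });
}

// IPv6: keep only the first keepBits bits; everything after them becomes zero.
// Output is the uncompressed 8-group form (valid, and simplest to compare).
function anonymizeIPv6(ip, keepBits = IPV6_KEEP_BITS) {
  const kept = expandIPv6(ip).map((g, i) => {
    const r = keepBits - 16 * i;      // bits of this group that survive
    if (r >= 16) return g;
    if (r <= 0) return 0;
    return g & ((0xffff << (16 - r)) & 0xffff);
  });
  return kept.map((g) => g.toString(16)).join(":");
}

// Dispatcher: IPv4, IPv4-mapped IPv6 (::ffff:a.b.c.d), or plain IPv6.
function anonymizeIp(ip) {
  const s = ip.trim();
  if (!s.includes(":")) return anonymizeIPv4(s);
  if (s.includes(".")) {
    const cut = s.lastIndexOf(":") + 1;
    return s.slice(0, cut) + anonymizeIPv4(s.slice(cut));
  }
  return anonymizeIPv6(s);
}

// Common log format puts the client address first; rewrite only that field.
function anonymizeLogLine(line) {
  const sp = line.indexOf(" ");
  if (sp < 0) return anonymizeIp(line);
  return anonymizeIp(line.slice(0, sp)) + line.slice(sp);
}

function anonymizeLog(lines) {
  return lines.map(anonymizeLogLine);
}

// Constructed sample log lines (documentation-range addresses, not real visitors).
const SAMPLE_LOG = [
  '203.0.113.42 - - [02/Mar/2026:10:15:32 +0000] "GET /pricing HTTP/1.1" 200 5123',
  '2001:db8:85a3::8a2e:370:7334 - - [02/Mar/2026:10:15:40 +0000] "GET /blog HTTP/1.1" 200 8810',
  '::ffff:198.51.100.7 - - [02/Mar/2026:10:16:01 +0000] "POST /contact HTTP/1.1" 302 0',
];

for (const line of anonymizeLog(SAMPLE_LOG)) console.log(line);
```

The important property is that truncation happens before the address is written anywhere: a raw log kept "for debugging" beside the anonymized one defeats the purpose. Hashing the full address instead of truncating it, which the checklist also allows, only helps if the hash is keyed and the key is rotated, since an unkeyed hash of a 32-bit IPv4 space can be reversed by enumeration.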