Tag: Compliance
All blog posts with this tag.
- 30 Mar, 2026
CNIL sanctions: what analytics teams should learn before launch
CNIL sanction decisions are useful because they show patterns, not just headline amounts. For analytics teams, the lesson is clear: risk rarely comes from measuring traffic in itself. It comes from unclear purposes, tracking before a valid choice, excessive collection, weak information, poor retention and provider relationships that nobody has reviewed. This article does not try to predict a fine. It gives product, marketing and legal teams a launch checklist grounded in the CNIL's public sanction list and cookie guidance.

The recurring analytics risks

1. Tracking starts too early. If advertising, personalization or advanced tracking fires before the visitor's valid choice is recorded, the compliance issue is immediate. Teams should verify scripts in the browser, not only in a tag manager diagram.
2. The purpose is too broad. "Analytics" can hide several purposes: audience measurement, ad attribution, retargeting, product analytics, support, personalization and CRM enrichment. These purposes do not carry the same risk or consent analysis. They must be separated in configuration and documentation.
3. Data is kept too long. Retention is a recurring sanction theme across CNIL decisions. Analytics teams should define retention for raw events, derived reports, exports and backups. The answer cannot be "as long as the tool allows".
4. Provider roles are unclear. The site publisher remains responsible for understanding what the provider does. Review data-processing terms, hosting, transfers, sub-processors and reuse clauses before launch.
5. The public explanation is vague. A privacy policy that only says "we use cookies to improve the experience" is not enough for a modern analytics stack. Explain the tool, purpose, data categories, retention and choice mechanism in concrete terms.
How to reduce risk before launch

Run this practical check:
- open a clean browser profile and inspect which scripts fire before any choice;
- map each tag to a purpose and owner;
- remove tags nobody can justify;
- separate minimal audience reporting from richer marketing tracking;
- document retention and export rules;
- review provider terms and transfer mechanisms;
- update privacy copy with actual tool names;
- keep evidence of the test in the release checklist.

For Pomelo, this means keeping the public promise conservative: cookieless by default, minimal collection, clear documentation, Strict first and Extended by explicit configuration.

Why this matters for SMEs

SMEs often assume enforcement only targets large platforms. The CNIL sanction list shows that smaller organizations can also be sanctioned, including through simplified procedures. The amounts differ, but the operational lesson is the same: a small team still needs traceability, minimization and a clean release process. Good analytics governance is not bureaucracy. It prevents last-minute launches from becoming privacy incidents.

Sources

Sources checked on May 9, 2026.
- CNIL, public list of sanctions, updated April 14, 2026
- CNIL, Cookies and other trackers
- CNIL, Cookies and audience measurement solutions
- 23 Mar, 2026
GDPR analytics checklist: 10 checks before installing a tracking tool
Installing analytics is easy. Governing analytics is harder. A script can be live in five minutes, but the team still needs to know what it collects, why it collects it, how long the data stays available and which choices are presented to visitors. Use this checklist before adding or changing a measurement tool. It is not legal advice. It is a practical review framework for product, marketing, engineering and privacy stakeholders.

1. Define the purpose. Write the purpose in one sentence. "Understand audience and site performance" is not the same as advertising attribution, retargeting, product behavior analysis or CRM enrichment. Separate the purposes before discussing tools.
2. Split baseline and enriched collection. Define what belongs in minimal audience reporting and what belongs in enriched tracking. Campaign parameters, detailed events, goals, technical context and multi-site segmentation should be deliberate configuration choices.
3. List the fields collected. Review the payload, not only the dashboard. Check URL, referrer, user agent, language, screen data, campaign parameters, identifiers, events and custom properties. Remove fields that do not serve the stated purpose.
4. Check tracker timing. Use a clean browser profile and inspect which scripts fire before any visitor choice is recorded. Do this on the homepage, landing pages, forms, checkout or signup flows and authenticated areas.
5. Set retention rules. Define retention for raw events, aggregated reports, exports and backups. Long retention should be justified by a real operational need, not by a vendor default.
6. Review provider terms. Confirm the provider role, hosting location, sub-processors, transfers, support access and reuse clauses. Keep the current data-processing agreement with the launch record.
7. Update public information. Your privacy policy should name the tool, describe the purpose, list the main data categories, explain retention and point to the relevant choice or objection mechanism.
8. Test Strict and Extended behavior. If your product separates Strict and Extended collection, verify both modes in the browser and in storage. Strict should not persist enriched fields. Extended should be explicit and documented.
9. Control access and exports. Analytics data often spreads through CSV exports, screenshots and shared dashboards. Restrict access to people who need it and define how exports are handled.
10. Keep evidence. Save the browser test, payload review, provider links, privacy-policy update and release owner in your launch checklist. Evidence matters when decisions are challenged later.

Pomelo launch reading

For Pomelo, this checklist translates into a simple doctrine: Strict by default, Extended by configuration, no profile mutation from reports, and clear dashboard explanations when data availability changes with collection mode.

Sources
- CNIL, Cookies and other trackers: https://www.cnil.fr/fr/cookies-et-autres-traceurs
- CNIL, Cookies and audience measurement solutions: https://www.cnil.fr/fr/cookies-solutions-pour-les-outils-de-mesure-daudience
- EDPB, Guidelines 05/2020 on consent under Regulation 2016/679: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en
- EDPB, Guidelines 07/2020 on controller and processor concepts: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en
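Checks 3, 4 and 8 above can be turned into an automated review of a captured request log. The script below is an added example, not Pomelo's own code; the field names, the Strict/Extended allow-lists and the captured requests are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed field split (not Pomelo's real schema): baseline fields that minimal
# audience reporting needs, and enriched fields that only Extended mode may keep.
BASELINE_FIELDS = {"url", "referrer", "language", "screen", "event"}
ENRICHED_FIELDS = {"utm_source", "utm_medium", "utm_campaign", "user_id", "goal", "custom"}


@dataclass(frozen=True)
class Finding:
    request: int  # index of the captured request
    check: str    # checklist item the request fails
    field: str


def audit_requests(requests, mode, choice_at=None):
    """Audit captured analytics requests (check 3: unknown fields, check 4:
    enriched tracking before the visitor's choice, check 8: Strict mode
    persisting enriched fields). Each request is {"t": seconds since page
    load, "payload": {...}}; choice_at is when the choice was recorded
    (None means it never was, so every request counts as before the choice)."""
    findings = []
    for i, req in enumerate(requests):
        before_choice = choice_at is None or req["t"] < choice_at
        for field in sorted(req["payload"]):
            if field not in BASELINE_FIELDS | ENRICHED_FIELDS:
                findings.append(Finding(i, "3-undocumented-field", field))
            elif field in ENRICHED_FIELDS:
                if before_choice:
                    findings.append(Finding(i, "4-enriched-before-choice", field))
                if mode == "strict":
                    findings.append(Finding(i, "8-strict-persists-enriched", field))
    return findings


def strip_to_mode(payload, mode):
    """Remediation for check 8: keep only the fields the collection mode allows."""
    allowed = BASELINE_FIELDS if mode == "strict" else BASELINE_FIELDS | ENRICHED_FIELDS
    return {k: v for k, v in payload.items() if k in allowed}


# Constructed capture from a clean browser profile; the choice is recorded at t=2.0s.
SAMPLE_CAPTURE = [
    {"t": 0.1, "payload": {"url": "/", "referrer": "", "language": "fr"}},
    {"t": 0.4, "payload": {"url": "/pricing", "utm_source": "newsletter"}},
    {"t": 3.2, "payload": {"url": "/signup", "event": "signup", "fingerprint": "abc"}},
]

if __name__ == "__main__":
    for f in audit_requests(SAMPLE_CAPTURE, "strict", choice_at=2.0):
        print(f"request {f.request}: {f.check} ({f.field})")
```

Keep the findings output with the browser test as the evidence check 10 asks for.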
- 16 Feb, 2026
Cookieless 2026: why SMEs can move faster when analytics stays small
Large organizations often need months to change analytics tools. They have tag managers, consent platforms, data warehouses, agency workflows, advertising pixels, dashboards and historical reporting commitments. SMEs usually have less legacy. That can be an advantage if they keep the migration disciplined. Cookieless analytics is not magic. It is a product and governance choice: collect less, document more clearly, and focus on reports the team actually reads.

Why SMEs can move faster

SMEs usually have fewer stakeholders, fewer custom tags and fewer legacy dashboards. A small team can audit its measurement stack in a day, remove unnecessary scripts and agree on a simpler reporting model. The advantage is not size by itself. The advantage is decision speed. A founder, marketing lead, product manager and developer can sit together and decide what is genuinely needed for launch.

The practical playbook

Start with four questions:
- Which decisions will analytics support each week?
- Which fields are necessary for those decisions?
- Which fields belong only in enriched collection?
- Who owns future changes to the tracking plan?

Then implement the simplest baseline possible. Page views, sources, top content, key actions and trend comparison are enough for many SME sites. Campaign details, advanced goals, technical slices and multi-site segmentation should be added deliberately when they create real value.

What to avoid

Avoid rebuilding the complexity you were trying to escape:
- installing multiple analytics scripts for the same question;
- keeping old pixels "just in case";
- collecting campaign parameters nobody reviews;
- adding custom events before the team has defined success;
- presenting privacy posture as a generic guarantee instead of documenting the setup.

Where Pomelo fits

Pomelo's launch doctrine is Strict by default and Extended by configuration. That fits SMEs that want useful reporting without expanding the tracking stack unnecessarily; compliance still depends on the site's documented configuration. Strict should answer the baseline questions. Extended should be reserved for richer acquisition, events, goals and technical context. The setting belongs in site collection settings, not inside reports.

Sources

Sources checked on May 9, 2026.
- CNIL, Cookies and audience measurement solutions
- CNIL, Cookies and other trackers
- Google, Consent Mode overview
- Pomelo, GDPR audience measurement framework article