Tag: Gdpr
All blog posts with this tag.
- 16 Mar, 2026
€487M in CNIL Fines 2025: What Your Analytics Actually Risks
On February 9, 2026, France's CNIL published its 2025 sanctions report. One number tells the story: €487 million in fines issued in a single year, roughly nine times the 2024 total. And it's no accident: cookies and audience measurement tools now account for over a quarter of sanctions (21 out of 83). If you use Google Analytics, Hotjar, or any tracking tool on your website, you're potentially affected. Not because you're malicious, but because the rules have changed, enforcement has intensified, and "I didn't know" is no longer an acceptable defense.

The two largest fines of 2025 target giants: Google (€325 million) and Shein (€150 million). But of the 83 sanctions issued, 67 targeted smaller organizations through the simplified procedure, with amounts between €5,000 and €20,000. Less spectacular, but just as real for an SME or e-commerce business.

This article decodes the 2025 CNIL report, identifies the three most common grounds for sanctions, and explains concretely what you risk with your current analytics setup. Because waiting for a formal notice to arrive is already too late.

The 2025 CNIL Report in Numbers: Record High

€487 Million: Nine Times More Than 2024

In 2024, the CNIL issued €55 million in fines. In 2025, that amount was multiplied by nine. This explosion is explained by two record sanctions:
- Google: €325 million for advertisements inserted between Gmail emails without consent, and for cookies placed during Google account creation without valid consent from French users.
- Shein: €150 million for cookies placed without consent on its e-commerce site.

These two sanctions alone represent €475 million, or 97.5% of the total. The remaining €12 million is spread across 81 other decisions, and it's this "long tail" that directly concerns SMEs, startups, and web agencies.

83 Sanctions Issued, 67 via Simplified Procedure

The CNIL rendered 259 decisions in 2025, including 83 sanctions. Among these 83 sanctions, 67 were issued via the simplified procedure.
This procedure, introduced by the law of 21 February 2022, allows quick processing of cases without particular complexity, with fines capped at €20,000. Concretely, this means most sanctions don't target multinationals but mid-sized actors: e-commerce sites, publishers, agencies, B2B SaaS. Organizations with neither dedicated legal departments nor budgets for specialized law firms. The CNIL's message is clear: compliance isn't negotiable, regardless of your size. The argument "we're too small to be audited" no longer holds.

21 Cookie-Related Sanctions: Over a Quarter of the Total

Of the 83 sanctions, 21 specifically concern failures to comply with cookie and tracker rules. That's 25% of the total, making cookies the second most common ground for sanctions after data security (data breaches, insufficient security measures).

Analytics cookies, the ones you install to measure your audience, aren't spared. Even if your objective is legitimate (understanding where your traffic comes from, which pages work), the way you collect this data can be sanctioned. The three most commonly sanctioned types of violation are:
- Cookies placed without consent: cookies are set before the user clicks "Accept."
- Insufficient information: the consent banner doesn't clearly state which cookies are placed and why.
- Refusal not respected: the user refuses cookies, but they continue to be read or aren't deleted.

The Three Grounds for Sanctions That Affect Your Analytics

Ground 1: Cookies Placed Before Consent

This is the most frequent violation. You install Google Analytics (or an equivalent) on your site. By default, the script loads as soon as the page renders, before the consent banner even appears. Result: cookies are placed and data is collected before the user has given consent.

Concrete example (American Express sanction, November 2025): upon arriving at americanexpress.com/fr-fr/, several advertising cookies were placed before any interaction with the consent banner. Fine: €1.5 million.
To avoid this trap, you must:
- Block the analytics script from loading until the user has consented. A banner that appears after the script has already run changes nothing: the cookie is already set.
- Use a Consent Management Platform (CMP) that manages this blocking automatically: OneTrust, Axeptio, Cookiebot, Didomi, etc.
- Verify regularly (at least quarterly) that blocking actually works, especially after each CMS or theme update: a newly added tag, or a theme that injects its own analytics snippet, can bypass the gate without anyone noticing.

Ground 2: Insufficient or Deceptive Consent Banner

The CNIL conducted over 40 online audits in 2024 following complaints targeting "deceptive" banners, designed to nudge users toward accepting cookies rather than making an informed choice.

Most frequent defects:
- No visible "Reject" button: only "Accept" or "Customize" is displayed, and refusing requires navigating through several sub-menus.
- Asymmetric buttons: "Accept" is large, colored and eye-catching, while "Reject" is small, grayed out and discreet.
- Vague information: the banner says "We use cookies to improve your experience," without specifying which ones, why, or for how long.
- No distinction between cookies: strictly necessary cookies (cart, login) aren't separated from analytics or advertising cookies.

What's expected in 2026:
- A "Reject all" button as visible as "Accept all," with equivalent size and color.
- A clear list of purposes: "Audience measurement" distinct from "Personalized advertising."
- Information on cookie retention duration.
- A link to the privacy policy, accessible and readable.

Ground 3: Consent Refusal Not Respected

The user clicks "Reject," but cookies continue to be read or aren't deleted from the browser. This is exactly what American Express was sanctioned for: even after refusal, previously placed cookies continued to be read. This violation is particularly serious because it betrays user trust. The user explicitly said "no," and you override it.

To be compliant:
- When the user refuses, all non-strictly-necessary cookies must be deleted from the browser (via JavaScript). Be aware of what page script can and cannot do: it can only expire cookies whose Domain and Path attributes it reproduces, and it cannot touch HttpOnly cookies or cookies that a third-party domain set itself. Those must be prevented from being set in the first place (which is what script blocking achieves) or cleared through the vendor's own opt-out.
- If the user previously accepted and then changes their mind (consent withdrawal), cookies must be deleted immediately and their reading must cease. A vendor script that is already running in the page cannot be unloaded, so the page has to be reloaded after a withdrawal; check that your CMP does this.
- Modern CMPs handle this automatically, but you need to verify the configuration is correct.

What You Actually Risk According to Your Profile

SMEs: Between €5,000 and €20,000 via Simplified Procedure

If you're a small organization (fewer than 50 employees, annual revenue under €10 million), you probably don't risk a multi-million fine. However, the simplified procedure allows the CNIL to sanction quickly, with amounts between €5,000 and €20,000. That may seem "reasonable" compared to Google's €325 million. But for an SME with tight cash flow, €15,000 in fines plus compliance costs (GDPR consultant, banner redesign, technical audit) is a serious hit. And importantly, the sanction is often published: your name, your activity and the identified violations are all visible on the CNIL website. The reputational impact can cost more than the fine itself.

E-commerce / SaaS: Risk of Intermediate Sanction (€50,000 to €500,000)

If you collect data at scale (several tens of thousands of visitors per month, a significant customer database), you're outside the scope of the simplified procedure. The CNIL can then issue "intermediate" sanctions, according to the severity of the violation and the number of people affected.

Recent examples:
- Data transfer to a social network (January 2026 sanction): €3.5 million for transmitting the data of 10.5 million loyalty program members to a social network without consent.
- France Travail: €5 million for a data breach (insufficient security).

If your e-commerce site uses Facebook, TikTok or Google Ads pixels without obtaining prior consent, you're in a high-risk zone. Transmitting personal data (email, phone) to advertising platforms without consent is now sanctioned very harshly.

Web Agencies / Freelancers: Liability as Processor

If you're a developer, integrator or web agency, you can be sanctioned as a processor under GDPR Article 28.
Your liability is engaged if:
- You install tracking tools without informing your client of their GDPR obligations.
- You misconfigure a consent banner (script blocking not activated).
- You don't document the security measures you implemented.

European DPAs have already sanctioned technical service providers. Your contract must specify:
- Who is responsible for what (client vs. provider).
- Which technical measures you implement (script blocking, form field masking, etc.).
- That you advise the client to consult a DPO or GDPR lawyer for legal aspects.

And crucially: bill for compliance work. It's not "included" in a standard web development package.

Analytics Tools Specifically in the Crosshairs

Google Analytics: The Emblematic Case

Google Analytics 4 (GA4) is the world's most-used analytics tool. It's also the one posing the most compliance problems:
- Data transfers to the United States: even though Google implemented "supplementary measures" after the Privacy Shield was invalidated, the CNIL (and other European authorities) consider that the risk of access by US authorities (FISA, CLOUD Act) persists.
- Data reuse by Google: Google can use data collected via GA4 to improve its own services, including advertising. Even if you disable data sharing, certain processing persists.
- Very broad default collection: GA4 collects far more data than necessary for simple audience measurement (advertising identifiers, device identifiers, precise location where the site or app has been granted it).

Consequence: several companies received formal notices for using Google Analytics without a valid legal basis. Some were forced to stop GA4 completely; others had to implement strict consent (no exemption possible).

If you use GA4, you must:
- Obtain explicit consent (no exemption possible).
- Disable all data sharing features with Google (Google Signals, for example).
- Know what IP handling you actually get: GA4 truncates IP addresses by design and offers no switch for it (unlike Universal Analytics, where anonymization was an opt-in setting), so there is nothing to "activate" here, and the CNIL has not treated this built-in truncation as settling the transfer question.
- Document your impact assessment (DPIA) concerning transfers outside the EU.

Or switch to a European alternative that doesn't pose these structural problems.
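The consent gate that Ground 1 and Ground 3 above call for, and that GA4 needs since no exemption applies to it, as an added example that is not part of the original article and not the code of any CMP: non-essential scripts load only after consent for their specific purpose, and a refusal or a withdrawal deletes that purpose's cookies rather than merely "not reading" them. The script URLs, the cookie prefixes (`_ga` and `_ga_<ID>` for GA4, `_fbp`/`_fbc` for the Meta Pixel) and the essential cookie names are assumptions to confirm in your own devtools; browser access goes through a small adapter so the logic can be exercised offline with the recording adapter at the end.

```javascript
// Added example, not code from the article or from any CMP vendor.
// Rules implemented: nothing non-essential loads before consent; each purpose is
// gated on its own; refusal or withdrawal deletes the purpose's cookies.

// Assumed first-party essentials (cart, login, CSRF) that must never be purged.
const ESSENTIAL_COOKIES = new Set(['session', 'csrf', 'cart']);

// Per-purpose registry. URLs and cookie prefixes are assumptions about what
// these vendors set; confirm them in the Application > Cookies tab.
const TRACKERS = {
  analytics: { src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX', cookiePrefixes: ['_ga'] },
  ads: { src: 'https://connect.facebook.net/en_US/fbevents.js', cookiePrefixes: ['_fbp', '_fbc'] },
};

// GA4 sets "_ga" plus "_ga_<MEASUREMENT_ID>": match the exact name or "<prefix>_...".
function cookieBelongsTo(name, prefixes) {
  return prefixes.some((p) => name === p || name.startsWith(p + '_'));
}

function createConsentGate(adapter, trackers = TRACKERS) {
  const consent = {};        // purpose -> true/false, last choice wins
  const loaded = new Set();  // purposes whose script has already been injected

  function purge(purpose) {
    for (const name of adapter.listCookieNames()) {
      if (ESSENTIAL_COOKIES.has(name)) continue;
      if (cookieBelongsTo(name, trackers[purpose].cookiePrefixes)) adapter.expireCookie(name);
    }
  }

  return {
    // choices looks like { analytics: true, ads: false }; returns the merged state.
    update(choices) {
      let withdrawn = false;
      for (const [purpose, granted] of Object.entries(choices)) {
        if (!(purpose in trackers)) throw new Error('unknown purpose: ' + purpose);
        consent[purpose] = granted;
        if (granted && !loaded.has(purpose)) {
          adapter.loadScript(trackers[purpose].src); // the only path that loads a tracker
          loaded.add(purpose);
        } else if (!granted) {
          purge(purpose);                            // delete, do not just stop reading
          if (loaded.has(purpose)) withdrawn = true; // vendor code is already in memory
        }
      }
      adapter.persistChoices({ ...consent });
      // A script that already ran cannot be unloaded; reload so nothing fires again.
      if (withdrawn) adapter.reload();
      return { ...consent };
    },
    rejectAll() {
      return this.update(Object.fromEntries(Object.keys(trackers).map((p) => [p, false])));
    },
    isLoaded(purpose) { return loaded.has(purpose); },
  };
}

// Real-browser adapter (sketch, not run here). Page script can only expire cookies
// whose Domain/Path it reproduces, never HttpOnly cookies or cookies a third-party
// domain set itself. Assumes a two-label registrable domain (example.com).
function browserAdapter() {
  const host = location.hostname;
  const domains = [host, '.' + host.split('.').slice(-2).join('.')];
  return {
    listCookieNames: () => document.cookie.split('; ').filter(Boolean).map((c) => c.split('=')[0]),
    expireCookie: (name) => domains.forEach((d) => { document.cookie = `${name}=; Max-Age=0; Path=/; Domain=${d}`; }),
    loadScript: (src) => { const s = document.createElement('script'); s.async = true; s.src = src; document.head.appendChild(s); },
    persistChoices: (c) => localStorage.setItem('consent_choices', JSON.stringify(c)),
    reload: () => location.reload(),
  };
}

// Recording adapter over a constructed cookie jar, to verify the gate offline.
function createRecordingAdapter(initialCookies) {
  const cookies = new Set(initialCookies);
  const log = { loaded: [], expired: [], reloads: 0, persisted: null };
  return {
    log,
    listCookieNames: () => [...cookies],
    expireCookie: (name) => { cookies.delete(name); log.expired.push(name); },
    loadScript: (src) => log.loaded.push(src),
    persistChoices: (c) => { log.persisted = c; },
    reload: () => { log.reloads += 1; },
  };
}
```

With the recording adapter, granting only `analytics` loads one script and expires `_fbp`; withdrawing `analytics` afterwards expires `_ga` and `_ga_<ID>`, leaves `session` alone and triggers a reload. The point to keep from this design is the last one: deleting the cookies is necessary but not sufficient once the vendor's code has executed.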
Hotjar, Clarity, Fullstory: The Next Wave

Session replay tools (Hotjar, Microsoft Clarity, Fullstory) are in the CNIL's crosshairs. A public consultation is ongoing until April 22, 2026 to regulate these practices. These tools record the entire user journey: clicks, mouse movements, scrolling, form inputs. It's far more intrusive than a simple analytics cookie.

If you use Hotjar without:
- Obtaining explicit consent.
- Automatically masking all sensitive form fields (passwords, banking details, health data), and verifying the masking on each form rather than assuming the vendor's default covers it.
- Limiting sampling (recording 100% of sessions is disproportionate).
- Reducing the retention period (30 days maximum).

You're in clear violation. And given the 2025 fines for simple cookies, imagine the amounts for non-compliant session replay.

Advertising Pixels (Meta, TikTok, LinkedIn)

The Facebook pixel (Meta Pixel), TikTok pixel and LinkedIn Insight Tag transmit personal data (hashed email address, phone number, browsing behavior) to advertising platforms, often located outside the EU. January 2026 sanction: €3.5 million for transmitting the data of 10.5 million loyalty program members to a social network without consent.

"Catch-all" consent ("We use cookies to improve your experience") isn't sufficient. You need specific consent for each advertising platform. If you use these pixels, your consent banner must explicitly mention: "Data sharing with Meta (Facebook, Instagram) for targeted advertising." And users must be able to refuse without losing access to the site.

Concrete Solutions to Reduce Risk to Zero (or Nearly)

Solution 1: Use a Consent-Exempt Tool

The CNIL allows a consent exemption for audience measurement tools that meet 10 strict criteria. In summary:
- Purpose strictly limited to measurement (no advertising, no data sharing).
- Anonymized or heavily pseudonymized data.
- No cross-referencing with other files.
- Limited retention period (13 months for cookies, 25 months for data).
- Hosting and processing in Europe.

If you use a tool compliant with these criteria (Matomo configured in exempt mode, AT Internet, or a privacy-first solution by design), you don't need a consent banner for analytics. You eliminate 90% of the risk. Warning: Google Analytics 4 cannot benefit from this exemption, even with a strict configuration. US transfers and reuse by Google structurally disqualify it.

Solution 2: Strictly Configure Your CMP

If you must continue with Google Analytics or other tools requiring consent, your CMP must be impeccable:
- Block all scripts until consent is given. Use a tag manager or CMP (Google Tag Manager, OneTrust, Cookiebot) that manages the blocking automatically.
- Display a "Reject all" button as visible as "Accept all," with identical size and color. Since January 2026, this is a quasi-formal obligation (CNIL recommendation on cross-device consent).
- Clearly separate purposes: don't mix "Audience measurement," "Personalized advertising," "Social networks," and "Product improvement." Each purpose should be a distinct checkbox.
- Respect refusal: if the user refuses, delete the cookies (not just "stop reading them"). Test regularly with your browser's developer tools.
- Document everything: screenshots of your configuration, purpose justification, impact assessment if you transfer data outside the EU.

Solution 3: Audit and Correct Before Inspection

The CNIL doesn't warn before an inspection. One day, you receive an email: "The CNIL has decided to conduct an inspection of your website. You have 24 hours to provide us with the following documents." It's too late to correct. If you wait for that moment to achieve compliance, you'll be sanctioned based on the state found at the time of inspection, not on what you did afterward.

Our advice: audit your site now. Free tools:
- Cookie scanners (Cookiebot, OneTrust): scan your site to identify every cookie placed.
- CNIL Cookie Checker: a tool developed by the CNIL itself (available for Chrome).
- Browser developer tools: "Application" tab > "Cookies." Verify nothing is placed before consent. Check the "Network" tab as well: a request to a third-party collection endpoint before consent means the visitor's IP address and page URL have already left your site, cookie or no cookie.

Correct the identified anomalies. If you don't know how, budget €2,000 to €5,000 for a GDPR consultant or specialized agency. It's cheaper than a €15,000 fine.

What Changes in 2026 and Beyond

End of the CNIL's "Validated" Tools List

Until December 2025, the CNIL published an indicative list of analytics tools considered compliant with the consent exemption (Matomo, AT Internet, etc.). This list was withdrawn in January 2026. Now it's up to you to self-assess your tool. The CNIL published an online self-assessment tool in July 2025 that walks you through the 10 criteria. You must document this self-assessment and keep it in case of inspection.

Consequence: even if you use Matomo, you must verify that your configuration meets the criteria. Installing Matomo isn't enough. You must disable certain features (precise geolocation, cross-site tracking, etc.) to stay within the exemption framework.

Intensified Cookie Audits in 2026

The CNIL's cookie action plan, launched in 2019, continues in 2026. Over 40 audits were conducted in 2024, focused on dark patterns in consent banners. For 2026, the CNIL has announced it will continue these audits, particularly on:
- High-traffic e-commerce sites.
- Media publishers (heavy reliance on programmatic advertising).
- B2B SaaS using advertising pixels for acquisition.

If your site attracts over 100,000 visitors per month, or you're in a "sensitive" sector (health, finance, media), your chances of being audited increase mechanically.

Digital Omnibus: Toward Relaxation?

The European Commission proposed a regulatory simplification package called the "Digital Omnibus" in November 2025. Among the proposals: a "whitelist" of analytics tools considered "low-risk," which could benefit from simplified consent (opt-out rather than opt-in). But be warned: this text is still under discussion in the European Parliament and Council. Adoption is likely in mid-2026, with application in 2027 at the earliest.
Meanwhile, the current rules (strict opt-in for everything not exempt) fully apply. Don't bet on a hypothetical relaxation to delay your compliance. 2026 audits will be based on 2026 rules, not 2027 ones.

Conclusion: 2026 Isn't 2019

In 2019, when the CNIL's cookie action plan launched, many thought: "They'll never audit everyone, we have time." Seven years later, €487 million in fines were issued in a single year. The "time" has run out.

If you use Google Analytics, Hotjar, advertising pixels, or any tracking tool, you have two options. Either achieve strict compliance now: consent, CMP, script blocking, documentation. Or switch to tools designed for compliance, freeing you from this permanent mental and legal burden.

Inaction costs more than action. A €15,000 fine, plus publication of the sanction, plus emergency compliance costs are far more expensive than a €3,000 preventive audit and migration to a compliant tool. The 2025 numbers aren't an accident. They're the new normal. Adapt now, or pay later.

For those seeking an analytics approach that respects the GDPR minimization and transparency principles by design, you can join Pomelo's waitlist to be informed of the launch.

FAQ

What's the difference between the normal and simplified CNIL procedures?

The simplified procedure was introduced in 2022 to process cases without particular complexity quickly. Fines are capped at €20,000 and the procedure is faster (a few months instead of 1-2 years). In 2025, 67 out of 83 sanctions were issued via this procedure, showing it mainly targets SMEs and mid-sized organizations. The normal procedure, which is longer, is reserved for complex or serious cases, with fines of up to €20 million or 4% of global annual turnover.

Can I still use Google Analytics 4 in 2026?
Yes, technically you can continue using Google Analytics 4, but under strict conditions: you must obtain explicit user consent (no exemption possible), disable all data sharing features with Google, and document an impact assessment on data transfers to the United States. GA4's IP truncation is built in and not configurable, so it is not a measure you can add on top. In practice, many organizations consider that these constraints make GA4 less attractive and prefer migrating to European alternatives like Matomo or to cookieless solutions, to avoid the legal and technical complexity.

How much does analytics compliance cost for an SME?

For a typical SME (showcase site or e-commerce with 10,000 to 100,000 visitors/month), budget between €2,000 and €5,000 for complete compliance: an initial cookie and tracker audit (€500-1,000), installation and configuration of a professional CMP (€500-1,500), drafting or updating the privacy policy (€500-1,000), and possibly migration to a compliant analytics tool (€500-2,000 depending on the tool chosen). If you have complex needs (multiple advertising pixels, session replay, transfers outside the EU), the budget can rise to €10,000-15,000. It's an investment, but significantly less than a €15,000 fine plus the reputational impact.

What signals can trigger a CNIL audit?

Several factors increase your chances of being audited: high traffic volume (over 100,000 visitors/month), a complaint from a user or an association (such as NOYB), a sensitive sector (health, finance, media, large-scale e-commerce), presence in the news (funding round, media controversy), or having been sanctioned before. The CNIL also conducts thematic audits: in 2024-2025, the focus was on cookies and dark patterns in consent banners. In 2026, audits continue on this theme, with particular attention to session replay tools.

Does the consent exemption for audience measurement apply to all analytics tools?
No, the exemption only applies to tools that strictly meet the 10 criteria defined by the CNIL: purpose limited to audience measurement (no advertising), anonymized or heavily pseudonymized data, no cross-referencing with other files, limited retention period (13 months for cookies, 25 months for logs), hosting in Europe, clear user information, and no transfers outside the EU. Google Analytics 4 cannot benefit from this exemption because of transfers to the United States and data reuse by Google. Matomo can benefit if it is properly configured (exempt mode activated). Since January 2026, there is no longer an official list of validated tools: you must self-assess your tool via the CNIL's online tool.

Sources
- CNIL, "Sanctions and corrective measures: CNIL's actions in 2025", February 9, 2026 (https://www.cnil.fr/en/investigation-powers-cnil/sanctions-issued-cnil)
- CNIL, "Cookies and advertisements inserted between emails: GOOGLE fined 325 million euros by the CNIL", September 1, 2025 (https://www.cnil.fr/en/cookies-and-advertisements-inserted-between-emails-google-fined-325-million-euros-cnil)
- CNIL, "Cookies deposited without consent: the CNIL sanctions SHEIN with a fine of 150 million euros", September 2025
- CNIL, "Cookies: AMERICAN EXPRESS fined €1.5 million by the CNIL", November 27, 2025 (https://www.cnil.fr/en/cookies-american-express-fined-eu15-million-cnil)
- CNIL, "Transfer of data to a social network for advertising purposes: the CNIL imposed a fine of €3.5 million", January 22, 2026 (https://www.cnil.fr/en/transfer-data-social-network-advertising-purposes-cnil-imposed-fine-eu35-million)
- La Cité Apprenante, "Bilan CNIL : Cookies, surveillance des salariés et sécurité des données, principaux sujets des sanctions en 2025", February 2026 (https://www.laciteapprenante.com/bilan-cnil-cookies-surveillance-des-salaries-et-securite-des-donnees-principaux-sujets-des-sanctions-en-2025/)
- Haas Avocats, "Sanctions CNIL et cookies : comment sont fixées les amendes ?", January 21, 2026 (https://www.haas-avocats.com/protection-des-donnees/sanctions-cnil-et-cookies-comment-sont-fixees-les-amendes/)
- 09 Mar, 2026
GDPR analytics checklist: 10 compliance checks before installing any tracking tool
You just installed an analytics tool on your website. The script is live, data is flowing, the dashboard is coming to life. Everything looks fine. Except nobody on the team checked whether this setup complies with European data protection law.

And this is not a minor oversight: in 2025, France's data protection authority (CNIL) imposed a record €487 million in fines, with 21 sanctions specifically targeting cookies and trackers. Cookies were the single largest enforcement category, ahead of data security and employee surveillance.

The problem is rarely the tool itself. It is how the tool is configured, documented and used. A tool that is compliant "on paper" can become non-compliant in three clicks if the default settings are left untouched.

This checklist gives you ten concrete points to verify the GDPR compliance of your analytics setup, whether you use Google Analytics 4, Matomo, Plausible, or any other tool. It is written for website owners, marketing leads and DPOs who want to make sure their audience measurement does not create an avoidable legal risk.

1. Is the purpose strictly limited to audience measurement?

This is the foundation of any analytics compliance assessment. Article 5(1)(b) of the GDPR requires that personal data be collected for specified, explicit and legitimate purposes. For an analytics tool, this means data must be used exclusively to understand how visitors interact with the site: pages viewed, traffic sources, load times, navigation errors. Nothing else.

In practice, scope creep is common. Many analytics tools let you enable remarketing, ad targeting or CRM cross-referencing. The moment any of these features is activated, you leave the territory of strict audience measurement. You lose eligibility for the consent exemption (more on this in point 2) and must deploy a full cookie consent banner.

What to verify: document the exact purpose in your Record of Processing Activities (Article 30 GDPR).
If the stated purpose reads "audience measurement and marketing optimization," it is too broad. The wording should be limited to producing anonymous statistics for the exclusive benefit of the site publisher. If you use analytics alongside an advertising tool (Meta Pixel, Google Ads), both processing activities must be listed separately in your records, with distinct legal bases.

2. Is the legal basis correctly identified?

The GDPR provides six possible legal bases for processing personal data (Article 6). For analytics, two scenarios dominate.

Scenario A: consent exemption. If your tool is configured to meet the strict criteria set by your national data protection authority (in France, the CNIL), you may rely on legitimate interest (Article 6(1)(f)) on the GDPR side, combined with the audience measurement exemption from the consent requirement of Article 5(3) of the ePrivacy Directive (transposed in each EU member state). In this case, no cookie banner is needed for analytics. This is the most favorable scenario, which we detail in our guide to the CNIL consent exemption.

Scenario B: consent. If your tool collects data for purposes beyond strict measurement (profiling, advertising, third-party sharing), user consent is mandatory before any tracker is placed. This consent must be freely given, specific, informed and unambiguous (Article 4(11) GDPR), under the conditions set by Article 7. In practice, this requires a compliant cookie banner with a "Reject" button as prominent as the "Accept" button. The CNIL regularly sanctions non-compliant consent mechanisms: in 2025, fines of €325 million and €150 million were imposed for cookie-related violations.

What to verify: determine which scenario applies to you. If you are unsure, it is almost certainly Scenario B. And if you claim the exemption, be prepared to demonstrate it in writing. Since January 2026, the CNIL no longer publishes an official list of "approved" tools. Each publisher must now prove its own compliance, notably through the self-assessment framework published by the CNIL.
Other European authorities (the ICO in the UK, which applies UK GDPR and PECR, and within the EU the Austrian DSB and the Spanish AEPD, among others) apply similar principles under the ePrivacy Directive and its transpositions, though the specific criteria vary.

3. What cookies and trackers are actually being placed?

Many sites claim to use "cookieless" analytics while their configuration actually deposits trackers in the browser. The reverse also happens: a properly configured tool paired with a CMP (Consent Management Platform) that triggers undeclared third-party scripts on its own. The only way to know what is really happening is to check for yourself.

What to verify: open your site in a private browsing window. Open the developer tools (F12 in Chrome or Firefox), go to the "Application" tab (called "Storage" in Firefox), then "Cookies." Note every cookie deposited before any interaction with the consent banner. Also check the "Network" tab to identify requests sent to third-party domains. If cookies are placed before consent and they do not correspond to a tracker strictly necessary for the site to function, that is a violation. If your analytics tool is supposed to work without cookies but you see a persistent identifier in localStorage or sessionStorage, that is still a tracker under the ePrivacy Directive: Article 5(3) covers any information stored in or read from the user's terminal, not only cookies. For a more thorough audit, tools like the Cookiebot scanner or browser extensions such as Ghostery can automatically scan the trackers deployed by your site.

4. Does the tracker lifespan comply with regulatory limits?

The CNIL is explicit: the lifespan of an audience measurement tracker must not exceed 13 months. And this duration must not be automatically renewed on subsequent visits. This rule is one of the most frequently ignored. Google Analytics 4, for example, renews the duration of its cookies by default on every visit: the `_ga` cookie is set for two years and its expiry is pushed forward on each hit. This behavior is incompatible with the consent exemption. Matomo offers a similar option that must be manually disabled. Other EU authorities apply comparable limits.
The general principle across the EU is that tracker lifespans must be proportionate and limited to what is necessary for meaningful audience comparison over time.

What to verify: check your tool's documentation for the default cookie duration. Confirm that the active configuration does not extend trackers beyond the applicable limit. If your tool allows it, set a shorter duration (some privacy-first tools use 24-hour or 30-day windows, which are compliant by design). Tools that operate without persistent cookies, such as the cookieless solutions described in our comparison, bypass this constraint entirely since there is no tracker to expire.

5. Is data retention within the authorized limits?

Tracker lifespan (point 4) and data retention are two separate topics. The CNIL recommends that information collected through analytics trackers be retained for a maximum of 25 months. Beyond that period, raw data (individual events, session identifiers) must be deleted or irreversibly aggregated. Aggregated statistics (total visits per month, top pages) can be kept longer, as they no longer contain personal data.

What to verify: check the data retention settings in your analytics tool. Google Analytics 4 offers configurable durations (2 months or 14 months for user-level data). Matomo allows automatic deletion of raw logs. If your tool does not offer automatic purging, set up a documented manual procedure. The regulatory recommendation of periodic review means you must also be able to justify why you retain data for the duration you have chosen. If 6 months meets your needs, do not configure 25 months "just in case." The principle of data minimization applies to duration, not just volume.

6. Is data hosted within the European Economic Area?
This is the question that triggered a wave of enforcement actions across Europe in 2022, when several data protection authorities (including the CNIL, the Austrian DSB and the Italian Garante) ruled that using Google Analytics resulted in data transfers to the United States that were incompatible with the GDPR, following the invalidation of the EU-US Privacy Shield. Since July 2023, the EU-US Data Privacy Framework (DPF) has restored a legal basis for transfers. But this framework faces legal challenges (NOYB announced a challenge before the CJEU upon its adoption), and there is no guarantee it will survive, given that its two predecessors (Safe Harbor and Privacy Shield) were both struck down.

What to verify: identify where the data collected by your analytics tool is physically hosted. If the provider is US-based, check whether it is certified under the DPF and document this verification. For maximum legal certainty, choose a provider with exclusively European hosting, which makes the transfer question moot. The CNIL notes that when using a tool involving transfers, a server-side proxy can serve as a supplementary measure, provided it is correctly configured to prevent any identifiable data from reaching the provider's servers (the CNIL's own guidance requires, among other things, that the proxy strip the IP address and replace the user identifier before forwarding). As we explain in our article on the 5 essential analytics KPIs, the question is not purely legal: European hosting also reduces latency and improves dashboard performance.

7. Is the data processor governed by a compliant contract?

Article 28 of the GDPR requires that any processing carried out by a processor on behalf of a controller be governed by a specific contract or legal act. This is commonly known as a DPA (Data Processing Agreement). For analytics, the processor is your tool provider (Google, Matomo Cloud, Plausible, Fathom, etc.). The DPA must specify the processing purposes, the nature of the data processed, security measures, sub-processors and breach notification obligations.
What to verify: have you signed (or accepted online) a DPA with your analytics provider? If so, read it. Pay particular attention to three sensitive points. First: does the provider commit to not reusing the data for its own purposes? This is a disqualifying criterion for the consent exemption. The CNIL explicitly cites the privacy policies of several major analytics offerings that indicate data reuse for their own services. Second: is the list of sub-processors accessible and up to date? You need to know who processes your data downstream. Third: are the data breach notification clauses consistent with Article 33 GDPR? The 72-hour deadline in Article 33(1) binds you as the controller; the processor's own duty under Article 33(2) is to notify you "without undue delay," so the contract should fix a concrete deadline that leaves you time to meet yours.

8. Is user information complete and accessible?

Even if you benefit from the consent exemption, you are not exempt from informing your visitors. The CNIL recommends that users be informed about the deployment of these trackers, for example through the site's privacy policy. Article 13 of the GDPR lists the mandatory information: identity of the controller, purposes, legal basis, recipients, retention periods, data subject rights (access, rectification, erasure, objection). For analytics, you should also specify the tool name, the nature of the data collected (pages viewed, visit duration, device type, approximate geolocation, etc.) and the DPO's contact details if applicable.

What to verify: reread your "Privacy Policy" or "Legal Notice" page. Is analytics mentioned? Is the information current (correct tool, correct purposes, correct retention periods)? If your privacy policy is a generic template mentioning Google Analytics when you switched to Matomo two years ago, that is a breach of the information obligation. A practical tip: add a dedicated "Audience measurement" section to your privacy policy, specifying the tool name, the legal basis, the tracker duration and the data retention period. This level of clarity is what separates a compliant site from one that merely displays a banner.

9. Is data cross-referencing excluded?
This is one of the strictest criteria for the consent exemption: data collected by the analytics tool must not be cross-referenced with other processing activities, nor shared with third parties. This concretely prohibits several common practices: matching analytics data with a CRM to identify users, sharing identifiers with an advertising platform, using the same cookie for analytics and retargeting, or sending data to a social network to build lookalike audiences. It also prohibits cross-site tracking: the same identifier cannot be used to measure navigation across different domains. If you manage multiple sites, each property must be isolated with independent trackers.

What to verify: Review the active integrations in your analytics tool. Have you enabled the link between GA4 and Google Ads? Between GA4 and BigQuery with CRM data? These connections, even if not actively exploited, are enough to disqualify the exemption. If you use UTM parameters or campaign tags in your URLs, verify that this information stays within the analytics perimeter and is not shared with third-party tools. The principle is simple: what goes into analytics must stay in analytics. For practical guidance on measuring campaign performance without cross-referencing data, see our article on SEO without Google Analytics.

10. Is the configuration documented and auditable?

This is the point everyone forgets. GDPR compliance is not a fixed state. It is an ongoing process that must be documented, auditable, and periodically reviewed. Since January 2026, the CNIL's shift in approach is clear: it no longer validates tools. It is up to each publisher, with support from its provider if needed, to demonstrate that the deployed configuration is compliant. The self-assessment tool published by the CNIL in July 2025 is now the central mechanism for verifying exemption eligibility.
What to verify: Maintain an internal document (even a simple one) describing your analytics configuration: tool name, version, active settings, purposes, legal basis, retention periods, hosting location, processors. Date it. Update it with every change. If the regulator ever asks, or if a user exercises their right of access, you need to be able to respond within minutes. Schedule an annual audit of your analytics configuration. Verify that settings have not changed after a tool update, that third-party integrations have not been enabled by a team member, and that your retention periods are still being respected. Finally, if you use an external agency to manage your analytics, make sure that compliance responsibility is clearly assigned in your contract. The data controller is you, not your agency.

Quick verification grid

Here are the 10 points condensed. If you can answer "yes" to each question, your analytics setup is solid. Every "no" or "I don't know" identifies a risk to address.

- Is the purpose strictly limited to audience measurement?
- Is the legal basis identified and documented?
- Do you know exactly which cookies and trackers are being placed?
- Does the tracker lifespan comply with the 13-month limit?
- Is raw data retained for 25 months or less?
- Is data hosted in the EEA, or is the transfer legally covered?
- Is a DPA signed with your provider, with no data reuse?
- Does your privacy policy mention analytics?
- Is no cross-referencing performed with other processing activities?
- Is the configuration documented and regularly audited?

Two common mistakes to avoid

"My tool is compliant, so my site is compliant."

No. A tool can be compliant in one configuration and non-compliant in another. Compliance depends on your settings, not on the logo on the box. Matomo can be compliant or not depending on its configuration. Google Analytics can be used with supplementary measures (proxy, restrictive settings) or triggered only after consent. It is the configuration that matters.
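Two of the grid items, the 13-month tracker lifespan and the isolation of each property with its own trackers, can be checked mechanically against the Set-Cookie headers your site actually returns rather than against what the vendor documentation promises. The block below is an added example written for this page; it is not code from the article or from any analytics vendor. The parser, the reading of "13 months" as 395 days, the cookie names, the header values and the host shop.example.com are all constructed for the illustration.

```javascript
// Added example (not code from the original article): parse the Set-Cookie
// headers a page sends and check two items from the grid above, the 13-month
// tracker lifespan and per-site isolation. Names and sample cookies are
// constructed for this example.

// 13 months, counted here as 395 days (assumption made for the check).
const MAX_TRACKER_LIFETIME_SECONDS = 395 * 86400;

// Minimal Set-Cookie parser: name/value plus the attributes the audit needs.
function parseSetCookie(header, now = new Date()) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    domain: null,          // null: host-only cookie
    path: '/',
    secure: false,
    httpOnly: false,
    sameSite: null,
    maxAgeSeconds: null,   // null: session cookie, gone when the browser closes
  };
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age') cookie.maxAgeSeconds = Number(val);
    else if (key === 'expires') expires = new Date(val);
    else if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val;
  }
  // RFC 6265: Max-Age takes precedence when both attributes are present.
  if (cookie.maxAgeSeconds === null && expires && !Number.isNaN(expires.getTime())) {
    cookie.maxAgeSeconds = Math.round((expires.getTime() - now.getTime()) / 1000);
  }
  return cookie;
}

// Audit a list of Set-Cookie header values received by the site at siteHost.
function auditTrackerCookies(headers, siteHost, now = new Date()) {
  const findings = [];
  for (const header of headers) {
    const c = parseSetCookie(header, now);
    if (c.maxAgeSeconds !== null && c.maxAgeSeconds > MAX_TRACKER_LIFETIME_SECONDS) {
      findings.push({
        cookie: c.name,
        issue: 'lifespan-exceeds-13-months',
        detail: `${Math.round(c.maxAgeSeconds / 86400)} days`,
      });
    }
    // A cookie scoped to a parent domain is readable by every site under it,
    // which defeats the "independent trackers per property" requirement.
    if (c.domain && c.domain !== siteHost && siteHost.endsWith('.' + c.domain)) {
      findings.push({ cookie: c.name, issue: 'shared-across-sites', detail: `Domain=${c.domain}` });
    }
  }
  return findings;
}

// Constructed sample: what a browser might receive on a first visit.
const SAMPLE_NOW = new Date('2026-03-01T00:00:00Z');
const SAMPLE_HEADERS = [
  '_va_id=8f3c1b2d; Max-Age=63072000; Path=/; Domain=.example.com; Secure; SameSite=Lax', // 730 days, parent domain
  '_va_ses=1; Path=/; Secure; SameSite=Strict',                                             // session cookie
  '_va_visitor=c0ffee; Expires=Mon, 01 Mar 2027 00:00:00 GMT; Path=/; Secure',              // 365 days
  '_va_alt=d00d; Max-Age=34214400; Path=/; Secure',                                          // 396 days
];

function runSampleAudit() {
  return auditTrackerCookies(SAMPLE_HEADERS, 'shop.example.com', SAMPLE_NOW);
}

console.log(runSampleAudit());
```

Feed it the Set-Cookie values from your own response headers (the browser's network panel shows them verbatim). Cookies written by a script through document.cookie never pass through a response header, so the same check has to be applied to the string the tracking script writes; the 13-month cap applies to both.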
As we discuss in our analysis of data obesity, the instinct to "collect everything by default" is precisely what the GDPR was designed to counter.

"I'm too small to be audited."

The CNIL's simplified procedure, operational since 2022, allows for rapid handling of straightforward cases, including against very small businesses. Fines are capped at 20,000 euros under this procedure, but they do happen: in 2025, the CNIL issued 67 decisions through this track. The risk is not proportional to your size. It is proportional to your visibility and the number of complaints received.

Conclusion: compliance as an advantage, not a burden

Verifying these ten points takes a few hours, not a few weeks. And the payoff goes well beyond legal compliance. A site with properly configured analytics inspires greater trust. The data collected is more reliable, because it is not polluted by unnecessary scripts or phantom trackers. The technical footprint is lighter. And if you meet the conditions for the consent exemption, you eliminate the cookie banner for analytics, which directly improves user experience and data completeness, as we explain in our guide to the consent exemption. Compliance is not an obstacle to measurement. It is the foundation on which trustworthy audience measurement is built.

FAQ

Does my personal site or blog need this checklist?

Yes, as soon as you collect browsing data through any analytics tool, even a free or self-hosted one. The GDPR applies to anyone processing personal data of European residents, regardless of the organization's size. That said, if your tool places no cookies, collects no IP addresses, and enables no identification (even indirect), the practical risk is very low.

Can Google Analytics 4 be GDPR-compliant?

Technically, it is possible to configure GA4 in ways that significantly reduce risk: IP anonymization, disabling Google signals, no link to Google Ads, consent obtained before the script fires.
However, GA4 is not eligible for the consent exemption in its standard configuration, because Google states that it reuses data for its own services. You will therefore need a cookie banner and will only collect data from visitors who accept.

What is the difference between anonymization and pseudonymization?

Pseudonymization replaces a direct identifier (name, email) with an indirect one (hash, token). The data remain personal data because re-identification is theoretically possible. Anonymization renders re-identification impossible and irreversible, even through cross-referencing. Only truly anonymized data fall outside the scope of the GDPR. This distinction is critical for analytics: pseudonymized data remain subject to the GDPR and must comply with retention limits.

How do I know if my tool qualifies for the consent exemption?

Since January 2026, the CNIL no longer publishes a list of validated tools. Your solution provider can perform a self-assessment using the framework published by the CNIL in July 2025 and provide you with a compliance attestation. It is then your responsibility as the publisher to verify that your actual configuration matches that assessment. Other EU authorities apply similar principles; check with your national DPA for specific guidance. When in doubt, the safest approach is to obtain consent.

How often should I re-audit my analytics configuration?

At minimum once a year, or whenever a significant change occurs: tool update, new third-party integration, change of provider, change of purpose.
The CNIL recommends periodic review of retention periods, which implies at least an annual documented review.

Sources

- CNIL, "Cookies: solutions pour les outils de mesure d'audience," deliberation of July 4, 2025 (https://www.cnil.fr/fr/cookies-solutions-pour-les-outils-de-mesure-daudience)
- CNIL, "Mesurer la fréquentation de vos sites web et de vos applications" (https://www.cnil.fr/fr/mesurer-la-frequentation-de-vos-sites-web-et-de-vos-applications)
- CNIL, Self-assessment tool for audience measurement solutions, July 2025 (https://www.cnil.fr/sites/default/files/2025-07/outil_d_auto-evaluation_mesure_d_audience.pdf)
- CNIL, "Mesure d'audience et transferts de données: comment mettre son outil en conformité avec le RGPD" (https://www.cnil.fr/fr/mesure-daudience-et-transferts-de-donnees-comment-mettre-son-outil-de-mesure-daudience-en-conformite)
- L'Usine Digitale, "Avec 487 millions d'euros d'amendes en 2025, la CNIL sanctionne moins mais frappe beaucoup plus fort," February 9, 2026 (https://www.usine-digitale.fr/reglementation/gdpr-rgpd/avec-487-millions-deuros-damendes-en-2025-la-cnil-sanctionne-moins-mais-frappe-beaucoup-plus-fort)
- Optimal Ways, "Nouvelles règles CNIL sur les solutions de mesure d'audience," December 2025 (https://www.optimalways.com/fr/2025/09/cnil-consentement-mesure-audience/)
- 04 Mar, 2026
Piwik PRO kills its free plan: deadline extended to March 31, but the end is final
February 28, 2026 was supposed to be the deadline. Piwik PRO was ending its free Core plan, forcing users to either upgrade or find something else. Then, on March 3 -- three days after that date -- the company emailed its users with a one-month extension: the new deadline is March 31, 2026. The company cited the volume of users who had reached out asking for more time, and wanted to ensure everyone had a fair chance to preserve their data.

One more month. But Piwik PRO is explicit: no further extensions will be granted. The Core plan is gone -- this extra time only changes the schedule, not the decision that needs to be made. For the tens of thousands of organisations that relied on this tool, the core message is unchanged: move to the Business plan at €35/month, or look elsewhere. The extension buys time; it changes nothing fundamental.

This matters. Piwik PRO was one of the few analytics platforms to combine serious GDPR compliance, European hosting, and free access. Its Core plan represented a credible entry point into privacy-first analytics for SMEs, agencies, and independent developers -- without budget approval processes or finance negotiations. That door closes in a month. And it illustrates something many overlook: a freemium without a viable business model doesn't eliminate costs -- it defers them. What Piwik PRO offered for years without sustainable funding had to be paid for eventually. Now it is -- seven years late.

This article covers what happened, why it matters, and which serious alternatives exist if your organisation was on the Core plan.

What happened: the full timeline

August 2025: the official announcement

In August 2025, Piwik PRO announced a complete pricing overhaul. The free Core plan -- available since the platform's commercial launch -- would be discontinued. A new two-tier structure (Business and Enterprise) would apply to new accounts from August 4, 2025, and to existing Core accounts from December 2025.
The stated rationale: delivering a unified platform combining analytics, tag management, consent management, and data activation. In practice, Piwik PRO decided to pivot toward a more complex, integrated offering that couldn't coexist with a freemium model.

December 2025: forced migration

In December 2025, all free Core accounts were transitioned to the Business plan. Existing users were offered transition discounts to soften the move. The underlying message was unchanged: the free tier is over.

February 28, 2026: the first deadline

February 28 arrived. Piwik PRO's website displayed a persistent banner: "Free Core plan ends February 28. Existing users must upgrade to Business or Enterprise plan before this date to preserve data and continue tracking."

March 3, 2026: a one-month extension under pressure

Three days later, Piwik PRO emailed Core users. User pressure had clearly played a role -- many had contacted the company saying they needed more time to complete their migration. The new deadline is March 31, 2026. Piwik PRO specifies this is the final deadline, with no further extensions.

The scale: 28,000 organisations affected

According to the same email, over 28,000 organisations had been using the free Core plan since its launch. That figure shows how widely adopted the plan had become -- and how significant the disruption is for a meaningful portion of Europe's analytics ecosystem. The fact that an extension was necessary confirms many hadn't anticipated the urgency.

The economics of freemium: why this model always breaks

Google Analytics created an impossible expectation

Google Analytics being free is not generosity. It's a business model: you pay with your data and your visitors' data, which feeds one of the largest advertising ecosystems in the world.
This implicit contract is documented, contested, and at the root of most analytics-related GDPR enforcement across Europe over the past several years -- from the French CNIL to the Austrian DSB, the Italian Garante, and the Irish DPC. But that free tier created a market expectation: analytics should be free. Every startup positioning itself as a "privacy-first alternative to Google Analytics" had to respond to that expectation -- by offering at least a freemium tier to lower the barrier to entry. Piwik PRO did. Plausible did it through its self-hostable open source model. Matomo still does with its self-hosted version.

Piwik PRO chose a different game

The decision to remove the free tier reflects a clear strategic repositioning. Piwik PRO is no longer pursuing SMEs with an accessible entry-level offer. It's targeting mid-to-large organisations in regulated sectors -- healthcare, finance, public sector -- that need a unified platform: analytics, tag management, consent, data activation. Analyst Brian Clifton, who joined Piwik PRO's advisory board in 2025, made this point clearly in his July 2025 analysis: only companies of the scale of Google, Microsoft, or Meta can sustainably fund a large-scale freemium model. Smaller vendors need to find their own path -- and that path often means abandoning free tiers.

The real cost of the switch

For an organisation on the Core plan, moving to Business means a minimum of €35/month, or €420/year. That's the entry price; the actual bill depends on the number of domains and data volumes involved. For a larger company, that's manageable. For a small NGO, a solo consultant, or a side project, it's a budget line that didn't exist before and now needs to be justified. And for organisations running multiple domains, the costs quickly exceed the entry tier.

What Piwik PRO Core offered -- and what you'll need to rebuild

What the Core plan actually delivered

The free Core plan wasn't trivial.
It included features that few free tools offered at this compliance level: European hosting (Elastx infrastructure in Sweden), integrated consent management, no advertising data resale, an included tag manager, and 500,000 monthly actions -- more than enough for most SME sites. It was, in short, enterprise-grade tooling at no cost. That paradox had a limit, and that limit has now been reached.

What the Business plan adds

Piwik PRO isn't just removing the free tier. The Business plan brings concrete improvements: data retention increases from 14 to 25 months. Dashboards, reports, configurations, and historical data all carry over intact during migration. EU-first hosting via Elastx in Sweden is guaranteed across all plans. For organisations that had already invested time in Piwik PRO configuration, migrating to Business may be rational -- budget permitting.

Three paths forward

If you were on the Core plan, you have three options before March 31:

Option 1: migrate to the Business plan at €35/month. The simplest path if Piwik PRO meets your needs and the budget is there. Everything carries over. Data retention improves significantly.

Option 2: switch to self-hosted Matomo. Matomo Analytics remains open source and free to self-host. You manage infrastructure, updates, and security yourself. Viable for technical teams, but the indirect cost in time and expertise is consistently underestimated.

Option 3: adopt a lighter, simpler analytics tool. If you didn't actually need Piwik PRO's full feature set -- advanced tag management, CDP, data activation -- more accessible alternatives exist. This is where the frugal analytics market becomes relevant.

A map of serious alternatives

Plausible Analytics: accessible open source

Plausible is European (Estonia-based), open source, and starts at €9/month for 10,000 page views. Its script weighs ~1 KB versus ~45 KB for GA4.
It's cookieless by default -- meaning no consent banner required under most configurations, and a straightforward path to compliance under GDPR and the ePrivacy Directive across European jurisdictions. Its limit: no native consent management or tag manager. If you relied on those features in Piwik PRO, you'll need to handle them separately.

Fathom Analytics: simple and compliant

Fathom, US-hosted with an EU option, starts at $15/month for 100,000 page views. Its positioning is explicitly around simplicity and compliance. No cookies, no fingerprinting. A solid option, though costs scale quickly with traffic volume.

Simple Analytics: unlimited retention as a differentiator

Simple Analytics (Netherlands-based) starts at $19/month for 100,000 datapoints with unlimited data retention. That last point is meaningful for organisations coming from Piwik PRO Core, where retention was capped at 14 months. If you care about multi-year trend analysis, this is a notable advantage.

Pirsch Analytics: the budget-friendly German option

Pirsch, based in Germany, starts at €5/month for 10,000 page views -- one of the lowest entry points for a European-hosted, privacy-first tool. Less well-known, but functionally sufficient for common use cases.

Comparison table

| Tool | Entry price | Volume included | EU hosting | Cookieless by default |
| --- | --- | --- | --- | --- |
| Piwik PRO Business | €35/month | Variable (actions) | Yes (Elastx/Azure) | No (banner often required) |
| Plausible | €9/month | 10k page views | Yes | Yes |
| Fathom | ~€14/month | 100k page views | Optional | Yes |
| Simple Analytics | ~€18/month | 100k datapoints | Yes (NL) | Yes |
| Pirsch | €5/month | 10k page views | Yes (DE) | Yes |
| Matomo self-hosted | Infrastructure cost | Unlimited | Depends on host | No (banner often required) |

The picture is clear. The end of Piwik PRO Core opens up a market segment. Organisations that never considered paying for analytics are now comparing options between €5 and €35/month -- and many will find that simpler, lighter, cheaper alternatives cover their actual needs.
Our comparison of Google Analytics, Matomo, and frugal analytics goes deeper if you want a more thorough evaluation.

What this episode reveals about the analytics market

Unsustainable freemium: a model that always breaks

Piwik PRO Core's end isn't an accident. It's the logical conclusion of a specific business model: large-scale freemium without sustainable funding, where free access serves as an acquisition lever without a clear path to profitability.

Two very different forms of "free" are worth distinguishing here. The first is data-funded free: Google Analytics can afford to be free because your visitors' data fuels an advertising ecosystem worth hundreds of billions of dollars. That implicit contract is documented, challenged, and the root cause of most analytics-related GDPR enforcement by European data protection authorities -- including decisions by the CNIL (France), DSB (Austria), Garante (Italy), and others under both GDPR and the ePrivacy Directive. Our guide on GDPR-compliant analytics and consent exemptions covers the regulatory landscape in detail. The second is structured free: a deliberately limited free tier, backed by a transparent business model where monetisation is explicit -- on volume, on team features, on complementary services. This approach is honest and viable; it respects users because it doesn't trap them.

Piwik PRO Core belonged to neither category. It was a generous free plan -- no meaningful volume constraints, no obvious conversion lever -- funded by investors hoping to convert users to Enterprise eventually. When that funding reaches its limit, forced migration is inevitable.

Small organisations take the biggest hit

Piwik PRO's decision hits smaller organisations hardest. A large enterprise on an Enterprise plan is unaffected by the end of Core.
A cultural association, a five-person consultancy, or an independent e-commerce operator who installed Piwik PRO because it was "free and GDPR-compliant" now faces a choice they hadn't planned for. This is exactly what frugal analytics is designed to address: simple tools, honest business models, calibrated for real needs rather than for features 90% of users will never touch. Our article on 5 essential KPIs for a frugal analytics dashboard illustrates what "measuring what matters" looks like in practice.

A signal for the whole ecosystem

Piwik PRO Core's end sends a clear signal: large-scale freemium without a coherent business model isn't a durable strategy. The privacy-first analytics tools that will survive and grow are those that build transparent business models with honest value propositions -- not those that use free access as an acquisition mechanism before forcibly repricing. For users, this means one question is worth asking before adopting any tool: how is it funded if I'm not paying? A limited free tier backed by explicit, coherent monetisation is structurally reliable. A generous freemium with no visible path to profitability is not.

What to do before March 31

Export your historical data now. Before anything else, recover your data even if you haven't decided on your next tool. Piwik PRO offers CSV exports from the dashboard. Don't lose what you've built.

Audit your actual usage. Did you actually use the tag manager, CDP, and integrated consent management? Or mainly core metrics -- visits, page views, traffic sources, conversions? If it's the latter, significantly simpler and cheaper alternatives will cover your needs.

Compare total cost of ownership, not just entry price. A €9/month tool you understand and actually use is worth more than a €35/month tool where you're using 10% of the features. Factor in configuration time, learning curve, and ongoing maintenance.

Review your compliance posture.
This transition is also a prompt to reassess your analytics setup against GDPR and ePrivacy requirements. Our 10-point GDPR analytics checklist lets you quickly identify whether your new configuration is compliant -- or needs adjustment.

Conclusion

Piwik PRO's extension to March 31, 2026 gives organisations that weren't ready a useful window. But it doesn't change what needs to happen: the free Core plan is ending, and the decision needs to be made in the next four weeks. This is also an opportunity. After years of using a tool "because it was free," this disruption forces a straightforward question: what do I actually need to run my business? The answer is often more modest than Piwik PRO -- or GA4 -- led you to believe.

The underlying issue deserves a dedicated exploration. In an upcoming article, we'll examine what a genuinely ethical analytics model looks like: basic analytics accessible for free, monetisation tied to growth and team usage, no data exploitation, no pricing traps. If that approach resonates and you're looking for a simple, privacy-first tool with an honest business model, you can join the Pomelo Analytics waitlist.

FAQ

What is the new deadline for Piwik PRO Core users?

Piwik PRO announced on March 3, 2026 a one-month extension of its original February 28 deadline. The new final deadline is March 31, 2026. The company has explicitly stated that no further extensions will be granted.

Why did Piwik PRO remove its free plan?

Piwik PRO cited the goal of delivering a unified platform combining analytics, tag management, consent management, and data activation. In practice, the freemium model was incompatible with the platform's upmarket pivot. The company now targets mid-to-large organisations in regulated industries, where enterprise pricing is more appropriate.

Was the Piwik PRO Core plan genuinely GDPR-compliant out of the box?

Not automatically. Piwik PRO Core could be configured for GDPR compliance, but required careful setup.
The platform uses cookies, meaning a consent banner was typically required. Compliance depended on how the integrated consent manager was configured by each account administrator.

What serious free alternatives exist to replace Piwik PRO?

The only genuinely serious free alternative is self-hosted Matomo Analytics. It's free as software but requires hosting and technical maintenance. For organisations without in-house technical expertise, low-cost paid alternatives -- Plausible at €9/month, Pirsch at €5/month -- offer a better cost/simplicity balance than a poorly maintained Matomo installation.

Could this happen with other privacy-first analytics tools?

Yes, but the distinction matters. The risk is highest for tools offering generous free tiers without sustainable funding -- like Piwik PRO Core. A deliberately limited free tier, backed by transparent monetisation (volume, team features, advanced capabilities), is structurally stable. The question to ask isn't "is there a free plan?" but "how is this tool funded if I'm not paying?" Business model transparency is a selection criterion in its own right.

Sources

- Piwik PRO, "Here's our new pricing structure", August 2025 (https://piwik.pro/blog/new-pricing-structure/)
- Piwik PRO Community, "Will the free Piwik Pro remain active after February 2026?", August 2025 (https://community.piwik.pro/t/will-the-free-piwik-pro-remain-active-after-february-2026/5300)
- Brian Clifton, "Piwik PRO Ends Freemium: My Take", July 2025 (https://brianclifton.com/blog/2025/07/03/piwik-pro-ends-freemium-my-take/)
- R-bloggers / rstats-tips.net, "Piwik Pro doesn't offer a free plan anymore", September 2025 (https://www.r-bloggers.com/2025/09/piwik-pro-doesnt-offer-a-free-plan-anymore/)
- Piwik PRO, "Business Plan" official page (https://piwik.pro/business-plan/)
- European Alternatives, Piwik PRO listing (https://european-alternatives.eu/product/piwik-pro)
- Piwik PRO, email to Core users announcing the deadline extension, March 3, 2026
- 02 Mar, 2026
Session Replay (Hotjar, Clarity): France's Privacy Watchdog Opens Pandora's Box
You might be using Hotjar, Microsoft Clarity, or Fullstory to understand how visitors navigate your website. These "session replay" tools show you their clicks, mouse movements, and hesitations. It's convenient for fixing bugs or improving user experience. The problem? You're probably recording far more than you think. And France's data protection authority just put the practice under the microscope.

On February 25, 2026, the CNIL (Commission Nationale de l'Informatique et des Libertés) opened a public consultation on session replay tools. It's the first regulatory initiative of its kind in Europe. The consultation runs until April 22, 2026, with a final recommendation to follow. For website operators, agencies, and solution providers, the message is clear: the free-for-all is over.

The numbers speak volumes. In 2025, the CNIL issued €487 million in fines, including 21 sanctions specifically targeting cookies and tracking technologies. Google paid €325 million, Shein €150 million. Session replay, far more intrusive than a simple analytics cookie, is now in the crosshairs. This consultation isn't theoretical: it's the prelude to enforcement actions and potential penalties.

This article explains what session replay actually is, why it's riskier than standard analytics tools, what the CNIL's draft recommendation says, and how to achieve compliance before the final text becomes binding. Waiting for the final version to act means scrambling to fix everything under time pressure.

What Session Replay Is and Why It's Different From Google Analytics

The Difference Between Audience Measurement and Full Recording

When you install Google Analytics, Matomo, or a privacy-first analytics tool, you collect aggregated metrics: visit counts, page views, bounce rates, traffic sources. You know 1,000 people visited your product page, but you don't see how each person navigated, pixel by pixel. Session replay is the opposite.
It records a user's entire browsing journey, as if filming their screen. Mouse movements, clicks, scrolling, touch interactions on mobile, and sometimes even form inputs. This data is then replayed as a video. You see the user hesitate, go back, click three times on a button that doesn't work. This is extremely useful for identifying bugs invisible in standard statistics. A form that crashes on Safari iOS 14, a poorly positioned payment button, an incomprehensible error message: everything becomes visible. But this granularity has a price: you're collecting personal data at a level of detail far beyond what standard analytics tools permit.

What These Tools Actually Record

Most session replay solutions capture by default:

- Cursor movements and positions (or finger touches on mobile).
- All clicks and double-clicks.
- Page scrolling.
- "Rage clicks" (repeated clicks on the same spot, indicating frustration).
- Prolonged hovers over certain elements.
- Tab or window changes (sometimes).
- Form inputs, unless explicitly masked.

This last point is critical. By default, some tools record what users type in form fields. Name, email, address, phone number, and even sensitive data like banking coordinates or health information if your site collects it. Most solutions offer automatic masking, but you need to activate it correctly. Result: you can end up with recordings showing a user filling out a medical form, correcting a typo in their credit card number, or deleting and rewriting a message in a "cancellation reason" field. See the problem?

The Tools Involved

The three market leaders are:

- Hotjar: The most popular solution for SMEs and agencies. Simple interface, integrated heatmaps, free up to 35 sessions/day.
- Microsoft Clarity: Completely free, easy integration with Azure and Google Tag Manager, widely adopted since 2023.
- Fullstory: Enterprise-focused, with automatic behavior analysis and AI-driven anomaly detection.

But dozens of others exist: Lucky Orange, Smartlook, Mouseflow, SessionCam, Inspectlet, etc. The CNIL isn't targeting a specific solution -- it's regulating the entire category.

What the CNIL Says in Its Draft Recommendation

Acceptable Uses According to the Authority

The CNIL doesn't say session replay should be banned. It sets a strict framework. According to the draft recommendation published on February 25, 2026, three uses are considered legitimate:

- Detection and understanding of technical errors: Identifying bugs, crashes, broken forms, elements not displaying properly on certain browsers or devices.
- User experience (UX) improvement: Spotting friction points, confusing paths, poorly placed elements. For example, discovering that 80% of users click a "Submit" button three times before understanding they first need to check a box.
- Customer support and assistance: Replaying a user's session when they encounter a problem to better understand their case and help resolve it.

These three uses share a common trait: they're technical or support-oriented. They're not marketing uses.

What's Excluded: Marketing and Retargeting

The CNIL is crystal clear on this. Session replay must not be used for:

- Advertising retargeting (showing targeted ads to a user who hesitated on a product page).
- Advanced marketing segmentation (creating audiences based on fine-grained behavior).
- Aggressive commercial optimization (identifying "hesitant buyers" to send them promotions).

Why this exclusion? Because these uses violate the data minimization principle. If your goal is to sell, you don't need to see every mouse movement. Aggregated statistics suffice. Session replay is disproportionate for these purposes. If you're using Hotjar or Clarity to "better understand your customers" from a conversion marketing angle, you're out of bounds. And during a CNIL audit, that won't go well.
Mandatory Consent: No Exemption Possible

The draft recommendation is unambiguous: session replay requires prior and explicit consent from users. It cannot benefit from the cookie consent exemption for audience measurement. Why? Because the exemption, governed by Article 5(3) of the ePrivacy Directive (implemented through national laws like France's Article 82 of the Data Protection Act), only covers trackers strictly necessary for service provision or exclusively dedicated to audience measurement in a very limited framework. Session replay fits neither category. It's a detailed behavioral analysis tool, not anonymized statistical measurement. Concretely, this means:

- You must display a consent banner (via a CMP, Consent Management Platform).
- Session replay must appear as a distinct choice in the banner, with a clear description.
- Users must be able to refuse without affecting site access.
- If users refuse or withdraw consent, recording must stop immediately and already-collected data must be deleted (or irreversibly anonymized).

Minimization and Masking: Precise Technical Requirements

The CNIL emphasizes the minimization principle under GDPR Article 5(1)(c). You must only collect what's strictly necessary for your objective. In practice, this requires:

- Automatic masking of all sensitive form fields: passwords, banking details, health data, social security numbers, etc.
- Default masking of input fields, unless you can justify that recording is indispensable (for example, to reproduce a bug that only occurs with specific input).
- Sampling: Recording only a percentage of sessions, not 100%. If you have 10,000 daily visits, recording all 10,000 sessions is disproportionate. Sampling 5% or 10% is more than sufficient to identify bugs.
- Short retention period: Sessions should be deleted as soon as the objective is achieved. A session recorded to fix a bug doesn't need to be kept for 12 months "just in case."

The CNIL also recommends documenting your configurations.
During an audit, you'll need to prove you activated masking, configured sampling, and limited retention periods. Responsibilities: Who Does What? Provider vs. Website Operator The CNIL recommendation distinguishes two actors:The solution provider (Hotjar, Microsoft, Fullstory, etc.): They design the tool, define default settings, offer (or don't offer) masking and minimization options. They can be considered data controllers for their own uses (improving their product, for example) or processors if they only host data on behalf of the website operator.The website or mobile app operator: That's you, if you install Hotjar on your site. You're the data controller for your use of session replay. You must obtain consent, configure masking, define retention periods.In some cases, the CNIL mentions joint controllership (GDPR Article 26): if the provider and operator pursue common purposes (for example, if Hotjar uses your data to improve its anomaly detection algorithm), they must sign a joint controller agreement. Web Agencies: Beware the Contractual Trap If you're a web agency installing Hotjar or Clarity for clients, the responsibility question gets complicated. Who must obtain consent? Who configures masking? Who gets sanctioned for non-compliance? By default, it's the client (the website operator) who remains responsible as the controller. But if you haven't informed them of obligations, haven't properly configured the tool, or haven't documented settings, you can be held liable. European data protection authorities have already sanctioned technical service providers for failing their processor obligations under GDPR Article 28. Our advice: Add a clause to your contracts now specifying:Who is responsible for session replay GDPR compliance. Who configures masking and sampling. Who updates the consent banner. Who maintains compliance documentation.And bill for compliance work. It's not included in a standard "Hotjar installation" package. 
Alternatives and Best Practices for Staying Compliant

Option 1: Strictly Configure Session Replay

If you want to continue using Hotjar, Clarity, or an equivalent, here are the steps:

- Activate automatic masking of all form fields. Most tools offer a "strict" mode that masks everything by default.
- Reduce sampling to 5-10% of sessions. You don't need to record 100% of traffic to detect bugs.
- Limit retention to 30 days maximum. If you haven't fixed the bug in 30 days, it wasn't urgent.
- Update your CMP (OneTrust, Axeptio, Cookiebot, Didomi, etc.) to add a specific "Behavioral Analysis" or "Session Replay" option, distinct from "Audience Measurement."
- Document everything: screenshots of settings, a spreadsheet listing masked fields, purpose justification.

Option 2: Replace with Heatmaps or Privacy-First Analytics

Session replay is often used for needs that don't require full recording. Some alternatives:

- Heatmaps: they show where users click most, without recording individual paths. Much less intrusive.
- Event-based analytics: configure specific events in Google Analytics, Matomo, or a privacy-first tool to measure clicks on certain buttons, form errors, cart abandonments.
- A/B testing: test two versions of a page rather than trying to "understand" why the current version doesn't work.

These approaches give you 80% of the useful information with 10% of the legal risk.

Option 3: Session Replay Strictly on User Request

An emerging practice is activating session replay only when users explicitly request it. For example:

- A user contacts support saying "I have a problem with the form."
- Support sends them a unique link that temporarily activates recording of their session, with explicit consent.
- The session is recorded, analyzed, then immediately deleted after the problem is resolved.

This is the most compliant method, but it requires slightly more complex technical infrastructure.

What Happens After the Consultation

Timeline and Next Steps

The public consultation ends on April 22, 2026. Then the CNIL will:

- Analyze the contributions received (professionals, trade associations, consumer groups, NGOs).
- Revise the draft recommendation if necessary.
- Adopt the final version, probably during the second half of 2026.
- Publish the recommendation on its website, with a transition period (typically 6 to 12 months).

During the transition period, the CNIL won't sanction immediately, but expects gradual compliance. After this deadline, enforcement will begin.

Risks of Non-Compliance

If you continue using session replay without consent or with non-compliant configurations, you risk:

- A formal notice from the CNIL or another European DPA (the first step, public or not).
- A financial penalty of up to €20 million or 4% of global annual turnover (GDPR Article 83).
- Publication of the sanction, with reputational impact.

In 2025, 67 out of 83 CNIL sanctions were issued via simplified procedure, with fines capped at €20,000 for "minor" violations. But for serious cases (massive collection, complete absence of consent, exposed sensitive data), amounts can be much higher. Shein was fined €150 million for cookies, and session replay is objectively more intrusive than a cookie.

Domino Effect Across Europe

France isn't alone. Other European authorities are watching closely. If the CNIL adopts a strict recommendation, it's likely that:

- The EDPB (European Data Protection Board) will use it as inspiration for an opinion or guidelines at the European level.
- German (DSB), Italian (Garante), Spanish (AEPD), or Irish (DPC) authorities will follow with their own texts.

In other words, if you operate in Europe, complying with CNIL rules will be necessary anyway in the short term, even if you don't have French traffic.

Conclusion: Act Now, Not in April 2027

The CNIL consultation on session replay is a warning signal, not a surprise. Tools that record complete user journeys have been in regulators' sights for years. What's changing in 2026 is that the CNIL is moving from awareness-raising to formal regulation.

If you use Hotjar, Clarity, or any other session replay tool, you have two options. Either configure the tool strictly right now: masking, sampling, consent, documentation. Or consider less intrusive alternatives: heatmaps, privacy-first analytics, A/B testing.

Inaction is no longer a viable strategy. SMEs and web agencies have until the end of 2026 to comply without immediate risk. But the longer you wait, the more costly and rushed compliance will be. And given the fine amounts issued in 2025 (€487 million total), the risk is no longer theoretical.

For those seeking a simpler approach, there are audience measurement solutions that respect minimization and transparency principles by design. If this approach resonates with you, you can join Pomelo's waitlist to be informed of the launch.

FAQ

Can I continue using Hotjar or Clarity after the CNIL recommendation?

Yes, provided you meet the requirements: obtain explicit consent via a CMP banner, activate masking of all sensitive fields, limit sampling (5-10% of sessions maximum), reduce retention to 30 days, and document all your configurations. If you meet these conditions, you can continue using these tools for technical purposes (bug detection, UX improvement, customer support). However, marketing uses (retargeting, advanced segmentation) are excluded.

Is session replay covered by the consent exemption for audience measurement?

No. The consent exemption under Article 5(3) of the ePrivacy Directive only applies to audience measurement tools strictly limited to aggregated and anonymous statistics. Session replay, which records detailed individual paths, cannot benefit from it. You must therefore obtain user consent before activating recording, even if your objective is purely technical.

If I'm a web agency, who's responsible for compliance: me or my client?

By default, the website operator (your client) is the data controller for data collected via session replay. But you, as an agency, are responsible as a processor for the proper technical configuration of the tool under GDPR Article 28. If you install Hotjar without activating masking, configuring sampling, or adding a consent banner option, you can be held liable. It's essential to clarify this responsibility allocation in a written contract and to bill GDPR compliance work as a separate service.

What sanctions apply if I don't follow the CNIL recommendation?

The CNIL recommendation doesn't have force of law, but it clarifies how to apply GDPR and ePrivacy rules. Not respecting it exposes you to a formal notice, then a financial sanction of up to €20 million or 4% of global turnover under GDPR Article 83. In practice, for SMEs, fines via simplified procedure are capped at €20,000 for less serious violations. But for massive collection without consent or exposed sensitive data, amounts can be much higher, as illustrated by the 2025 sanctions (Google €325M, Shein €150M).

Are there less risky alternatives to session replay for improving UX?

Yes, several alternatives provide UX insights without recording complete individual paths. Heatmaps show the most-clicked areas without identifying users. Event-based analytics measure specific actions (button clicks, form errors) with tools like Google Analytics, Matomo, or privacy-first solutions. A/B testing compares two page versions to identify the best performer. User surveys (post-purchase or exit-intent) provide direct qualitative feedback. These approaches provide 80% of the useful information with much lower legal risk.

Sources

- CNIL, "Session replay: the CNIL launches a public consultation on its draft recommendation", February 25, 2026 (https://www.cnil.fr/en/session-replay-cnil-launches-public-consultation-its-draft-recommendation)
- CNIL, "Sanctions and corrective measures: CNIL's actions in 2025", February 9, 2026 (https://www.cnil.fr/en/investigation-powers-cnil/sanctions-issued-cnil)
- CNIL, "Cookies and advertisements inserted between emails: GOOGLE fined 325 million euros by the CNIL", September 1, 2025 (https://www.cnil.fr/en/cookies-and-advertisements-inserted-between-emails-google-fined-325-million-euros-cnil)
- Nomos, "Session replay: the CNIL's draft recommendation", February 27, 2026 (https://www.nomosparis.com/en/session-replay-the-cnils-draft-recommendation/)
- PPC Land, "France's CNIL puts session replay tools under the privacy microscope", February 26, 2026 (https://ppc.land/frances-cnil-puts-session-replay-tools-under-the-privacy-microscope/)
- Solutions Numériques, "Rejeu de session : la CNIL ouvre une consultation publique pour encadrer ces outils de suivi" (Session replay: the CNIL opens a public consultation to regulate these tracking tools), February 25, 2026 (https://www.solutions-numeriques.com/rejeu-de-session-la-cnil-ouvre-une-consultation-publique-pour-encadrer-ces-outils-de-suivi/)
- August Debouzy, "Cookies et autres traceurs, une action de régulation ciblée au niveau national" (Cookies and other trackers: a targeted regulatory action at the national level), February 2026 (https://www.august-debouzy.com/fr/blog/2281-cookies-et-autres-traceurs-une-action-de-regulation-ciblee-au-niveau-national)
- 07 Feb, 2026

Plausible vs Fathom vs Simple Analytics: the 2026 privacy-first analytics comparison

You have decided to leave Google Analytics behind. You understand that "free" comes at a real cost, that GA4's complexity exceeds your actual needs, and that GDPR compliance deserves more than a poorly configured cookie banner. Good. You are part of a fast-growing movement.

Now comes the hard part: among the privacy-first alternatives, which one actually fits your situation? Three names keep coming up: Plausible, Fathom and Simple Analytics. They are the most cited, most mature and most credible options in the "frugal analytics" segment. But their differences, often invisible in marketing copy, have very real consequences on your bill, your compliance posture and your daily workflow.

This comparison does not aim to crown a universal winner. It provides the factual elements you need to make an informed choice. We verified pricing on official pages, documented actual features, and added two outsiders often overlooked in these discussions: Pirsch and Umami.

What these three solutions share

Before diving into differences, let us establish common ground. Plausible, Fathom and Simple Analytics share a foundation that radically separates them from Google Analytics:

- None of them use cookies by default.
- They do not build advertising profiles.
- Their scripts weigh less than 5 KB (compared to roughly 45 KB for GA4, according to HTTP Archive measurements).
- They display all essential metrics on a single page, with no nested menus and no training required.

On the legal front, all three claim GDPR compliance without a cookie banner. In practice, the strength of that claim varies, and that is one of the points we will detail below.

Finally, all three are independent companies with no major venture capital, funded by their subscriptions. That is a strong signal of long-term sustainability.

Real pricing, compared side by side

The entry price does not tell the full story. What matters is the cost at comparable volume. Here are the rates verified on each solution's official page as of February 2026.

Monthly pricing grid (USD, monthly billing)

| Monthly volume | Plausible (Starter) | Fathom | Simple Analytics (Simple) |
|---|---|---|---|
| 10,000 pageviews | $9 | $15 | $15 |
| 100,000 pageviews | $9 (same tier) | $15 | ~$19 |
| 200,000 pageviews | $14 (Growth) | $25 | ~$29 |
| 500,000 pageviews | ~$19 (Business) | $45 | ~$49 |
| 1,000,000 pageviews | Custom | $60 | Custom |

Sources: plausible.io/pricing, usefathom.com/pricing, simpleanalytics.com/pricing. Rates verified February 2026.

Key takeaways:

- Plausible is the cheapest option at low volume ($9/month for 10k pageviews). But pricing rises quickly: the Growth plan at $14 and the Business plan at $19 unlock additional features (more sites, team access, funnels).
- Fathom offers a single feature set across all tiers, with pricing based solely on pageview volume, starting at $15/month. No free plan. No discounts. Their stated philosophy: the same price for everyone, no promotions ever.
- Simple Analytics offers a free plan (limited to 30 days of history) and a Simple plan at $15/month. The Team plan ($40/month) adds collaboration and API access. Their billing adjusts automatically based on the three-month rolling average of your traffic.

Two outsiders worth knowing

Pirsch (based in Germany) offers one of the lowest entry prices on the market: $6/month for 10,000 pageviews, $10/month for 100,000 pageviews. It includes white-labelling and up to 50 domains. Source: pirsch.io/pricing.

Umami is open source and fully self-hostable at no cost. It is the only solution in this comparison with zero licensing fees, provided you manage hosting yourself. For those who prefer a managed service, Umami Cloud starts at $9/month. Source: umami.is.

Data hosting and location

This is the critical point for GDPR compliance. The question is not just "where are the servers?" but "who operates the infrastructure and under which jurisdiction?"

| Solution | Data location | Infrastructure | Legal entity |
|---|---|---|---|
| Plausible | European Union (Hetzner, Germany) | Owned by European companies | Plausible Insights OÜ (Estonia) |
| Fathom | Servers in Germany (via AWS EU) | Amazon Web Services | Conva Ventures Inc. (Canada) |
| Simple Analytics | Netherlands | European-owned servers | Simple Analytics B.V. (Netherlands) |
| Pirsch | Germany | German servers | Emvi Software GmbH (Germany) |
| Umami (Cloud) | Variable by plan | Vercel/Cloud | Umami Software Inc. (USA) |

Plausible emphasises that its entire infrastructure is operated by European companies. As of early 2026, they report over 16,000 paying subscribers, including 600+ enterprise accounts. Source: plausible.io/enterprise-web-analytics.

Fathom uses AWS in the EU region (Frankfurt), but the legal entity is Canadian. Canada benefits from an adequacy decision by the European Commission, which simplifies data transfers. However, for organisations with strict data sovereignty requirements, this is not equivalent to a fully European entity.

Simple Analytics is the most explicit about data location: data exclusively in the Netherlands, proprietary servers, no US-based subprocessors. This is the strongest argument for organisations subject to strict sovereignty policies.

Pirsch, based and hosted in Germany, offers a comparable alternative in terms of European data localisation.

The privacy question

All three solutions call themselves "privacy-first". But the technical details matter.

Plausible uses a hash of the visitor's IP address combined with the User-Agent and a daily salt to identify unique visitors. The raw IP address is never stored. The hash is renewed daily, which prevents long-term tracking. This is a form of pseudonymisation.

Fathom uses a similar hashing approach but adds a routing layer through what they call "unique signatures". Like Plausible, the raw IP is not retained.

Simple Analytics stands apart by claiming to collect no personal data whatsoever, including in hashed form. No IP hash, no User-Agent recorded. Their unique visitor counting relies on a different mechanism based on referrers and URLs. This is the most radical approach to data minimisation.

This difference has a direct consequence: Simple Analytics can legitimately claim not to process personal data within the meaning of the GDPR, which strengthens the case for consent exemption. For Plausible and Fathom, the question is more nuanced: a hashed IP, even if non-reversible, could be considered pseudonymised data. In practice, data protection authorities (including the CNIL in France and the ICO in the UK) tend to accept these approaches if they meet the exemption criteria (no cross-referencing, limited retention, strictly statistical purpose).

For more on consent exemption conditions, see our dedicated article: Audience measurement, GDPR and cookie banner exemption.

Features: what each one does (and does not do)

All these solutions have chosen simplicity. But "simple" does not mean identical. Here are the differences that matter in daily use.
Feature comparison table

| Feature | Plausible | Fathom | Simple Analytics |
|---|---|---|---|
| Single-page dashboard | Yes | Yes | Yes |
| Custom events | Yes | Yes | Yes |
| Goals / Conversions | Yes (advanced funnels) | Yes | Yes |
| Multi-step funnels | Yes (Business plan) | No | No |
| Google Search Console integration | Yes | No | No |
| E-commerce tracking (revenue) | Yes (Business plan) | Yes | No |
| GA4 data import | Yes | Yes | No |
| Export API | Yes | Yes | Yes (Team plan) |
| Email reports | Yes | Yes | Yes |
| Dashboard sharing | Yes (public/private link) | Yes (shareable link) | Yes |
| Multi-site | 1 (Starter) / 3+ (Growth) | 50 included | 5 (Free) / 10+ (Simple) |
| Team members | 1 (Starter) / 3 (Growth) | 1 (base plan) | 1 (Simple) / 2+ (Team) |
| Data retention | 3-5 years by plan | Unlimited | 30 days (Free) / 3-5 years |
| Open source | Yes (Community Edition) | No | No |
| Self-hosting | Yes (CE, reduced features) | No | No |
| White-label | No (except Enterprise) | No | No |

Key highlights:

- Plausible is the most feature-rich of the three. The Google Search Console integration is a significant advantage for SEO: it lets you see search queries directly in the analytics dashboard, without switching tools. Multi-step funnels (Business plan) bring it closer to more advanced tools. And being open source reassures organisations that want to audit the code.
- Fathom stands out with its unlimited data retention policy and the inclusion of 50 sites from the base plan. For a freelancer or agency managing many low-traffic sites, this is a real economic advantage. Their infrastructure is built for scale: they claim to handle sites with one billion pageviews per month.
- Simple Analytics bets everything on simplicity and absolute privacy. Their "Mini Websites" feature lets you see the exact pages that referred your site (for example, a specific tweet), which other solutions do not offer. Their built-in AI tool lets you query your analytics in natural language.

Script weight and performance impact

For a website, every kilobyte of JavaScript affects loading time and Core Web Vitals. This is a criterion that should not be overlooked, especially if SEO is a priority.

| Solution | Script weight | Estimated impact |
|---|---|---|
| Plausible | < 1 KB | Negligible |
| Fathom | ~2 KB | Negligible |
| Simple Analytics | ~6 KB | Very low |
| Pirsch | < 1 KB (or server-side) | Negligible to zero |
| Google Analytics (GA4) | ~45 KB | Measurable (LCP, FID) |

All solutions in this comparison have a negligible performance impact, especially compared to GA4. The advantage goes to Plausible and Pirsch, whose scripts are lightest. Pirsch also offers server-side integration (via API or SDK), which eliminates client-side JavaScript entirely.

To understand in detail why analytics script weight matters for SEO, see our article: Myth: you need Google Analytics for SEO.

Which tool for which profile?

Rather than declaring a winner, here is a decision guide by real-world situation.

You are an indie developer or maker with a SaaS

You manage one or two projects, traffic is moderate (< 100k pageviews/month), and you want a tool that installs in 30 seconds.

Best pick: Plausible (Starter at $9/month) for the best value at the first tier, open source, and Search Console integration.

Alternative: Pirsch ($6/month) if budget is very tight, or Umami (free) if you are comfortable with self-hosting.

You are a freelancer or agency managing 10-30 client sites

Volume per site is low, but the number of sites is high. You need separate dashboards and simple reporting.

Best pick: Fathom ($15/month, 50 sites included). No competitor includes as many sites in the base plan. Unlimited data retention means you never lose client history.

Alternative: Pirsch, which also offers 50 domains from the first plan.

You are an SME with strict compliance obligations (DPO, processing register)

The question is not price but demonstrating compliance to your DPO or supervisory authority.

Best pick: Simple Analytics, for the "zero personal data" argument. This is the easiest position to defend in a data processing register.

Alternative: Plausible, whose 100% European hosting on European-owned infrastructure (not AWS) strengthens the sovereignty case.

You are an organisation that needs funnels, e-commerce tracking or advanced analysis

You have outgrown a minimalist dashboard. You need multi-step conversion tracking.

Best pick: Plausible (Business plan). It is the only solution in this comparison that offers advanced funnels and e-commerce revenue tracking while staying within the privacy-first paradigm.

For a broader view including GA4 and Matomo, see our general comparison: Google Analytics, Matomo and frugal analytics: a 2026 guide to choosing.

Total cost: beyond the sticker price

The monthly fee is only part of the equation. Here are the hidden costs (or avoided costs) to factor into your calculation.

- Costs avoided compared to GA4: no training required (GA4 often requires days of training), no consultant for configuration, no Consent Management Platform to maintain if you qualify for the consent exemption, no legal risk from data transfers to the United States.
- Migration cost: Plausible and Fathom let you import Google Analytics history. Simple Analytics does not. If historical continuity matters to you, this is a consideration.
- Self-hosting cost (Plausible CE, Umami): free in licensing, but factor in maintenance time, updates, and server cost (roughly $5 to $20/month for a VPS depending on volume). And Plausible Community Edition does not include all cloud features (funnels, e-commerce, Sites API).

To go deeper on the real cost of analytics, our article on data obesity explains the economic consequences of over-collection: Data obesity: why your SME does not need Big Data.

Final summary table

| Criterion | Plausible | Fathom | Simple Analytics | Pirsch |
|---|---|---|---|---|
| Entry price | $9/month | $15/month | Free (limited) | $6/month |
| Entry volume | 10k pvs | 100k pvs | Unlimited (Free) | 10k pvs |
| Sites included | 1-10+ | 50 | 5-20+ | 50 |
| Data location | EU (Hetzner) | EU (AWS Frankfurt) | Netherlands | Germany |
| Legal entity | Estonia (EU) | Canada | Netherlands (EU) | Germany (EU) |
| IP hash | Yes (daily) | Yes | No | Yes |
| Open source | Yes (CE) | No | No | Yes (partial) |
| Retention | 3-5 years | Unlimited | 30d - 5 years | Unspecified |
| GA4 import | Yes | Yes | No | Yes |
| Funnels | Yes (Business) | No | No | Yes (basic) |
| GSC integration | Yes | No | No | Yes |
| Script | < 1 KB | ~2 KB | ~6 KB | < 1 KB |

FAQ

Plausible, Fathom or Simple Analytics: which is cheapest?

It depends on volume. For under 10,000 pageviews per month, Pirsch is cheapest ($6/month). Among the three main solutions, Plausible is most affordable at low volume ($9/month for 10k pvs). At 100,000 pageviews, Plausible and Fathom converge around $15/month. Beyond that, Plausible generally remains cheaper, but its features are spread across multiple plans (Starter, Growth, Business).

Is Plausible truly GDPR compliant without a cookie banner?

Plausible is designed to work without cookies. Their identification method uses a daily-rotated IP hash, with no raw address stored. Under the criteria set by the CNIL for consent exemption (and similar guidance from the ICO and other European DPAs), this approach is accepted when strictly limited to audience measurement with no cross-referencing with other processing. However, the "personal data" status of an IP hash is subject to ongoing legal debate. The prudent approach is to consult your DPO and document your analysis in your processing register.

Is Fathom a good fit for agencies managing many client sites?

Yes, this is one of its strongest points. Fathom includes up to 50 sites in every plan, with separate dashboards. Unlimited data retention and automated email reports make it well suited for multi-client management. However, Fathom does not offer white-labelling or per-user permission management on the standard plan.

What is the difference between Plausible Cloud and Plausible Community Edition?

Plausible Cloud is the hosted, managed service run by the Plausible team (from $9/month). Plausible Community Edition (CE) is the open-source version, self-hostable for free. But CE does not include all cloud features: marketing funnels, e-commerce revenue tracking and the Sites API are excluded. CE is suited for developers who want basic analytics on their own server.

Are there solutions even cheaper than these three?

Yes. Umami is entirely free to self-host (open source, MIT licence). Pirsch starts at $6/month. And for very small sites, Simple Analytics offers a free plan with 30 days of retention. Beyond these options, it is also worth considering that "cheapest" is not always most economical: ease of installation, infrastructure reliability and company sustainability have real value. A tool that disappears or locks your dashboard when you exceed your quota costs more than a slightly higher subscription.

Last updated: February 2026. Pricing and features verified on official solution websites. This article will be updated at minimum every six months.
- 07 Dec, 2025

Analytics Without Consent: How to Track Visitors Without Cookie Banners (Legally)

It has become the web's most annoying ritual. You arrive on a site, and before you can even read the headline, a window pops up: "We value your privacy… Do you accept our 85 partners?" For the user, it's a nuisance (the now-famous consent fatigue). For the site owner, it's a dilemma: display this banner and lose a chunk of your data, or skip it and risk a fine from the regulator.

Yet a third path exists. A lesser-known path that is 100% legal and far more respectful: the consent exemption.

In short:

- The banner is not automatic: it's only mandatory if you track visitors for advertising or profiling purposes.
- The consent exemption: it's possible to measure your audience without asking for consent, provided you follow strict data frugality rules.
- The double win: by removing the banner, you improve user experience and recover the statistics of visitors who were refusing tracking.

1. Why Cookie Banners Destroy Your Data

Why do we see these banners everywhere? Because most traditional analytics tools (like the default configuration of Google Analytics) collect personal data and often share it with advertising services. The GDPR is clear: for that, you need explicit consent.

The problem is that internet users are fed up. According to the latest Eurobarometer, 72% of European citizens say they are worried about how their data is processed online.

→ Source: Eurobarometer – Digital Rights and Principles

The consequence is immediate: when given a choice, many refuse. Data from European regulators shows that cookie refusal rates have risen significantly since enforcement began. It's estimated today that a site using a classic cookie banner loses between 30% and 50% of its actual data.

→ Source: CNIL – Cookie action plan impact evaluation

Your dashboard is lying to you: it only shows you a fraction of your real audience. As we explain in our article on data obesity, this is the paradox: the more you collect, the less you see.

2. Understanding the Consent Exemption

The Principle

The CNIL (France's Data Protection Authority) is one of the most pragmatic regulators in Europe on this topic. It has established a clear doctrine: audience measurement is essential to the proper functioning of a web service. Consequently, certain measurement tools can be exempted from consent.

In other words: you have the right to use a tracking mechanism for audience measurement without asking the user's permission, and therefore without displaying a banner.

This principle has been echoed by other European DPAs and aligns with the ePrivacy Directive's provision for "strictly necessary" cookies and similar technologies. While the specifics vary by country, the underlying logic is the same: if the measurement is truly frugal and serves only the site owner, exemption is possible.

But it's not a free pass. It's a strict framework that rewards what we call frugal analytics.

Checklist: Criteria for Qualifying

To benefit from the exemption, your tool and its configuration must meet these conditions. The list below is a synthesis of the CNIL's official guidelines, which are among the most detailed in Europe:

- Strictly limited purpose: data must only be used for audience measurement for the exclusive benefit of the site publisher. No retargeting, no ad profiling, no data resale.
- No data cross-referencing: collected data must not be merged with other databases (CRM, customer files) or cross-referenced with data from other sites or applications.
- IP anonymization or pseudonymization: the IP address must not allow geolocation more precise than the city level. In practice, the last octets of the IP address must be deleted or hashed before any storage.
- Limited tracker lifespan: if a cookie is used, its lifetime must not exceed 13 months. Raw collected data must not be retained beyond 25 months.
- User information: even without consent, users must be informed of the tracker's existence and their right to opt out. This information typically appears in the site's privacy policy.
- No uncontrolled transfers outside the EU: data must not be transferred to third countries without the safeguards required by the GDPR (standard contractual clauses, adequacy decisions, etc.).

→ Official source: CNIL – Audience measurement solutions

Which Tools Qualify?

The CNIL has evaluated several solutions and published a (non-exhaustive) list of audience measurement tools that can qualify for exemption when properly configured. This list includes tools like Matomo (in a specific configuration), as well as several tools from the frugal new wave.

To check whether your current tool is eligible, verify each point of the checklist above against the vendor's documentation. When in doubt, the CNIL's official page is the reference.

3. Why Go Privacy-First?

Adopting a consent-exempt analytics solution isn't just a legal hack. It's a competitive advantage on three fronts.

3.1 You Recover 100% of Your Visibility

Since you no longer need to wait for the user to click "Accept," the measurement script loads the moment they arrive on the site. You go from a partial view (the 50 to 60% who accept) to a near-total view of your traffic.

For an SMB making decisions based on its stats — which page works, which channel to invest in — the difference between "seeing 60%" and "seeing 100%" is enormous. The 5 essential KPIs finally become reliable.

3.2 You Improve Your Brand Image

A site without an aggressive pop-up is a site that inspires trust. You send a strong signal to visitors: "Here, we don't spy on you — we just look at aggregate statistics to improve the service."

This is particularly powerful if you're in a sector where trust matters (healthcare, finance, legal, education). But even for a small retailer or e-commerce store, a banner-free site delivers a better first impression.

3.3 You Simplify Your Compliance

No more updating complex CMPs (Consent Management Platforms) or worrying about a formal notice because a button is misplaced or the banner's visual hierarchy subtly favors acceptance.

By collecting less data (data minimization), you mechanically reduce your legal risk. Less data to protect, fewer flows to document, fewer awkward questions during an audit.

3.4 You Improve Your Site's Performance

Exempt tools are generally much lighter than their traditional counterparts. We detail the impact on Core Web Vitals in our article on SEO without Google Analytics: switching from a 45 KB script to a 1-6 KB script has a direct effect on load time — and therefore potentially on search rankings.

4. The Limitations to Know

The exemption isn't a magic bullet. Here are the important nuances.

What You Lose

- User-level tracking: individual journeys, user profiles, retargeting. If you need to know that "User X returned 3 times this week and viewed the pricing page," frugal analytics won't answer that (and it's a design choice, not a technical limitation).
- Demographic data: age, gender, interests. These require profiling that's incompatible with the exemption.
- Advertising integration: connections to Google Ads, Meta Ads, etc. The exemption is reserved for audience measurement, not ad optimization.

What You Keep

Everything an SMB actually needs to steer their business, as detailed in our analytics tool comparison: visitors, pages, sources, UTM campaigns, conversions, trends. Aggregated data is not only sufficient but often more readable and more actionable than individual tracking.

The Exemption Is Not Automatic

This is essential: the exemption depends on the configuration of the tool, not just its name. A tool can be eligible for exemption in one configuration and lose that eligibility if certain options are enabled (data cross-referencing, secondary purposes, uncontrolled transfers).

5. How to Check If Your Site Qualifies

Here's a quick 4-question diagnostic:

1. Does your analytics tool collect personal data beyond (truncated) IP addresses? If yes → consent required. If no → continue.
2. Is the data cross-referenced with other sources (CRM, customer files, other sites)? If yes → consent required. If no → continue.
3. Is the data used for anything other than audience measurement for your own site (advertising, resale, profiling)? If yes → consent required. If no → continue.
4. Is the data transferred outside the EU without GDPR safeguards? If yes → consent required. If no → exemption likely possible.

If your setup passes all 4 tests, consult your local DPA's guidelines to confirm eligibility and mention the tool in your privacy policy.

Conclusion: Compliance Through Simplicity

For a long time, people believed the GDPR would kill web performance measurement. In reality, it only killed the "bad" kind: the kind that surveils individuals to serve targeted advertising.

For SMBs, freelancers, and agencies, the future belongs to lean tools that natively respect these exemption criteria. It's the guarantee of sleeping well at night while having reliable numbers to steer your business.

The equation is simple: less collection + more respect = better data + less risk.

FAQ: Analytics and Consent

Is Google Analytics 4 (GA4) exempt from consent?

By default, no. GA4 collects personal data and often transfers it outside the European Union. The CNIL has specified that making GA4 exempt requires complex and costly "server-side proxying" that demands dedicated infrastructure. It's out of reach for most SMBs. In the majority of cases, choosing a natively eligible tool is simpler.

If I don't have a cookie banner, am I breaking the law?

Not necessarily. If you don't use any advertising trackers (like Meta Pixel, Google Ads tags, or retargeting scripts) and your analytics tool strictly meets the consent exemption criteria, you're perfectly legal without a banner.
You simply need to mention the tool in your privacy policy and inform users of their right to opt out. What is IP address anonymization? It's a technique that deletes the last portion of a visitor's IP address before recording it. This prevents tracing back to a specific person or household, while still allowing you to know, for example, that the visit came from the "London" or "Paris" region. It's a sine qua non condition for the exemption. Is the 13-month cookie lifetime mandatory? Under the CNIL's guidelines, yes — if a cookie is used, its lifetime must not exceed 13 months. Raw collected data can be retained for up to 25 months. Beyond that, only statistical aggregates (non-personal) may be kept for trend analysis. These are upper limits: retaining for shorter periods is always preferable in a data minimization approach. Do I still need a privacy policy? Yes, always. Consent exemption doesn't exempt you from the obligation to inform users. Your privacy policy must mention the measurement tool used, the data collected, the purposes (audience measurement), the retention period, and the right to object. This is a GDPR obligation independent of the cookie consent question.
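The checklist above and the FAQ on IP anonymization describe what the collecting server has to do before anything is written to disk. The following is an added example written for this post, not code from the original article or from any of the tools it mentions: a small Node.js module that truncates IPv4 and IPv6 addresses, derives the cookie Max-Age from the 13-month limit, flags raw hits that have passed the 25-month retention limit, and strips fields that would enable cross-referencing. The function names, the mask widths (IPv4 /24, IPv6 /48) and the sample hit are assumptions made for the example; the post itself only requires that the last octets be removed or hashed and that geolocation be no finer than city level.

```javascript
// Added example, not code from the original post: the CNIL checklist
// (IP truncation, 13-month tracker lifetime, 25-month raw-data retention,
// no cross-referencing) applied on the collecting server before storage.
// Function names, mask widths and the sample hit are constructed for this example.

const COOKIE_MAX_MONTHS = 13;   // a measurement cookie may live at most 13 months
const RAW_DATA_MAX_MONTHS = 25; // raw hits may be kept at most 25 months

// Truncate an IP address before it is stored so it can no longer identify a
// household while still supporting city-level geolocation.
// Assumed mask widths: IPv4 keeps /24, IPv6 keeps /48.
function anonymizeIp(ip) {
  // IPv4-mapped IPv6 (as seen behind some proxies): anonymize the IPv4 part.
  if (ip.startsWith('::ffff:') && ip.includes('.')) {
    return anonymizeIp(ip.slice('::ffff:'.length));
  }
  if (!ip.includes(':')) {
    const parts = ip.split('.');
    const valid = parts.length === 4 &&
      parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
    if (!valid) throw new Error(`invalid IPv4 address: ${ip}`);
    return `${parts[0]}.${parts[1]}.${parts[2]}.0`; // drop the last octet
  }
  // IPv6: expand "::" so the first three 16-bit groups can be taken safely.
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  const groups = [...head, ...Array(Math.max(missing, 0)).fill('0'), ...tail];
  const valid = groups.length === 8 &&
    (halves.length === 2 || missing === 0) &&
    groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g));
  if (!valid) throw new Error(`invalid IPv6 address: ${ip}`);
  return `${groups.slice(0, 3).join(':')}::`; // keep /48, zero the rest
}

// Calendar-month arithmetic in UTC. The day of month is clamped (31 Jan + 1
// month = 28/29 Feb) so the computed limit is never later than the legal one.
function addMonths(date, months) {
  const d = new Date(date.getTime());
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const daysInTarget = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, daysInTarget));
  return d;
}

// Max-Age (seconds) to put on the measurement cookie, counted from `now`.
function cookieMaxAgeSeconds(now = new Date()) {
  return Math.floor((addMonths(now, COOKIE_MAX_MONTHS) - now) / 1000);
}

// Raw hits older than 25 months must be purged; only aggregates may remain.
function isRawHitExpired(hitTimestamp, now = new Date()) {
  return addMonths(new Date(hitTimestamp), RAW_DATA_MAX_MONTHS) <= now;
}

// Keep only what audience measurement needs. Anything that would enable
// cross-referencing (customer ids, e-mails, raw user agents) is dropped here
// rather than stored "just in case".
function minimizeHit(raw) {
  let referrerHost = null;
  if (raw.referrer) {
    try { referrerHost = new URL(raw.referrer).hostname; } catch (e) { referrerHost = null; }
  }
  return {
    ip: anonymizeIp(raw.ip),
    path: raw.path,
    referrerHost,
    timestamp: raw.timestamp,
  };
}

// Constructed sample hit (not real traffic). The CRM id and user agent are
// exactly the kind of field that must not reach storage.
const SAMPLE_HIT = {
  ip: '203.0.113.77',
  path: '/pricing',
  referrer: 'https://www.example.org/blog/post?utm_source=newsletter',
  timestamp: '2026-03-16T10:00:00Z',
  userAgent: 'Mozilla/5.0 (constructed)',
  crmCustomerId: 'C-42',
};

console.log(minimizeHit(SAMPLE_HIT));
console.log('cookie Max-Age (s):', cookieMaxAgeSeconds(new Date(Date.UTC(2026, 0, 1))));
```

Run it with `node` and the printed record contains only a /24-truncated IP, the path, the referrer's hostname and the timestamp. The truncation runs at ingestion, before any write, which is the ordering the checklist requires ("before any storage"); a separate purge job can call `isRawHitExpired` on each stored hit to enforce the 25-month ceiling.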
- 06 Dec, 2025
Why the Era of 'Data Obesity' Is Paralyzing Small Businesses (And How to Break Free)
We were sold a dream. The "Big Data" dream. For the past decade, the promise made to SMB owners, freelancers, and marketing managers has been the same: "The more data you collect about your visitors, the better you'll sell."

The reality in 2025? It's often the opposite. Tools have become bloated, data piles up unread, and decisions are slower than before. This is what we call data obesity: the accumulation of data that doesn't serve decisions, but costs you in time, money, compliance, and performance.

In short:

- Too much data kills decisions: information overload clutters dashboards and paralyzes action.
- The "Vanity Metrics" trap: you track flattering curves instead of focusing on what actually drives revenue.
- A triple cost: technical (slower site), legal (GDPR), and trust (visitors refusing tracking).
- The solution exists: frugal analytics — measure less, decide better.

1. The "Dashboard Nobody Looks At" Syndrome

Open your current analytics tool. In under 10 seconds, can you tell:

- whether your week was good?
- which page generated the most leads?
- which traffic source is performing best?

If the answer is no, you're not alone. You're in the overwhelming majority.

Big Data Isn't for SMBs

According to Eurostat, only 8% of EU enterprises analyze Big Data. That number drops even further for small businesses. The "Big Data for everyone" promise didn't hold: SMBs don't have the teams, budgets, or time to exploit massive, complex datasets.

→ Source: Eurostat – Big Data analysis by enterprises

Yet these same SMBs end up with tools designed for 20-person data teams. GA4 offers hundreds of reports, dozens of dimensions, customizable explorations. For a 2-person marketing team (or a solo founder), it's like getting an airliner cockpit when all you need is a car dashboard.

The Choice That Paralyzes

The abundance of options, reports, and dimensions creates user fatigue. This is a well-documented phenomenon in behavioral science: choice overload. The more options you have, the less capable you are of choosing — and the less satisfied you are with your choice when you make one.

→ Source: The Decision Lab – Choice Overload Bias

Applied to analytics: more information ≠ better decisions. On the contrary, too much data leads to inaction. You close the tab and fly blind.

2. The Race for "Vanity Metrics"

In many small businesses, the metrics sitting at the top of dashboards are also the ones least useful for decision-making:

- pageviews (without knowing which pages convert),
- total session count (without distinguishing prospects from bots),
- bounce rate (an ambiguous metric, often misinterpreted),
- visitors by country (rarely actionable for a local business).

These metrics flatter the ego — "we had 10,000 visits this month!" — but they say nothing about a site's actual performance.

The 3-Question Test

For a small business, a useful dashboard should answer three questions:

- How many people are discovering my site? (acquisition)
- Which pages generate the most inquiries or sales? (performance)
- What does that represent each week? (results)

If your tool can't answer these immediately, it's pulling you away from your main goal: understanding what works so you can grow your business. We've detailed which metrics to keep (and which to ignore) in our guide to The "5 KPIs" Method.

3. The Hidden Cost of Complexity

Data obesity doesn't just cost time. It has three concrete costs that most businesses underestimate.

3.1 The Technical Cost: A Slower Website

Traditional analytics tools often ship heavy scripts that degrade Core Web Vitals — the web performance metrics Google uses as a ranking factor. An independent audit by Bejamas shows that third-party scripts (analytics, chat widgets, marketing pixels) can significantly slow down page loads, with analytics scripts often leading in main-thread blocking time.

→ Source: Bejamas – How Popular Scripts Slow Down Your Website

The GA4 script weighs approximately 45 KB compressed. Frugal alternatives weigh between 1 and 6 KB — 7 to 45 times lighter. As we explain in our article on SEO without Google Analytics, this difference directly impacts Core Web Vitals and therefore potentially your search rankings. Slower sites = fewer conversions = less revenue.

3.2 The Legal Cost: GDPR Risk

The more signals you collect — precise geolocation, cross-page navigation, technical fingerprinting, per-page session duration — the higher your legal exposure. Every piece of data collected is a piece of data to protect, to document in your processing registry, and to justify during an audit.

European Data Protection Authorities — including the French CNIL — explicitly provide a consent exemption for audience measurement tools that meet strict frugality conditions. Tools that collect the bare minimum can operate without cookie banners, without prior consent, and with a dramatically reduced compliance burden.

→ Source: CNIL – Audience measurement solutions

We've detailed the conditions for this exemption in our dedicated guide. This is probably the most underappreciated argument for frugal analytics: by collecting less, you mechanically simplify your compliance.

3.3 The Trust Cost: Visitors Who Refuse

Another side effect of traditional analytics: cookie banners. According to data from European regulators, cookie refusal rates have risen significantly since enforcement began in earnest. Estimates suggest that a site using a classic cookie banner loses between 30% and 50% of its actual data.

→ Source: CNIL – Cookie action plan impact evaluation

In some sectors, ad blockers and script blockers amplify the loss further. Result: your dashboard is lying to you. It only shows a fraction of your real audience — sometimes only 50 to 60%.

A cookieless tool, by design, doesn't depend on consent. It measures 100% of visits from the moment of arrival. That's a business argument, not just a legal one.

4. The Solution: Frugal Analytics

Frugal analytics isn't about measuring less out of laziness or ideology. It's about measuring better, by focusing on what:

- concretely helps you make decisions,
- respects visitor privacy,
- doesn't slow down your site,
- doesn't create legal friction.

What It Changes in Practice

Before (Data Obesity) | After (Frugal Analytics)
200+ metrics available | 5-7 actionable KPIs
Dashboard opened once a month (and closed immediately) | Dashboard checked weekly, understood in 30 seconds
Mandatory cookie banner, 40% data loss | Cookieless, 100% of visits measured
45 KB script, Core Web Vitals impact | 1-6 KB script, negligible impact
Complex GDPR compliance (CMP, registry, proxying) | Consent exemption, simplified compliance
40-page monthly report | 10-line results-oriented report

Frugal analytics is the equivalent of seasonal cooking: fewer ingredients, better chosen, better prepared. The result is superior to accumulation.

The Core Principles

- Collect only what drives decisions. If a data point wouldn't change your actions, don't collect it.
- Simplify to democratize. A dashboard the founder understands is worth more than a report only the data analyst can interpret.
- Respect by design. Compliance shouldn't be a bolt-on ("let's proxy GA4 to get compliant") but a prerequisite ("let's choose a tool that's compliant natively").
- Measure performance, not people. Aggregated trends (popular pages, traffic sources, conversion rates) are more useful and less risky than individual-level tracking.

5. Where to Start

If you're convinced your current analytics is too complex, here are the first three steps.

Step 1: Identify your 5 KPIs. Use the 5 KPIs method to define the only metrics that matter for your business. If an indicator doesn't pass the test "would I change how I work if this number moved?", remove it.

Step 2: Evaluate your current tool. Compare it honestly against the alternatives. Our analytics tool comparison details the strengths, weaknesses, and pricing of each family (GA4, Matomo, frugal).

Step 3: Test. Most frugal solutions install in 2 minutes (one script to paste) and offer a free trial. Run both tools in parallel for a month. Compare: which one gives you an answer faster?

Conclusion: Put Your Analytics on a Diet

The era of collecting data "just in case" is behind us. Regulation, web performance, and common sense all converge on the same conclusion: less data, better chosen, is better for everyone — for the business, for visitors, and for the web.

For 2026, the best strategy for an SMB isn't adding dashboards — it's removing them. Less noise. Less friction. More concrete decisions. Frugal analytics means putting data in service of the business, not the other way around.

FAQ: Understanding Frugal Analytics

What is frugal analytics?
An approach to audience measurement that limits collection to the strict minimum needed to make business decisions. It's built on three principles: collect only what drives action, prefer aggregated data over individual profiles, and choose tools that are compliant by design (no cookies, no user profiles).

Which metrics should I absolutely keep?
Unique visitors, traffic sources, top pages, key events (CTA clicks, form submissions), and conversions. These 5 metrics are enough to steer a brochure site, a blog, or a small e-commerce store. Everything else is bonus — or noise.

Can you do frugal analytics with GA4?
Technically yes, but it requires advanced expertise: disabling granular collection, configuring consent mode, proxying data for GDPR compliance, and building custom reports limited to essential KPIs. For most SMBs, it's simpler and lower-risk to choose a natively frugal tool.

Is frugal analytics enough for e-commerce?
For a small e-commerce site (under 1,000 orders/month), yes. The 5 essential KPIs cover acquisition, engagement, and conversion. For e-commerce with multi-channel attribution, retargeting, or advanced segmentation needs, a more comprehensive tool (Matomo, GA4) will be necessary — but the frugality principle still applies: start with the essentials, and add complexity only if it's justified.

How many businesses actually use Big Data?
According to Eurostat, only 8% of EU enterprises analyze Big Data. For SMBs, the number is even lower. The vast majority of small businesses don't have the teams, tools, or need to collect data massively. Frugal analytics is the approach suited to this reality.