Tag: Privacy

All blog posts with this tag.

GDPR audience measurement: the CNIL framework to understand before choosing a tool

Audience measurement is no longer just a tooling decision. It is a governance decision. An SMB may legitimately want to understand pages, traffic sources and simple conversions without turning its website into a heavy marketing stack. That is a reasonable goal. The mistake is to turn a privacy-first product choice into a blanket legal promise.

The CNIL framework is more specific. It describes conditions under which strictly limited audience measurement can, in some cases, be exempt from the prior-consent requirement. Whether a given setup qualifies depends on the actual purpose, the configuration, the retention periods, the absence of cross-use, the provider's role and the information given to visitors. The useful question is therefore not "which tool removes all legal work?" but "does my actual setup stay within a documented, minimal and verifiable audience-measurement perimeter?".

What the CNIL framework says

The CNIL explains that traffic and performance statistics can be necessary for operating a website or application. It therefore describes a limited perimeter for audience-measurement trackers, provided the purpose stays strictly focused on the site or app audience and the measurement is carried out for the publisher's exclusive account. The framework excludes uses that combine the data with other processing, send non-anonymous data to third parties, or follow a person globally across several websites or applications.

The CNIL also recommends informing users, limiting tracker lifetime, capping the retention of collected information (its published guidance gives 13 months for the tracker and 25 months for the collected data) and periodically reviewing those periods. It provides a self-assessment tool to help vendors document their analysis. That nuance matters: self-assessment is not certification, and it does not prejudge what the CNIL could conclude during an investigation. Site publishers still need a cautious, documented reading of their own setup.

The criteria that should guide the choice

Before choosing an analytics solution, check these points first.

1. Strictly limited purpose. Collection should help understand traffic, performance, content viewed or navigation issues. If the same tool is used for retargeting, advertising activation, profiling or CRM enrichment, the setup no longer fits a minimal audience-measurement perimeter.

2. No vendor reuse. The provider should process the data for your account only. Reuse for the provider's own services, advertising, global benchmarks or loosely governed product improvement increases risk.

3. No cross-site tracking. An identifier shared across several publishers or domains to follow global browsing behavior is incompatible with minimal audience measurement.

4. Statistical data and limited retention. The logic should remain aggregated and proportionate. Retention periods should be limited and reviewed. Raw or pseudonymized records should not become a permanent marketing archive.

5. Clear visitor information. Even when a consent-exempt setup is possible, visitors still need clear information. The privacy policy should explain what is collected, why, for how long, by whom and how rights can be exercised.

Strict and Extended: a useful product separation

For privacy-first analytics, separating a minimal mode from an enriched mode is clearer than offering one vague switch.

Strict should cover the core needs: page views, referrer-based traffic sources when available without enrichment, volumes, trends and simple conversions. It should minimize fields and avoid data that is not necessary for the stated purpose.

Extended should be explicit. It can support richer needs: detailed UTM campaigns, advanced events, goals, technical context, segmentation or multi-site analysis. Those uses can be legitimate, but they should be treated as configuration choices, not as the silent default.

This distinction helps product teams, DPOs, marketers and clients talk about the same operational reality.

The checklist before publishing

Before presenting your analytics setup as launch-ready, document at least:

- the exact measurement purpose;
- the fields collected in Strict;
- the fields added in Extended;
- retention periods;
- absence of cross-use with other processing;
- potential transfers and their contractual basis;
- the updated privacy policy;
- the internal or vendor analysis based on CNIL sources;
- the profile-change procedure;
- the owner who approves collection changes.

This documentation does not replace legal review, but it prevents marketing copy from becoming operational debt.

What Pomelo should promise publicly

The strongest position is not an absolute claim. It is a controlled product promise:

- cookieless by default;
- minimal collection;
- clear documentation of collected fields;
- explicit Extended configuration when teams need richer detail.

That is more durable than a slogan. European SMBs, B2B SaaS teams and multi-site digital teams need analytics that is readable, governable and stable over time.

Sources

Sources checked on May 9, 2026.

- CNIL, Cookies and audience measurement solutions
- CNIL, audience-measurement self-assessment tool, July 2025
- Article 82 of the French Data Protection Act

CNIL sanctions: what analytics teams should learn before launch

CNIL sanction decisions are useful because they show patterns, not just headline amounts. For analytics teams, the lesson is clear: risk rarely comes from measuring traffic in itself. It comes from unclear purposes, tracking before a valid choice, excessive collection, weak information, poor retention and provider relationships that nobody has reviewed.

This article does not try to predict a fine. It gives product, marketing and legal teams a launch checklist grounded in the CNIL's public sanction list and cookie guidance.

The recurring analytics risks

1. Tracking starts too early. If advertising, personalization or advanced tracking fires before the visitor's valid choice is recorded, the compliance issue is immediate. Teams should verify which scripts actually load in the browser, not only what a tag-manager diagram says should load.

2. The purpose is too broad. "Analytics" can hide several purposes: audience measurement, ad attribution, retargeting, product analytics, support, personalization and CRM enrichment. These purposes do not carry the same risk or the same consent analysis. They must be separated in configuration and documentation.

3. Data is kept too long. Retention is a recurring sanction theme across CNIL decisions. Analytics teams should define retention for raw events, derived reports, exports and backups. The answer cannot be "as long as the tool allows".

4. Provider roles are unclear. The site publisher remains responsible for understanding what the provider does. Review data-processing terms, hosting, transfers, sub-processors and reuse clauses before launch.

5. The public explanation is vague. A privacy policy that only says "we use cookies to improve the experience" is not enough for a modern analytics stack. Explain the tool, purpose, data categories, retention and choice mechanism in concrete terms.
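Risk 1 is the one a team can test mechanically rather than argue about. The script below is an added example for this page, not code from Pomelo or from the CNIL. Step 1 runs in the DevTools console of a clean browser profile and captures what the page has loaded before any choice is recorded; step 2 is pure JavaScript, also runnable under Node, that compares that snapshot with the team's own tag register and flags anything unregistered, consent-gated, or setting an unexpected cookie. The snapshot and register formats, the hostnames and cookie names in the constructed sample, and the two-label registrable-domain heuristic are all assumptions of this example.

```javascript
// Pre-consent tracker inventory. Added example for this page; not code from
// Pomelo or from the CNIL. Step 1 runs in a browser; step 2 is pure and runs
// under Node as well, so the result can be stored as release evidence.

// Collapse a hostname to its last two labels so "cdn.example-shop.fr" and
// "www.example-shop.fr" count as the same party. Heuristic: public suffixes
// such as "co.uk" are not handled here.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Hostname of a URL, or null for anything that does not parse (inline scripts
// have no src, data: URLs have no host).
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Step 1 (browser only): capture scripts, fetched resources, cookie names and
// localStorage keys as they exist before the visitor has answered the banner.
// The performance buffer caps resource entries (250 by default); for a full
// record, export a HAR from the Network tab as well.
function collectPreConsentSnapshot() {
  if (typeof document === "undefined" || typeof performance === "undefined") {
    throw new Error("collectPreConsentSnapshot() must run inside a browser page");
  }
  return {
    pageUrl: location.href,
    scripts: Array.from(document.scripts, s => s.src).filter(Boolean),
    resources: performance.getEntriesByType("resource").map(e => e.name),
    cookies: document.cookie ? document.cookie.split("; ").map(c => c.split("=")[0]) : [],
    storageKeys: Object.keys(localStorage),
  };
}

// Step 2 (pure): compare a snapshot with the team's tag register.
// register.hosts maps a third-party host to { purpose, owner, preConsentAllowed };
// register.exemptCookies lists cookie names the team has justified without
// consent (session, consent-choice storage). The shape is an assumption of
// this example; the content is the team's own documentation.
function auditPreConsent(snapshot, register) {
  const firstParty = registrableDomain(hostOf(snapshot.pageUrl));
  const hosts = new Set();
  for (const url of [...snapshot.scripts, ...snapshot.resources]) {
    const h = hostOf(url);
    if (h && registrableDomain(h) !== firstParty) hosts.add(h);
  }
  const findings = [...hosts].sort().map(host => {
    const entry = register.hosts[host];
    if (!entry) return { host, status: "unregistered", purpose: null, owner: null };
    return {
      host,
      status: entry.preConsentAllowed ? "ok" : "needs-consent",
      purpose: entry.purpose,
      owner: entry.owner,
    };
  });
  const unexpectedCookies = snapshot.cookies.filter(c => !register.exemptCookies.includes(c));
  return {
    firstParty,
    thirdPartyHosts: [...hosts].sort(),
    findings,
    unexpectedCookies,
    storageKeysBeforeChoice: snapshot.storageKeys,
    // Anything unregistered, consent-gated, or setting an unexpected cookie
    // before the choice is a launch blocker.
    blocking: findings.some(f => f.status !== "ok") || unexpectedCookies.length > 0,
  };
}

// Constructed sample (not captured from any real site): a shop that loads its
// own first-party analytics, a web-font CDN nobody registered, and an ad pixel
// that also sets a cookie, all before the banner is answered.
const SAMPLE_SNAPSHOT = {
  pageUrl: "https://www.example-shop.fr/produits",
  scripts: [
    "https://www.example-shop.fr/static/app.js",
    "https://stats.example-shop.fr/collect.js",
    "https://ads.example-adnetwork.com/pixel.js",
  ],
  resources: [
    "https://cdn.example-shop.fr/logo.png",
    "https://ads.example-adnetwork.com/sync?id=abc",
    "https://fonts.example-cdn.net/inter.woff2",
  ],
  cookies: ["PHPSESSID", "_adn_uid"],
  storageKeys: [],
};

const SAMPLE_REGISTER = {
  hosts: {
    "ads.example-adnetwork.com": { purpose: "ad attribution", owner: "marketing", preConsentAllowed: false },
  },
  exemptCookies: ["PHPSESSID"],
};

if (typeof document === "undefined") {
  // Under Node: print the report for the constructed sample.
  console.log(JSON.stringify(auditPreConsent(SAMPLE_SNAPSHOT, SAMPLE_REGISTER), null, 2));
}
```

In the browser, run `auditPreConsent(collectPreConsentSnapshot(), register)` with your own register before clicking anything on the banner. The first-party analytics host in the sample is deliberately not flagged: what the check surfaces is the third-party ad host loading and setting a cookie before consent, and the font CDN that nobody has mapped to a purpose and owner. Keep the JSON output with the release checklist so the evidence survives the launch.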
How to reduce risk before launch

Run this practical check:

- open a clean browser profile and inspect which scripts fire before any choice;
- map each tag to a purpose and an owner;
- remove tags nobody can justify;
- separate minimal audience reporting from richer marketing tracking;
- document retention and export rules;
- review provider terms and transfer mechanisms;
- update privacy copy with actual tool names;
- keep evidence of the test in the release checklist.

For Pomelo, this means keeping the public promise conservative: cookieless by default, minimal collection, clear documentation, Strict first and Extended by explicit configuration.

Why this matters for SMEs

SMEs often assume enforcement only targets large platforms. The CNIL sanction list shows that smaller organizations can also be sanctioned, including through its simplified procedure. The amounts differ, but the operational lesson is the same: a small team still needs traceability, minimization and a clean release process.

Good analytics governance is not bureaucracy. It prevents last-minute launches from becoming privacy incidents.

Sources

Sources checked on May 9, 2026.

- CNIL, public list of sanctions, updated April 14, 2026
- CNIL, Cookies and other trackers
- CNIL, Cookies and audience measurement solutions