Back to articles
Analytics
Analytics CNIL GDPR Cookies

CNIL Analytics Consent Exemption: Requirements and Eligible Tools

7 January 2026 9 min read DPLIANCE

The CNIL analytics consent exemption is probably the most misunderstood topic in French web regulation. Many site operators think that using a “GDPR-friendly” tool is enough to skip the cookie banner. That’s wrong. The exemption exists, but it’s governed by strict conditions that the majority of implementations fail to meet.

At DPLIANCE, we believe compliance shouldn’t be a headache. But it shouldn’t be an illusion either. Here’s everything you need to know about the consent exemption for analytics tools under CNIL (French data protection authority) rules.

What Is the CNIL Exemption?

In France, the ePrivacy directive, transposed by Article 82 of the French Data Protection Act (loi Informatique et Libertés), establishes a clear principle: any tracker (cookie or otherwise) deployed on a user’s device requires prior consent.

However, there is an exception: trackers that are “strictly necessary” for the service to function, or those whose “sole purpose is to enable or facilitate electronic communication.” CNIL has interpreted this exception to include, under strict conditions, audience measurement tools.

The logic is straightforward: measuring how many people visit a site, which pages are viewed, and how to improve the service is a legitimate purpose that can be exempt from consent — provided that measurement serves only that purpose.

What CNIL Says

CNIL has published detailed guidelines on cookies and trackers, regularly updated. Regarding audience measurement, it specifies that trackers can be exempt from consent if they meet cumulative, strict conditions.

CNIL also launched an evaluation program for audience measurement solutions, which produced a list of tools that could be configured to qualify for the exemption. This program has since been replaced by a self-assessment tool for solution providers.

Exemption Conditions

The conditions are cumulative. You must meet all of them. Missing even one is enough to lose the exemption.

1. Purpose Strictly Limited to Audience Measurement

Trackers must have a purpose strictly limited to measuring the site or application’s audience. This includes:

  • Measuring site performance
  • Detecting navigation issues
  • Optimizing technical performance or usability
  • Estimating required server capacity
  • Analyzing content consumption

Any other use invalidates the exemption. If data is used for marketing, targeting, personalization, or commercial optimization, the exemption no longer applies.

2. Producing Exclusively Anonymous Statistical Data

Trackers must serve to produce exclusively anonymous statistical data. Measurement results must be aggregated and must not allow identifying, directly or indirectly, any individual.

3. No Cross-referencing With Other Processing

Collected data must not be cross-referenced with other data processing. Concretely:

  • No crossing with CRM data
  • No matching with user profiles
  • No linking with marketing campaigns
  • No enrichment with third-party data

This is the condition most frequently violated in practice. Many analytics tools are connected to advertising platforms, CRMs, or marketing automation tools. These connections invalidate the exemption.

4. No Transmission to Third Parties

Non-anonymized data must not be transmitted to third parties. The measurement tool must operate exclusively on behalf of the site publisher.

This is why Google Analytics has never qualified for the exemption: collected data flows through Google’s servers and feeds its advertising ecosystem.

5. No Cross-Site Tracking

Trackers must not enable global tracking of a person’s navigation across different applications or websites. Each site must be measured independently.

6. Limited Lifespan

  • Tracker lifespan: limited to a duration allowing meaningful audience comparison over time. CNIL recommends a maximum of 13 months, without automatic extension on each visit.
  • Raw data retention: collected data must be retained for a maximum of 25 months.

7. User Information

Even with the exemption, users must be informed about the use of trackers and their right to opt out. The exemption covers prior consent, not the right to information or the right to object.

Which Tools Are Eligible?

CNIL’s Evaluation Program

Since 2021, CNIL has evaluated several audience measurement solutions to verify their ability to be configured in compliance with the exemption conditions. This program produced a list of evaluated tools, available on CNIL’s website.

Among the solutions favorably evaluated:

  • Analytics Suite Delta (AT Internet / Piano)
  • SmartProfile (Net Solution Partner)
  • Wysistat Business
  • Matomo (with specific configuration)
  • Abla Analytics
  • Beyable Analytics

Since January 1, 2026, the evaluation program has been replaced by a self-assessment tool. Solution providers are now invited to verify their tool’s compliance against the criteria published by CNIL.

Matomo: The Best-Documented Case

Matomo is the tool for which CNIL has published the most detailed configuration guide. To benefit from the exemption with Matomo, you must:

  • Use Matomo in self-hosted or Cloud mode with European hosting
  • Disable cross-site tracking
  • Anonymize IP addresses
  • Limit data retention to 25 months
  • Not export data to third-party tools
  • Configure the config_id for a maximum duration of 24 hours
  • Not activate heatmap or session replay plugins (which may require specific consent)

The configuration is technical and requires rigor. A misconfiguration can cause loss of the exemption.

Google Analytics: Never Exempt

Google Analytics (neither Universal Analytics nor GA4) has never qualified for CNIL’s consent exemption. The reasons are multiple:

  • Data is sent to Google’s servers (third party)
  • Google uses the data for its own purposes (advertising)
  • Data may be transferred outside the EU
  • Google’s model cannot guarantee the absence of cross-referencing with other processing

No configuration of Google Analytics can meet the exemption conditions.

Mirage Analytics and the Exemption

Mirage Analytics was designed to be compatible with CNIL exemption conditions. Its architecture meets the fundamental criteria:

  • No third-party cookies, no persistent tracker: tracking is session-based, without persistent identifiers
  • Sovereign hosting on Scaleway (France): no data transfer outside the EU
  • Data processed exclusively for the publisher: DPLIANCE does not use the data for its own purposes
  • No cross-referencing with other processing: analytics data remains siloed

For session replay and heatmap features, which go beyond strict audience measurement, a case-by-case analysis is required. Pure audience measurement (pageviews, sessions, sources, etc.) is compatible with the exemption.

Common Mistakes

Mistake 1: “My tool is cookieless, so I’m exempt”

Wrong. The absence of cookies is a necessary but not sufficient condition. A cookieless tool that transmits data to a third party, enables cross-site tracking, or is used for marketing purposes does not qualify for the exemption.

Mistake 2: “The tool is on the CNIL list, so I’m all set”

Wrong. The CNIL list (now replaced by self-assessment) indicated that the tool could be configured to qualify for the exemption. It did not certify that every installation was automatically compliant. Configuration is the responsibility of the data controller (you).

Mistake 3: “The exemption exempts me from informing users”

Wrong. The exemption covers prior consent, not the right to information. You must still inform your users about audience measurement and their right to opt out.

Mistake 4: “I can use the data to optimize my marketing campaigns”

Wrong. If you use audience measurement data to optimize campaigns, target ads, or personalize content, you fall outside the exemption’s scope. The exemption covers strictly audience measurement only.

Mistake 5: “The exemption is permanent”

Wrong. The exemption conditions can evolve with CNIL guidelines. In 2025, CNIL launched a public consultation on new recommendations. In 2026, work on cross-domain consent is planned. Regular monitoring is essential.

How to Implement the Exemption Correctly

Step 1: Choose a Compatible Tool

Select an audience measurement tool that can be configured to meet all exemption conditions. Check first:

  • Where data is hosted (EU required)
  • Whether the tool transmits data to third parties
  • Whether the tool allows limiting data retention
  • Whether the tool can operate without cookies or with trackers limited to 13 months

Step 2: Configure the Tool Strictly

Apply the necessary configurations:

  • Disable all data sharing with third parties
  • Anonymize IP addresses
  • Limit raw data retention to 25 months
  • Disable cross-site tracking if you have multiple domains
  • Configure tracker lifespan to 13 months maximum

Step 3: Document

Document your configuration and legal basis in your processing records. Clearly state that audience measurement is based on the consent exemption and detail the measures taken to comply with the conditions.

Step 4: Inform Users

Even without a cookie banner, you must:

  • Mention audience measurement in your privacy policy
  • Provide an opt-out mechanism
  • Explain what data is collected and why

Step 5: Audit Regularly

Periodically verify that your configuration hasn’t been altered (tool updates, parameter changes) and that exemption conditions are still met.

FAQ

Is the CNIL exemption valid across all of Europe?

No. The exemption is CNIL’s interpretation of the ePrivacy directive, applicable in France. Other European authorities have different positions. If your site targets visitors in multiple EU countries, verify the positions of local authorities.

How many tools are currently eligible for the exemption?

CNIL’s evaluation program favorably assessed about ten tools before being replaced by self-assessment. Among the best-known: Analytics Suite Delta (AT Internet), Matomo (with specific configuration), SmartProfile, Wysistat Business, Abla Analytics. Since January 2026, any provider can self-assess their solution.

Can I use session replay with the exemption?

Session replay goes beyond strict audience measurement and may require specific consent. However, if session replay is implemented without persistent identifiers and without collecting personal data, a case-by-case analysis is needed. CNIL has not published a specific position on session replay within the exemption framework.

What happens if I lose the exemption?

If your configuration no longer meets the exemption conditions, you must obtain prior user consent before deploying trackers. In practice, this means implementing a compliant cookie banner. Lack of consent constitutes a sanctionable offense.

Does the exemption cover A/B testing?

No, in principle. A/B tests serve commercial optimization purposes, not strictly audience measurement. They generally require user consent.

Sources: CNIL, “Cookies: solutions for audience measurement tools” (cnil.fr); CNIL, “Audience measurement solutions exempt from consent: CNIL launches an evaluation program” (cnil.fr); CNIL, amended guidelines and cookie recommendations (cnil.fr); CNIL, Matomo configuration guide for the exemption (cnil.fr); Article 82 of French law No. 78-17 of January 6, 1978 on data processing, files, and freedoms.

Looking for an analytics tool compatible with the CNIL exemption, hosted in France? Discover Mirage Analytics: cookieless web analytics, session replay, and heatmaps built in. Starting at EUR 19 excl. tax/month.

Write to us

contact@dpliance.com
Contact us