What Consent Means for Analytics in 2026

For any publisher operating in Europe, consent management is a cornerstone of a successful business. Even if you’re not an ad-based publisher, you still need consent to process your visitors’ data for analytics purposes. In this article we’ll cover what you can and can’t do without explicit consent.

The regulatory stack: three layers you need to know

Let’s start with the boring (but essential) part. Three pieces of regulation shape what you can and can’t do with analytics data in Europe. They work together, and you need to comply with all of them.

The ePrivacy Directive is the oldest and most direct. Its Article 5(3) says: storing or accessing anything on a user’s device — cookies, local storage, fingerprinting scripts — requires informed consent. Period. Unless it’s strictly necessary to deliver a service the user explicitly asked for. This directive was written in 2002, amended in 2009, and it’s still very much alive today, transposed into each EU country’s national law (Article 82 of France’s “Informatique et Libertés” act, for instance).

The GDPR adds a layer on top. Even if you don’t drop a single cookie, the moment you process personal data — and yes, IP addresses, device characteristics combined with timestamps, and user identifiers all count — you need a lawful basis. For analytics, that’s typically consent.

The CNIL guidelines (and those of other national DPAs) are where theory meets practice. Since 2020, the CNIL has published detailed recommendations on how to implement these rules, including a specific exemption that allows audience measurement without consent — under strict conditions. We’ll get to those conditions in a minute.

The bottom line: most analytics setups require explicit, informed, opt-in consent before any data hits your servers. But there is one well-defined exception.


How the CNIL exemption evolved — and where it stands today

The idea that basic audience measurement shouldn’t need a consent banner didn’t come from nowhere. Back in 2012, the EDPB (then called the Article 29 Working Party) stated that first-party analytics cookies limited to aggregated statistics, with proper safeguards and clear user information, do not present a threat to privacy and can be exempted from consent.

France’s CNIL turned this principle into practice. When it published its revised cookie guidelines in late 2020, it carved out a formal exemption: audience measurement cookies can be deployed without prior consent, provided they meet a strict set of conditions.

Phase 1: the CNIL-evaluated list (2021–2025)

To make this actionable, the CNIL launched an evaluation program in March 2021. Analytics vendors could submit their solution for review. The CNIL would audit the tool, check its configuration, and — if everything was in order — add it to a public list of exempt-compatible solutions.

A handful of tools made it: Piano Analytics (AT Internet), Matomo, Piwik PRO, and a few smaller players. Google Analytics, predictably, never qualified and almost certainly never will — its architecture feeds data into Google’s advertising ecosystem, which is fundamentally incompatible with the exemption criteria.

For publishers, this list was convenient. If your tool was on it, you had a reasonable basis to claim exemption. If it wasn’t, you were on your own.

Phase 2: self-assessment (2025 onwards)

In July 2025, the CNIL announced a significant shift. The evaluation program was over. The public list would be removed on January 1st, 2026.

In its place: a self-assessment framework. The CNIL published a detailed grid with 5 objectives and 14 criteria that analytics providers must evaluate themselves against. No more “CNIL-approved” badge. No more shortcut.

The responsibility now sits on two shoulders:

  • Vendors must self-assess, document their compliance, provide publishers with a configuration guide, and make it absolutely clear that they are not certified by the CNIL.
  • Publishers must verify their actual implementation meets every criterion — and be able to prove it in case of an audit.

“We use a tool that was on the CNIL list” is no longer a valid answer. That list no longer exists.

What’s coming next: the EU Digital Omnibus

One more thing worth watching. In November 2025, the European Commission published the Digital Omnibus proposal. Among many changes, a new Article 88a would be inserted directly into the GDPR, formally allowing cookies used for aggregated audience measurement without consent — when done by the website controller solely for its own use.

If adopted, this would harmonize what France, Spain, and Italy have been doing nationally, extending the exemption EU-wide. The proposal still needs Parliament and Council approval. But the direction is clear.


What you CAN collect without consent

Now let’s get into the specifics. The CNIL’s self-assessment grid is very precise about what falls inside the exemption perimeter. Here’s what you can collect and report on, without asking for consent.

Three types of events, no more

The CNIL framework limits data collection to exactly three categories of events:

  1. Page views: the presence of a person on a page, along with information about that page (name, type, category, etc.)
  2. User interactions: clicks on buttons, links, and functional elements — with associated metadata (destination, label, etc.)
  3. Performance and engagement stats: page load times, scroll depth, time spent on page

That’s it. No custom event taxonomies with dozens of actions. Three types.

Traffic sources — but only at the domain level

You can capture the referrer host. If someone comes from google.com or twitter.com, you know that. What you get is the domain — nothing more.

From this, your analytics tool can infer aggregated traffic source categories: organic search, social, referral, direct. These channel groupings give you a high-level picture of where your audience comes from.

Technical and performance data

You can collect HTTP header information, but it must be minimized: major browser version, major OS version, device type, screen size. Not the full, detailed user agent string.

Page load time statistics are allowed and explicitly covered. This includes server response times, rendering metrics, and Core Web Vitals (LCP, INP, CLS) — all legitimate performance measurement.

Geographic data — coarse only

IP addresses can be used for city-level geolocation, but must then be pseudonymized by removing at least the last octet. No precise geolocation, no GPS data.

Cookies are allowed

Yes, you can set cookies under the exemption. First-party cookies only, with a lifespan capped at 13 months, and that lifespan must not be renewed on each visit. This allows for basic visit counting and session management within the defined limits.

A/B testing

Comparing content variants is covered by the “content analysis” purpose. You can run A/B tests as long as the data stays aggregated and anonymous, and as long as you’re not creating persistent user cohorts based on previously collected data.


What you CANNOT collect without consent

This is where it gets restrictive — and where many publishers get tripped up. The CNIL self-assessment document is explicit about what’s excluded.

No UTM parameters, no campaign identifiers

This is stated in black and white: all collection of UTMs or campaign identifiers in URLs must be disabled. This is not a gray area. If your analytics tool reads ?utm_source=newsletter&utm_campaign=spring2026, you’re outside the exemption.

The practical consequence is massive: you cannot evaluate the performance of your acquisition campaigns without consent. No “which newsletter drove the most traffic.” No “how did our paid search campaign perform.” No conversion channel measurement. The CNIL document explicitly lists these as marketing measurements that must be disabled by default.

No session replay

Explicitly called out: any “session replay” functionality must be disabled. The reasoning is straightforward — session replay tracks individual user navigation, which is the opposite of anonymous aggregate statistics.

No user identifiers (direct or indirect)

You cannot collect or import any CRM identifier, login-based user ID, or email-derived identifier. No form data capture that could reveal personal information. No cross-referencing with customer databases.

And it goes further: if you use fingerprinting instead of cookies, the fingerprint must include a site-specific component (to prevent cross-site tracking) and a temporal component (to limit its lifespan). You can’t build a persistent, portable identity.

No cross-domain tracking

Each site or application must be measured independently. No unified user journey across multiple domains — even if you own them all. No reach deduplication across properties. The data stays siloed per site.

No integration with external tools

All integrations with third-party tools must be excluded. No feeding data into your DMP, your CRM, your ad server, your email platform. No data exports to external systems for cross-referencing. The analytics data lives in its own silo.

No data reuse by the vendor

Your analytics provider must operate as a data processor (sub-contractor). They cannot pool your data with other clients’ data, and they cannot reuse your data for their own purposes — not even to “improve their service.” This alone disqualifies most of the major platforms.

Reports must be truly anonymous

All reports — in the interface and in exports — must contain only anonymous statistics, aggregated to the nearest ten. If a combination of filters could isolate a single user, the anonymization isn’t effective and the exemption doesn’t apply.
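The collection limits described in the two sections above, sketched as a server-side minimisation step. This is an added example, not Alke Analytics code or CNIL text. The field names, the click-ID list, the /48 prefix for IPv6, the daily rotation period and the HMAC secret are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: these click IDs count as campaign identifiers next to utm_* keys.
CAMPAIGN_KEYS = {"gclid", "fbclid", "msclkid"}

def strip_campaign_params(url):
    """Drop utm_* and campaign-ID query parameters, and the fragment."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not k.lower().startswith("utm_") and k.lower() not in CAMPAIGN_KEYS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

def referrer_host(referrer):
    """Keep only the referring host; path and query string are discarded."""
    return urlsplit(referrer or "").hostname or ""

def truncate_ip(ip):
    """Zero the last IPv4 octet; for IPv6 keep only a /48 (assumption)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def visitor_key(secret, site, day, ip, ua_major):
    """Cookieless key bound to one site and one day, so it is not portable."""
    material = "|".join((site, day, truncate_ip(ip), ua_major)).encode()
    return hmac.new(secret, material, hashlib.sha256).hexdigest()[:16]

def round_to_ten(count):
    """Report aggregates to the nearest ten (a 5 rounds up here)."""
    return (count + 5) // 10 * 10

def minimise_hit(raw):
    """Reduce a raw hit to the fields that stay inside the exemption."""
    return {
        "url": strip_campaign_params(raw["url"]),
        "referrer_host": referrer_host(raw.get("referrer")),
        "ip": truncate_ip(raw["ip"]),
    }

# Constructed sample hit (documentation-range IP, made-up URLs).
SAMPLE_HIT = {
    "url": "https://example.org/news/a?page=2&utm_source=newsletter&utm_campaign=spring2026&gclid=abc#top",
    "referrer": "https://www.google.com/search?q=private+query",
    "ip": "203.0.113.77",
}
```

Run the minimisation before anything is written to storage or logs, so the raw URL, full referrer and full IP address never persist.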


What this means concretely for publishers

Let’s translate all of this into daily reality.

What you lose without consent

Campaign performance is a black box. You can’t tell whether your latest newsletter drove traffic, whether your SEO investment is paying off relative to paid search, or which social posts converted. You’ll see “organic search: X visits” as an aggregate channel, but you won’t be able to attribute those visits to specific campaigns or content pieces.

No user-level analytics. No returning visitor analysis. No cohort analysis. No engagement scoring. No frequency metrics tied to individual users. The unit of analysis is the page view and the session — never the person.

No connection to your revenue stack. If you’re an ad-based publisher, you can’t correlate analytics data with ad serving data, RPMs, or fill rates without consent. The wall between measurement and monetization is absolute.

No heatmaps, no session recordings. Forget about watching how users interact with your pages. These tools track individual behavior by design.

What you keep

Content performance visibility on 100% of your traffic. This is the big upside. While consent-based analytics typically only cover the 40–60% of users who accept cookies, exempt analytics cover everyone. Page views, time on page, scroll depth, bounce rate — on every single visit. For editorial decision-making, this is significantly more reliable.

Full web performance monitoring. Core Web Vitals, server response times, page load speeds — all on 100% of traffic. For publishers where SEO matters (that’s everyone), this is critical.

High-level traffic source understanding. You know how much comes from search vs. social vs. direct vs. referral. You just can’t drill into specific campaigns.

Real-time data. Nothing in the exemption framework prevents real-time reporting. If your tool supports it, you get instant visibility into traffic spikes and drops.

What you must do

Even under the exemption, you have obligations:

Inform your users. The exemption moves you from opt-in to opt-out, but you still need to tell people what you’re doing. Your privacy policy must mention the exempt analytics tracker and explain its purpose.

Provide an opt-out mechanism. A clickable button or link within your privacy policy that lets users refuse the tracking. This isn’t optional — the CNIL self-assessment grid explicitly requires it.

Handle data access and deletion requests. Since you’re still processing personal data (until it’s aggregated), users have the right to access their data and request its deletion under the GDPR. Your analytics provider must support this.

Enforce retention limits. Cookie lifetime: 13 months max, not renewed on revisit. Data retention: 25 months max. These are hard limits.


The smart publisher’s approach: two layers

The reality is that most publishers need both: broad coverage without consent, and deeper analysis with consent. The winning strategy is a dual-layer setup:

Layer 1 — Without consent: Collect aggregated, anonymous audience measurement data on 100% of your traffic. This is your editorial compass: content performance, traffic trends, technical health, audience volume.

Layer 2 — With consent: Unlock the full depth of your analytics — user-level tracking, campaign attribution, CRM correlation, cross-domain analysis, ad performance monitoring — for visitors who opt in.

The critical rule: these two layers must remain strictly separated. You cannot retroactively enrich consent-exempt data with consented data. They exist in parallel.


Where Alke Analytics fits in

We built Alke Analytics with this exact reality in mind. Our consent-exempt mode isn’t a stripped-down afterthought — it’s designed from the ground up to deliver maximum insight within the regulatory boundaries.

What you get out of the box, without consent:

  • Content performance across all your properties, in real time
  • Core Web Vitals and web performance monitoring as a built-in RUM solution
  • CMP tracking — consent rates, banner impact on bounce rates — built into the default measurement
  • Group-level analysis across all your sites from a single screen
  • Cross-comparison filters that let you slice your data by any available dimension

And when visitors grant consent, the full depth of Alke’s analytics engine unlocks — campaign attribution, advanced dimensions, deeper correlation — without requiring a separate tool or a complicated data pipeline.

If you’re a publisher looking to get more from your analytics while staying cleanly within the rules, let’s talk.


This article is provided for informational purposes and does not constitute legal advice. Privacy regulations vary across jurisdictions and evolve frequently. We recommend consulting a qualified legal professional for guidance specific to your situation.

Xavier Leune

Xavier Leune is the founder and CEO of Alke Analytics, with 2 decades of experience and over 10 years at one of France's largest digital media groups, 4 years as VP of Engineering. He led analytics initiatives for high-traffic publisher properties, specializing in GDPR compliance, Core Web Vitals optimization, and cross-property data aggregation. Xavier's expertise in Privacy Sandbox implementation, CMP tracking, and advertising technology integration addresses the unique challenges of modern digital publishing. An active member of the French PHP User Association, he combines technical depth with editorial understanding.