Skip to main content

CNIL Self-Assessment: Sealmetrics

This document provides the official self-assessment of Sealmetrics against CNIL's criteria for consent-exempt audience measurement tools, as defined in the CNIL's auto-evaluation framework (July 2025).

Important Notice

This self-assessment follows CNIL guidelines but does not constitute CNIL certification. Per CNIL guidance, providers cannot claim to be "certified" or "validated" by CNIL. This document demonstrates how Sealmetrics meets the published exemption criteria when properly configured.

Executive Summary

CategoryStatus
5 Permitted Objectives✅ All compliant
14 Technical Criteria✅ All compliant
Consent Exemption Eligible✅ Yes
Last Assessment DateFebruary 2026

Part 1: Permitted Objectives

CNIL allows consent exemption only when analytics are used for these 5 specific purposes:

Objective 1: Performance Measurement

Requirement: Measure website/application performance metrics.

CriterionSealmetrics Compliance
Measures page load times✅ Yes
Tracks error rates✅ Yes
Limited to performance data✅ Yes - no behavioral profiling

Evidence: Sealmetrics tracks pageviews, load events, and technical errors exclusively for performance analysis.

Objective 2: Navigation Problem Detection

Requirement: Identify navigation issues affecting user experience.

CriterionSealmetrics Compliance
Detects 404 errors✅ Yes
Identifies broken user flows✅ Yes
Tracks exit pages✅ Yes

Evidence: Funnel reports and page analytics identify drop-off points and navigation issues.

Objective 3: Technical & Ergonomic Optimization

Requirement: Optimize technical performance and user experience.

CriterionSealmetrics Compliance
Device/browser analysis✅ Yes
Screen resolution data✅ Yes
Used only for optimization✅ Yes - not for targeting

Evidence: Device reports provide aggregated, anonymized data for UX optimization only.

Objective 4: Server Capacity Estimation

Requirement: Estimate necessary server infrastructure.

CriterionSealmetrics Compliance
Traffic volume metrics✅ Yes
Peak usage identification✅ Yes
Real-time visitor counts✅ Yes

Evidence: Real-time dashboard and traffic reports enable infrastructure planning.

Objective 5: Content Analysis

Requirement: Analyze which content is consulted by visitors.

CriterionSealmetrics Compliance
Page view tracking✅ Yes
Content grouping✅ Yes
Aggregated statistics only✅ Yes

Evidence: Pages report shows aggregated content performance without individual user tracking.

Part 2: Technical Criteria (14 Points)

Criterion 1: Purpose Limitation

Requirement: Tool must be used exclusively for audience measurement for the publisher's own account.

AspectCompliance
Single-purpose tool✅ Sealmetrics is exclusively for analytics
Publisher's own account✅ Each client has isolated account
No secondary uses✅ No advertising, profiling, or resale

Configuration: Default configuration. No additional setup required.

Criterion 2: Anonymous Statistical Output

Requirement: Must produce only anonymous statistical data.

AspectCompliance
Aggregated reports✅ All reports show aggregated data
No individual user data export✅ Cannot export individual sessions
Statistical anonymization✅ Data aggregated before display

Configuration: Built into platform architecture. Cannot be disabled.

Criterion 3: No Cross-Site Tracking

Requirement: Cannot track users across different websites or applications.

AspectCompliance
First-party only✅ No third-party cookies
Domain-isolated identifiers✅ Session IDs unique per domain
No unified IDs✅ No cross-domain identification

Technical Implementation:

Session ID scope: Single domain only
Cookie scope: First-party, same-site
Cross-domain tracking: Not possible by design

Criterion 4: No Data Cross-Referencing

Requirement: Cannot cross-reference analytics data with other processing activities.

AspectCompliance
Isolated data processing✅ Analytics data stays in Sealmetrics
No CRM integration for profiling✅ No user-level data merge
No external enrichment✅ No third-party data added

Configuration: Platform architecture prevents data cross-referencing. API exports only aggregated statistics.

Criterion 5: No Third-Party Data Transmission

Requirement: Cannot transmit non-anonymized data to third parties.

AspectCompliance
No data sales✅ Sealmetrics never sells data
No third-party sharing✅ No data shared with external parties
Client owns their data✅ Data belongs exclusively to client

Legal Basis: Sealmetrics Privacy Policy and DPA guarantee no third-party data sharing.

Criterion 6: Cookie Lifetime ≤ 13 Months

Requirement: Cookie validity must not exceed 13 months, without automatic renewal.

AspectCompliance
Cookie durationNo persistent cookies used
Session-based identification✅ Session IDs expire with browser session
No automatic renewal✅ N/A - no persistent storage

Technical Implementation:

Storage method: Session-based (no cookies in default mode)
Maximum theoretical lifetime: Browser session only

Note: Sealmetrics exceeds this requirement by not using persistent cookies at all in standard configuration.

Criterion 7: Data Retention ≤ 25 Months

Requirement: Collected data must not be retained beyond 24 months.

AspectCompliance
Analytics data retention✅ 24 months maximum
Automatic deletion✅ Data purged after retention period
Raw logs retention✅ 14 days only

Data Retention Schedule:

Data TypeRetention Period
Raw request logs14 days
Aggregated analytics24 months
Account configurationUntil account deletion

Criterion 8: IP Address Anonymization

Requirement: IP addresses must be anonymized (last octet removed minimum).

AspectCompliance
IP processingIP addresses not collected
Geolocation method✅ Derived from timezone, not IP
No IP storage✅ IP never stored or logged

Technical Implementation:

// Sealmetrics does NOT collect IP addresses
// Country detection uses browser timezone API:
Intl.DateTimeFormat().resolvedOptions().timeZone

Note: Sealmetrics exceeds this requirement by not processing IP addresses at all.

Criterion 9: Geolocation Precision Limit

Requirement: Geolocation must not be more precise than postal code level.

AspectCompliance
Location precision✅ Country level only
No precise geolocation✅ No city/region/postal code
Privacy-preserving method✅ Timezone-based detection

Geolocation Data Collected:

  • Country (derived from timezone)
  • No region, city, or postal code
  • No GPS or IP-based location

Criterion 10: Independent Data Collection Per Publisher

Requirement: For services serving multiple publishers, data collection must be independent for each.

AspectCompliance
Client data isolation✅ Complete separation
No shared identifiers✅ Each account has unique tracking
Independent databases✅ Logical separation per account

Architecture:

Account A ──► Isolated dataset A ──► Reports A only
Account B ──► Isolated dataset B ──► Reports B only

         No cross-account access possible

Criterion 11: Totally Independent Trackers

Requirement: Trackers must be completely independent with no interdependencies.

AspectCompliance
Unique tracking IDs✅ Each account has unique ID
No shared infrastructure impact✅ Client A cannot affect Client B
Independent configuration✅ Each account configured separately

Implementation:

<!-- Each client gets unique, independent tracker -->
<script src="https://t.sealmetrics.com/t.js?id=UNIQUE_ACCOUNT_ID" defer></script>

Criterion 12: User Information Requirement

Requirement: Users must be informed about analytics via privacy policy.

AspectCompliance
Documentation provided✅ Privacy policy template available
Clear information✅ Plain language explanation
Purpose explanation✅ Audience measurement stated

Recommended Privacy Policy Text:

This website uses Sealmetrics for audience measurement. This tool
is configured to comply with CNIL guidelines for consent exemption.
It collects anonymous statistical data only, does not use cookies,
and does not track you across websites. You can block analytics
using your browser's privacy settings or an ad blocker.

Criterion 13: Opt-Out Mechanism

Requirement: Users must have ability to refuse audience measurement.

AspectCompliance
Opt-out available✅ Yes - via browser settings or site implementation
Easy to access✅ Standard browser controls
No individual tracking✅ Nothing personal to opt out of

Important Context:

Sealmetrics does not use localStorage, cookies, or any persistent storage by default. This means:

  • There is no individual user tracking to opt out of
  • Data is collected as aggregate statistics only
  • Each pageview is independent with no user identification

Opt-Out Methods:

  1. Browser-level blocking - Users can block the tracking script using browser privacy settings or ad blockers
  2. Publisher-implemented opt-out - Site owners can implement conditional script loading based on user preference
<!-- Example: Publisher-implemented opt-out -->
<script>
  if (!localStorage.getItem('analytics_optout')) {
    var s = document.createElement('script');
    s.src = 'https://pixel.sealmetrics.com/t.js?id=YOUR_ID';
    s.defer = true;
    document.head.appendChild(s);
  }
</script>

Note: Since Sealmetrics collects only aggregate statistics without individual identification, the opt-out requirement is satisfied by standard browser controls.

Criterion 14: No Reuse by Provider

Requirement: Analytics provider cannot reuse data for their own commercial purposes.

AspectCompliance
No data monetization✅ Sealmetrics never sells data
No model training✅ Client data not used for AI/ML
No benchmarking without consent✅ No cross-client analysis

Legal Guarantee: Our Terms of Service and DPA legally prohibit any reuse of client data.

Part 3: Data Processing Details

Data Collected

Data PointCollectedPurposeAnonymization
Page URLContent analysisAggregated
ReferrerTraffic sourceAggregated
User agentDevice analysisAggregated
Screen sizeUX optimizationAggregated
TimezoneCountry detectionCountry only
Session IDVisit countingTemporary, hashed
IP addressNot collectedN/A
Email/nameNot collectedN/A
Precise locationNot collectedN/A

Data NOT Collected

Sealmetrics explicitly does not collect:

  • IP addresses
  • Email addresses or personal identifiers
  • Precise geolocation (GPS, city, postal code)
  • Device fingerprints
  • Cross-site identifiers
  • Advertising IDs
  • Social media profiles

Part 4: Infrastructure & Security

Data Location

AspectDetail
Processing locationDublin, Ireland (EU)
Data storageEU only
SubprocessorsEU-based only
International transfersNone required

Security Measures

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest
  • SOC 2 Type II compliant infrastructure
  • Regular security audits
  • GDPR Article 32 technical measures

Part 5: Configuration Checklist

To ensure CNIL compliance, verify your Sealmetrics configuration:

Required Settings ✅

  • Standard tracking mode enabled (not debug mode)
  • No custom user ID implementation
  • No PII in custom properties
  • Privacy policy updated with Sealmetrics mention
  • Opt-out mechanism available to users
  • Content grouping for aggregated analysis
  • Conversion tracking without PII

Prohibited Configurations ❌

  • Do NOT pass email addresses as properties
  • Do NOT use custom user IDs for cross-session tracking
  • Do NOT combine with advertising/remarketing tools
  • Do NOT export individual-level data for profiling

Part 6: Compliance Statement

Official Declaration

Sealmetrics declares that:

  1. Our solution meets the CNIL criteria for consent-exempt audience measurement
  2. When properly configured, Sealmetrics can be implemented without requiring user consent under Article 82 of French Data Protection Law
  3. We provide documentation and configuration guidance to ensure compliant implementation
  4. We do not reuse client data for any commercial purpose

What This Means

Publishers using Sealmetrics in France can:

  • ✅ Measure website traffic without consent banners
  • ✅ Track conversions for their own business analysis
  • ✅ Analyze content performance
  • ✅ Monitor technical performance

Publishers cannot:

  • ❌ Claim Sealmetrics is "CNIL certified" or "CNIL validated"
  • ❌ Use Sealmetrics data for advertising purposes
  • ❌ Combine Sealmetrics with profiling tools and claim exemption

Part 7: Version History

VersionDateChanges
1.0February 2026Initial self-assessment based on CNIL July 2025 framework

References

Contact

For compliance questions or DPO inquiries: