Privacy Statnive Live · Parhum Khoshbakht

CNIL Sheet 16, Decoded: Audience Measurement Without Consent in France

France's CNIL allows analytics without consent — but only under Sheet 16's audience-measurement conditions. Here's the test, the 1 January 2026 deadline, and how to pass it.

This is privacy research, not legal advice. See the footer for the full disclaimer.

TL;DR

  • France’s CNIL allows analytics without a banner under Sheet 16’s cumulative conditions — single-site, ≤3 event types, IP truncation, 13-month tracker, 25-month retention, host-only referrer, aggregation to nearest 10.
  • The 1 January 2026 deadline has now passed. The legacy evaluation programme is retired; the self-assessment regime is operative. Providers publish dated attestations; operators document their deployed configuration.
  • GA4 fails the exemption — cross-border US transfer, cross-customer pooling, persistent identifier, not-single-publisher. Routing through sGTM does not cure it.
  • Statnive Live ships the Sheet 16 architecture by default in consent-free mode with the FR jurisdiction preset; the event-audit endpoint surfaces the CNIL 3-event ceiling check in one click.
  • Wording matters — the correct legal posture is “configurable to qualify under the CNIL audience-measurement exemption when deployed per the LIA and the CNIL self-assessment”, never “CNIL-certified” or “CNIL-exempt outright.”

Why France is the friendliest EU regulator for cookieless analytics

The CNIL has spent more than a decade building Article 82 of Loi n° 78-17 — France’s ePrivacy transposition — into the EU’s most detailed audience-measurement consent exemption. Where Germany’s § 25 TDDDG offers no consent-free path for analytics at all, where Belgium’s APD explicitly refuses to recognise an exemption, and where the UK’s ICO grants only a “low enforcement priority” rather than a legal carve-out, the CNIL publishes operator-facing guidance, self-assessment tooling and a precise list of conditions that — if met — allow an operator to run analytics without a cookie banner in France.

The carve-out is real, narrow, and freshly updated. The current CNIL guidance was revised on 4 July 2025 with a compliance deadline of 1 January 2026. The legacy CNIL evaluation programme list — the pre-2026 way of qualifying a tool — is being retired: “Au 1er Janvier 2026, cette page sera supprimée. La période de soumission à ce programme est terminée.” From that date, operators rely on a documented self-assessment, not a CNIL pre-clearance.

This post is the operator’s reading of Sheet n°16: the conditions item by item, the self-assessment and deadline, where GA4 fails the test, the three-event ceiling and how to audit it, and how to configure Statnive Live for the Sheet 16 exemption.

Sheet 16, item by item

CNIL Sheet n°16 is the foundational seven-point exemption. The CNIL’s self-assessment PDF of July 2025 (outil_d_auto-evaluation_mesure_d_audience.pdf) operationalises each point into testable criteria. Every cumulative condition below must be met for the exemption to apply.

Authorised purposes. Verbatim from the self-assessment: “les mesures des performances ; la détection de problèmes de navigation ; l’optimisation des performances techniques ou de son ergonomie ; l’estimation de la puissance des serveurs nécessaires ; l’analyse des contenus consultés.” Performance measurement, navigation-issue detection, technical-performance and ergonomic optimisation, server-capacity estimation, and content-engagement analysis. Not advertising. Not retargeting. Not user-level profiling.

Maximum three event types. Verbatim: “La solution collecte au plus trois type d’évènements : • La simple présence d’une personne sur une page et les informations associée à cette page (nom, type, etc.) • L’utilisation par cette personne d’une fonctionnalité (clic bouton, clic lien) et les information associées (destination, label, etc.) • Les statistiques de temps de chargement, de défilement ou de temps passé sur une page.” — page presence, feature interaction (button/link clicks), and timing statistics (load, scroll, dwell). That is the ceiling. An ecommerce conversion event, a form-submission event, or a custom “downloaded the brochure” event each count as a fourth event type — and the deployment is no longer exempt.

IP truncation. Verbatim: “L’IP si elle est utilisée, permet la localisation à l’échelle de la ville puis est pseudonymisée en enlevant au moins le dernier octet.” If IP is used, geolocation must degrade to city scale and the IP must be pseudonymised by removing at least the last octet. Statnive Live performs this at ingest and discards the raw IP before any persistent write.

Header minimisation. Verbatim: “Si des données provenant des champs d’en-tête (« headers ») HTTP sont collectées (version de navigateur, système d’exploitation, matériel, taille d’écran), ces données sont minimisées (version majeure système d’exploitation/navigateur par exemple).” User-Agent reduced to major-browser-version + major-OS-version. “Chrome 126” — not “Chrome/126.0.6478.127 Mobile Safari/537.36”. Statnive Live parses User-Agents server-side at ingest and discards the raw string.

Single-site scope. Verbatim: “Aucun identifiant permettant un suivi à travers plusieurs domaines n’est utilisé … Si l’identifiant utilisé est un cookie, celui-ci est déposé en interne (ou « first-party ») afin d’empêcher un suivi global de la navigation.” No cross-domain identifier; first-party deployment only. And: “Le référent (« referrer »), s’il est collecté, se limite au domaine (« host »).” The referrer reduces to the host only. Statnive Live’s host-only referrer transform runs server-side at ingest.

Aggregation. Verbatim: “Agrégation et la présentation à la dizaine la plus proche. A défaut, une analyse est menée pour justifier du caractère anonyme des données (voir l’avis du G29 sur le sujet).” Aggregate to the nearest 10, or document an anonymity analysis citing the WP29/EDPB anonymisation Opinion.
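The four data-minimisation conditions above (IP truncation, header minimisation, host-only referrer, aggregation to the nearest 10) can be sketched as ingest-side transforms. This is an added example, not Statnive Live's code; the function names, the IPv6 /48 cut and the simplified User-Agent patterns are assumptions.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumption: IPv6 is cut to a /48. Sheet 16 only says "at least the last octet".
IPV6_KEEP_BITS = 48

# Order matters: Edge and Opera also send "Chrome/", and Chrome also sends "Safari/".
_BROWSERS = [
    ("Edge", re.compile(r"Edg(?:e|A|iOS)?/(\d+)")),
    ("Opera", re.compile(r"OPR/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"(?:Chrome|CriOS)/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)\S* .*Safari/")),
]
# Android before anything else and iOS before macOS: iOS UAs contain "Mac OS X".
_SYSTEMS = [
    ("Android", re.compile(r"Android (\d+)")),
    ("iOS", re.compile(r"(?:iPhone|CPU) OS (\d+)")),
    ("Windows", re.compile(r"Windows NT (\d+)")),
    ("macOS", re.compile(r"Mac OS X (\d+)")),
]


def truncate_ip(raw: str) -> Optional[str]:
    """Zero the last octet of IPv4 (keep /24); cut IPv6 to IPV6_KEEP_BITS."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None  # unparseable input is dropped, never stored as-is
    # ::ffff:203.0.113.77 is an IPv4 client seen through a dual-stack socket.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = 24 if addr.version == 4 else IPV6_KEEP_BITS
    return str(ipaddress.ip_network(f"{addr}/{keep}", strict=False).network_address)


def referrer_host(raw: Optional[str]) -> Optional[str]:
    """Keep only the host: no scheme, credentials, port, path, query or fragment."""
    if not raw:
        return None
    try:
        return urlsplit(raw.strip()).hostname  # already lower-cased, None if absent
    except ValueError:
        return None


def _major(ua: str, table) -> str:
    for label, pattern in table:
        match = pattern.search(ua)
        if match:
            return f"{label} {match.group(1)}"
    return "Other"


def minimise_ua(ua: str) -> dict:
    """Reduce a User-Agent to major browser version and major OS version."""
    return {"browser": _major(ua, _BROWSERS), "os": _major(ua, _SYSTEMS)}


def round_to_ten(count: int) -> int:
    # Integer arithmetic on purpose: round(25, -1) is 20 (round-half-to-even).
    return (count + 5) // 10 * 10


def minimise_hit(raw: dict) -> dict:
    """Build the only record that is persisted; the caller discards `raw`."""
    ua = minimise_ua(raw.get("user_agent", ""))
    return {"path": raw["path"], "ip_prefix": truncate_ip(raw.get("ip", "")),
            "referrer_host": referrer_host(raw.get("referrer")), **ua}


# Constructed sample hit (documentation IP range, made-up referrer).
SAMPLE_HIT = {
    "path": "/tarifs", "ip": "203.0.113.77",
    "referrer": "https://user:pw@Shop.Example.fr:8443/cart?email=a%40b.fr",
    "user_agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/126.0.6478.127 Mobile Safari/537.36",
}
```
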

Hard prohibitions. Verbatim: “Aucun suivi de la navigation d’un utilisateur unique n’est possible … Désactivation de toute fonctionnalités du type rejeu de session (« session replay ») … Toute fonctionnalité visant à croiser, dédoubler ou mesurer un taux de couverture (« reach ») unifié d’un contenu est exclue.” No tracking of a single user’s journey; session replay disabled; no functionality intended to cross-reference, deduplicate, or measure unified reach.

Lifespan and retention. From the CNIL main page: “durée de treize mois” for trackers, “durée maximale de vingt-cinq mois” for collected data, periodic review required. Tracker lifespan ≤ 13 months; raw-data retention ≤ 25 months. Statnive Live’s 750-day TTL on rollups (hourly_visitors, daily_pages, daily_sources) is 24.6 months — inside the ceiling with margin.

Service-provider role. The provider must operate “sous le régime de la sous-traitance” (GDPR Article 28 processor). Verbatim: “Aucune mise en commun par le prestataire de données brutes de mesure d’audience provenant de plusieurs de ses clients n’est mise en œuvre” … “Aucune réutilisation des données pour le propre compte du prestataire et quelle que soit la finalité (amélioration de son service, lutte contre la fraude, etc.) n’est mise en œuvre.” No pooling of raw data across the provider’s customers; no provider-side reuse for any purpose, including service improvement or fraud detection.

Right to object. Verbatim: “Opposition disponible sous la forme d’un bouton ou lien cliquable au sein de la politique de confidentialité du site ou application visité.” A clickable opt-out button or link within the site’s privacy policy. Statnive Live exposes this as POST /api/privacy/opt-out.

Recommended attestation language. Verbatim: “D’après notre auto-évaluation, la solution XXX est conforme aux critères établis par la CNIL [mettre un lien vers la page officielle], et peut-être mise en œuvre sans requérir le consentement des utilisateurs si elle est correctement configurée.” According to our self-assessment, the solution XXX complies with the criteria established by the CNIL and may be deployed without user consent if correctly configured. Providers must not describe their tool as “CNIL-certified” or use the CNIL logo.

The 1 January 2026 transition (now passed)

The CNIL evaluation programme — the pre-2026 mechanism for an analytics provider to submit its tool to CNIL evaluation and appear on a public list — has been retired. Verbatim from the July 2025 guidance: “Au 1er Janvier 2026, cette page sera supprimée. La période de soumission à ce programme est terminée.” On 1 January 2026 the page came down; submission ended in 2025. The transition is complete; the self-assessment regime is now operative.

What replaced it: a self-assessment posture. The provider runs the CNIL self-assessment, documents the result, and publishes an attestation using the CNIL’s recommended language pattern. There is no CNIL imprimatur to display, no logo to use, no formal pre-clearance. The operator deploying the tool retains primary responsibility for ensuring the configuration on their site meets the conditions.

On 16 January 2026 the CNIL published its Consolidated Cookie Recommendation (recommandation_cookies_consolidee.pdf), integrating the 2020-091 / 2020-092 deliberations, the 4 July 2025 audience-measurement update, and the broader cookie framework into a single document. The substantive Sheet 16 conditions are unchanged in the consolidation — the verbatim conditions on this page remain authoritative.

On 14 April 2026 the CNIL published a final recommendation on tracking pixels introducing a narrow “deliverability measurement” exemption — allowing pixels to identify inactive subscribers without consent, strictly for email-list-suppression purposes. The deliverability exemption sits outside the Sheet 16 audience-measurement carve-out scope and does not affect the conditions on this page.

Practically, for an operator deploying analytics in France in 2026:

  • The provider should publish a dated self-assessment attestation. Matomo’s published self-assessment is the canonical reference: “the Matomo Cloud and Matomo On-Premise solutions comply with the criteria established by the CNIL … and may be implemented without requiring user consent if properly configured.”
  • The operator should document its own configuration against the Sheet 16 conditions and retain the documentation. The CNIL audits on the basis of the deployed configuration, not the marketing material.
  • A Legitimate Interest Assessment under EDPB Guidelines 1/2024 is required regardless. The Sheet 16 exemption applies to ePrivacy Article 5(3) consent for terminal-equipment access; the GDPR Article 6 basis for the subsequent personal-data processing is a separate question, and Article 6(1)(f) legitimate interest is the realistic answer.

Where GA4 fails the test

The CNIL has been unusually direct on this. From Sheet 16, verbatim: “Most large audience measurement offerings do not fall within the scope of the exemption, regardless of their configuration. In order to benefit from this exemption, please contact your solution provider or use open source software such as Matomo that you can configure yourself.”

GA4 specifically fails at multiple Sheet 16 conditions:

  • Cross-border transfer to US infrastructure. The CNIL’s 10 February 2022 formal notice found GA EU→US transfer unlawful under Chapter V of the GDPR. The 2023 EU-US Data Privacy Framework provides interim cover but is the subject of pending CJEU challenges — Latombe appeal of 31 October 2025, plus a parallel noyb challenge.
  • Cross-customer data pooling. Google’s analytics infrastructure pools data across its customer base and ties it into Google’s advertising ecosystem. The Sheet 16 condition — “Aucune mise en commun par le prestataire de données brutes de mesure d’audience provenant de plusieurs de ses clients” — does not allow this.
  • Persistent client identifier. GA4’s client ID is a persistent identifier read from and written to the browser’s storage. ePrivacy Article 5(3) triggers; the audience-measurement carve-out does not apply because the implementation reads beyond Sheet 16’s three-event taxonomy.
  • Not a “single publisher” tool by design. The cross-property reach, demographic enrichment, and ad-platform integration that GA4 is built for are exactly the functions Sheet 16 excludes.

Routing GA4 through a server-side endpoint (sGTM) does not cure this. The CNIL has stated that a server-side proxy is at best a partial mitigation if the same persistent identifier is used, the data ultimately flows to Google US, or Google retains controller-equivalent rights.

The properly-configured first-party alternatives — Matomo (Cloud or On-Premise) in CNIL exemption mode, Plausible, Fathom, Simple Analytics, and Statnive Live — all sit inside the Sheet 16 conditions and qualify with operator self-assessment. The CNIL’s enforcement record against properly-configured first-party EU-hosted privacy analytics is, as of May 2026, empty.

The three-event ceiling and how to audit it

The Sheet 16 cap of three event types — page presence, feature interaction (clicks), and timing — is the single most-violated condition in real deployments. Operators add an ecommerce conversion event, a form-submission tracker, a “downloaded the brochure” event, or a “watched the video” event, and the deployment quietly stops qualifying for the exemption.

Statnive Live exposes a per-site event-taxonomy audit endpoint specifically for this:

GET /api/admin/event-audit?site_id=N

The response returns:

  • event_names — the distinct event names observed on the site over the audit window
  • distinct_count — the cardinality
  • cnil_cap — fixed at 3 (the Sheet 16 ceiling)
  • cap_status — ok if distinct_count ≤ 3; over otherwise
  • window_from / window_to — the audit window timestamps

cap_status: ok means the deployment is, as configured, within the Sheet 16 three-event ceiling — one of the harder Sheet 16 conditions to satisfy in long-lived deployments where event types accumulate. cap_status: over means the deployment has drifted outside the exemption and requires either trimming the event taxonomy or adopting a consent banner. The audit is operator-facing; the response is a JSON object designed to be screenshotted into a CNIL inspection response.

The recommended cadence is monthly. A site that ships features will accumulate event types organically; the audit endpoint is the cheap mechanism to catch drift.
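A monthly drift check over a saved event-audit response could look like the following. It is an added example, not part of Statnive Live; the sample responses, the timestamp format and the operator allow-list mapping event names to the three Sheet 16 types are constructed assumptions, and only the field names come from the list above.

```python
import json

CNIL_CAP = 3  # the response field cnil_cap is described as fixed at 3

# Hypothetical operator allow-list: event name -> Sheet 16 event type.
ALLOWED = {
    "pageview": "page presence",
    "click": "feature interaction",
    "timing": "timing statistics",
}

# Constructed sample responses using the documented field names.
SAMPLE_OK = json.dumps({
    "event_names": ["pageview", "click", "timing"], "distinct_count": 3,
    "cnil_cap": 3, "cap_status": "ok",
    "window_from": "2026-04-01T00:00:00Z", "window_to": "2026-05-01T00:00:00Z"})
SAMPLE_DRIFT = json.dumps({
    "event_names": ["pageview", "click", "timing", "purchase"], "distinct_count": 4,
    "cnil_cap": 3, "cap_status": "over",
    "window_from": "2026-04-01T00:00:00Z", "window_to": "2026-05-01T00:00:00Z"})
SAMPLE_MIXED = json.dumps({
    "event_names": ["pageview", "purchase"], "distinct_count": 2,
    "cnil_cap": 3, "cap_status": "ok",
    "window_from": "2026-04-01T00:00:00Z", "window_to": "2026-05-01T00:00:00Z"})


def review_audit(body: str, allowed=ALLOWED) -> dict:
    """Cross-check one audit response and list what the operator must act on."""
    data = json.loads(body)
    names = sorted(set(data["event_names"]))
    findings = []

    # Internal consistency of the response itself.
    if data["cnil_cap"] != CNIL_CAP:
        findings.append("cnil_cap is not 3")
    if data["distinct_count"] != len(names):
        findings.append("distinct_count disagrees with event_names")
    expected = "ok" if len(names) <= CNIL_CAP else "over"
    if data["cap_status"] != expected:
        findings.append(f"cap_status is {data['cap_status']!r}, expected {expected!r}")

    # Operator-side check: every observed name should map to one of the
    # three Sheet 16 types; anything else goes to review even under the cap.
    unmapped = [n for n in names if n not in allowed]
    if unmapped:
        findings.append("names outside the three types: " + ", ".join(unmapped))

    return {
        "window": (data["window_from"], data["window_to"]),
        "cap_status": expected,
        "types_used": sorted({allowed[n] for n in names if n in allowed}),
        "unmapped": unmapped,
        "findings": findings,
        "needs_action": expected == "over" or bool(findings),
    }
```
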

Configuring Statnive Live for Sheet 16

Statnive Live ships a configuration that satisfies the Sheet 16 conditions out of the box. The operator steps:

  1. Select the FR jurisdiction. Statnive Live’s site-policy panel exposes an 11-jurisdiction enum. Selecting FR aligns the site policy with French expectations. The hard-rule validator does not forbid permissive for FR (only DE has that hard-rule), but defaults to consent-free so the Sheet 16 architecture applies on day one.
  2. Confirm consent-free mode. This turns off cookies, localStorage and fingerprinting in the tracker; activates the server-side daily-rotating BLAKE3-HMAC visitor signature; activates the host-only referrer transform; activates IP truncation; activates User-Agent minimisation. The configuration matches the Sheet 16 do’s listed earlier in this post.
  3. Constrain the event taxonomy. Run the event-audit endpoint monthly. Aim for cap_status: ok. If a fourth event type is required for a specific marketing purpose, that purpose moves out of the Sheet 16 exemption and into a consented-mode workflow.
  4. Publish the self-assessment attestation. A short paragraph on the site’s privacy policy: “D’après notre auto-évaluation, la solution Statnive Live, configurée en mode consent-free, est conforme aux critères établis par la CNIL [link to https://www.cnil.fr/fr/cookies-solutions-pour-les-outils-de-mesure-daudience], et peut-être mise en œuvre sans requérir le consentement des utilisateurs si elle est correctement configurée.” No “CNIL-certified” claim; no CNIL logo.
  5. Publish the Article 21 opt-out link. Statnive Live exposes POST /api/privacy/opt-out and serves a default opt-out page at /privacy. The site’s privacy policy links to it. The opt-out persistence is implemented as a strictly-necessary cookie expressing the user’s choice — which is permitted under Article 5(3) ePrivacy because it implements the user’s explicit rejection.
  6. Document the Legitimate Interest Assessment. Statnive Live’s /legal/lia route serves a template aligned with EDPB Guidelines 1/2024 — interest identification → necessity → balancing. Customise the template to the operator’s specific processing context, retain the documented version, refresh annually.
  7. Sign the Article 28 DPA. If the operator uses Statnive Live’s hosted (SaaS) flavour, Statnive is a processor under GDPR Article 28. The DPA is exposed at /legal/dpa and downloadable without a sales call. If the operator self-hosts, Statnive is not a processor at all — the operator is the sole controller and there is no Statnive ↔ operator DPA to sign.

The result is a configuration that satisfies Sheet 16 conditions cumulatively and is also forward-compatible with the Digital Omnibus Article 88a(3)(c) proposal. The operator who deploys this today does not have to re-architect if and when the Commission’s text becomes law.

FAQ — does Sheet 16 cover ecommerce conversion events?

No. A conversion event is a fourth event type beyond Sheet 16’s three-event ceiling. Treating a purchase as a “feature interaction” (i.e. a click on the “place order” button) does not save the exemption because the operator also wants the value of the purchase, the product list, and often the first-vs-returning-customer attribution — and each of those expands the event taxonomy past the Sheet 16 boundary.

The robust deployment is split-mode. Audience measurement runs in consent-free mode under Sheet 16. Ecommerce attribution runs as a separate, consent-gated workflow — either as a consented-mode addition to the same Statnive Live deployment, or through a separate, fully consented analytics path. The audience-measurement metrics (visitors, sessions, pages) remain consent-free; the ecommerce metrics (revenue, orders, lifetime value) require a banner.

This is the same split CNIL describes in Sheet 16 for advertising-purpose cookies. Sheet 16 is narrow on purpose; an operator who wants ecommerce attribution is in a different regulatory frame.

What this gives an operator

The practical operator outcome from a Sheet 16-configured deployment:

  • No cookie banner required for the audience-measurement workflow under the conditions cumulatively met. The CNIL has been clear that the carve-out is real and that properly-configured tools qualify.
  • A documented basis to point at if the CNIL inspects. The self-assessment attestation + LIA + per-site event-audit log are the operator’s response pack.
  • A configuration that survives EU-wide because the strict Sheet 16 architecture also satisfies Italy’s Garante, Spain’s AEPD and the Netherlands AP carve-outs by construction. The country-by-country map walks through the deltas.
  • A measurement stack that is not 55.6% smaller than reality. Plausible’s cookie-banner study is the canonical reference for the share of visitors who decline or close a banner and drop out of analytics. A consent-free architecture sees those visitors.

What it does not give: ecommerce attribution, behavioural advertising, retargeting, cross-device deduplication, session replay, heatmaps, or A/B test variant attribution by user identity. Each of those requires a separate consent flow. The CNIL is explicit that Sheet 16 is the audience-measurement carve-out, not a general-purpose marketing-analytics carve-out.

The trade is straightforward: the operator gets unblocked visibility into the metrics that drive day-to-day product decisions, in exchange for not building marketing-attribution flows on the same code path. For most operators that is the right trade — and it is the one Sheet 16 was designed to make available.

What to do, and what to skip

  • Do: Limit the tracker to ≤3 event types (page presence + feature interaction + timing) and audit monthly via GET /api/admin/event-audit.
    Don’t: Add a fourth event type for ecommerce conversions inside the consent-free deployment — that disqualifies the Sheet 16 exemption.
  • Do: Publish a dated self-assessment attestation using the verbatim CNIL wording (“D’après notre auto-évaluation … peut-être mise en œuvre sans requérir le consentement des utilisateurs si elle est correctement configurée”).
    Don’t: Claim “CNIL-certified” or use the CNIL logo. The CNIL retired its evaluation programme on 1 January 2026 — operators self-assess.
  • Do: Set the FR jurisdiction in Statnive Live, default to consent-free mode, and verify host-only referrer + IP truncation are active at ingest.
    Don’t: Run Google Analytics 4 (or any sGTM-fronted GA4) and call it Sheet-16-compatible. CNIL has been explicit: GA4 fails the test.
  • Do: Run a parallel consented-mode flow for ecommerce attribution; keep the audience-measurement layer consent-free.
    Don’t: Conflate audience measurement with ecommerce attribution. Sheet 16 is the audience-measurement carve-out, not a general marketing-analytics carve-out.
  • Do: Maintain a Legitimate Interest Assessment per EDPB Guidelines 1/2024 covering the Article 6 basis for the post-Sheet-16 personal-data processing.
    Don’t: Treat Sheet 16 compliance as the whole GDPR analysis. The exemption covers ePrivacy Article 5(3) consent only; Article 6 lawful basis is separate.

The bottom line

France’s CNIL has built the EU’s most detailed, most operator-facing audience-measurement consent exemption. The cumulative conditions are narrow, the deadline is 1 January 2026, the self-assessment posture has replaced the legacy evaluation programme, and the configuration that qualifies in France also qualifies in Italy, Spain and the Netherlands by construction. Germany remains the outlier — see the § 25 TDDDG deep-dive — and the operator who configures for Germany is configured for France too.

Statnive Live ships the Sheet 16 architecture by default in its consent-free mode. The eleven-jurisdiction enum, the four consent modes, the daily-rotating salt, the hashed cookie ID at rest, the host-only referrer, the 25-month rollup retention and the event-audit endpoint are all in the box. The CNIL self-assessment attestation, the LIA template, the privacy-policy clauses and the Article 28 DPA are served from the binary at /legal/*. The deployment work is the operator’s; the architecture is done.

For the broader playbook, see the 2026 EU Consent-Free Analytics Playbook. For the news angle and the proposed EU-wide harmonisation, see the Digital Omnibus post. For why Germany is different, see the TDDDG post. And for how the same architecture handles right-of-access and erasure requests, see the DSAR post.


This is privacy research, not legal advice. Statnive Live, configured in consent-free mode for the FR jurisdiction, is configurable to qualify under the CNIL audience-measurement exemption when deployed per a documented Legitimate Interest Assessment and the CNIL self-assessment. This is not a CNIL certification. Every Statnive customer remains the data controller and bears responsibility for its own configuration and DPIA. Cross-reference with qualified counsel in France before publication.

Status of regulatory references as of 13 May 2026: CNIL Sheet n°16; CNIL “Cookies: solutions for audience measurement tools” of 4 July 2025 (compliance deadline of 1 January 2026 has now passed; legacy evaluation programme retired on that date; self-assessment regime operative since); CNIL Consolidated Cookie Recommendation of 16 January 2026 (substantive Sheet 16 conditions unchanged in consolidation); CNIL Final Recommendation on Tracking Pixels of 14 April 2026 (deliverability-measurement exemption; outside Sheet 16 scope); CNIL self-assessment PDF (July 2025); CNIL deliberation SAN-2020-013 (Amazon, 7 December 2020); CNIL Google decision of 7 December 2020 (€100m); CNIL decisions of 6 January 2022 (Google €150m, Facebook €60m); CNIL formal notice of 10 February 2022 (Google Analytics, Chapter V); CNIL deliberation SAN-2025-005 of 1 September 2025 (€150m against INFINITE STYLES SERVICES CO. LIMITED — Shein); CNIL deliberation SAN-2025-006 of 1 September 2025 (€325m total against Google LLC and Google Ireland Ltd); CNIL €3.5M cookie/transmission-to-social-network fine published 22 January 2026 (decision 30 December 2025, adopted in cooperation with 16 European DPA counterparts); EDPB Guidelines 2/2023 v2.0 of 7 October 2024; EDPB Guidelines 1/2024 of 8 October 2024. CNIL 2026 enforcement priorities (Jan 2026 announcement): recruitment, single electoral register (REU), sports federations — cookies are not a stated priority focus, though enforcement continues.
