Real-Time Analytics Compliance Guide

Real-Time Analytics Without Consent

How It Works, When It's Compliant, and When It's Not (CNIL & AEPD)

Real-time analytics is not illegal. But under CNIL (France) and AEPD (Spain), only aggregated, anonymous, audience-measurement data can be collected without consent — and the AEPD requires daily aggregation (hourly only for page load times).

This visual guide explains the data flow, the rules, and how to quickly test if a real-time use case is exempt or requires consent.

What is "Real-Time Tracking"?

Concept & Data Flow

Definition: "Real-time" means analytics are ingested and surfaced immediately, without batch delays.

Key distinction: How you present and store that data determines compliance — not the fact that it's instant.

Data Flow:

Event → Immediate collection
Anonymization (truncate IP, temporary session ID, first-party only)
Aggregation into "Today" bucket (00:00–23:59)
Real-time dashboard shows daily cumulative stats (hourly buckets only for page load time)

Important Note

Individual event logs or sub-daily time windows shift the processing into non-exempt territory in Spain.
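
The data flow above as an in-memory aggregator, added here as an illustration (it is not code from any tool named on this page). The /24 and /48 truncation widths, the UTC day boundary, the daily-salted HMAC used as the temporary session ID, and all class and function names are assumptions; the sample events are constructed.

```python
import hashlib, hmac, ipaddress, secrets
from collections import defaultdict
from datetime import datetime, timezone

def truncate_ip(ip):
    """Zero the host bits: /24 for IPv4, /48 for IPv6 (widths are an assumption)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

class DailyAggregator:
    """Holds counters only; raw events and full IPs are never stored."""
    def __init__(self):
        self.salts = {}                             # day -> random salt
        self.sessions = defaultdict(set)            # day -> temporary session IDs
        self.visits = {}                            # day -> final count after close_day
        self.pageviews = defaultdict(int)           # (day, path) -> count
        self.load_ms = defaultdict(lambda: [0, 0])  # (day, hour) -> [sum_ms, samples]

    def ingest(self, when, ip, user_agent, path, load_ms=None):
        when = when.astimezone(timezone.utc)        # UTC day boundary is an assumption
        day = when.date().isoformat()
        salt = self.salts.setdefault(day, secrets.token_bytes(16))
        # Temporary ID: keyed hash of truncated IP + UA; the salt is new each day.
        msg = f"{truncate_ip(ip)}|{user_agent}".encode()
        self.sessions[day].add(hmac.new(salt, msg, hashlib.sha256).digest())
        self.pageviews[(day, path)] += 1
        if load_ms is not None:                     # the only hourly series
            bucket = self.load_ms[(day, when.hour)]
            bucket[0], bucket[1] = bucket[0] + load_ms, bucket[1] + 1

    def dashboard(self, day):
        """Cumulative view of one day: audience metrics daily, load time hourly."""
        return {
            "visits": self.visits.get(day, len(self.sessions.get(day, ()))),
            "pageviews": {p: n for (d, p), n in self.pageviews.items() if d == day},
            "avg_load_ms": {h: s / n for (d, h), (s, n) in self.load_ms.items() if d == day},
        }

    def close_day(self, day):
        """Day end: keep the visit total, drop the salt and the session IDs."""
        self.visits[day] = len(self.sessions.pop(day, ()))
        self.salts.pop(day, None)

def demo():  # constructed events; IPs are from documentation ranges
    d = datetime(2024, 3, 1, tzinfo=timezone.utc)
    agg = DailyAggregator()
    agg.ingest(d.replace(hour=9, minute=5), "192.0.2.17", "UA-A", "/", 400)
    agg.ingest(d.replace(hour=9, minute=40), "192.0.2.17", "UA-A", "/pricing", 600)
    agg.ingest(d.replace(hour=14, minute=10), "198.51.100.9", "UA-B", "/", 300)
    return agg, agg.dashboard("2024-03-01")
```

Because only counters exist, there is nothing from which a visitor log or a "last 30 minutes" audience panel could be rebuilt; the hourly key appears on the load-time series alone.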

Compliance Core (CNIL & AEPD) — Rules at a Glance

Strict Purpose

Audience measurement and technical optimization only (no advertising, profiling, retargeting)

No Cross-site Tracking

First-party identifiers only; no shared IDs across domains; no third-party cookies

IP Anonymization

Truncate/anonymize to prevent re-identification

Cookie Lifetime

≤ 13 months; no auto-renew

Data Retention

≤ 25 months (purge/aggregate beyond this)

No Data Mixing

No mixing with CRM/profiles

Segregation

Providers must isolate each customer's data

User Information

Disclose exempt analytics in privacy/cookie policy

Opt-out (CNIL)

Working opt-out must exist in France

International Transfers

Require safeguards (SCCs/DPF) or proxy architecture

AEPD Specific

Audience metrics must be aggregated daily; only page load time may be aggregated hourly

Tool Patterns — What Typically Happens

Matomo (normal)

Uses cookies (_pk_id, _pk_ses)
Visitor logs, "last 30 minutes" real-time panels
Verdict: Needs consent

Matomo (cookieless)

disableCookies stops cookies
UI still has visit logs and often sub-daily windows
Verdict: Partial; AEPD daily aggregation rule often broken

Plausible

Cookieless by design
Often shows "last 30 minutes" windows
Verdict: At risk in Spain (AEPD) due to sub-daily windows

Sealmetrics

Real-time daily aggregation only, no logs, no sub-daily windows
First-party, IP anonymization, retention limits, CNIL opt-out ready
Verdict: Exempt by design (CNIL & AEPD aligned)

FAQs

Is real-time analytics legal without consent?

Yes—if it's aggregated, anonymous audience measurement. In Spain, it must be daily (hourly only for load time).

Can I show "current users online"?

Yes, if it's a snapshot and not stored as sub-daily history.

Why is "last 30 minutes" risky in Spain?

Because the AEPD requires daily aggregation for audience metrics; 30-minute windows are sub-daily.

Do visitor logs require consent?

Yes. Logs show individual journeys and are not exempt.

What about CNIL?

CNIL requires anonymized, aggregated stats and an opt-out; it doesn't mandate "daily," but the AEPD does.