This post was originally published on January 11, 2017 and updated in May 2020 and June 2025
At Matomo, privacy matters. From the very beginning, we’ve built Matomo with a strong focus on protecting user and analytics data.
Matomo is designed with privacy regulations at its core. It fully supports the GDPR and ePrivacy Directive implementing laws, which apply across the EU. Matomo can be configured to collect website analytics under consent exemption (e.g., exemption by CNIL (France)). Matomo can also be configured to comply with other major standards, including APPI (Japan), BDSG (German Bundesdatenschutzgesetz), CCPA (California), LGPD (Brazil), and PIPL (the P.R.C).
Here’s how you can use Matomo and Matomo Tag Manager to safeguard user data and privacy while gaining the insights that matter.
1. Own our data to protect user privacy
Whether you use Matomo Cloud or host it yourself (Matomo On-Premise), you retain full control over your analytics data. No one else has access or ownership. We do not repurpose, combine your data set with any other data set, or share it with third parties. By knowing exactly where your data is stored and what happens to it in Matomo Cloud, you have the power to protect your visitors’ privacy.
2. Minimise or Avoid Personal Data Processing
Matomo is highly configurable to meet both your analytics needs and privacy requirements.
Matomo provides a range of data privacy options in Matomo settings > Privacy > Anonymize Data that include:
- Masking the IP address of your visitors, partially or fully.
- Disabling cookies avoids assigning persistent identifiers to visitors. However, it is important to note that in some regions like the EU, law still requires visitors to give consent prior to activating cookieless tracking technologies.
Matomo can be also configured to avoid using custom User IDs and strip URL parameters that could contain personal data.
Additionally, you can update your Matomo configuration in Matomo settings > System > General settings to manage the following:
- Disabling live features such as the Real-Time, Visitor Log and Visitor Profile contributes to protecting the privacy of your visitors by only showing aggregated reports in your Matomo.
- Deleting old visitor logs, which contain collected raw data about every visitor and every action. For privacy reasons, we highly recommend that you keep the detailed Matomo logs for only 3 to 6 months and delete older log data.
3. Integrate Consent Manager or Add Opt-Out to our Website or App
Matomo can be integrated with a wide range of Consent Management Platforms (CMPs) using either the tracking code or Matomo Tag Manager (MTM). This includes popular CMPs such as Cookiebot, CookieYes, OneTrust, and more. Integrating a CMP with Matomo will help to comply with regulations like the GDPR and ePrivacy laws.
If you do not have to ask your visitors for tracking consent first, you can offer your visitors a manual opt-out option by embedding the Matomo opt-out feature directly on your website. In the Privacy settings, you will find an HTML iframe code you can paste into your privacy or legal page. This lets users opt out of tracking at any time.
You can also customise the opt-out experience using plugins available in the Matomo Marketplace, such as AjaxOptOut.
4. Consent Exempt Analytics
If you are eligible to rely on ePrivacy consent exemption from a specific supervisory authority (e.g., CNIL (France), Garante (Italy), AEPD (Spain)), Matomo can be configured to fall under these exemptions.
If you want to avoid client-side tracking, Matomo Log Analytics enables the analysis of server logs without JavaScript tracking, making it ideal for privacy-conscious organisations that want insights without relying on cookies or similar trackers or client-side tracking.
5. Privacy Tools
Matomo provides a range of built-in privacy tools to help you comply with data protection regulations like the GDPR, while developing transparency and trust with your users.
Be transparent with a clear privacy notice
Transparency builds trust. When using Matomo to track visitor behaviour, it is important to update your Privacy Policy to clearly explain what data Matomo collects, how you collect and process the data and how users can opt-out of tracking. To get started, follow our step-by-step guide on How to write a GDPR-compliant Privacy Notice.
Respond to data subject requests
Matomo includes GDPR tools in Matomo settings > Privacy to help you safeguard individual rights under the GDPR and similar privacy laws:
- Right of access: Export a user’s data using the Visitor ID or User ID.
- Right to erasure: Delete individual visits or all data associated with a specific user.
- Right to object or opt-out: Use the built-in opt-out mechanism or integrate a consent manager.
Automate data retention and deletion
To minimise privacy risks, you can configure Matomo to automatically:
- Delete old raw visit logs after a set number of days (e.g. 90 or 180)
- Delete associated report data if needed
- Anonymise older data instead of deleting it completely
This supports the principle of data minimisation and helps keep your analytics database efficient and compliant.
Matomo supports privacy-conscious analytics, but compliance depends on how you configure and use it within your wider data governance approach.
By applying these five practices, you take meaningful steps toward more responsible analytics and show respect for your users’ privacy.
Learn more about managing privacy in Matomo.
Continuous privacy improvements
We are always interested in improving the privacy. If you miss any feature or have an idea on how to improve the privacy, please let us know.
More information about all the Matomo features
If you want to learn more about all the features in Matomo, have a look at our User Guides and Developer Resources.
