Privacy regulations are changing in 2026: what analytics teams need to know

Privacy regulations across Europe are evolving. 2026 is shaping up to be a pivotal year in the privacy world.

For analytics teams, compliance leaders, and digital decision-makers, the next 12–18 months will bring concrete changes to how audience measurement can be configured, justified, and audited.

If your organisation relies on web analytics without consent, or is actively trying to reduce consent friction while staying compliant, these updates matter.

From France’s new CNIL self-assessment framework to the EU’s Digital Omnibus initiative and the UK’s updated PECR rules, significant changes are on the horizon. Some of these could make privacy-first analytics easier to use without consent. Others raise important questions about the future of data protection.

Here’s what you need to know, what is changing, and how Matomo is preparing ahead of time. 

France: CNIL moves to a self-assessment framework for consent exemption

The CNIL (France’s data protection authority) is introducing a new self-assessment framework for analytics tools seeking to rely on consent exemption.

Previously, the CNIL provided a list of pre-approved analytics solutions. Under the updated approach, all analytics providers must now evaluate their own compliance against standardised criteria outlined in the CNIL’s revised guide: “Cookies : solutions pour les outils de mesure d’audience”. Self-assessment is not a CNIL certification and does not prevent the CNIL from reaching a different conclusion in an investigation or audit.

Instead of informal interpretations, analytics providers will be expected to demonstrate compliance against clearly defined criteria.

What this means in practice:

• Compliance will be evaluated against explicit, published criteria
• Responsibility shifts more clearly to the analytics controller and the analytics solution provider
• Documentation, transparency, and configuration clarity become critical

What this means for Matomo users in France

Matomo has long been recognised by the CNIL as a privacy-compliant analytics solution. Under the new framework, we’re preparing detailed self-assessment documentation for early 2026 to help you demonstrate compliance.

The goal is simple: make compliance verifiable, auditable, and understandable, not interpretive.

EU: the Digital Omnibus initiative could reshape analytics rules

At the European Union (EU) level, the European Commission adopted the Digital Omnibus initiative last month.

If passed into law, it would bring substantial amendments to the GDPR, the ePrivacy Directive, and other data privacy regulations across Europe, potentially taking effect in 2026.

Proposed changes worth watching

Some amendments include:

• A narrower definition of “personal data” in the GDPR
• Allowing certain uses of personal data, including AI training, without explicit consent

But one proposed amendment stands out and is particularly relevant for analytics teams.

It would exempt consent for accessing or storing data on terminal equipment when it is strictly necessary for creating aggregated audience measurement, provided that:

• The website controller carries out the analytics for itself: you, as the site owner, collect the data to understand your audience, not a third party.
• The data is used solely for your own purposes.
• The data isn’t combined with other datasets.
• The analytics provider does not reuse the data for its own purposes: your analytics tool doesn’t siphon off your data for its own commercial interests.

This distinction is critical. It would explicitly favour first-party, privacy-focused analytics models like Matomo Analytics, and exclude solutions like Google Analytics that monetise, enrich, or repurpose analytics data across multiple clients.

Where the analytics line is drawn

The exemption would not apply to solutions where:

• Analytics data is combined with other datasets
• The analytics provider reuses the data for its own commercial or secondary purposes

In other words, platforms that monetise, enrich, or repurpose analytics data across multiple clients, like Google Analytics, would fall outside the scope of this exemption.

This would effectively favour privacy-focused analytics tools and exclude surveillance-based platforms that monetise user data.

Why this matters for Matomo users

If adopted, this amendment would be a significant win for privacy-first analytics. Matomo is designed precisely for this use case.

Matomo On-Premise gives you full control: your data stays on your own infrastructure, with no third-party involvement whatsoever. Your tracking remains uninterrupted and fully under your control.

Matomo Cloud, while hosted on Matomo’s infrastructure, preserves controller ownership and full control:

• Data is collected, processed, and stored independently for each customer
• Tracking is completely isolated, no data is shared or combined across clients
• Analytics data is never reused by Matomo for its own purposes

This means Matomo Cloud aligns with the core requirement of the proposal: analytics data remains under the exclusive control of the website owner (you) and is used only to measure their own audience.

We’ll continue monitoring the legislative process and provide updated guidance as the final text is clarified.

Timeline: The Digital Omnibus is currently under review with the European Parliament. If passed, changes could take effect in 2026.

United Kingdom: PECR updates to simplify consent-free analytics

In the UK, the Data (Use and Access) Act 2025 introduces updates to the Privacy and Electronic Communications Regulations (PECR). These changes are expected to make it easier to use privacy-friendly analytics without requiring consent, as long as certain safeguards are met.

When consent-free analytics will be allowed under the updated PECR

In practical terms, analytics may be used without consent where:

1. The use is strictly statistical, to improve the website or service
2. Data is not shared or reused for any other purpose
3. Users receive clear and comprehensive information about the tracking
4. Users have a simple way to opt out, and have not done so

Current status

These PECR-related changes aren’t yet in force. They’re expected to apply as part of a later rollout of Part 5 of the Act, likely in early 2026.

The ICO (UK’s data protection regulator) is also expected to publish updated Direct Marketing and Privacy and Electronic Communications Guidance, which will clarify the limits of this exemption. Initial publication is anticipated in winter 2025/2026.

What we’ll do: Once the ICO guidance is released, we’ll confirm the best ways to configure Matomo to comply with the new UK consent-exemption criteria, ensuring teams can confidently align with UK-specific requirements.

What this means for your analytics strategy

Across France, the EU, and the UK, one trend is consistent. These regulatory shifts share a common thread: privacy-first analytics is becoming the standard, not the exception.

If you’re using an analytics tool that:

• Shares data with third parties
• Combines analytics with advertising profiles
• Operates outside your control

You may face increasing compliance challenges, and lose access to valuable insights when users decline consent.

How Matomo is preparing for those privacy changes

As a privacy-first platform, regulatory change is not something Matomo reacts to after the fact. Our teams are already analysing and preparing for what’s coming.

With Matomo, you’re already positioned for any upcoming privacy changes:

• 100% data ownership: Your data stays yours, whether self-hosted or on our EU cloud
• No third-party data sharing: We never access, sell, or monetise your analytics
• Configurable for consent exemption: Matomo can be set up to meet CNIL, GDPR, and PECR requirements for cookieless, consent-free tracking
• Transparent compliance documentation: We provide clear guidance for every regulatory framework

The objective isn’t only to keep Matomo compliant, but to help your team stay compliant with confidence. You shouldn’t have to guess whether your analytics setup will stand up to scrutiny.

Our team is actively monitoring these developments and working through every requirement. Here’s what’s in progress:

Regulation	Matomo action	Expected timeline
CNIL self-assessment (France)	Preparing detailed compliance documentation	Early 2026
Digital Omnibus (EU)	Monitoring legislative progress; ready to update guidance	TBC (depends on adoption)
PECR updates (UK)	Awaiting ICO guidance; will provide configuration recommendations	Early 2026

Staying compliant without compromising insight

The next wave of regulation reinforces a principle Matomo has held from the beginning.

We will continue to:

• share regulatory updates
• publish clear, actionable configuration guidance
• support you through upcoming changes

Privacy regulation will keep evolving. Your analytics should be built to evolve with it. As a privacy-first platform, helping you navigate these changes is part of what we do.

We’ll continue to share updates, provide clear configuration guidance, and support you through whatever comes next.

You’re in good hands. And that is where compliance becomes a strategic advantage.

Start your 21-day free trial to take control of your data. No credit card required.