
A hands-on guide to privacy analytics


Three of the top ten challenges in KPMG’s 2025 Mid-Year Regulatory Report involved data privacy. With growing pressure and regulations, how can businesses balance respecting user privacy and compliance requirements with meeting their customers’ digital experience needs and preferences?

This guide is for product, marketing and compliance teams interested in or in the process of adopting a privacy-first analytics approach. Let’s get into it.

What is privacy analytics?

Privacy analytics is the practice of measuring digital behaviour while minimising the collection of personal data and avoiding user identification. Instead of building profiles on individuals, privacy analytics focuses on patterns, trends and behaviour at an aggregate level.

It favours techniques like anonymisation, pseudonymisation, data masking, short-lived session hashes, limited retention and aggregation.

The purpose is to understand how your website or app performs based on patterns that don’t connect back to identifiable profiles. In other words, you learn which pages convert or where a funnel leaks, without exposing who an individual is.

This approach contrasts with traditional toolsets, like Google Analytics, which rely heavily on third-party cookies, cross-site identifiers, granular profiling and broad data sharing. Traditional analytics tools grew up in an ecosystem where more data was always better. Today’s privacy-centric analytics platforms provide better outcomes for both users and businesses.

Infographic showing key aspects of ethical web tracking including data ownership, user privacy, compliance, and transparency

Platforms built for privacy take a different path. Matomo collects first-party data, does not share it with third parties and gives organisations full data ownership. When configured correctly with a lawful basis, retention rules and consent where required, it supports compliance with data subject rights in the EU/EEA while still providing clear, decision-ready reporting.

For more background, see Matomo’s overview of privacy-friendly analytics.

Before diving deeper into the topic, it’s worth pointing out that the term “privacy analytics” can carry one of two meanings:

  • Privacy-conscious web analytics, as described above. This type of analytics goes by many names and may also be referred to with terms like privacy-friendly, privacy-first, privacy-focused, privacy-by-design or data-minimised web analytics.
  • Privacy Analytics, as a proper noun, refers to a specific platform owned by IQVIA. As the name suggests, it’s privacy-oriented, but instead of being a web or app analytics tool like Matomo, it’s designed for the de-identification of data sets, primarily in healthcare and pharmaceutical contexts.

What you can still track in a privacy-friendly way

One of the biggest misconceptions in the industry is that privacy-first analytics provide less insight.

In reality, you can still measure the core signals that drive product and marketing decisions without personally intrusive tracking.

Start with page views. Record the URL, referrer, timestamp and anonymised device traits. This will show where people arrive, how they navigate between pages and which paths end in a key action.

Events work the same way. Define meaningful interactions, such as button clicks, video plays, outbound link clicks or downloads. Attach simple properties, like category, action, label and value. Because the focus is on behaviour rather than identity, you keep the context you need while masking who performed it.

From there, build funnels. A funnel is a series of steps, each defined by a page view or an event. For example, to purchase a product, the funnel might be:

  • Add to cart
  • Checkout cart
  • Complete payment

You can see step-by-step fall-off, run content or UX experiments and compare cohorts over time.

To enforce privacy-friendly tracking, use first-party requests and avoid storing persistent identifiers. Techniques include short-lived session identifiers, IP masking and page- or campaign-level aggregation.

Matomo supports this approach and even provides controls to disable cookies while keeping page view, event and funnel reporting intact. You can also set rules to drop or transform fields before they are stored and follow Matomo’s guidance on enforcing tracking without cookies.

Privacy note: Website analytics may be governed both by privacy laws (e.g., GDPR) and by ePrivacy rules that protect terminal devices.

In the EU/EEA, ePrivacy is technology-neutral and can require prior consent for any access to or storage of information on a user’s device, even where no personal data is collected.

For an audit-ready setup, log and manage consent states through a Consent Management Platform (CMP).

Outside the EU/EEA, cookieless modes with strong anonymisation and minimisation can help to reduce consent requirements, but you must document your legal basis and comply with local rules.

Pseudonymisation and anonymisation techniques

Pseudonymisation and anonymisation techniques play important roles in privacy-focused analytics. Both reduce risk and support compliance efforts, but it’s important to understand their differences.

Pseudonymised data has been stripped of direct identifiers. While this process means the data lacks directly identifying information, it’s still categorised as personal data under the GDPR because it could potentially be linked back to an individual when combined with other information.

Examples of pseudonymisation techniques include:

  • Masking parts of an IP address
  • Using randomised visitor IDs
  • Setting short-lived session identifiers

By reducing the amount of directly identifying information, pseudonymised data helps to mitigate business risks.

Anonymised data cannot reasonably be linked to an identifiable person. Examples include: aggregated page-level reporting, funnel statistics without user-level tracking, country-level or region-level geolocation and interaction heatmaps following privacy guidelines.

Properly anonymised data is generally outside the GDPR’s scope, but pseudonymised data remains personal data and must be treated accordingly; document your anonymisation methods and the rationale for your assessment.

Examples of privacy-preserving analytics include:

  • Aggregated reporting: Page-level reports and funnel statistics without tracking individual users.
  • Geolocation: Tracking down to the country or region level only.
  • Interaction heatmaps: These are used with strict masking rules, and no personal identifiers are stored.

Matomo uses pseudonymisation by default and generates anonymised data sets at the reporting level through aggregation.

Data minimisation considerations

When configuring privacy-first analytics, consider all identifiers the system may collect.

IP addresses are a common focus point, but they’re just part of the picture. Let’s use the IP address as an example to consider what data minimisation options can be applied here.

Ask a simple question first: Do I need to collect IP addresses?

In most marketing and product use cases, the answer is no.

Using IP anonymisation tools, you can mask the address to varying degrees:

  • Mask the IP address entirely.
  • Mask everything except the high-level location details (e.g., country and region).

This approach still provides enough location detail to identify market demand and compare markets, without the unnecessary risk of individual identification.

If your use case involves fraud prevention or security, document the legal basis, obtain consent where required and limit retention. These scenarios are typically separate from analytics and handled by security or infrastructure teams, not marketing.

Privacy-by-design across all data collected

Regardless of the identifiers involved (IP, device traits, session data):

  • Keep compliance requirements in mind.
  • Be clear whether you must ask for consent before tracking website analytics.

Remember that ePrivacy laws in the EU are triggered by data access or storage on a terminal device. It doesn’t matter if personal data is involved or not. In strict ePrivacy regions, you cannot track at all without prior valid consent.

To take a minimalistic approach to data collection:

  • Log only what you need
  • Drop or transform unnecessary fields
  • Use short-lived or randomised identifiers
  • Avoid storing query strings that include personal data
  • Aggregate and anonymise where possible

Matomo offers various tools to support this approach by:

Ethical heatmaps and session recordings

Heatmaps and session recordings have a reputation for being invasive. This is because many tools record everything on a page, including typed fields, user data and internal screens. But heatmaps and session recordings can be privacy-conscious when configured correctly. With Matomo, you can:

  • Mask sensitive fields, so the tool never captures what is typed or displayed inside them. Common candidates include search boxes, sign-in forms, checkout fields, support widgets and any component that may reveal names, emails or payment details.
  • Use CSS selectors to target elements and set rules that apply site-wide or per page.
  • Use automatic masking for form inputs to exclude keystrokes and values from recordings and heatmaps. The result is a visual record of clicks, scrolls and movement that never exposes personal data. For setup details, see Matomo’s guide on data masking in heatmaps and session recordings.
  • Respect consent. Because of their nature, session recordings and heatmaps do not fall within consent exemptions under EU ePrivacy laws. Consent is required before you can enable them. Matomo’s step-by-step guide on enabling heatmaps after consent shows how to do this.
  • Sample instead of recording every session. Round out your setup by collecting as little as possible: exclude back-office paths, account pages and any route that could expose private content. Combine masking, consent and sampling to study user experience while protecting trust.

Server-side tracking: More accuracy, less risk

Server-side tracking routes analytics hits through your own servers before they reach the analytics platform. Because the requests come from your domain rather than a third party, common ad blockers and tracking protection lists are less likely to stop them. The result is steadier page views and event counts, fewer funnel gaps and more reliable attribution.

Accuracy is only part of the story. With a server in the middle, you decide what leaves your environment. You can:

  • Drop fields that may include personal data, mask IP addresses, shorten retention and enforce naming rules before anything is stored.
  • Validate events, de-duplicate repeat submissions and queue retries when a user’s device is offline, ensuring that key conversions are not lost.

Consent still matters. In strict ePrivacy regions, do not track without valid consent. A server endpoint helps you apply consent centrally and log the state for audits, but it does not replace the need for a lawful basis.

Matomo supports both client- and server-side approaches, so you can pick the right tool for each job:

  • Use the JavaScript tracker on the client for experience features like heatmaps, session recordings and on-page events.
  • Use Matomo’s Tracking API from your server to record purchases, subscription starts or other backend events that should never depend on a browser.

Many teams opt for a hybrid model, using client-side tracking for UX details and server-side tracking for critical conversions and data governance.

To implement privacy-first, server-side tracking in Matomo:

  • Stand up a first-party endpoint.
  • Forward validated events to Matomo.
  • Apply transformations (e.g., IP masking and anonymisation).
  • Add accepted event names to the allow list.
  • Strip query strings that carry sensitive codes.
  • Test parity between client and server counts.
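As an added example (not Matomo’s code and not part of the original post), the following Python sketch shows the transformation step such a first-party endpoint could apply before forwarding a hit: the IP masking discussed under data minimisation above, an event allow list, query-string stripping and de-duplication of repeat submissions. The site id, allowed events and sensitive parameter names are constructed placeholders; the parameter names idsite, rec, url, e_c, e_a, e_n and cip come from Matomo’s Tracking HTTP API, and the actual HTTP forwarding to Matomo is left out.

```python
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholder configuration for the first-party endpoint.
MATOMO_SITE_ID = 1
ALLOWED_EVENTS = {                 # (category, action) pairs the endpoint forwards
    ("checkout", "add_to_cart"),
    ("checkout", "checkout_cart"),
    ("checkout", "complete_payment"),
}
SENSITIVE_PARAMS = {"email", "token", "session", "voucher"}  # constructed example list


def mask_ip(ip: str) -> str:
    """Zero the last 2 bytes of an IPv4 address (last 80 bits of IPv6): enough is kept
    for country/region lookup, but not enough to single out a host."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def strip_sensitive_query(url: str) -> str:
    """Drop query parameters that may carry personal data, and drop the fragment."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept), fragment=""))


class HitPreparer:
    """Turns a client-submitted event into Matomo Tracking API parameters, or rejects it."""

    def __init__(self) -> None:
        self.seen_ids = set()      # in-memory de-duplication of repeat submissions

    def prepare(self, event: dict, client_ip: str):
        if (event.get("category"), event.get("action")) not in ALLOWED_EVENTS:
            return None, "event not on allow list"
        event_id = event.get("event_id")
        if event_id is not None:
            if event_id in self.seen_ids:
                return None, "duplicate submission"
            self.seen_ids.add(event_id)
        params = {
            "idsite": MATOMO_SITE_ID, "rec": 1,
            "url": strip_sensitive_query(event["url"]),
            "e_c": event["category"], "e_a": event["action"],
            # cip overrides the visitor IP; Matomo accepts it only with a token_auth (added by the omitted forwarding step)
            "cip": mask_ip(client_ip),
        }
        if event.get("name"):
            params["e_n"] = event["name"]
        return params, "ok"
```

The rejected statuses are what you would count and log to test parity between client and server totals, since every dropped hit shows up as a gap.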

This setup reduces blocking, improves data quality and gives you tighter control over what you collect.

Comparing privacy-focused analytics platforms

The four platforms below reflect the range of privacy-first analytics options available, from full-featured analytics suites to lightweight, simplified dashboards.

Plausible, Fathom and Simple Analytics sit to varying degrees on the simpler side of the privacy-focused web analytics scale.

They’re all cookieless-by-default platforms that are compliant with GDPR, CCPA and PECR. Plausible is open-source, and Simple Analytics has open-source scripts, but Fathom is proprietary in its current version.

Plausible and Fathom both have self-hosted options, but they’re limited compared to their cloud counterparts; Simple Analytics is fully cloud-based.

Matomo, in contrast, has a fuller feature set with equal compliance. It’s just as capable of serving enterprise-level organisations as it is small ones.

Circular infographic showing Matomo’s features including open source, GDPR compliant, privacy friendly, 100% data ownership, and easy to use

While cookieless tracking requires a little configuration, Matomo offers functions the others lack, including heatmaps, session recordings, custom reporting, log analytics and a built-in tag manager. The differences between Matomo Cloud and On-Premise are minor compared to those between the cloud and self-hosted versions of Fathom and Plausible, and they largely come down to one tradeoff: more granular control over self-hosted deployments in exchange for greater maintenance and updating responsibilities.

Matomo aligns with privacy-first strategies

Matomo’s approach centres analytics on:

  • First-party data, so developers keep control and reduce reliance on third-party scripts that can expose user activity
  • Tracking and in-depth UX analysis without unnecessary personal data collection, to minimise the privacy impact on individuals without losing analytical insight
  • Configurable settings for collection (e.g., IP masking) and retention periods
  • Consent manager integrations to record visitor preferences
  • Server-side tracking to enhance accuracy across devices

The result is a workflow that collects only what you need, protects sensitive data and builds lasting user trust.

Side-by-side comparison

Feature | Matomo | Plausible | Fathom | Simple Analytics
Open source | ✅ | ✅ | ❌ Only legacy version is open-source | ❌ Only open-source for scripts
Self-hosted | ✅ Full-featured | ✅ Limited compared to cloud version | ✅ Only for the lite version | ❌
Cookieless | ✅ Configurable | ✅ By default | ✅ By default | ✅ By default
EU data hosting | ✅ Cloud or self-hosted | ✅ EU-only | ✅ EU-option | ✅ EU-only
GDPR/CCPA/PECR compliance | ✅ | ✅ | ✅ | ✅
Heatmaps and session recording | ✅ | ❌ | ❌ | ❌
Custom reports | ✅ | ❌ | ❌ | ❌
Built-in tag manager | ✅ | ❌ | ❌ | ❌
Log analytics | ✅ | ❌ | ❌ | ❌

Privacy note: Regardless of the platform chosen, users are still responsible for configuring their legal basis and consent model, especially in regions with strict privacy regulations.

Building trust with privacy-first analytics

Protecting user privacy doesn’t mean giving up insights into how people use your website. A privacy-first analytics platform can still tell you where people hesitate on checkout pages, which blog posts are most engaging and where site speed may be affecting conversions, all while keeping personal data secure and aligned with GDPR and similar requirements.

If your current analytics tool relies on third-party cookies or shares data with external vendors, it may be time to rethink your setup. Teams need a solution that collects only the data they need and keeps it within their control.

Matomo gives you that control. 

Try Matomo free for 21 days to see how privacy-first analytics fits your workflow.

Get started with Matomo

By choosing Matomo, the ethical analytics alternative, you won’t make privacy sacrifices or compromise your site.
