Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (“ePrivacy Directive”), focuses on the privacy of electronic communications. The Directive covers confidentiality, traffic data, location data, unsolicited communications, storing or accessing data in terminal devices, and security of services.

Scope Beyond Personal Data

Unlike the GDPR, which focuses on personal data, the ePrivacy Directive covers “gaining access to or storing information on users’ terminal devices.” ePrivacy law applies even to anonymous data sets: even if you don’t collect personal data using analytics, you may need to request consent under the ePrivacy implementing laws.

More Than Cookies

In October 2024, the European Data Protection Board (EDPB) released the final Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive for public consultation. The EDPB clarified that Art. 5(3) applies to:

  • various forms of terminal equipment (i.e., any equipment directly or indirectly connected to network, whether owned or rented, used by an individual or multiple users, e.g., a connected car, smartphone, laptop, connected TV, IoT device, etc.);
  • various modes and means of storing information or gaining access to information; and
  • a broad range of technologies (e.g. storage of viruses on terminal equipment, fingerprinting, tracking of resource identifiers, URL and pixel tracking, local processing, tracking based on IP only (in most cases), intermittent and mediated IoT reporting, Unique Identifiers).

Article 5(3) of the directive is crucial for website owners as it requires that visitors must provide consent before any information is stored or accessed in the visitors’ terminal equipment, subject to two exceptions (see section below). Unless these exemptions apply, website owners must obtain consent before placing cookies or using similar tools to track visitor data. This includes:

  • Displaying a cookie banner to inform users about the use of cookies.
  • Detailing the purposes of the cookies.
  • Obtaining and recording user consent.
  • Providing mechanisms for users to withdraw consent at any time.

Across the EU, consent is not required for storing or accessing information where it is strictly necessary for providing an online service explicitly requested by the user or solely required for transmission of a communication. These are often referred to as “essential” and include cookies or tools used for the following purposes:

  • recording users’ cookie preferences;
  • personalising the user interface (language or UI settings) but only when the personalisation is an expected element of the service (does not apply to advertising);
  • remembering shopping cart contents;
  • allowing load balancing;
  • user authentication;
  • session security.

Differences in interpretation and what it means for website analytics users

Unlike the GDPR, the ePrivacy Directive must be implemented through national laws in each EU member state, leading to varying interpretations and enforced rules around cookie consent. This variability especially affects what is considered “strictly necessary” or “essential” cookies. This is particularly evident in the case of privacy-friendly analytics tools.

Supervisory authorities in some EU member states (e.g., France, Spain, Italy) decided that privacy-focused website analytics can be “essential,” exempting them from the consent requirement if configured in a specific way. However, a full set of analytics will not be available under this exemption.

The EDPB Draft Guidelines provide more detail on when Art. 5(3) applies, though they have not resolved the question of whether website analytics can be exempt from the consent requirement. Some of the public feedback on the Draft suggested that the EDPB address this omission in the final version of the Guidelines.

In the absence of an ePrivacy regulation offering a unified EU approach, website publishers must navigate the different national approaches to analytics compliance. The decision on compliance will depend on:

  • the website’s geographic reach;
  • the full set of cookie and tracking tools used on their website (not only analytics);
  • the preferred functionalities of the analytics tools; and
  • whether the consent management platform or tool used by the website owner can be configured to collect consents from some locations, while presenting consent-exempt analytics in others.

For example:

  • For websites targeting visitors from France, Spain, Italy, or the Netherlands, the website owner may choose to configure the analytics tool using the consent-exempt configuration option permitted by the relevant national supervisory authorities, including the Opt-Out feature.

    • However, if the website owner intends to track data beyond what is considered consent-exempt (e.g., Heatmaps, UserIDs, Session Recordings, advertising conversion exports or eCommerce data), a consent banner must be implemented before enabling these plugins.
  • In countries where supervisory authorities have explicitly stated that website analytics always require consent, requesting user consent remains the safest and most compliant approach.

  • For websites directed at visitors from jurisdictions that do not have specific cookie laws and do not require cookie banners, Matomo analytics can be used without cookie consent. However, compliance with privacy laws is still required when collecting personal data, and anonymised analytics may be preferable in such cases.

  • Website owners may opt for anonymised, aggregated analytics with privacy-preserving configurations (see “Can I use Matomo Analytics without consent or cookie banner?”). However, these configurations may reduce the accuracy of the analytics and may not be suitable for those looking to use the full range of analytics features.

  • Websites with a global audience can either implement a consent banner globally or use a consent management platform that allows geotargeting, such as showing a consent banner in the EU or selected jurisdictions while omitting it elsewhere.

  • When website analytics or tracking are used for advertising or marketing purposes, consent is always required in EU countries.

Variability Across European Countries

Strict Interpretation

Countries where the relevant supervisory authorities expressly stated that consent is required for all forms of website analytics that fall into the technical scope of the ePrivacy Directive, regardless of their privacy impact, include Austria [1], Cyprus [2], Germany (some land supervisory authorities [3]), Finland [4], Ireland [5], Latvia [6], and Lithuania [7].

Some of these supervisory authorities suggest that enforcement against first-party, aggregated, privacy-preserving website analytics may not be an enforcement priority (Ireland, UK).

a) Germany
The ePrivacy Directive implementing laws, TDDDG (and earlier TTDSG), require consent for website analytics. For compliance with the German laws, we recommend asking for consent before collecting analytics data using Matomo.

Note that some German supervisory authorities, e.g. the Baden-Württemberg SA [9], have stated that it is possible to carry out “reach analysis” (audience measurement) that falls outside the TDDDG (formerly TTDSG) and can be done without consent. Such audience measurement must:

  • use local log file analysis only;
  • not access the terminal device;
  • involve no external third-party services (i.e. services that allow third parties to analyse user behaviour or that pass personal data on to third parties);
  • use a data-saving configuration;
  • involve no merging of usage data across provider or device boundaries;
  • involve no use of information to recognise the user for any other purpose; and
  • have as the purpose of the processing the creation of aggregated statistics that cannot be related to individuals.

Matomo Log Analytics uses only log files. Analytics based on log files will produce only a limited analytics set.

b) Ireland
The Irish Data Protection Commission expressly requires consent for analytics cookies [11]. However, in its Guidance, the DPC acknowledges that first-party analytics cookies are not likely to create a privacy risk when they are:

  • strictly limited to first-party aggregated statistical purposes;
  • used by websites that already provide clear information about such cookies in their privacy policy;
  • provide adequate privacy safeguards; and
  • include a user-friendly mechanism to opt out of any data collection for analytics.

The guideline further states that it is unlikely that first-party analytics cookies would be considered a priority for enforcement action by the Data Protection Commission.

For compliance with the Irish laws, obtaining consent is recommended.

Lack of Specific Guidance

Countries where the relevant supervisory authorities have not provided any specific guidelines on analytics include Bulgaria, Croatia, Estonia, Malta, Norway, Poland, Portugal, Romania, and Sweden. For these countries, website owners may prefer to adopt a conservative approach and ask for consent to website analytics. An alternative approach, based on the website owner’s assessment of the risks, may be to configure Matomo in a similar way to that described in the Exemptions section below.

Exemptions for Privacy-preserving Aggregated Analytics

Countries where the relevant supervisory authorities have exempted certain categories of privacy-focused analytics from consent, provided they meet certain criteria, include France, Italy, the Netherlands, Spain, and Switzerland. Recently, the UK has also passed legislation permitting limited website analytics without consent.

a) France [12a, 12b]

The French supervisory authority, CNIL, recognises that some audience measurement trackers are strictly necessary and exempt from consent.

Such audience measurement tools must be strictly limited to the following purposes:

  • Performance measurement
  • Detection of navigation issues
  • Optimisation of technical performance or ergonomics
  • Estimation of required server capacity
  • Analysis of viewed content

The solution may collect no more than three types of events:

  1. The simple presence of a person on a page, along with information related to that page (e.g. name, type, etc.);
  2. The use of a feature by that person (e.g. button click, link click), along with related information (e.g. destination, label, etc.); or
  3. Statistics on page load time, scrolling behaviour, or time spent on a page.

Whether for visualisation within the tool’s interface or during export, all reports generated by the solution must contain only anonymous statistics.

No tracking of the navigation of an individual user must be possible.

CNIL explicitly excludes any marketing-related measurement, including but not limited to:

  • Measurement of conversion channel performance, advertising campaign performance, acquisition channel performance, ad fraud prevention, etc.
  • Creation of user cohorts for presenting differentiated content, whether cohort membership is defined randomly or based on previously collected information.

The above is not a complete list of CNIL consent-exemption criteria. For the full set, refer to CNIL’s latest guidelines on consent-exempt trackers.

Refer here to learn more about how to configure Matomo to rely on the CNIL exemption for audience measurement tools.

Both Matomo On-Premise and Matomo Cloud can be configured to comply with the CNIL consent exemption. Matomo On-Premise is a self-hosted solution. Matomo Cloud is a hosted solution, but each Customer’s data is collected, processed and stored independently for each Customer, the trackers are completely independent of each other and of any other tracker, and the data is not used for any purpose other than processing data for the Customer.

Important note:

The CNIL exemption requirements are cumulative, meaning that if you don’t comply with all the requirements (because you add other cookies, or track the individual or share the data with third parties), you can no longer rely on the exemption.

If you are using other non-exempt Matomo tracking tools (e.g., User ID, Heatmaps, Session Recordings, eCommerce, Advertising Conversions, etc.) or non-exempt features of other tools, you will need to ask your visitors for prior consent. This means that you will need to implement a cookie banner/consent manager to record your visitors’ consent before you can start tracking their activity using Matomo.

b) Italy
The Italian supervisory authority, Garante per la protezione dei dati personali, considers that some types of analytics can be permitted without consent [13 It, 13 Eng].

Such analytics must:

  • prevent direct identification or singling out of a data subject (no direct, unique identifiers);
  • only be used to produce aggregated statistics concerning a single site or a single mobile app;
  • not allow tracking an individual’s navigation across different applications or websites;
  • mask out at least the fourth component of each IP address;
  • the third parties providing the analytics services must not match the analytics data with any other information (such as customer records or statistics concerning visits to other websites) and must not forward such data to other third parties. However, statistical analyses concerning several domains, websites or apps that can be traced back to the same publisher or group of undertakings are allowed.
  • where a controller produces, through its own resources, statistics on data relating to several domains, websites or apps that can be traced back to that controller, non-encrypted data may also be used provided purpose limitation constraints are complied with.

Tools used to profile, to trace specific actions or recurring behavioural patterns back to an identified or identifiable person, or to send advertising messages are not exempt.

Website owners wishing to comply with the Italian exemption requirements could consider configuring Matomo in line with the CNIL configuration recommendations set out above.

c) The Netherlands [14]
Analytical cookies that help to improve a website may be placed without permission, as long as they have little impact on the privacy of the visitors. The website owner must inform the visitors that such cookies are used. For privacy-sensitive analytical cookies, consent is required. Specifically, cookies that allow tracking of a visitor’s internet behaviour over time or between websites, or that make it possible to create visitor profiles, always require prior consent. Tracking cookies used for marketing or advertising purposes also always require consent.

Website owners wishing to comply with these exemption requirements could consider configuring Matomo in line with the CNIL configuration recommendations set out above.

d) Spain
In January 2024, the Spanish Data Protection Agency (AEPD) released guidance on the use of cookies for audience measurement. The AEPD considers that for the proper administration of a website, only the following measurements are strictly necessary (and consent-exempt):

  • audience measurement, page by page;
  • the list of pages from which a link has been followed to request the current page (sometimes called “referrer”), whether internal or external to the site, per page and aggregated daily;
  • determination of the type of device, browser, and screen size of visitors, per page and aggregated daily;
  • page load time statistics, per page and aggregated hourly;
  • statistics on the time spent on each page, bounce rate, scroll depth, per page and aggregated daily;
  • statistics on user actions (clicks, selections), per page and aggregated daily;
  • statistics on the geographical area of origin of requests, per page, and aggregated daily; and
  • the lifespan of trackers is limited to 13 months and retention to 25 months and both are subject to periodic review.

In addition:

  • visitors must be informed about the use of cookies that are considered exempt, e.g., via the privacy policy;
  • if any non-exempt cookies remain, consent is required;
  • if data is collected by a provider of audience measurement service, the data must be collected, processed and stored independently for each publisher and the trackers must be used independent of each other; and
  • other conditions also apply (concerning strictly necessary processing, entering into a processing agreement, data transfers and internal or external configuration compliance assessment).

Website owners wishing to comply with the Spanish exemption requirements could consider configuring Matomo in line with the CNIL configuration recommendations set out above. In contrast with CNIL, AEPD does not require that the dataset be anonymised; however, data processing must be limited to what is strictly necessary for the purpose of audience measurement.

e) Switzerland [15]

Switzerland is not an EU member state and is not required to follow the ePrivacy Directive. The use of cookies must be in line with the Federal Act on Data Protection (FADP).

The Swiss law does not explicitly require prior consent for cookies that do not involve processing sensitive data. However, website operators must inform users about the use of cookies and the processing of personal data associated with them. This information should be clear, comprehensive, and easily accessible. In other words, web analytics can be used without consent, but data processing must comply with data protection laws if personal data is processed.

For advertising cookies and social media cookies, we recommend obtaining consent.

f) The UK

The recent Data Use and Access Act 2025 (DUAA) has amended the Privacy and Electronic Communications Regulations (PECR) to permit consent-exempt storage or access to terminal equipment to collect information for statistical purposes about how an organisation’s online services or website are used with the aim of improving the service or the website. The exemption is subject to conditions concerning:

  • sharing (only for the purpose of enabling a person to assist with making improvements to the website or service);
  • transparency of such information collection; and
  • an opt-out being provided.

We are awaiting the publication of the updated Direct marketing and privacy and electronic communications Guidance by the ICO UK.