Matomo creates cookies and similar tools (we’ll refer to them jointly as ‘cookies’) to track visitor interactions on your website. There are default and optional cookies that collect visitor statistics and ensure accurate data. Default cookies can be disabled and optional cookies are only created when using specific Matomo features.

The default Matomo Tracking code uses first-party cookies set on your website’s domain and then stored in your visitors’ browsers. The tracking data is linked directly to your site and not shared with any third parties.

It is important to comply with the data privacy regulations relevant to your jurisdiction and business model. If the GDPR and ePrivacy requirements in the EU apply to your website, your visitors must be informed and, where required, provide consent for use of website analytics. Certain configurations of Matomo may be used without consent for analytics purposes (refer to the ePrivacy and National Implementations guide). Additionally, you may consider cookieless tracking to help align with privacy requirements.

Default Cookies

To track users on your website or app, the default Matomo tracking JavaScript code creates first-party cookies with a default expiration.

You can adjust how long these cookies store visitor information by changing the expiration settings in the JavaScript tracking code, which is useful to customise the duration based on your privacy needs or data retention policies.

The following table details the purpose and default expiration of the first-party cookies created by Matomo. When the cookies expire, they are automatically removed from the visitors’ browsers. For further clarification, refer to the Usage details below for more information about each cookie.

Name Purpose Type Usage Default Expiry
_pk_id Stores a unique visitor ID. Cookie First-party website analytics 13 months
_pk_ses Session cookie temporarily stores data for the visit. Cookie First-party website analytics 30 minutes
_pk_ref Stores attribution information (the referrer that brought the visitor to the website). Cookie First-party website analytics 6 months
_pk_testcookie Temporary cookie to check if a visitor’s browser supports cookies (set in Internet Explorer only). Cookie First-party website analytics Temporary cookie that expires almost immediately after being set.

Optional Cookies

Setting Optional cookies only occurs when using a specific Matomo feature (e.g., Heatmaps, A/B testing, or consent management. For further clarification, refer to the Usage details below for more information about each cookie.

Name Purpose Type Usage Default Expiry
matomo_sessid A nonce to help prevent CSRF security issues when using the opt-out feature. Strictly necessary or essential cookie Security feature 14 days
mtm_consent_removed Indicates that a visitor opted out of Matomo tracking. Strictly necessary or essential cookie Opt-out management 30 years but may be removed earlier depending on browser rules (see Usage details).
mtm_cookie_consent Records the visitor’s consents to Matomo tracking. Strictly necessary or essential cookie Consent management 30 years but may be removed earlier depending on browser rules or may be configured with a shorter expiry period (see Usage details).
_pk_hsr Session cookie temporarily stores Heatmap session data when using the Matomo Heatmap feature. Cookie First-party website analytics (Heatmaps feature) 30 minutes
_pk_uid If enabled, this cookie assigns the same ID to a visitor navigating across all your domains and subdomains, so Matomo can recognise users across devices and sessions. It is only used when enabling third party cookies in Matomo’s config file. Cookie Optional third-party cookie (not enabled by default) 13 months
MatomoAbTesting Stores information for Matomo A/B Testing using local storage. Local storage object First party website analytics (A/B testing feature) No expiry (persists until it is explicitly deleted by the visitor or application).

Usage Details

_pk_id

Contains the unique visitor ID to recognise new and returning visitors to build up a Visitor Profile that includes a summary of their interactions on the site, number of visits, timestamp of first and last visit. It also includes interactions related to eCommerce orders, goals and conversions, and attribution across sessions.

_pk_ses

Used to link actions performed during the session (e.g., page views, downloads, events) to a unique visit, thereby allowing Matomo to accurately attribute these actions to a single session.

_pk_ref

The attribution data includes how a visitor initially arrived at the site, whether they came from a search engine, a social media link, an external website, or a campaign URL. Consequently, this information helps Matomo attribute visits to specific traffic sources.

_pk_cvar

Stores custom variables in key-value pairs to define additional metadata about the visitor or their actions during a session; it could be any custom data you want to track. Because this is a session-based cookie, it only applies to the current visit.

_pk_testcookie

This a temporary cookie, specifically set in Internet Explorer to check if a visitor’s browser supports cookies.

matomo_sessid

When using the opt-out feature, this nonce sets and prevents CSRF security issues. Moreover, it does not contain any data that identifies visitors and only maintains session information, which is often set if Matomo is configured to work with a specific session-based feature.

For consent management, this optional cookie is placed when a visitor opts out of being tracked. It is only applicable when you are using your own cookie consent implementation or a consent manager (CMP) tool, or if using a consent-exempt configuration of Matomo and you need to configure the opt-out feature on your website.

If Matomo is setup on a different domain than the website being tracked, the matomo_consent_removed cookie will be a first-party cookie. This cookie does not contain personal information or any ID and its value is the same for all visitors. Although the default expiry of this cookie is 30 years, some browsers delete this cookie if the visitor has not visited your website in 7 days (Safari), 45 days (Firefox) or 400 days (Chrome) (as of the date of this policy, 24 October 2024).

Note that these time frames may be subject to change. You may want to inform irregular visitors to your websites who wish to opt-out of analytics to check the setting when they visit. Otherwise, the opt-out might not be recognised by their browser.

When utilising a consent manager (CMP) to request consent, the cookie stores the visitor’s consent status for tracking purposes and recognises the user gave consent. The cookie’s expiry may be subject to the same earlier deletion as with mtm_consent_removed (refer above). You can define a shorter expiry period for your user consent by calling: _paq.push([‘rememberConsentGiven’, optionallyExpireConsentInHours]). Learn more in the Tracking and Cookie Consent developer guide.

_pk_hsr

This cookie is placed when using Matomo’s Heatmap and Session Recording features. It temporarily stores data to determine which areas of a webpage visitors interact with most. Furthermore, it captures the session recording process, including the start, continuation, and end of each session. This approach ensures that all data is accurately linked to a specific visit, providing a clear view of user interactions.

_pk_uid

By default, Matomo uses only first-party cookies, so when these visitors navigate between multiple domains, the domains will not share the same cookies, and each domain treats the visitor as new. If you enable this cookie to assign the same ID to a visitor navigating across all your domains and subdomains, Matomo will recognise users across devices and sessions, which can be particularly useful to understand the behaviour of logged-in users, such as for eCommerce websites or membership platforms.

MatomoAbTesting

Unlike cookies, MatomoAbTesting (previously MatomoAbTesting) stores data directly in the browser’s local storage. As a result, users consistently see the same version of a webpage (e.g., variation A or B) and they remain in the same testing group across different sessions, even if they close and reopen the browser.