Fingerprinting refers to a method of combining information elements, such as unique identifiers for the purpose of identifying users over time or across websites. Fingerprinting is designed to persistently track internet behaviour of users.

Matomo does not use a fingerprint to track visitors.

Instead of a fingerprint, Matomo uses config_id, the most privacy-friendly industry-leading measure designed to protect users privacy. The config_id is a session/visit hash, used by Matomo to group different actions into Visits during a short window of up to 24-hours.

The visitor config_id is a randomly-seeded, privacy-enabled, time-limited hash of a limited set of the visitor’s settings and attributes. The config_id or config hash is a string calculated for a visitor based on their operating system, browser, browser plugins, IP address and browser language.

Unlike other tools that use fingerprinting, config_id is intentionally designed not to be permanent, not recognise returning visitors and not allow tracking across websites. By design, config_id is temporary and only valid for one particular website domain:

  • The config_id is only valid for a single session – with the maxiumum of 24 hours and is then rotated, meaning the same visitor will have a different config_id each day.
  • The config_id changes and is fully anonymised every 24 hours. The randomly-generated seed is discarded each day and cannot be recovered.
  • The website ID is used to process the config_id which means that on your Matomo instance, a given user/visitor will always have a different config_id when browsing your different websites and domains.
  • The IP address used to create the config_id will be the anonymised IP address when you have enabled IP anonymisation which is the default privacy setting in Matomo. When you select Also use anonymised IP when enriching visit: No, then the full IP address will be used in the hash calculation.

Matomo can be configured to disable config_id. Refer to the guide on how to disable browser feature detection completely?

Learn more how does Matomo detect unique and returning visitors with User ID, Visitor ID from cookie.

References:
Article 29 Working Party (hereinafter, ‘WP29’) Opinion 9/2014 on the application of ePrivacy Directive to device fingerprinting which has clarified that fingerprinting falls within the technical scope of Article 5(3) ePD3: wp224_en.pdf.

Replaced by Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive.

Previous FAQ: How do I ask for user consent before tracking visitors or measuring user analytics?