How do I configure Matomo without tracking consent for French visitors (CNIL exemption)?
The Commission nationale de l’informatique et des libertés (CNIL), has confirmed that Matomo can now be used to collect data without tracking consent.
There are specific conditions and measures that are necessary to ensure you can benefit from this exemption.
This is an option for both Matomo Cloud and On-Premise versions.
You can use Matomo with tracking cookies for visitors located in France based on the following conditions:
- Anonymise IP
- Disable Live features (visits log and visitor profiles) in General settings
- Do not use the features User ID, Ecommerce, and Heatmaps/Session recordings
- Let people opt-out from being tracked on a page of your website
- Don’t track personal data
- The trackers must be used to produce anonymous, aggregated reports.
CNIL consent exemption recommendations
To put in place solutions that respect people’s rights, the CNIL recommends that:
- Users are informed of the implementation of these tracers, for example via the privacy policy of the site or the mobile application
- The lifespan of the tracers is limited to a period allowing a relevant comparison of the audiences over time, as is the case with a period of thirteen (13) months, and that it is not automatically extended during new visits
- The information collected through these tracers is kept for a maximum period of twenty-five (25) months
- The above lifespan and retention periods must be subject to periodic review and limited to what is strictly necessary.
The CNIL states that the following trackers or tracking activities are not exempt from consent:
- Trackers that track a person across different applications or websites, whether for profiling, personalised content, or targeted advertising.
- Advertising trackers, whether for personalised or non-personalised ads.
- Trackers for social media sharing features.
Tracking activities that are also not exempt from consent:
- Cross-checking data with other processing activities.
- Sharing tracking data with third parties (other than your data processors).
- Using trackers for multiple purposes, where at least one purpose requires consent. For example, a strictly necessary cookie used for user authentication in a logged-in environment does not require consent as it is essential for providing the service.
- However, the same cookie cannot be used for advertising unless the visitor explicitly consents.
More information:
Matomo exempt from tracking consent in France (blog article)
Read the full list of CNIL recommendations and guidelines
Next FAQ: CNIL Compliance for Ecommerce Tracking
Previous FAQ: ePrivacy Directive, National Implementations and Website Analytics