Can I track a visitor without cookies when they have not given consent for tracking cookies?

Strict ePrivacy laws

If the applicable privacy law requires you to ask for consent before tracking your visitors (e.g., in countries with strict ePrivacy laws, such as Germany or the UK), the consent has to cover all cookies and similar tracking tools. From ePrivacy law perspective, JavaScript tracking is treated the same as cookie-based tracking and it does not matter if the data processed collects personal data or not.

If your visitor rejects cookies, they are also rejecting other forms of acting tracking covered by the ePrivacy directive. You will not be able to track those visitors without their consent to website analytics tracking. You can only track such visitors using tools that fall outside ePrivacy laws. Refer to the ePrivacy Guide.

As explained in the ePrivacy Guide, some privacy laws allow you to track visitors without consent, if no personal data or unique identifiers are processed. For example, refer to How do I configure Matomo without tracking consent for French visitors (CNIL exemption)? to find the conditions of the CNIL consent exemption for website analytics.

If you are allowed to track your visitors using Matomo Analytics without needing consent, it means you can track any visitor without prior consent, provided that you stick to the limits of the exemption. For example, you will not be able to rely on the exemption if you start processing personal data or using the data for other purposes (e.g., marketing or advertising).

In some cases, privacy laws will allow you to track your visitors without consent as long as you do not store any of their personal data (indirect or direct identifiers). Cookies can sometimes store personal data. For example, _pk_id.* stores a unique visitor ID to recognise repeat visits. To avoid collecting personal data, you will want to track your visitors using a cookieless configuration.

To do so, you need to add the following line to your tracking code:

_paq.push(['requireCookieConsent']);

Once you added the line above, then all visitors will be tracked with tracking cookies disabled.

If are running cookieless permitted tracking and you then also want to ask visitors for cookie consent (optional), simply follow these instructions on how to implement cookie consent in your website or app. In a nutshell, as soon as consent for using cookies is given, simply call this once:

_paq.push(['rememberCookieConsentGiven']);

Or call this on every subsequent page view. Then all visitors will be tracked, and tracking cookies will be set:

_paq.push(['setCookieConsentGiven']);

And once the cookie consent has been revoked, simply call this once:

_paq.push(['forgetCookieConsentGiven']);

Or no longer call this on every subsequent page view. Then all visitors will be tracked, but tracking cookies will be disabled:

_paq.push(['setCookieConsentGiven']);

Please note this requires Matomo 3.14.0.

Note that disabling cookies will impact the data accuracy of some reports. That’s why we have a feature that lets you segment these two different groups (visitors that were using cookies vs visitors that weren’t using cookies). It allows you to create a segment, Visitor gave consent and view the reports that impact the data accuracy only for these users that gave consent.

When you apply this segment, Visitor gave consent, you will get reliable numbers, compared to looking at All visits where visitors without consent would make these reports inaccurate.

Previous FAQ: Can I use Matomo Analytics without asking for consent or using a cookie banner?