Privacy legislation worldwide, including the GDPR, CCPA, PECR and the ePrivacy Directive, often requires a cookie banner informing users about cookies, or consent before visitors' data is collected for tracking. With the right configuration, however, Matomo can be used in a way that collects no personal data at all and is therefore exempt from the consent requirements of many countries' privacy regulations.

In addition to minimising the collection of personal data, Matomo itself takes privacy-preserving steps: the salt used to compute the visitor fingerprint is rotated every 24 hours, so the same device receives a different fingerprint from one day to the next and no long-term user profile can be built. This means you can use Matomo without a consent mechanism as long as:

  • The collected analytics data contains no personal data.
  • The collected data is only used for analysis and no other purpose.
  • The data is not shared or connected with data from other websites.
  • You provide accurate information about your data collection in a privacy policy.

Note: the daily fingerprint rotation applies to Matomo 3.13.6 or newer.

You can avoid the requirement for cookie banners by following the steps below:

  1. Enable cookie-less tracking (see the FAQ on how to track a visitor without cookies when they have not given consent for tracking cookies). Alternatively, if you do not plan to ask for cookie consent at any point, you can disable all analytics cookies for all visitors. Note that disabling cookies affects data accuracy, as explained in the considerations section below.
  2. Let users opt out easily.
  3. Mention Matomo in your privacy policy (see below).

No cookie consent is needed because:

  • Tracking cookies are not used
  • The data is used for no purpose other than analytics (unlike Google Analytics, which uses it for other purposes and therefore always requires consent)
  • Visitors are not tracked across websites (unlike Google Analytics, which tracks visitors across many websites)
  • A visitor cannot be tracked across days within the same website, so no user profile can be built when cookies are disabled

Consentless tracking configuration considerations

There are a few downsides to consider first. The most important is reduced accuracy of unique visitor counts: without a cookie, a returning visitor can only be recognised by a fingerprint that changes every day, so you can reliably count how many visits your site gets, but not how many distinct people made them.

There are a few other metrics that rely on unique visitor data, so you can generally expect inaccuracy for the following reports when using this enhanced privacy mode:

  • Unique Visitors
  • Days since last visit
  • Visits by visit count
  • Visits to Conversion
  • Days to Conversion

Disabling cookies is a positive privacy-preserving step, but cookies are only one way of identifying a visitor. If users log in to your site, or if you capture form data in your analytics, you may still be collecting personal data by other means, and in many countries you would then still need consent for analytics. If you truly want a consentless approach, the section below lists the further steps we recommend to remove all potential personal data collection from Matomo.

How to configure Matomo for consentless privacy

The following steps offer a comprehensive process for minimising the collection of personal data within Matomo. If you follow all of these steps, it is likely that you won’t need to gain user consent for your use of analytics.

  1. Disable Cookies – This is the same process as in the section above. Follow this guide to ensure that no cookie storing data about the visitor is set on their device, so that separate visits cannot be linked to one person.

  2. Anonymise IP Addresses – Under European law an IP address is personal data, so you must anonymise it. Mask at least 2 bytes of each IPv4 address (3 bytes for stronger anonymisation); Matomo applies an equivalent mask to IPv6 addresses. Also make sure that the anonymised address, not the original one, is the one used for geolocation and other visit enrichment. Instructions are in the official Matomo Privacy Documentation.

  3. Anonymise referrers – Links on other sites often carry tracking parameters that contain personal data, and a visitor may arrive from a link on a friend's personal page, whose URL itself identifies someone. Unless you anonymise referrer data (requires Matomo 4 or above), you may therefore collect personal data whenever people click through to your website.

  4. Exclude personal data from URLs and Page Titles – If users have accounts on your website and their name is shown in a page URL or Page title, for example, this counts as personal data so it cannot be tracked. You will need to configure your site to avoid this from happening. The steps for doing this will vary depending on how your website is built.

  5. Exclude personal data from Custom variables, Dimensions and Events – As Variables, Dimensions, and Events have to be created and configured by site owners, no personal data is tracked by default. Therefore, it is up to you to ensure your custom configuration does not include any personal data, or data that could be linked to an individual. For example, if you create an Event to track when users click on email links, you must not include the email address within the event data.

  6. Mask Personal Data in Heatmaps and Session Recordings – This step applies only if you use the Heatmaps and Session Recording feature. The Matomo developer hub has instructions on masking private data in your recordings.

  7. Exclude Ecommerce Order IDs – Ecommerce orders typically collect personal data for delivery of the product. As order IDs can be linked to the full order details, they are considered personal data. You will need to exclude order IDs from your analytics. Instructions for this are available here.

  8. Do not enable User ID features – A User ID singles out a specific individual and is therefore personal data, even if it is hashed or otherwise pseudonymised. When using Matomo without user consent, make sure none of the Matomo User ID features are enabled.

  9. Only use collected data for analytics – You cannot link your analytics data with anything else such as an advertising network or data warehouse where it may be used for purposes other than analysis.

  10. Only track users on a single site/application – Make sure you are only tracking users on a single site and not tracking the same user across different websites.

  11. Offer Opt-Out Mechanism – We recommend you include the Matomo Opt-out form within your Privacy Policy page. It can be customised to match the style of your website and provides a simple way for users to stop Matomo from tracking their actions.

  12. Publish an updated Privacy Policy – While a lot of the above are features that you can simply turn on, it is also essential to mention Matomo within your privacy policy and consider any other data collection tools that you may be using on your website.
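The following is an added example, not code from this page or from Matomo itself. It shows how the client-side parts of the checklist above (and the cookie-less step in the first section) fit together in one tracking snippet: cookies are disabled before the first page view is tracked, the browser's Do Not Track signal is honoured, and the page URL, page title and referrer are scrubbed of personal data before they are handed to the tracker (steps 1, 3 and 4). The tracker endpoint `https://analytics.example.org/`, site id `1`, the list of personal query parameters, and the `/user/<name>` path convention are assumptions for a hypothetical site, not Matomo defaults; the Matomo tracker calls used (`disableCookies`, `setDoNotTrack`, `setReferrerUrl`, `setCustomUrl`, `setDocumentTitle`, `trackPageView`, `enableLinkTracking`, `setTrackerUrl`, `setSiteId`) are real JavaScript tracker API methods.

```javascript
// Added example (not Matomo's own code): a consentless Matomo snippet that
// scrubs personal data client-side before anything reaches the tracker.
// Endpoint, site id, parameter list and path conventions are assumptions.

// Query parameters that commonly carry personal data or cross-site tracking
// tokens (assumed list for the demo site; extend it for your own).
const PERSONAL_QUERY_PARAMS = new Set([
  'email', 'name', 'user', 'username', 'userid', 'token', 'session',
  'order', 'order_id', 'fbclid', 'gclid', 'mc_eid',
]);

// Path segments that identify a person on the demo site: numeric ids, UUIDs,
// and whatever follows /user/, /users/, /account/ or /profile/ (assumed).
const ID_SEGMENT = /^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;
const USER_PREFIXES = new Set(['user', 'users', 'account', 'profile']);

// Step 4: remove personal data from the page URL while keeping pages
// groupable in reports (identifiers are replaced by "_", not removed).
function sanitizeUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (PERSONAL_QUERY_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  if ([...url.searchParams.keys()].length === 0) url.search = '';
  const parts = url.pathname.split('/');
  for (let i = 1; i < parts.length; i++) {
    if (ID_SEGMENT.test(parts[i]) || USER_PREFIXES.has(parts[i - 1].toLowerCase())) {
      parts[i] = '_';
    }
  }
  url.pathname = parts.join('/');
  url.hash = ''; // fragments often carry tokens and are never needed in reports
  return url.toString();
}

// Step 4, page titles: mask e-mail addresses and personalised greetings
// (assumed title format such as "Welcome back, Alice - Example Shop").
function sanitizeTitle(title) {
  return title
    .replace(/[^\s@]+@[^\s@]+\.[^\s@]+/g, '[email]')
    .replace(/\b(Welcome(?: back)?|Hello|Hi),?\s+[^\s\-|]+/g, '$1');
}

// Step 3 on the client: keep only the origin of the referrer, so tracking
// parameters and personal page paths on other sites are never sent at all.
// (The server-side "anonymise referrer" setting handles data already received.)
function sanitizeReferrer(rawReferrer) {
  if (!rawReferrer) return '';
  try {
    return new URL(rawReferrer).origin + '/';
  } catch (e) {
    return ''; // unparsable referrer: send nothing rather than something personal
  }
}

// Assemble the command queue that matomo.js consumes. In a browser this array
// is window._paq; in Node it stays a plain array so the commands can be inspected.
function buildTrackerQueue({ pageUrl, title, referrer, trackerBase, siteId }) {
  const queue = [];
  queue.push(['setTrackerUrl', trackerBase + 'matomo.php']);
  queue.push(['setSiteId', String(siteId)]);
  queue.push(['disableCookies']);        // step 1: no tracking cookies at all
  queue.push(['setDoNotTrack', true]);   // respect the browser's DNT signal
  queue.push(['setReferrerUrl', sanitizeReferrer(referrer)]);
  queue.push(['setCustomUrl', sanitizeUrl(pageUrl)]);
  queue.push(['setDocumentTitle', sanitizeTitle(title)]);
  queue.push(['trackPageView']);         // only after the settings above
  queue.push(['enableLinkTracking']);
  return queue;
}

// Browser usage (skipped under Node): publish the queue, then load matomo.js.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window._paq = buildTrackerQueue({
    pageUrl: window.location.href,
    title: document.title,
    referrer: document.referrer,
    trackerBase: 'https://analytics.example.org/', // assumed endpoint
    siteId: 1,                                      // assumed site id
  });
  const script = document.createElement('script');
  script.async = true;
  script.src = 'https://analytics.example.org/matomo.js';
  document.head.appendChild(script);
}
```

The scrubbing functions run before any command reaches the tracker, which is the only reliable place to do step 4: once a URL or title containing a name has been received by Matomo it is already stored in the log tables. The `ID_SEGMENT` rule also replaces harmless numeric segments such as `/2024/`, so adapt it to your own URL structure rather than copying it as is.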

If you need further guidance for configuring any of your Matomo privacy settings, check out the full Matomo Privacy documentation.