Whether you can use Matomo without requiring consent depends on:

a) Compliance requirements:

  • Applicable Privacy Laws: What laws apply to your website’s or app’s data collection?
  • Consent for Personal Data: Does the law require consent only if personal data is collected?
  • ePrivacy Rules: Does the law require consent even if no personal data is collected but data is stored/accessed on a user’s device (e.g., laws implementing the ePrivacy Directive in the UK/EU)?
  • Analytics Exemptions: Do local laws exempt certain analytics from consent (e.g., CNIL in France)?

b) Features requirements (Matomo Analytics type and configuration):

  • Analytics Scope: Are you only collecting aggregated data from a single website, or do you require features like heatmaps, session recordings, conversions, or marketing analytics?
  • Data Sharing: Do you share analytics with third parties (e.g., advertising networks)?
  • Personal Data Collection: Will analytics data include personal information?
  • Which form of Matomo do you want to use?

Privacy laws generally fall into these categories when it comes to website analytics:

  1. Strict (ePrivacy-type): Consent is mandatory for client-side analytics tracking, even if no personal data is processed (e.g., GDPR, PECR, TDDDG).
  2. Allow Exemptions for Privacy-Friendly Analytics: No consent required for limited client-side analytics subject to conditions, e.g., anonymisation, no cross-site tracking, an opt-out mechanism (e.g., France, Spain, Italy, Netherlands).
  3. Personal Data Processing Triggered Consent: Consent required when personal data or sensitive personal data is processed or for certain types of processing of personal data (marketing or cross-site tracking) (e.g., Switzerland, Japan, the P.R.C.).
  4. Transparency and Opt-out: No prior consent required for general analytics, provided there is transparency; opt-out required for use of analytics data in marketing, targeting, profiling, cross-site tracking; consent required in (e.g., South Korea or US consumer privacy laws). In most cases, there is an exception for sensitive or minors’ data, which still requires explicit consent.
  5. No compliance requirements: The number of jurisdictions allowing completely unrestricted use of analytics is continually decreasing due to evolving privacy laws.

Certain Matomo features typically require consent under privacy laws:

  • Processing personal data (e.g., tracking individual visitors).
  • Tracking for marketing or advertising.
  • Sharing analytics with third parties.

Matomo offers different deployment options (Matomo Cloud, On-Premise, WordPress, Log Analytics, SDK). With the right setup, Matomo can:

  1. Comply with consent exemptions in specific countries where such exemptions exist.
  2. Avoid collecting personal data, which may reduce the need for consent depending on applicable laws.

Matomo’s privacy features include:

  • IP masking or anonymisation – Reducing stored IP addresses.
  • Daily Reset of session/visit hash – Prevents long-term visitor tracking.
  • Minimal Data Collection by Default – Reduces privacy risks.

Applicable law: Permits use of analytics without prior consent, whether or not personal data is processed.
Example: South Korea or US consumer privacy laws (with exceptions for minors’ data or sensitive data).
Additional conditions:
  • Opt-out for certain processing may be required.
  • Transparency about the data collection and processing.

Applicable law: Does not require consent for analytics when no personal data is processed.
Example: Switzerland, Japan, the P.R.C.
Additional conditions: Any or all of the following:
  • No personal data.
  • Transparency.
  • Opt-out.
  • First-party data.
  • Data is used only for analytics.
  • Data is not shared or combined with data from other websites.

Applicable law: Exempts some forms of website analytics from consent.
Example: France, Spain, Italy, the Netherlands.
Additional conditions: Strict compliance with the terms of the exemption, e.g.:
  • No personal data.
  • Transparency.
  • Opt-out.
  • First-party data.
  • Data is used only for analytics.
  • Data is not shared or combined with data from other websites.

Applicable law: Tracking without personal data and outside the scope of ePrivacy laws.
Example: TDDDG (Germany), PECR.
Additional conditions: Tracking does not store or access data on visitors’ terminal device. Only server-side tracking using:
  • Matomo Log Analytics.
  • Matomo SDK.
  • Matomo HTTP Tracking API.

Privacy-Focused Configuration of Matomo

With the right configuration, it is possible to use Matomo in a way that does not collect any personal data or set cookies and is therefore exempt from many countries’ privacy regulations and user consent requirements. 

In addition to minimising the collection of personal data, Matomo automatically takes privacy-preserving steps, such as changing the config_ID (session/visit hash), so user profiles cannot be built over time. Matomo also includes the opt-out feature.

Privacy-focused Configuration Considerations

There are a few downsides which you should consider first. The most important is a reduced accuracy of unique visitor counts. As it will not be possible to tell users apart from each other in the same way, you will only be able to tell how many visits your site gets, not how many people make those visits.

There are a few other metrics that rely on unique visitor data, so you can generally expect inaccuracy for the following reports when using this enhanced privacy mode:

  • Unique Visits
  • Days since last visit
  • Visits by visit count
  • Visits to Conversion
  • Days to Conversion

While this is a positive privacy preserving step, cookies are only one tracking method. If users log in to your site or if you collect form event data in your analytics, it is still possible that you are collecting personal data in other ways. In these cases, you will still need to gain user consent for analytics under the laws of many countries. There are several more steps that we recommend to remove all potential personal data collection from Matomo for full compliance in the section below.

Privacy-focused Configuration Steps

  1. Disable Cookies – This is the same process as mentioned in the section above. Follow this guide to ensure that cookies do not store personal data about the visitor on the device and that sessions cannot be linked.

  2. Anonymise IP Address – Under European law, IP addresses are considered personal data, so you must take steps to anonymise them. Make sure that IP addresses are anonymised by at least 2 or 3 bytes. You also have the option of masking the entire address. You can find instructions on how to do this in the official Matomo Privacy Documentation and in “How does IP Address Anonymisation work in Matomo?”.

  3. Anonymise referrer – Often tracking parameters containing personal data are added to links on other sites. Or people might visit your site from a link on a friend’s personal page. This means you may accidentally collect personal data when people click through to your website if you do not anonymise referrer data (requires Matomo 4 or above).

  4. Exclude personal data from URLs and Page Titles – If users have accounts on your website and their name is shown in a page URL or page title, for example, this counts as personal data, so it cannot be tracked. You will need to configure your site to prevent this from happening. The steps for doing this will vary depending on how your website is built.

  5. Exclude personal data from Custom variables, Dimensions and Events – As Variables, Dimensions, and Events have to be created and configured by site owners, no personal data is tracked by default. Therefore, it is up to you to ensure your custom configuration does not include any personal data, or data that could be linked to an individual. For example, if you create an Event to track when users click on email links, you must not include the email address within the event data.

  6. Mask Personal Data in Heatmaps and Screen Recordings – This step is only applicable if you are using the screen recordings feature. The Matomo developer hub has instructions on how to mask private data in your recordings.

  7. Exclude Ecommerce Order IDs – Ecommerce orders typically collect personal data for delivery of the product. As order IDs can be linked to the full order details, they are considered personal data. You will need to exclude order IDs from your analytics. Instructions for this are available here.

  8. Do not enable User ID Features – User IDs inherently single out a specific user and as such are classed as personal data, even if they are anonymised. For this reason, when using Matomo analytics without user consent, ensure that you do not enable any of the Matomo User ID features.

  9. Only use collected data for analytics – You cannot link your analytics data with anything else such as an advertising network or data warehouse where it may be used for purposes other than analysis.

  10. Only track users on a single site/application – Make sure you are only tracking users on a single site and not tracking the same user across different websites.

  11. Offer Opt-Out Mechanism – We recommend you include the Matomo Opt-out form within your Privacy Policy page. It can be customised to match the style of your website and provides a simple way for users to stop Matomo from tracking their actions.

  12. Publish an updated Privacy Policy – While a lot of the above are features that you can simply turn on, it is also essential to mention Matomo within your privacy policy and consider any other data collection tools that you may be using on your website.
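
The following is an added example, not code from the Matomo documentation, showing one way to apply steps 1, 4 and 5 on the client before anything reaches the tracker. The parameter denylist, the `/users/<name>` path layout, the `REDACTED` marker and the event labels are assumptions made for illustration; `disableCookies`, `setCustomUrl`, `setDocumentTitle`, `trackPageView` and `trackEvent` are Matomo JavaScript tracker methods.

```javascript
// Added example, not Matomo's own code. The parameter denylist, the
// "/users/<name>" path pattern and the REDACTED marker are assumptions.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const SENSITIVE_PARAMS = new Set(['email', 'name', 'token']); // hypothetical

// Replace any e-mail address in free text (page titles, parameter values).
function scrubText(text) {
  return text.replace(EMAIL_RE, 'REDACTED');
}

// Step 4: strip personal data from a URL before it is tracked.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const [key, value] of [...url.searchParams]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key);          // drop the parameter entirely
    } else if (scrubText(value) !== value) {
      url.searchParams.set(key, scrubText(value));
    }
  }
  // Account names in the path (assumed site layout: /users/<name>/...).
  url.pathname = url.pathname.replace(/\/users\/[^/]+/i, '/users/REDACTED');
  return url.href;
}

// Step 5: record that a mailto: link was clicked, never the address itself.
function mailtoEvent(href) {
  if (!/^mailto:/i.test(href)) return null;
  return ['trackEvent', 'Contact', 'Email link click'];
}

// Steps 1 and 4: the command queue for one cookieless, scrubbed page view.
function buildPaqCommands(rawUrl, title) {
  return [
    ['disableCookies'],
    ['setCustomUrl', scrubUrl(rawUrl)],
    ['setDocumentTitle', scrubText(title)],
    ['trackPageView'],
  ];
}

// In the browser, queue the commands before matomo.js loads.
if (typeof window !== 'undefined') {
  window._paq = window._paq || [];
  buildPaqCommands(window.location.href, document.title)
    .forEach((cmd) => window._paq.push(cmd));
}
```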

If you need further guidance for configuring any of your Matomo privacy settings, check out the full Matomo Privacy documentation.