Is Matomo Analytics LOPDGDD and LSSI compliant?
You can configure Matomo to ensure compliance with Spain’s Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) law and LSSI.
What is LOPDGDD?
Spain’s Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) came into effect in December 2018 and replaces Spain’s LOPD 15/1999 data protection law. LOPDGDD implements the European Union’s GDPR and creates additional digital rights for individuals. It ensures that Spanish law conforms to EU-wide regulation on the collection, processing, and storage of personal information to preserve the privacy rights of its residents.
When should I care about LOPDGDD?
Any entity that processes personal data of individuals living in Spanish territory must be compliant with LOPDGDD. Certain web analytics, user IDs, custom dimensions storing user data, URLs, page titles, or session recordings may collect personal data and use of these tracking tools must comply with the LOPDGDD.
Like GDPR, LOPDGDD has extraterritorial application – if you are a controller based outside Spain but you offer goods or services to, or monitor the behaviour of, Spanish data subjects, you must comply with LOPDGDD. When you use Matomo Cloud on your website to collect any personal data of data subjects in Spain, you are the data controller bound by LOPDGDD. We are a data processor, and we process the analytics data on your behalf.
What are the differences between GDPR and LOPDGDD?
With the LOPDGDD, the data privacy law for Spanish residents not only aligns with the rights of other EU member states under the GDPR law but provides additional protection and specific digital rights tailored to Spain. The LOPDGDD enforces the data privacy law in Spain by implementing and complementing the provisions set out in the GDPR.
It also introduces and guarantees digital rights in the workplace, internet rights on the use of digital services, and a legal framework for AI and new technologies. Moreover, the LOPDGDD enforces stricter provisions for new technologies particularly in areas related to employee privacy, biometric data processing, and DPO requirements.
What is LSSI?
In addition to the LOPDGDD, which deals with processing of personal data, the use of cookies or similar technologies in Spain is covered by Law 34/2002 on Information Society Services and Electronic Commerce (LSSI). LSSI implements the ePrivacy directive into Spanish law. Note that LSSI applies as soon as you access or store data on your website visitor’s terminal device, even if no personal data is being processed.
When should I care about LSSI?
LSSI applies if your websites use cookies or similar technologies to access or store data on the terminal equipment of Spanish end users. The AEPD enforces cookie laws in Spain and has imposed penalties for failure to provide cookie information or to obtain valid consent.
Do all cookies and similar technologies require prior consent of the end user?
No. LSSI follows the ePrivacy directive: cookies that are necessary for the transmission of a communication over an electronic communications network, or strictly necessary to provide an information society service explicitly requested by the recipient, do not require consent. Additionally, web analytics can, to a certain extent, be exempt from consent.
What analytics cookies and similar technologies are exempt from consent in Spain?
In January 2024, the Spanish national supervisory authority, the Agencia Española de Protección de Datos (AEPD), published a guide in Spanish on the use of cookies for audience measurement tools.
In the Guidance, AEPD stated that it considers only the following measurements strictly necessary for the proper administration of a website:
- Audience measurement, page by page.
- The list of pages from which a link has been followed to request the current page (sometimes called the “referrer”), whether internal or external to the site, per page and aggregated daily.
- Determination of the type of device, browser, and screen size of visitors, per page and aggregated daily.
- Page load time statistics, per page and aggregated hourly.
- Statistics on the time spent on each page, bounce rate, and scroll depth, per page and aggregated daily.
- Statistics on user actions (clicks, selections), per page and aggregated daily.
- Statistics on the geographical area of origin of requests, per page and aggregated daily.
Any other analytics will require the consent of the end user.
The Guidance states the following conditions must be met for web analytics to be exempt. The relevant cookies or similar technologies:
- must have a strictly limited purpose solely for the exclusive measurement of the site or application audience.
- must be processed on behalf of the publisher exclusively and used to produce anonymous statistical data only.
- must not lead to data being cross-referenced with other processing operations or data being transmitted to third parties.
- must not allow aggregated tracking of the person using different applications or browsing different websites. Any solution using the same identifier across various sites (e.g. through cookies placed on a third-party domain loaded by various sites) for cross-referencing, duplication, or measuring a unified reach rate of content will not be exempt from consent.
- must not lead to publishers or services providers reusing data for other purposes.
If I configure Matomo to only collect the data set out above, is that all?
Not quite: there are some additional conditions you must meet to use the exempt analytics. When you use audience measurement analytics exempt from the obligation to obtain consent, you must implement the following minimum steps:
- Inform the users that you use analytics considered exempt for audience measurement purposes (e.g. in your privacy policy).
- Limit the lifespan of cookies or similar technologies to a period that allows for a meaningful audience comparison over time, for example 13 months, and do not automatically extend that lifespan on new visits.
- Retain the information collected through Matomo analytics for a maximum period of 25 months. Carry out periodic reviews of the retention period to limit it to what is strictly necessary.
Are there any other AEPD requirements applicable to Matomo as our service provider?
Yes. AEPD has some additional requirements that relate to your relationship with us, your service provider, but we make it easy for you to comply:
- When you enter into a Cloud TOS, you automatically enter the DPA.
- We process your Matomo Cloud Analytics data only as instructed by you; we do not cross-reference or reuse your data outside the DPA.
- You are in control of your Matomo Cloud Analytics data.
- Our DPA restricts the processing to what is strictly necessary.
- Matomo is a service provider providing audience measurement services to multiple publishers, but, as required by AEPD, your Matomo Analytics data is stored independently of other publishers' data and the tracking tools used are completely independent of each other.
- Your Matomo Cloud Analytics data is stored in compliance with the GDPR/LOPDGDD data transfer rules.
How to configure Matomo Analytics to be LOPDGDD compliant
To the extent you process personal data, ensure you comply with LOPDGDD:
- Review and understand the collected data, and internally document all the personal information tracked about your users (as part of the wider requirement to maintain records of data processing activities).
- Identify your legal basis and purpose for processing personal data.
- Allow Spanish residents to exercise their right to access their personal data or delete their data on their request. Learn more about these existing Matomo features.
- Consider limiting the amount of information you collect in the first place by enabling cookie-less tracking.
- Decide if you want to configure Matomo not to process any personal data.
- Update your privacy policy to explain how you track data with Matomo, how you use this data, and list the companies or people you share it with.
- If your website or app targets children and you use Matomo, additional precautions are necessary since the minimum age for consent in Spain is 14 years.
Implement and maintain reasonable security procedures and practices to protect consumer data. The most important ones regarding data collected in Matomo include:
- Set up SSL certificates for all your websites and apps.
- Set up an SSL certificate for your Matomo server.
- Ensure that data in the Matomo interface and API is only accessible by authorised individuals.
- Use the Activity Log to keep track of changes done to Matomo entities.
- Refer to the 12-steps to GDPR compliance and the GDPR compliance checklist for further reading.
How to configure Matomo Analytics in a LSSI-compliant way
- Decide if you want to collect only exempt analytics or if you want to collect more and ask for consent.
- If you want to collect only exempt analytics, follow the requirements set out above (including the permitted use, function and duration of the cookies, and the additional requirements such as providing information about your use of the exempt analytics in your privacy policy).
- While the Guidance from AEPD does not require this feature, you may prefer to give users the option to opt-out of website tracking in your privacy policy page.
If you want to use non-exempt cookies, inform the users:
- about the cookies and similar technologies that you use (definition, function, type, purpose, parties that will use the data collected, type of data collected);
- how to accept, deny or revoke consent;
- about data transfers, any automated decision-making (if applicable) and the data retention period.
When providing this information:
- use clear, simple language;
- make it easily accessible (e.g. via a clearly visible “Cookies” or “Cookie Policy” link);
- use a layered approach (essential information in the first layer, more detail in the second layer);
- group cookies at least by their purpose; cookie-by-cookie selection should be avoided as it makes decision-making difficult.
When collecting consent:
- Make sure you collect valid consent (a clear affirmative action).
- Offer the option to reject cookies in the same layer and at the same level as acceptance.
- A consent management platform may be used, but it must comply with the AEPD cookie guidelines.
- If your website or app is directed to minors under 14 years of age, you will need to show that you made reasonable efforts to verify that consent was given by a parent or guardian. The lower the risk associated with the data collected, the simpler the verification system can be. The guide provides examples of whom to ask for consent in relation to minors.
- Periodically renew consent so that it remains up to date and covers how data is processed and any significant changes to the processing.
- Withdrawal must be as easy as giving consent.
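The following is an added example, not code from Matomo or from this FAQ, showing how the two choices above (exempt analytics only, or consent-gated cookies) map onto the Matomo JavaScript tracker's command queue, together with the consent-banner and opt-out hooks. The tracker methods it queues (`disableCookies`, `requireCookieConsent`, `setVisitorCookieTimeout`, `rememberCookieConsentGiven`, `forgetCookieConsentGiven`, `optUserOut`, `forgetUserOptOut`) are documented Matomo tracker API methods; `matomo.example`, the site id and the 6-month consent renewal period are placeholders chosen for the example. `_paq` is represented as a plain array so the logic runs outside a browser.

```javascript
// Added example (not Matomo's own code): build the Matomo tracker command
// queue for the "exempt" and "consent" configurations and handle the
// consent and opt-out decisions a banner would feed back to the tracker.

// 13 months expressed as 393 days, in seconds (setVisitorCookieTimeout takes seconds).
const THIRTEEN_MONTHS_SECONDS = 393 * 24 * 60 * 60;

// Assumed default for how long a granted consent is remembered before the
// visitor is asked again (6 months here; pick the period your policy states).
const CONSENT_RENEWAL_HOURS = 182 * 24;

// Fill the command queue that the real Matomo snippet exposes as window._paq.
// mode: 'exempt'  -> cookie-less audience measurement only, no cookies ever set
//       'consent' -> cookies are set only after the visitor opts in; until then
//                    the tracker sends cookie-less requests
function configureTracker(paq, { mode, matomoUrl, siteId }) {
  if (mode === 'exempt') {
    paq.push(['disableCookies']);
  } else if (mode === 'consent') {
    paq.push(['requireCookieConsent']);
    // Cap the visitor cookie lifetime at 13 months, the period AEPD gives as an example.
    paq.push(['setVisitorCookieTimeout', THIRTEEN_MONTHS_SECONDS]);
  } else {
    throw new Error(`unknown tracking mode: ${mode}`);
  }
  // Standard snippet tail: cookie settings must be queued before trackPageView.
  paq.push(['trackPageView']);
  paq.push(['enableLinkTracking']);
  paq.push(['setTrackerUrl', `${matomoUrl}matomo.php`]);
  paq.push(['setSiteId', siteId]);
  return paq;
}

// Consent-banner callback. Granting consent is remembered only for a bounded
// period so it has to be renewed; refusing or withdrawing removes the
// remembered consent and the tracker's cookies, which keeps withdrawal as
// simple as the original grant.
function onCookieConsentDecision(paq, granted, rememberForHours = CONSENT_RENEWAL_HOURS) {
  if (granted) {
    paq.push(['rememberCookieConsentGiven', rememberForHours]);
  } else {
    paq.push(['forgetCookieConsentGiven']);
  }
  return paq;
}

// Optional opt-out control for the privacy policy page (exempt mode too).
function setUserOptOut(paq, optedOut) {
  paq.push([optedOut ? 'optUserOut' : 'forgetUserOptOut']);
  return paq;
}

// Review helper: true when the queue can set tracking cookies without a
// consent gate, i.e. neither disableCookies nor requireCookieConsent is queued.
function setsCookiesWithoutConsent(paq) {
  return !paq.some(([cmd]) => cmd === 'disableCookies' || cmd === 'requireCookieConsent');
}
```

In a real page the `paq` argument is `window._paq = window._paq || []` and the banner calls `onCookieConsentDecision` after the visitor's click. Note what this snippet does not do: it does not by itself prove that the 13-month cookie lifetime is never extended on later visits, so check the expiry of the `_pk_id` cookie across two visits in the tracker version you deploy, and it does not configure the 25-month raw-data retention, which is set server-side in Matomo's privacy settings.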
Refer to the AEPD Guide on the Use of Cookies updated in May 2024 – only available in Spanish.
Disclaimer: The information provided above is for general informational purposes only and should not be considered legal advice. Please consult your legal team for specific advice and guidance tailored to your needs. If you are interested in our Matomo Cloud, learn more by reading our Matomo Cloud Data Processing Agreement (DPA).