The General Data Protection Regulation (GDPR) has fundamentally changed how organizations collect and process user data. For website analytics, this creates significant challenges. Many popular analytics tools, particularly Google Analytics, have faced legal scrutiny and been declared non-compliant by multiple European data protection authorities—though the legal landscape continues to evolve.

Matomo offers a privacy-first alternative that can be configured for full GDPR compliance. This guide explains how to set up Matomo to meet regulatory requirements while still gathering meaningful analytics data.

Understanding GDPR Requirements for Analytics

GDPR establishes strict rules for processing personal data. For analytics, the key requirements include:

Core GDPR Principles

  • Lawful basis: You need a legal basis to process personal data (consent, legitimate interest, etc.)
  • Data minimization: Collect only what you need
  • Purpose limitation: Use data only for stated purposes
  • Storage limitation: Don't keep data longer than necessary
  • Data subject rights: Users can access, correct, and delete their data
  • Data transfers: Restrictions on transferring data outside the EU/EEA

What Counts as Personal Data?

Under GDPR, personal data includes any information that can identify an individual, directly or indirectly:

  • IP addresses (even partial/anonymized in some interpretations)
  • Device fingerprints and unique identifiers
  • Cookies that can identify users across sessions
  • User IDs linked to other personal information
  • Behavioral data that could identify individuals

Maximum Penalties

Non-compliance with GDPR can result in fines of up to €20 million or 4% of annual global turnover, whichever is higher. The largest GDPR fine to date was €1.2 billion, imposed on Meta in May 2023 for unlawful EU-US data transfers.

Google Analytics and GDPR: Current Legal Status

The relationship between Google Analytics and GDPR compliance has been contentious and continues to evolve.

Historical DPA Rulings Against Google Analytics

Following the Schrems II ruling in July 2020, which invalidated the EU-US Privacy Shield, multiple European data protection authorities ruled against Google Analytics:

  • Austria (DSB), January 2022: Ruled GA violates GDPR due to US data transfers
  • France (CNIL), February 2022: Issued formal notices to websites using GA; found violations of Article 44 GDPR
  • Italy (GPDP), June 2022: Declared GA use unlawful without adequate safeguards
  • Denmark (Datatilsynet), September 2022: Warned that GA use without additional safeguards violates GDPR
  • Sweden (IMY), June 2023: Issued fines and orders to stop using GA
  • Norway (Datatilsynet), January 2025: Published enforcement case against GA4

EU-US Data Privacy Framework (2023)

On July 10, 2023, the European Commission adopted the EU-US Data Privacy Framework (DPF), providing a new legal basis for data transfers to US companies that self-certify compliance. Google has joined the DPF program. In September 2025, the General Court of the European Union dismissed a challenge to the framework, confirming (for now) that the US provides adequate data protection.

Important caveat: The DPF's stability is uncertain. In January 2025, the Trump administration dismissed Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), leaving it without a quorum. The PCLOB is a key oversight mechanism referenced 31 times in the Commission's adequacy decision. Norway's Datatilsynet has recommended businesses prepare contingency plans should the DPF be invalidated.

Key Ongoing Issues with Google Analytics

  1. Consent always required: GA4 sets cookies and collects personal data (cookie identifiers, IP addresses, device identifiers), requiring explicit consent under both GDPR and the ePrivacy Directive
  2. Google Consent Mode v2: Since March 2024, Google requires implementation of Consent Mode v2 for sites receiving EEA traffic
  3. Incomplete anonymization: Even with IP anonymization enabled, Google can potentially identify users through other signals
  4. Third-party processing: Data may be processed by Google for its own purposes

Why Matomo Is Different

Matomo was designed with privacy as a fundamental principle, offering several advantages:

Data Ownership and Location

  • Self-hosted option: Keep all data on your own servers within the EU
  • Matomo Cloud: Data stored in Frankfurt, Germany; company based in New Zealand (which has EU adequacy status)
  • No third-party access: Your data is never shared with or processed by third parties
  • Full data control: Export, delete, or modify data as needed for compliance

Privacy Features

  • Cookie-less tracking: Track visitors without setting any cookies
  • IP anonymization: Multiple levels of IP address masking
  • Privacy signal support: Optionally honor Do Not Track (DNT) and Global Privacy Control (GPC) signals
  • Built-in opt-out: Easy-to-implement user opt-out mechanism
  • Data retention controls: Automatic deletion of old data
  • CNIL exemption: Can be configured for consent-exempt tracking under French (CNIL) guidelines

Configuring Matomo for GDPR Compliance

Follow these steps to configure Matomo for maximum privacy compliance.

1. Enable Cookie-less Tracking

Cookie-less tracking allows you to collect analytics without setting any cookies, potentially exempting you from consent requirements under the ePrivacy Directive in certain jurisdictions (notably France, Spain, Italy, and the Netherlands, subject to specific conditions).

// JavaScript tracking code configuration
var _paq = window._paq = window._paq || [];

// Disable cookies entirely
_paq.push(['disableCookies']);

// Standard tracking setup
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);

(function() {
  var u="//your-matomo-instance.com/";
  _paq.push(['setTrackerUrl', u+'matomo.php']);
  _paq.push(['setSiteId', '1']);
  var d=document, g=d.createElement('script');
  g.async=true; g.src=u+'matomo.js';
  d.head.appendChild(g);
})();

Important considerations for cookie-less tracking:

  • Matomo uses a config_id—a privacy-friendly hash based on visitor attributes (OS, browser, plugins, anonymized IP, language)—that resets daily. This is not fingerprinting.
  • Returning visitor metrics will be less accurate (visitors cannot be recognized across days)
  • Session tracking within a single day remains accurate
  • This approach is recognized by France's CNIL for potential consent exemption (when all other conditions are met)

2. Configure IP Anonymization

Matomo supports multiple levels of IP anonymization. For maximum privacy, anonymize IP addresses before they're stored.

In Matomo Admin, navigate to: Administration › Privacy › Anonymize data

Recommended settings:

  • Anonymize visitors' IP addresses: Enable
  • Mask bytes: At least 2 bytes (last two octets, e.g., 192.168.xxx.xxx); for stricter compliance, use 3 bytes
  • Use anonymized IP for visits enrichment: Enable, so that geolocation and other enrichment run on the masked address rather than the full IP; leaving it disabled geolocates the full IP before it is anonymized (more accurate, less private)

3. Set Up Data Retention Policies

GDPR requires that you don't keep data longer than necessary. Configure automatic data deletion:

Navigate to: Administration › Privacy › Data retention

Recommended retention periods:

  • For CNIL exemption (France): Maximum 25 months for raw data; cookie lifetime limited to 13 months
  • General GDPR compliance: Raw data (visits, actions): 90–180 days, depending on your analysis needs
  • Aggregated reports: Can be kept longer as they don't contain personal data
  • Delete old logs: Enable automatic deletion of tracking logs

# CLI command for manual data deletion
./console core:delete-logs-data --dates="2024-01-01,2024-03-31"

# Schedule regular purging (crontab)
0 3 * * 0 /path/to/matomo/console core:purge-old-archive-data
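The retention arithmetic is easy to get wrong at the boundaries (inclusive date ranges, the 25-month CNIL ceiling), so here is an added example (not Matomo's own code) that applies a raw-data retention period to a set of constructed visit records and builds the matching core:delete-logs-data invocation. The record shape (id, visitDate) is an assumption made for the example.

```javascript
// Added example, not Matomo's code: apply a raw-log retention period and
// derive the manual purge command for everything older than it.
const DAY_MS = 24 * 60 * 60 * 1000;

function addDays(date, days) { return new Date(date.getTime() + days * DAY_MS); }

// Calendar-month subtraction in UTC (used for the CNIL 25-month ceiling).
// Note: JavaScript rolls an overflowing day forward, e.g. Mar 31 - 1 month -> Mar 3.
function subtractMonths(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() - months);
  return d;
}

function isoDate(date) { return date.toISOString().slice(0, 10); }

// Raw-log cut-off: visits dated strictly before it must be gone.
function rawLogCutoff(today, retentionDays) { return addDays(today, -retentionDays); }

// Partition visit records into the ids to keep and the ids to purge.
function applyRetention(visits, today, retentionDays) {
  const cutoff = rawLogCutoff(today, retentionDays);
  const purge = visits.filter(v => new Date(v.visitDate) < cutoff).map(v => v.id);
  const keep = visits.filter(v => new Date(v.visitDate) >= cutoff).map(v => v.id);
  return { keep, purge, cutoff: isoDate(cutoff) };
}

// Build the console command for everything older than the cut-off. --dates is
// an inclusive range, so it ends the day before the cut-off and starts at the
// oldest visit present; returns null when there is nothing to purge.
function deleteLogsCommand(visits, today, retentionDays, consolePath = './console') {
  const cutoff = rawLogCutoff(today, retentionDays);
  const oldest = visits.reduce((min, v) => {
    const d = new Date(v.visitDate);
    return d < min ? d : min;
  }, cutoff);
  const end = addDays(cutoff, -1);
  if (end < oldest) return null;
  return `${consolePath} core:delete-logs-data --dates="${isoDate(oldest)},${isoDate(end)}"`;
}

// Does the retention period keep raw data within the CNIL exemption's 25-month ceiling?
function withinCnilLimit(retentionDays, today) {
  return rawLogCutoff(today, retentionDays) >= subtractMonths(today, 25);
}

// Constructed sample visit log (ids and dates are invented for the example).
const sampleVisits = [
  { id: 'a', visitDate: '2024-11-15' },
  { id: 'b', visitDate: '2024-12-31' },
  { id: 'c', visitDate: '2025-01-01' },
  { id: 'd', visitDate: '2025-06-29' },
];
```

Run `applyRetention(sampleVisits, new Date('2025-06-30T00:00:00Z'), 180)` and the cut-off lands on 2025-01-01: visits a and b are purged, c and d are kept, and `deleteLogsCommand` produces the `--dates="2024-11-15,2024-12-31"` range that removes exactly those two. The crontab entry above then keeps the archive tables in step with the log tables.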

4. Privacy Signals: Do Not Track (DNT) and Global Privacy Control (GPC)

Important update: Do Not Track (DNT) is now deprecated. Firefox removed DNT support in February 2025; Safari removed it in 2019. The DNT standard was abandoned by the W3C due to widespread non-compliance by websites.

Global Privacy Control (GPC) is the modern replacement. GPC has legal backing under CCPA (California), CPA (Colorado), CTDPA (Connecticut), and potentially under GDPR. Unlike DNT, websites in covered jurisdictions may be legally required to honor GPC signals. GPC is supported by Firefox, Brave, DuckDuckGo, and browser extensions.

Matomo still supports DNT for legacy purposes:

// Enable Do Not Track support (legacy)
_paq.push(['setDoNotTrack', true]);

// Check for GPC signal (modern approach)
if (navigator.globalPrivacyControl) {
  // User has requested not to be tracked/have data shared
  // Consider not tracking or applying privacy-preserving settings
  _paq.push(['disableCookies']);
}

In Matomo Admin: Administration › Privacy › Users opt-out

  • Enable "Support Do Not Track preference" (for legacy browser support)

Note: Matomo does not yet have native GPC support built into the admin panel, but you can implement GPC detection via JavaScript as shown above, or through consent management platform (CMP) integrations.
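As an added example (not Matomo's code), the decision logic above can be pulled out of the page so it is testable without a browser: given a navigator-like object, return the tracker commands to queue. The policy object and its values ('opt-out', 'minimize', 'legacy', 'ignore') are names chosen here for the example, not Matomo settings; the _paq commands it emits are the ones used in this guide.

```javascript
// Added example, not Matomo's code: map browser privacy signals to tracker commands.
// `nav` stands in for window.navigator; `policy` is the site's own choice of how
// to react (assumed names: gpc 'opt-out' | 'minimize', dnt 'legacy' | 'ignore').
function privacyCommands(nav, policy = { gpc: 'opt-out', dnt: 'legacy' }) {
  const cmds = [];
  // GPC: navigator.globalPrivacyControl is boolean true when set; the Sec-GPC
  // request header (if you evaluate this server-side) carries the string "1".
  const gpc = nav.globalPrivacyControl === true || nav.globalPrivacyControl === '1';
  // Legacy DNT: "1" means "do not track"; null/"unspecified" means no preference.
  const dnt = nav.doNotTrack === '1' || nav.msDoNotTrack === '1';

  if (dnt && policy.dnt === 'legacy') {
    // Let the tracker honour DNT itself: it drops requests from these visitors.
    cmds.push(['setDoNotTrack', true]);
  }
  if (gpc) {
    if (policy.gpc === 'opt-out') {
      // Strongest response: no tracking requests at all for this visitor.
      cmds.push(['optUserOut']);
    } else {
      // Weaker response: keep counting, but without identifiers or capability data.
      cmds.push(['disableCookies']);
      cmds.push(['disableBrowserFeatureDetection']);
    }
  }
  return cmds;
}

// Queue the decided commands on a _paq-like array and return it for inspection.
function applyPrivacySignals(paq, nav, policy) {
  for (const c of privacyCommands(nav, policy)) paq.push(c);
  return paq;
}
```

In a page you would call `applyPrivacySignals(_paq, navigator)` before `trackPageView`. One design point worth knowing when choosing the policy: optUserOut remembers the visitor's choice in a first-party cookie, whereas disableCookies writes nothing, so the "minimize" branch is the one to use when the goal is a strictly cookie-free deployment.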

5. Implement User Opt-Out

Provide users with a clear way to opt out of tracking. Matomo provides an embeddable opt-out iframe:

<!-- Matomo opt-out iframe -->
<iframe
  style="border: 0; height: 200px; width: 600px;"
  src="https://your-matomo-instance.com/index.php?module=CoreAdminHome&action=optOut&language=en"
></iframe>

For a custom opt-out implementation:

// Custom opt-out button
function optOutMatomo() {
  _paq.push(['optUserOut']);
  document.getElementById('optout-status').textContent =
    'You have been opted out of analytics tracking.';
}

function optInMatomo() {
  _paq.push(['forgetUserOptOut']);
  document.getElementById('optout-status').textContent =
    'You have been opted back in to analytics tracking.';
}

// Check current status
function checkOptOutStatus() {
  _paq.push([function() {
    if (this.isUserOptedOut()) {
      document.getElementById('optout-status').textContent =
        'You are currently opted out.';
    }
  }]);
}

6. Configure Consent Management

If you need to track with cookies or cannot use cookie-less tracking, implement proper consent. Matomo offers two approaches:

Option A: Full tracking consent (no data sent until consent given):

// Require consent before any tracking (requests are held until consent is given)
_paq.push(['requireConsent']);

// When the user gives consent (e.g., via a cookie banner)
function giveAnalyticsConsent() {
  // setConsentGiven grants consent for this page view only:
  // _paq.push(['setConsentGiven']);
  // rememberConsentGiven grants consent and remembers it for future visits
  // (expires after the given hours; 8760 hours = 1 year). It belongs here, in
  // response to the user's choice: pushing it unconditionally on page load
  // grants consent to every visitor and defeats requireConsent.
  _paq.push(['rememberConsentGiven', 8760]);
}

// Track consent withdrawal
function withdrawAnalyticsConsent() {
  _paq.push(['forgetConsentGiven']);
}

Option B: Cookie consent only (tracking continues but no cookies until consent):

// Require consent before using cookies (tracking still works without them)
_paq.push(['requireCookieConsent']);

// When the user consents to cookies. rememberCookieConsentGiven grants cookie
// consent and remembers the choice (8760 hours = 1 year); like rememberConsentGiven
// it belongs in the consent handler, not unconditionally on page load.
function giveCookieConsent() {
  _paq.push(['rememberCookieConsentGiven', 8760]);
}

// Withdraw cookie consent
function withdrawCookieConsent() {
  _paq.push(['forgetCookieConsentGiven']);
}

Consent Management Platforms (CMPs): Matomo integrates with popular CMPs including Cookiebot, OneTrust, Osano, CookieYes, Complianz, and others. See Matomo's Integrations page for implementation guides.
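The difference between Option A and Option B, and the effect of the opt-out calls from the previous section, is easiest to see by replaying a _paq-style command queue through a miniature tracker. The following is an added example, not Matomo's code: a simplified model of the behaviour this guide describes (requests held back until consent under requireConsent, requests sent without identifiers under requireCookieConsent, nothing sent after optUserOut). The cookie names it records (_pk_id, mtm_consent, mtm_cookie_consent, mtm_consent_removed) are Matomo's, but the model is a simplification of the real tracker.

```javascript
// Added example, not Matomo's code: a miniature tracker that processes a _paq-style
// command queue to show what would leave the browser under each consent mode.
class ConsentModelTracker {
  constructor() {
    this.mode = 'none';       // 'none' (default), 'tracking' (Option A) or 'cookie' (Option B)
    this.consent = false;     // whether consent for the active mode has been given
    this.optedOut = false;    // set by optUserOut
    this.buffered = [];       // requests held back under Option A until consent
    this.sent = [];           // requests that would be sent to matomo.php
    this.dropped = 0;         // requests discarded because the visitor opted out
    this.cookies = new Map(); // first-party cookies the tracker would write
  }

  push([name, ...args]) {
    switch (name) {
      case 'requireConsent':       this.mode = 'tracking'; break;
      case 'requireCookieConsent': this.mode = 'cookie'; break;
      case 'setConsentGiven':
      case 'rememberConsentGiven': {
        if (this.mode !== 'tracking') break;
        this.consent = true;
        if (name === 'rememberConsentGiven') this.cookies.set('mtm_consent', String(args[0]));
        // Option A: release the requests queued while consent was pending
        const queued = this.buffered;
        this.buffered = [];
        queued.forEach(r => this.track(r));
        break;
      }
      case 'setCookieConsentGiven':
      case 'rememberCookieConsentGiven':
        if (this.mode !== 'cookie') break;
        this.consent = true;
        if (name === 'rememberCookieConsentGiven') this.cookies.set('mtm_cookie_consent', String(args[0]));
        break;
      case 'forgetConsentGiven':
      case 'forgetCookieConsentGiven':
        this.consent = false;
        this.cookies.clear(); // withdrawal: drop identifiers and the remembered decision
        break;
      case 'optUserOut':
        this.optedOut = true;
        this.cookies.set('mtm_consent_removed', '1'); // the opt-out itself is remembered
        break;
      case 'forgetUserOptOut':
        this.optedOut = false;
        this.cookies.delete('mtm_consent_removed');
        break;
      case 'trackPageView':
      case 'trackEvent':
        this.track({ action: name, args });
        break;
      default:
        break; // setTrackerUrl, setSiteId, enableLinkTracking, ... do not affect the model
    }
  }

  track(req) {
    if (this.optedOut) { this.dropped++; return; }
    if (this.mode === 'tracking' && !this.consent) { this.buffered.push(req); return; }
    // An identifier cookie is written only when allowed: default mode, or consent given.
    if (this.mode === 'none' || this.consent) this.cookies.set('_pk_id', 'visitor-id');
    this.sent.push({ ...req, withCookieId: this.cookies.has('_pk_id') });
  }
}

// Replay a queue of commands through the model and summarise the outcome.
function simulate(commands) {
  const t = new ConsentModelTracker();
  for (const c of commands) t.push(c);
  return {
    sent: t.sent.length,
    buffered: t.buffered.length,
    dropped: t.dropped,
    sentWithCookieId: t.sent.filter(r => r.withCookieId).length,
    cookies: [...t.cookies.keys()].sort(),
  };
}
```

Two runs are instructive. `simulate([['requireConsent'], ['trackPageView'], ['rememberConsentGiven', 8760], ['trackPageView']])` sends nothing until the consent call, then sends both page views with an identifier, whereas `simulate([['requireCookieConsent'], ['trackPageView']])` sends the page view immediately but without any cookie, which is the Option B behaviour. Reordering the first run so that rememberConsentGiven is pushed right after requireConsent sends the page view straight away: that is the effect of calling it at page load instead of from the consent handler.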

7. Disable Browser Feature Detection (Optional)

For stricter privacy, disable collection of browser capabilities:

// Disable browser feature detection
_paq.push(['disableBrowserFeatureDetection']);

This prevents Matomo from accessing browser resolution and supported plugins information.

Complete Privacy-First Configuration

Here's a complete tracking code configuration for maximum GDPR compliance:

var _paq = window._paq = window._paq || [];

// Privacy settings
_paq.push(['disableCookies']);
_paq.push(['setDoNotTrack', true]);

// Disable features that may raise privacy concerns
_paq.push(['disableBrowserFeatureDetection']);

// Don't track users across multiple domains
_paq.push(['disableCrossDomainLinking']);

// Optional: Global Privacy Control. Cookies are already disabled above; to stop
// tracking GPC visitors entirely, opt them out as well.
if (navigator.globalPrivacyControl) {
  _paq.push(['optUserOut']);
}

// Standard tracking
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);

(function() {
  var u="//your-matomo-instance.com/";
  _paq.push(['setTrackerUrl', u+'matomo.php']);
  _paq.push(['setSiteId', '1']);
  var d=document, g=d.createElement('script');
  g.async=true; g.src=u+'matomo.js';
  d.head.appendChild(g);
})();

CNIL Exemption Configuration (France)

The French data protection authority (CNIL) recognizes that Matomo can be configured for consent-exempt audience measurement. To qualify for this exemption, you must meet all of the following conditions:

Required Configuration for CNIL Exemption

  1. Disable Visits Log & Visitor Profile: Navigate to Administration › System › General settings and disable these features
  2. Do not use User ID tracking: Verify in Visitors › User IDs that no data is collected
  3. Do not use E-commerce tracking: E-commerce data links purchases to individuals
  4. Do not use cross-domain tracking: Each domain must be tracked separately
  5. Do not use third-party cookies: Only first-party cookies (if any) are allowed
  6. Anonymize IP addresses: Minimum 2 bytes
  7. Limit data retention: Cookie lifetime max 13 months; collected data max 25 months
  8. Provide opt-out mechanism: Clear and accessible on your privacy policy page
  9. Do not share data with third parties: Data must be used solely for audience measurement
  10. Do not use UTM campaign parameters: Recent CNIL guidance indicates UTM tracking may cancel the exemption

Important: The CNIL exemption is specific to France. Other EU countries may have different interpretations. Countries like Spain, Italy, and the Netherlands also permit exemptions for privacy-friendly analytics under specific conditions. Always verify requirements with local guidance.

GDPR Compliance Checklist

Use this checklist to verify your Matomo installation is GDPR compliant:

Data Collection

  • Cookie-less tracking enabled (or consent obtained for cookies)
  • IP anonymization configured (minimum 2 bytes, preferably 3)
  • Privacy signals considered (DNT legacy support; GPC implementation if applicable)
  • User opt-out mechanism implemented and accessible
  • No unnecessary personal data collected
  • Browser feature detection disabled (if stricter privacy required)

Data Storage

  • Data stored within EU/EEA (self-hosted) or using Matomo Cloud (Frankfurt, Germany)
  • Data retention periods configured appropriately
  • Old data automatically purged
  • Database access properly secured
  • Backups encrypted and within compliant jurisdictions

Documentation

  • Privacy policy updated to mention Matomo and explain data collection
  • Legal basis for processing documented (consent, legitimate interest, or exemption)
  • Data Processing Agreement (DPA) in place (if using Matomo Cloud)
  • Records of processing activities (ROPA) updated

User Rights

  • Process for handling data access requests (SARs)
  • Ability to delete individual user data
  • Opt-out honored across all tracking
  • Cookie consent mechanism (if using cookies) meets GDPR standard

Privacy Policy Template

Include language similar to this in your privacy policy:

Analytics

We use Matomo, a privacy-friendly analytics platform, to understand how visitors interact with our website. [Choose one of the following based on your setup:]

For self-hosted: Matomo is self-hosted on our servers within the European Union, meaning your data never leaves our infrastructure or is shared with third parties.

For Matomo Cloud: We use Matomo Cloud, which stores all data in Frankfurt, Germany. The service is operated by InnoCraft Ltd (New Zealand), which has EU adequacy status, and data is never shared with third parties.

We have configured Matomo to:

  • Not use cookies for tracking [or: Use cookies only with your consent]
  • Anonymize your IP address
  • Respect privacy signals (Do Not Track / Global Privacy Control)
  • Automatically delete raw data after [X] days/months

Legal basis: [Choose: We process this data based on our legitimate interest in understanding website usage / We collect this data only after obtaining your consent / This analytics configuration qualifies for consent exemption under [applicable regulation]].

You can opt out of analytics tracking at any time using the control below:

[Opt-out iframe or button]

Additional Compliance Considerations

ePrivacy Directive

The ePrivacy Directive (implemented through national laws) governs cookies and tracking technologies separately from GDPR. Key points:

  • Consent is required before placing non-essential cookies on user devices
  • Cookie-less analytics may be exempt in some jurisdictions (France, Spain, Italy, Netherlands) under specific conditions
  • Countries like Germany (TDDDG/TTDSG) may require consent for any client-side tracking
  • Always check your specific national implementation

Cross-Border Considerations

If your website serves visitors from multiple jurisdictions:

  • Consider implementing geo-based consent rules via your CMP
  • Apply the strictest standard as your baseline
  • Document your approach for each jurisdiction

Going Beyond Compliance

GDPR compliance is the minimum requirement. Consider these additional privacy measures:

  • Regular privacy audits: Review your tracking implementation quarterly
  • Privacy by default: Start with minimal tracking and add only what you need
  • Transparency: Be clear with users about what you track and why
  • Training: Ensure your team understands privacy requirements
  • Stay updated: GDPR interpretation evolves; monitor DPA guidance, court rulings, and regulatory updates
  • Contingency planning: Given EU-US Data Privacy Framework uncertainty, consider how your analytics strategy would adapt if the framework were invalidated

With proper configuration, Matomo allows you to gather valuable analytics insights while fully respecting user privacy and meeting GDPR requirements. The initial setup investment pays off in reduced legal risk and increased user trust.

Last updated: January 2026. Privacy regulations evolve continuously. This guide reflects current understanding but should not be considered legal advice. Consult with a qualified legal professional for guidance specific to your situation.