Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Matomo (formerly Piwik) is an open-source web analytics platform that is the leading GDPR-compliant alternative to Google Analytics. It can be self-hosted on your own infrastructure or used via Matomo Cloud (hosted in Germany). Self-hosted Matomo with cookieless mode and IP anonymisation is the only major analytics platform that can be deployed without consent banners under the CNIL exemption criteria. You own 100% of your data with no third-country transfers.
Matomo is an open-source web analytics platform used by over 1 million websites worldwide. It provides page views, sessions, bounce rate, traffic sources, conversion funnels, heatmaps, session recordings, and custom event tracking — everything Google Analytics offers, but with complete data ownership. Matomo can be self-hosted on any server you control or used via Matomo Cloud hosted in Germany. It supports both cookied and cookieless tracking modes.
The French CNIL has published an exemption allowing analytics tools to operate without consent when they meet specific criteria: cookieless tracking (no persistent identifiers stored on the device), IP anonymisation (last octet removed before storage), no cross-site tracking, no data sharing with third parties, and data used solely for statistical purposes on a single site. Matomo configured to meet these criteria — using the built-in Privacy settings — qualifies for this exemption. This is the only major analytics platform that can achieve this.
Self-hosted Matomo on your own server gives you 100% data ownership, no third-party processing, and full control. Matomo Cloud (InnoCraft, New Zealand company, servers in Germany) provides EU data residency and no US transfers, but does involve InnoCraft as a data processor requiring a DPA. Both options provide strong GDPR compliance. Self-hosted provides maximum control.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
In Matomo Admin: enable Anonymize Visitors'' IP addresses (at least 2 bytes), enable cookieless tracking (disable all cookies), disable fingerprinting, disable all data sharing. These settings activate the CNIL-exempt mode. Verify by checking that no cookies are set in browser developer tools when visiting the tracked website.
For consent-free deployment: enable cookieless mode, anonymise IPs, disable cross-site tracking, no third-party data sharing. For cookie-enabled mode: integrate with your CMP and load Matomo only after analytics consent. Either way, add Matomo to your privacy policy. For Matomo Cloud, sign the InnoCraft DPA.
Websites using Matomo must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Matomo in cookieless mode. It may become relevant for Matomo deployments using session recording, heatmaps, or form analytics features that record individual user interactions.
Sample consent text
This website uses Matomo Analytics in privacy mode. No cookies are set and no personal data is collected or transferred outside the EU. Analytics data is aggregated and anonymised. No consent is required for this configuration.
Third-party domains contacted
matomo.orgcloud.matomo.orgCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _pk_id | persistent | 13 months | Matomo visitor identifier cookie — not set in cookieless mode; identifies unique visitors for analytics |
| _pk_ses | session | Session | Matomo session cookie for grouping page views within a single visit — not set in cookieless mode |
Matomo collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Yes. Matomo in cookieless mode with IP anonymisation meets the CNIL exemption criteria for analytics without consent. Configure: disable all cookies, anonymise IP (at least 2 bytes), disable cross-site tracking, no third-party data sharing. This configuration requires no cookie banner.
The CNIL has defined criteria under which analytics tools can operate without consent: cookieless tracking, IP anonymisation, single-site data (no cross-site), data used solely for internal statistics, no data sharing with third parties. Matomo is one of the few tools capable of meeting all these criteria.
Self-hosted: no transfers — data stays on your server. Matomo Cloud: hosted in Germany, no transfers outside EU. Neither option requires SCCs. This is Matomo's primary advantage over Google Analytics for EU organisations.
Self-hosted: you install Matomo on your own server, 100% data control, free open-source software, requires technical setup. Matomo Cloud: hosted by InnoCraft in Germany, managed service, paid subscription, no technical setup, requires a DPA with InnoCraft.
Matomo sets cookies by default (_pk_id for visitor ID, _pk_ses for session, _pk_ref for referral) but these can be disabled in cookieless mode. Without cookies, Matomo uses a day-based hashing of IP and user agent for temporary session grouping that cannot persist across days.
In Matomo Admin, go to Privacy: enable IP anonymisation (anonymise first 2 bytes), enable cookieless tracking (disable all first-party cookies), disable fingerprinting. Verify in browser developer tools that no cookies are set when visiting the tracked site. Document this configuration for compliance records.
Yes, Matomo provides session recording and heatmap features (Matomo Tag Manager add-on or Matomo On-Premise). These features process individual user sessions and require consent, just like paid tools. The cookieless exemption does not apply to session recording features.
Matomo is significantly simpler for GDPR compliance: EU-hosted (no US transfers), can be consent-free in cookieless mode, you own all data, open-source and auditable. Google Analytics requires consent, US SCCs, a DPA with Google, and has been ruled non-compliant by multiple EU DPAs in standard configuration.