Matomo (formerly Piwik) is an open-source web analytics platform that is the leading GDPR-compliant alternative to Google Analytics. It can be self-hosted on your own infrastructure or used via Matomo Cloud (hosted in Germany). Self-hosted Matomo with cookieless mode and IP anonymisation is the only major analytics platform that can be deployed without consent banners under the CNIL exemption criteria. You own 100% of your data with no third-country transfers.
Matomo (originally Piwik) is the leading open source web analytics platform, used by more than one million sites worldwide. The application is published by InnoCraft Ltd under the GPLv3 license and can be deployed in two ways: self hosted on the publisher's own infrastructure (PHP and MySQL), or on Matomo Cloud, the SaaS edition hosted in France by OVHcloud. Matomo measures page views, sessions, conversions, e-commerce events and on-page behaviour through a JavaScript tag (matomo.js) and an image tracker request (matomo.php).
Compared with Google Analytics, Matomo gives the publisher full control over the storage location, retention and reuse of the data, which is why it is the reference solution for organisations seeking to fit under the CNIL analytics exemption.
In its default configuration Matomo writes first party cookies on the publisher domain: _pk_id (visitor identifier, 13 months under the CNIL recommendation), _pk_ses (session counter, 30 minutes), _pk_ref (referrer, 6 months), _pk_cvar (custom variables, 30 minutes), _pk_hsr (heatmap session recording, 30 minutes, when the HSR plugin is enabled) and _pk_testcookie (browser test, a few seconds). Matomo can also operate in cookieless mode using a server side fingerprint based on the truncated IP, user agent and the day of visit, regenerated every 24 hours. Even cookieless tracking writes to the visitor terminal through configuration cookies, so ePrivacy art. 5(3) still applies unless the analytics exemption conditions are met.
The CNIL exemption (analytics guidance, March 2022) allows Matomo to run without consent provided the configuration is strictly anonymised: IP truncation by at least the last two bytes, no cross site or cross device tracking, no commercial reuse of the data, no transfer to third parties, retention capped at 13 months for visitor cookies and 25 months for aggregated reports, opt out mechanism still available. When these conditions are met the lawful basis is legitimate interest (GDPR art. 6(1)(f)) and the ePrivacy art. 5(3) consent requirement is waived. Outside the exemption (cross site tracking, integration with Matomo Tag Manager marketing tags, sharing with third parties, behavioural advertising), explicit consent is required and Matomo must be loaded only after the user accepts.
On Matomo Cloud all processing servers are located in France at OVHcloud (Roubaix and Strasbourg). InnoCraft, the operator, is established in Wellington, New Zealand, a country covered by the European Commission adequacy decision of 19 December 2012, so the transfer to the operator administrative staff is permitted without additional safeguards. Self hosted Matomo never transfers data unless the publisher deploys it outside the EEA. The published Matomo data processing addendum aligns with GDPR art. 28 and includes the EU Standard Contractual Clauses for any onward sub processor.
Enable IP anonymisation by truncating at least two bytes (setIPv4Anonymize) and avoid storing the full IP in raw logs. Disable the User ID feature unless you have a clear contractual purpose. Limit retention to 13 months for raw visitor logs and 25 months for aggregated reports in the privacy settings panel. Document the configuration in your records of processing (GDPR art. 30) and in your privacy notice. If you also use Matomo Tag Manager to load marketing pixels, treat the whole stack as consent dependent. Verify the absence of fingerprinting plugins (Heatmaps and Session Recording, Form Analytics, Funnels) when relying on the exemption.
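The two client-side profiles described above (the consent-exempt hardened profile and the consent-gated profile wired to a CMP) can be expressed entirely through the _paq command queue that matomo.js drains when it loads. The following is an added example, not code from Matomo or InnoCraft: every command pushed is a documented Matomo JavaScript tracker API call, while the MATOMO_URL and SITE_ID values are placeholders. IP anonymisation itself is a server-side setting (Admin > Privacy) and is not something the tag can switch on.

```javascript
// Added example (not Matomo's own code). Builds the _paq command queue that matomo.js
// executes on load. In a page this would be: var _paq = window._paq = window._paq || [];
// followed by the async <script> that loads matomo.js.
const MATOMO_URL = "https://analytics.example.org/"; // placeholder, not a real instance
const SITE_ID = "1";                                  // placeholder site id

const THIRTEEN_MONTHS_SECONDS = 13 * 30 * 24 * 60 * 60; // 13 month cap on _pk_id
const SIX_MONTHS_SECONDS = 6 * 30 * 24 * 60 * 60;       // 6 month cap on _pk_ref
const THIRTY_MINUTES_SECONDS = 30 * 60;                 // _pk_ses lifetime

// Commands shared by both profiles.
function baseCommands(queue) {
  queue.push(["setTrackerUrl", MATOMO_URL + "matomo.php"]);
  queue.push(["setSiteId", SITE_ID]);
  queue.push(["setDoNotTrack", true]); // honour the browser Do Not Track signal
  return queue;
}

// Profile 1: consent-exempt analytics. No first-party cookie is written at all, which is
// the client-side half of the CNIL criteria; IP truncation must be enabled on the server.
function buildExemptQueue() {
  const queue = baseCommands([]);
  queue.push(["disableCookies"]); // cookieless mode: no _pk_* cookies
  queue.push(["trackPageView"]);
  queue.push(["enableLinkTracking"]);
  return queue;
}

// Profile 2: consent-gated analytics. requireConsent must precede trackPageView so that
// nothing is sent until the CMP reports a decision through applyConsentDecision below.
function buildConsentGatedQueue() {
  const queue = baseCommands([]);
  queue.push(["requireConsent"]);
  queue.push(["setSecureCookie", true]);
  queue.push(["setVisitorCookieTimeout", THIRTEEN_MONTHS_SECONDS]);
  queue.push(["setReferralCookieTimeout", SIX_MONTHS_SECONDS]);
  queue.push(["setSessionCookieTimeout", THIRTY_MINUTES_SECONDS]);
  queue.push(["trackPageView"]);
  queue.push(["enableLinkTracking"]);
  return queue;
}

// Called by the CMP whenever the visitor makes or changes a choice.
function applyConsentDecision(queue, accepted) {
  if (accepted) {
    queue.push(["rememberConsentGiven"]); // persists the choice and releases tracking
  } else {
    queue.push(["forgetConsentGiven"]);   // records the refusal and deletes tracking cookies
  }
  return queue;
}

// Helper for inspecting a queue: the ordered list of command names.
function commandNames(queue) {
  return queue.map((command) => command[0]);
}
```

In a real page the CMP calls applyConsentDecision(window._paq, decision) from its own consent callback; because _paq is an array until matomo.js has loaded, the calls are safe to make before or after the tracker script arrives.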
Comparable privacy first options include Plausible Analytics (cookieless, EU hosted in Germany), Fathom Analytics, Piano Analytics (formerly AT Internet, declared CNIL exempt by default), Umami and Open Web Analytics. Migrating away from Matomo is straightforward because the SQL schema is documented and the API allows bulk export. Keep your historical reports for the legal retention window before deleting the database to honour GDPR art. 5(1)(e) on storage limitation.
Websites using Matomo must obtain user consent under GDPR regulations.
DPIA considerations
For the consent exempt configuration, a full DPIA is generally not required because the residual risk is low: data stays in the EU (Cloud) or on premises (self hosted), IP addresses are anonymised, no profile enrichment, no third party sharing. A DPIA becomes recommended when Matomo is used with profile enrichment plugins, behavioural targeting, A/B testing, advanced session replay or when tracking is extended to a logged in audience with persistent user IDs. Document the configuration in any case (anonymisation level, cookie lifetime, plugins activated, retention settings) so the DPA can demonstrate compliance with Article 5(2) accountability.
Sample consent text
We use Matomo, an open source web analytics platform, to count visits and understand which content is most useful. Depending on our configuration, Matomo runs either without cookies under the CNIL analytics exemption (anonymised IP, no cross site tracking, no commercial reuse) or with the consent cookies _pk_id, _pk_ses and _pk_ref retained for up to 13 months. When deployed on Matomo Cloud, your data is processed in the European Union (France) by InnoCraft Ltd in New Zealand, which benefits from a European Commission adequacy decision. You can refuse or withdraw your consent at any time from our cookie preferences panel, even when Matomo runs under the exemption.
Third-party domains contacted
matomo.cloud, matomo.org, cloud.matomo.org, innocraft.cloud, cdn.matomo.cloud, plugins.matomo.org
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _pk_id.{siteId}.{hash} | First party HTTP cookie (Matomo) | 13 months (configurable) | Visitor identifier: a random anonymous ID used to recognise returning visitors and to link several sessions to the same visitor profile. Not set in cookieless mode. |
| _pk_ses.{siteId}.{hash} | First party HTTP cookie (Matomo) | 30 minutes | Marks the current visit as active and groups its page views. Expires 30 minutes after the last tracked event, after which any new event starts a new session. Not set in cookieless mode. |
| _pk_ref.{siteId}.{hash} | First party HTTP cookie (Matomo) | 6 months | Stores the campaign, search engine or external referrer that led the visitor to the site, so attribution reports can be built without re-reading the Referer header on every page. |
| _pk_cvar.{siteId}.{hash} | First party HTTP cookie (Matomo) | 30 minutes | Temporarily stores session-scoped custom variables set through the setCustomVariable API (legacy feature). Only present if the site uses custom variables. |
| _pk_testcookie | First party HTTP cookie (Matomo) | Session | Short-lived test cookie used to verify whether the browser accepts cookies. Deleted immediately after the test. |
| mtm_consent | First party (Matomo Tag Manager) | 30 years (configurable) | Stores the visitor's consent decision for Matomo Tag Manager. |
Yes. Matomo in cookieless mode with IP anonymisation meets the CNIL exemption criteria for analytics without consent. Configure: disable all cookies, anonymise IP (at least 2 bytes), disable cross-site tracking, no third-party data sharing. This configuration requires no cookie banner.
The CNIL has defined criteria under which analytics tools can operate without consent: cookieless tracking, IP anonymisation, single-site data (no cross-site), data used solely for internal statistics, no data sharing with third parties. Matomo is one of the few tools capable of meeting all these criteria.
Self-hosted: no transfers — data stays on your server. Matomo Cloud: hosted in Germany, no transfers outside EU. Neither option requires SCCs. This is Matomo's primary advantage over Google Analytics for EU organisations.
Self-hosted: you install Matomo on your own server, 100% data control, free open-source software, requires technical setup. Matomo Cloud: hosted by InnoCraft in Germany, managed service, paid subscription, no technical setup, requires a DPA with InnoCraft.
Matomo sets cookies by default (_pk_id for visitor ID, _pk_ses for session, _pk_ref for referral) but these can be disabled in cookieless mode. Without cookies, Matomo uses a day-based hashing of IP and user agent for temporary session grouping that cannot persist across days.
In Matomo Admin, go to Privacy: enable IP anonymisation (anonymise first 2 bytes), enable cookieless tracking (disable all first-party cookies), disable fingerprinting. Verify in browser developer tools that no cookies are set when visiting the tracked site. Document this configuration for compliance records.
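The verification step above (confirm in the developer tools that no cookies are set) can be made repeatable by feeding the document.cookie string into a small audit routine. This is an added example, not Matomo's own code: it relies only on Matomo's documented cookie naming (_pk_<kind>.<siteId>.<hash>, plus mtm_consent and mtm_consent_removed for the consent state), and the three sample cookie strings are constructed.

```javascript
// Added example (not Matomo's own code). Audits a document.cookie string copied from the
// browser developer tools and reports whether the deployment matches the profile it claims:
// the exempt profile must write no Matomo cookie at all, and a consent-gated profile must not
// carry persistent identifiers (_pk_id, _pk_ref) unless mtm_consent records an acceptance.
const MATOMO_COOKIE_RE = /^_pk_(id|ses|ref|cvar|hsr|testcookie)(?:\.(\d+)\.([0-9a-f]+))?$/i;

// document.cookie has the form "name=value; name2=value2" with no attributes.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? { name: part, value: "" }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

function auditMatomoCookies(cookieString) {
  const tracking = [];
  let consentCookie = null; // "mtm_consent" (accepted) or "mtm_consent_removed" (refused)
  for (const cookie of parseCookieString(cookieString)) {
    const match = MATOMO_COOKIE_RE.exec(cookie.name);
    if (match) {
      tracking.push({ name: cookie.name, kind: match[1].toLowerCase(), siteId: match[2] || null });
    } else if (cookie.name === "mtm_consent" || cookie.name === "mtm_consent_removed") {
      consentCookie = cookie.name;
    }
  }
  const persistent = tracking.filter((t) => t.kind === "id" || t.kind === "ref");
  return {
    tracking,
    consentCookie,
    // Exempt profile: no Matomo cookie may be present.
    cookieless: tracking.length === 0,
    // Consent-gated profile: persistent identifiers must follow a recorded acceptance.
    identifiersWithoutConsent: persistent.length > 0 && consentCookie !== "mtm_consent",
  };
}

// Constructed samples: what the exempt profile, a misconfigured profile and a correctly
// consent-gated profile would show in the developer tools.
const SAMPLE_EXEMPT = "PHPSESSID=abc123; theme=dark";
const SAMPLE_LEAK = "_pk_id.1.1fff=2f3e; _pk_ses.1.1fff=1; PHPSESSID=abc123";
const SAMPLE_CONSENTED = "mtm_consent=1700000000000; _pk_id.1.1fff=2f3e; _pk_ref.1.1fff=%5B%22%22%5D";
```

Run the audit on every page template that loads the tag, not only the home page: a template that still pushes trackPageView without disableCookies is exactly the case the SAMPLE_LEAK string models, and it silently moves the site out of the exemption.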
Yes, Matomo provides session recording and heatmap features (Matomo Tag Manager add-on or Matomo On-Premise). These features process individual user sessions and require consent, just like paid tools. The cookieless exemption does not apply to session recording features.
Matomo is significantly simpler for GDPR compliance: EU-hosted (no US transfers), can be consent-free in cookieless mode, you own all data, open-source and auditable. Google Analytics requires consent, US SCCs, a DPA with Google, and has been ruled non-compliant by multiple EU DPAs in standard configuration.
By default Matomo sets four first party cookies: _pk_id (visitor identifier, 13 months), _pk_ses (session, 30 minutes), _pk_ref (referrer attribution, 6 months) and several short lived configuration cookies. Cookies can be disabled entirely with a single line of configuration, in which case Matomo falls back to a cookieless visitor detection valid only for the duration of the visit.
It depends on the configuration. In France the CNIL allows Matomo to be used without consent if you apply the privacy hardening profile (anonymous IP, no fingerprinting, 13 month cookie cap, opt out, no cross site tracking). In Germany the TDDDG generally requires consent for any non essential cookie, so a CMP is recommended unless Matomo runs in fully cookieless mode. In Spain the AEPD aligns with the CNIL position.
When the CNIL or AEPD exemption applies, the legal basis is legitimate interest (Art. 6(1)(f) GDPR), supported by a documented balancing test. Outside the exemption, or for any cross site tracking, the legal basis is consent (Art. 6(1)(a) GDPR combined with Art. 5(3) of the ePrivacy Directive).
No. Matomo Cloud is hosted entirely in the European Union (France and Germany) and self hosted Matomo runs on infrastructure you control. There is no transfer of personal data to the United States, which makes Matomo unaffected by the Schrems II decision and a strong choice for organisations sensitive to international data transfers.
A DPIA is usually not required for Matomo configured in privacy mode on EU infrastructure with anonymised IPs and no cross site tracking. A DPIA becomes recommended if you track sensitive categories of users (children, health), if you combine Matomo data with personal identifiers from your CRM, or if you process very large volumes that meet the EDPB high risk criteria.
Install Matomo on EU infrastructure or subscribe to Matomo Cloud (EU). In the admin enable IP anonymisation (mask 2 bytes), disable fingerprinting, set cookies to 13 months maximum, disable cross site tracking, honour Do Not Track, and publish the opt out. Update your privacy policy and Article 30 record. If consent is required, integrate Matomo with your CMP via the _paq.push API.
Privacy first analytics alternatives include Plausible Analytics (EU, cookieless), Fathom Analytics (EU/US), Piwik PRO (EU, enterprise), Pirsch (EU, cookieless) and the self hosted Umami. For broader feature parity you may compare against Google Analytics 4, Adobe Analytics or Mixpanel, although these typically require explicit consent and a thorough data transfer assessment.
Add a dedicated entry listing the four Matomo cookies (_pk_id, _pk_ses, _pk_ref, plus configuration cookies), their purpose (analytics), the retention period, the legal basis (legitimate interest with hardening, or consent), the hosting location (EU), and a clickable opt out link. Reflect these entries in your Consent Management Platform so visitors can withdraw consent at any time.