Matomo (formerly Piwik) is an open source web analytics platform that gives you full data ownership. Available as self-hosted, cloud, or WordPress plugin, Matomo tracks visitor behaviour using first-party cookies and supports cookieless tracking. Approved by CNIL for consent exemption when properly configured.
Matomo Analytics is the original measurement product of the open source Matomo platform (formerly Piwik). It measures page views, sessions, conversions, events, e-commerce transactions and on-page behaviour through a JavaScript tag (matomo.js) and an image tracker request (matomo.php). Matomo Analytics can be deployed self-hosted on the publisher's own PHP and MySQL infrastructure, or as a SaaS via Matomo Cloud, hosted in France by OVHcloud.
Default cookies written by Matomo Analytics are first-party cookies on the publisher's domain: _pk_id (visitor identifier, 13 months under CNIL), _pk_ses (session counter, 30 minutes), _pk_ref (referrer, 6 months), _pk_cvar (custom variables, 30 minutes), and _pk_testcookie (browser test, a few seconds). When configured in cookieless mode, no persistent identifier is written; instead Matomo computes a daily server-side hash from the truncated IP and user agent. The publisher must still respect the ePrivacy art. 5(3) consent requirement unless the strict CNIL exemption conditions are met.
To run Matomo Analytics without a consent banner, the publisher must follow the CNIL exemption (March 2022 guidance): truncate the IP by at least two bytes, disable cross-site tracking, do not reuse the data for commercial purposes, do not share the data with third parties, cap retention at 13 months for visitor cookies and 25 months for aggregated reports, and provide an opt-out mechanism. Inside this perimeter, the lawful basis is legitimate interest (GDPR art. 6(1)(f)). Outside it, explicit consent (GDPR art. 6(1)(a) and ePrivacy art. 5(3)) is required.
On Matomo Cloud all servers are located in France with OVHcloud. The operator InnoCraft Ltd is established in Wellington, New Zealand, which is covered by the European Commission adequacy decision of 2012, so the administrative access from New Zealand does not require Standard Contractual Clauses. Self-hosted Matomo Analytics generates no transfer unless the publisher chooses non-EEA infrastructure.
Activate setIPv4Anonymize with at least two bytes, disable the User ID feature unless contractually justified, cap retention at 13 months, and document the configuration in your records of processing (GDPR art. 30) and in the privacy notice. Avoid enabling the Heatmap, Session Recording and Form Analytics plugins when relying on the exemption. Provide a one-click opt-out link based on the trackerUrl.
Comparable privacy-first analytics are Plausible (cookieless, Germany), Fathom Analytics, Piano Analytics (France, declared CNIL exempt by default), Umami and Open Web Analytics. Migration to or from Matomo Analytics is straightforward thanks to the documented SQL schema and the export API.
Websites using Matomo Analytics must obtain user consent under GDPR regulations.
DPIA considerations
When Matomo Analytics is configured under the CNIL exemption (IP anonymisation, no cross-site tracking, 13-month cookies, no third-party sharing, opt-out available), the residual risk is low and a full DPIA is generally not required. A DPIA becomes recommended if you activate session replay, heatmaps on logged-in users, advanced funnel analysis with persistent user IDs, A/B testing or profile enrichment plugins. The risk assessment should compare with the previous Google Analytics deployment to evidence the improvement, and document the configuration in the Article 30 record.
Sample consent text
We use Matomo Analytics, an open source web measurement tool, to count visits to this site. When Matomo Analytics is configured under the CNIL exemption (anonymised IP, no cross-site tracking, no commercial reuse, retention capped at 13 months), no consent is required, but you remain free to opt out. Otherwise Matomo Analytics relies on the cookies _pk_id, _pk_ses and _pk_ref. Your data is processed in the European Union on Matomo Cloud (France) or on our own server. You can withdraw your consent at any time from our cookie preferences panel.
Third-party domains contacted
matomo.cloud, *.matomo.cloud, matomo.org, plugins.matomo.org, innocraft.cloud
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _pk_id.{siteId}.{hash} | First-party HTTP cookie | 13 months (configurable) | Unique visitor identifier used to distinguish returning visitors from new ones and to build visitor profiles (visit count, timestamps, e-commerce orders, goal conversions). |
| _pk_ses.{siteId}.{hash} | First-party HTTP cookie | 30 minutes | Marks the current session as active and links the actions of a visit (page views, downloads, events) to a single session; expires 30 minutes after the last tracked event. |
| _pk_ref.{siteId}.{hash} | First-party HTTP cookie | 6 months | Stores the referrer or campaign that brought the visitor to the site (search engine, social media, external website or campaign URL), used by attribution reports. |
| _pk_cvar | First-party HTTP cookie | 30 minutes (session) | Stores temporary custom variables (key-value pairs) describing the visitor or their actions during the current visit (legacy feature). |
| _pk_testcookie | First-party HTTP cookie | Session (a few seconds) | Short-lived test cookie used to verify that the browser accepts cookies before any tracking starts. |
| mtm_consent | First-party HTTP cookie | Until withdrawn (default: 30 years) | Records that the visitor has given consent to be tracked; set by Matomo's built-in consent management or a CMP integration. |
| mtm_consent_removed | First-party HTTP cookie | Until withdrawn (default: 30 years) | Records that the visitor has withdrawn previously given consent and opted out of tracking. |
| _pk_hsr | First-party HTTP cookie | Session | Used by the Heatmap and Session Recording plugin to track which areas of a page visitors interact with and to capture session recordings. |
Matomo sets four main first-party cookies: _pk_id (unique visitor ID, 13 months), _pk_ses (session tracking, 30 minutes), _pk_ref (referrer attribution, 6 months), and _pk_cvar (custom session variables, 30 minutes). Optional cookies include mtm_consent and mtm_consent_removed for consent management, and _pk_hsr for Heatmaps and Session Recordings. Matomo can also be configured to run entirely without cookies.
In most EU countries, consent is required under ePrivacy rules before any analytics tracking, including Matomo. However, in France (CNIL), Spain, Italy, and the Netherlands, Matomo can qualify for a consent exemption when configured with specific privacy settings: cookieless mode, IP anonymisation, no cross-site tracking, and limited data retention. In strict jurisdictions like Germany, Austria, and Ireland, consent is always required regardless of configuration.
Two legal bases apply to Matomo: consent or legitimate interest. Consent is the safest option and is required in most EU jurisdictions. Legitimate interest can be used if you complete a Legitimate Interest Assessment (LIA) documenting the purpose, necessity, and balancing test. When relying on the CNIL exemption, the legal basis for ePrivacy compliance is the strictly necessary exemption, but GDPR requirements still apply if personal data is processed.
No. With Matomo On-Premise, all data stays on your own servers in the location you choose. With Matomo Cloud, data is stored exclusively in EU data centres (Germany and France). Matomo never shares data with third parties or uses it for its own purposes. This is a major compliance advantage over tools like Google Analytics, which have been ruled illegal by several EU DPAs due to US data transfers.
A DPIA is generally not required for standard Matomo deployments with default privacy settings, as the tool is designed for privacy by default with no third-country transfers. However, a DPIA is recommended when enabling Heatmaps and Session Recordings, processing data of vulnerable groups, combining Matomo data with other personal data sources, or using User ID tracking to link sessions to identified individuals.
Key steps: choose On-Premise or Matomo Cloud for full data control. Enable IP anonymisation (2 or 3 bytes). Set appropriate data retention policies. Document Matomo in your ROPA. Update your privacy policy. Integrate with a CMP or use Matomo's built-in consent API (_paq.push(['requireConsent']) or _paq.push(['requireCookieConsent'])). For CNIL exemption, follow the official configuration guide. Provide an opt-out mechanism via Matomo's opt-out iframe or a custom form.
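The consent-API and opt-out steps above, together with the earlier advice to honour Do Not Track and expose a one-click opt-out, as an added example that is not part of the original page or of Matomo's own code: it assembles the _paq command queue for the two profiles the page describes (CNIL-exempt cookieless, and consent-gated). The tracker URL and site ID are assumed values; IP anonymisation and retention are server-side Matomo settings that the tag cannot control.

```javascript
// Added example: builds the Matomo tracker command queue (_paq) for the two
// profiles described on the page. Tracker URL and site ID are assumed values.
// IP anonymisation and data retention are server-side Matomo settings that the
// JavaScript tag cannot set; verify them in the Matomo admin before going live.

// Returns the _paq command queue for a profile: 'exempt' (CNIL-exempt,
// cookieless) or 'consent' (tracking gated behind a CMP decision).
function buildMatomoQueue(profile, trackerBase, siteId) {
  const paq = [];
  paq.push(['setTrackerUrl', trackerBase + 'matomo.php']);
  paq.push(['setSiteId', String(siteId)]);
  paq.push(['setDoNotTrack', true]); // honour the browser DNT signal (exemption condition)
  if (profile === 'exempt') {
    // No persistent identifier in the browser: _pk_id/_pk_ses/_pk_ref are never written.
    paq.push(['disableCookies']);
  } else if (profile === 'consent') {
    // Nothing is sent until the CMP calls setConsentGiven/rememberConsentGiven;
    // must precede trackPageView so the page view is queued rather than sent.
    paq.push(['requireConsent']);
  } else {
    throw new Error('unknown profile: ' + profile);
  }
  paq.push(['trackPageView']);
  paq.push(['enableLinkTracking']);
  return paq;
}

// CMP callback for the consent profile. rememberConsentGiven writes the
// mtm_consent cookie and replays queued requests; forgetConsentGiven writes
// mtm_consent_removed and drops them. Returns the command it pushed.
function applyConsentDecision(paq, granted, rememberHours) {
  const cmd = granted
    ? ['rememberConsentGiven', rememberHours]
    : ['forgetConsentGiven'];
  paq.push(cmd);
  return cmd;
}

// Opt-out link handler for the exempt profile: optUserOut stores an opt-out
// cookie so the tracker stops sending requests; forgetUserOptOut reverses it.
function applyOptOut(paq, optedOut) {
  const cmd = optedOut ? ['optUserOut'] : ['forgetUserOptOut'];
  paq.push(cmd);
  return cmd;
}

// In a page: window._paq = buildMatomoQueue('exempt', 'https://analytics.example.org/', 1);
// then load matomo.js from the same base URL.
```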
Privacy-focused analytics alternatives include Plausible Analytics (cookieless, lightweight, EU-hosted), Fathom Analytics (cookieless, simple, privacy-first), GoatCounter (open source, minimal tracking), and Umami (open source, self-hosted). For organisations needing full feature parity with Google Analytics, Matomo remains the most comprehensive privacy-friendly option with its self-hosted model and CNIL approval.
Your cookie policy should list each Matomo cookie by name, type, purpose, and duration: _pk_id (persistent, visitor identification, 13 months), _pk_ses (session, session tracking, 30 minutes), _pk_ref (persistent, referrer attribution, 6 months), _pk_cvar (session, custom variables, 30 minutes). If using consent management, also list mtm_consent and mtm_consent_removed. State that Matomo uses first-party cookies only, that data is stored on your servers or in the EU, and that no data is shared with third parties. If configured for cookieless tracking, state that no cookies are used for analytics.
Matomo Analytics sets three first-party cookies: _pk_id (unique visitor identifier, default 13 months), _pk_ses (active session, 30 minutes) and _pk_ref (referrer information, 6 months). A cookieless mode is available where the visitor is identified server-side from a truncated IP and the user agent. Matomo never sets any third-party cookie.
Four first-party cookies: _pk_id (visitor ID, 13 months), _pk_ses (session, 30 minutes), _pk_ref (referrer, 6 months) and short-lived configuration cookies. The cookieless mode disables all persistent cookies.
Not necessarily. When configured under the CNIL exemption (IP anonymisation, 13-month cookies, no cross-site tracking, no third-party sharing, opt-out, Do Not Track honoured), Matomo Analytics is treated as strictly necessary measurement and does not require prior consent. For any other configuration, prior opt-in consent under Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive is required.
Not in France or Spain if you apply the CNIL/AEPD privacy hardening profile (anonymous IP, 13-month cap, no fingerprinting, opt-out). In Germany consent is required under § 25 TDDDG unless the cookieless mode is used.
In the consent-exempt configuration, the legal basis is legitimate interest (Article 6(1)(f) GDPR) because the processing is strictly necessary for a measurement service the publisher expects, and the risk to the data subject is low. Outside that configuration, the legal basis is consent. The DPA with InnoCraft (Cloud) is signed under Article 28; for self-hosted Matomo, no processor relationship exists.
Legitimate interest (Art. 6(1)(f) GDPR) when the CNIL/AEPD exemption applies. Otherwise consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy Directive).
No. Matomo Cloud is hosted in France and Germany and self-hosted Matomo runs on your own EU infrastructure. There is no US transfer.
No. Matomo Cloud data is stored exclusively in Germany (Hetzner Online, Falkenstein and Nuremberg). Self-hosted Matomo runs on infrastructure chosen by the operator. InnoCraft, the publisher, sits in New Zealand, which has had an EU adequacy decision since 2012, so support access is not a third-country transfer that requires SCCs.
Usually not when running with the privacy profile on EU infrastructure. A DPIA is recommended for large-scale tracking, sensitive categories or CRM cross-referencing.
A full DPIA is generally not required in the consent-exempt, IP-anonymised configuration because the residual risk is low. It becomes recommended when you activate session replay, heatmaps on identified users, advanced funnel analysis with persistent user IDs, A/B testing or profile enrichment plugins. Always document the configuration in the Article 30 record.
Enable IP anonymisation, disable fingerprinting, cap cookies at 13 months, respect Do Not Track, and expose the opt-out. Document the configuration in your Article 30 record and privacy policy.
Provision a Matomo Cloud account or install on-premises, replicate goals and e-commerce tracking, run the official Google Analytics importer for the last 24 months, deploy matomo.js in parallel with GA in shadow mode for 30 to 60 days, then remove the GA tag, update the cookie policy and notify the DPO. Verify in raw logs that IP anonymisation is active before going live.
Plausible Analytics, Fathom Analytics, Piwik PRO, Pirsch and self-hosted Umami for privacy-first analytics. Google Analytics 4 and Adobe Analytics for full enterprise feature parity (with consent).
For consent-exempt analytics: Plausible (Germany), Pirsch (Germany), Fathom Lite (self-hosted), Cabin (self-hosted), Umami (open source). For consent-based analytics with more features: PostHog (US/EU), Mixpanel (US), Amplitude (US), Heap (US). For server-side log analytics: Piano Analytics (France, formerly AT Internet), Eulerian (France), Wide Angle Analytics (Poland).
List the four Matomo cookies with purpose, retention and legal basis. Reflect the configuration (anonymous IP, no fingerprinting, EU hosting). Regenerate the policy whenever the configuration changes.
List the entry as either consent-exempt analytics (when CNIL conditions are met) or as analytics requiring consent. Name the processor (InnoCraft Ltd. for Matomo Cloud, or specify self-hosted), the purpose (audience measurement), the legal basis, the cookies and their lifetimes (13 months, 30 minutes, 6 months), the retention (25 months max), the absence of third-party transfers and a link to the opt-out page.