Matomo (formerly Piwik) is an open source web analytics platform that gives you full data ownership. Available as self-hosted, cloud, or WordPress plugin, Matomo tracks visitor behaviour using first-party cookies and also supports cookieless tracking. When configured as CNIL prescribes, it qualifies for the French consent exemption for audience measurement.
Matomo (formerly Piwik) is an open source web analytics platform used by over one million websites worldwide, including the European Commission. Unlike Google Analytics, Matomo gives website operators full ownership of their data. It is available as a self-hosted solution (On-Premise), a managed cloud service with EU-based servers, or a WordPress plugin. Matomo provides features such as real-time analytics, heatmaps, session recordings, A/B testing, tag management, and conversion tracking.
By default, Matomo uses first-party cookies to track visitor interactions. The main cookies are: _pk_id (stores a unique visitor ID, valid for 13 months), _pk_ses (session cookie, valid for 30 minutes), _pk_ref (stores referrer attribution data, valid for 6 months), and _pk_cvar (stores custom variables for the session). Optional cookies include mtm_consent (records consent status), mtm_consent_removed (records opt-out), and _pk_hsr (used for Heatmaps and Session Recordings). Matomo can also be configured to run entirely without cookies. Visitors are then recognised by a short-lived hash of request properties (such as the anonymised IP address and user agent) salted with a value that Matomo regenerates every day, so the same visitor cannot be linked across days.
Under the ePrivacy Directive, most EU countries require prior consent before any analytics tracking, including first-party cookies and JavaScript-based tracking. However, some countries allow exemptions for privacy-friendly analytics. France (CNIL) has specifically approved Matomo as one of the few tools eligible for consent exemption, provided it is configured with IP anonymisation, cookieless mode, limited data retention, and no cross-site tracking. Similar exemptions apply in Spain, Italy, and the Netherlands under specific conditions. When processing personal data such as IP addresses, User IDs, or page URLs containing identifiable information, the GDPR applies, requiring a lawful basis (consent or legitimate interest with a documented assessment).
Matomo provides built-in consent management through its JavaScript API, supporting both tracking consent (no requests are sent until consent is given) and cookie consent (tracking requests are sent, but no cookies are set until consent is given). Note that in cookie-consent mode the tracking request itself, carrying the IP address and user agent, still leaves the browser before consent, so this mode only addresses the ePrivacy storage rule and not the GDPR lawful-basis question for that data. Matomo integrates with most popular CMPs including Cookiebot, OneTrust, Usercentrics, Complianz, and Klaro. For the CNIL consent exemption configuration, Matomo must be set up with specific privacy settings: disable cookies, anonymise IPs by at least 2 bytes, disable User ID tracking, and limit data retention. In strict ePrivacy jurisdictions (Germany, Austria, Ireland), consent is always required regardless of Matomo configuration.
One of Matomo's strongest compliance advantages is complete data sovereignty. With On-Premise installations, all data remains on the website operator's own servers, in any country of their choosing. Matomo Cloud stores data exclusively in EU data centres (Germany and France). No data is ever shared with third parties, and Matomo does not use the collected data for its own purposes. This stands in contrast to Google Analytics, which has faced multiple rulings from EU data protection authorities (Austria, France, Italy) for illegal data transfers to the United States.
To achieve GDPR compliance with Matomo: choose On-Premise or Matomo Cloud (EU servers) for full data control. Enable IP anonymisation (2 or 3 bytes). Configure data retention policies appropriate to your needs. Document Matomo in your Record of Processing Activities (ROPA). Update your privacy policy to disclose Matomo usage, the cookies set, and the legal basis for processing. If consent is required in your jurisdiction, integrate Matomo with a CMP or use its built-in consent API. For CNIL exemption, follow the official CNIL configuration guide to disable cookies, anonymise all personal data, and provide an opt-out mechanism, for example Matomo's opt-out iframe or a custom opt-out form on your privacy page.
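The consent modes explained earlier and the steps just listed, as an added example that is neither Matomo's own code nor code from this page: a script that assembles the `_paq` command queue for the three configurations (CNIL-style cookieless, tracking consent, cookie consent), exposes the callbacks a CMP would call, and checks the ordering the tracker requires. The endpoint `https://analytics.example.org/` and site id `1` are placeholders; `GATES`, `buildMatomoQueue`, `grantConsent`, `withdrawConsent`, `gatesPrecedeTracking` and `installTracker` are helper names chosen for this example; the method names pushed into the queue are Matomo's public JavaScript tracker API.

```javascript
// Added example, not Matomo's own code or code from this page: build the Matomo
// command queue (_paq) for the three configurations discussed above and check
// the ordering the tracker documentation requires. The tracker URL and site id
// are placeholders; the method names are Matomo's public JS tracker API.

const MATOMO_URL = 'https://analytics.example.org/'; // placeholder endpoint
const SITE_ID = '1';                                   // placeholder idsite

// Commands that restrict what the tracker may do. They must be queued before
// the first trackPageView, otherwise that page view is sent (or its cookies are
// written) before the restriction exists.
const GATES = new Set(['requireConsent', 'requireCookieConsent', 'disableCookies', 'setDoNotTrack']);

// strategy: 'exempt'           - cookieless CNIL-style setup, no banner (where allowed)
//           'tracking-consent' - nothing is sent until consent is given
//           'cookie-consent'   - requests are sent cookieless; cookies only after consent
// opts.alreadyConsented: a CMP already holds consent for this visitor
function buildMatomoQueue(strategy, opts = {}) {
  const paq = [];
  if (strategy === 'exempt') {
    paq.push(['disableCookies']);        // no _pk_* cookies at all
    paq.push(['setDoNotTrack', true]);   // honour the browser DNT signal
  } else if (strategy === 'tracking-consent') {
    paq.push(['requireConsent']);
  } else if (strategy === 'cookie-consent') {
    paq.push(['requireCookieConsent']);
  } else {
    throw new Error(`unknown strategy: ${strategy}`);
  }
  if (opts.alreadyConsented && strategy !== 'exempt') {
    paq.push([strategy === 'cookie-consent' ? 'setCookieConsentGiven' : 'setConsentGiven']);
  }
  // The remainder follows the standard Matomo snippet ordering.
  paq.push(['trackPageView']);
  paq.push(['enableLinkTracking']);
  paq.push(['setTrackerUrl', MATOMO_URL + 'matomo.php']);
  paq.push(['setSiteId', SITE_ID]);
  return paq;
}

// Banner / CMP "accept" callback. rememberHours > 0 persists the decision in the
// mtm_consent cookie for that many hours instead of the 30-year default.
function grantConsent(paq, strategy, rememberHours = 0) {
  const cookieMode = strategy === 'cookie-consent';
  if (rememberHours > 0) {
    paq.push([cookieMode ? 'rememberCookieConsentGiven' : 'rememberConsentGiven', rememberHours]);
  } else {
    paq.push([cookieMode ? 'setCookieConsentGiven' : 'setConsentGiven']);
  }
}

// Banner / CMP "withdraw" callback. The tracker deletes its cookies and, in
// tracking-consent mode, stops sending requests.
function withdrawConsent(paq, strategy) {
  paq.push([strategy === 'cookie-consent' ? 'forgetCookieConsentGiven' : 'forgetConsentGiven']);
}

// Returns true when every gate precedes the first trackPageView.
function gatesPrecedeTracking(paq) {
  const firstTrack = paq.findIndex(cmd => cmd[0] === 'trackPageView');
  return paq.every((cmd, i) => !GATES.has(cmd[0]) || firstTrack === -1 || i < firstTrack);
}

// Browser only: expose the queue as window._paq and load matomo.js. Returns
// false when there is no DOM (e.g. when this file is run under Node).
function installTracker(paq) {
  if (typeof document === 'undefined') return false;
  window._paq = paq;
  const g = document.createElement('script');
  g.async = true;
  g.src = MATOMO_URL + 'matomo.js';
  document.head.appendChild(g);
  return true;
}

// Example: a site that needs consent and has a CMP calling the two callbacks.
const queue = buildMatomoQueue('tracking-consent');
if (!gatesPrecedeTracking(queue)) throw new Error('consent gate queued after trackPageView');
installTracker(queue);
```

Wire `grantConsent` and `withdrawConsent` to the CMP's accept and withdraw callbacks. `gatesPrecedeTracking` is the check worth keeping in a unit test: the common mistake is a theme or tag manager that pushes `trackPageView` before the consent gate, which silently sends the first page view without consent.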
Websites using Matomo Analytics must, as a rule, obtain user consent under ePrivacy and GDPR rules; the national exemptions described above (such as the CNIL configuration) are the exception and apply only when Matomo is configured as the authority requires.
DPIA considerations
A DPIA is generally not required for standard Matomo On-Premise or Cloud deployments with default privacy settings, as the tool is designed for privacy by default. However, a DPIA is recommended when: enabling Heatmaps and Session Recordings (which capture detailed user interactions), processing data of vulnerable groups (children, patients), combining Matomo data with other personal data sources, or using User ID tracking to link sessions to identified individuals. The self-hosted nature and absence of third-country transfers significantly reduce the risk profile.
Sample consent text
We use Matomo Analytics to analyse traffic on our website. Matomo uses first-party cookies (_pk_id, _pk_ses) to distinguish unique visitors and track sessions. All data is stored on our own servers [or in the EU] and is never shared with third parties. You can opt out of tracking at any time. Do you accept the use of Matomo Analytics cookies for statistical purposes?
Third-party domains contacted
matomo.org, *.matomo.cloud, plugins.matomo.org
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _pk_id | first-party | 13 months | Stores a unique visitor ID to recognise new and returning visitors and build visitor profiles including visit count, timestamps, eCommerce orders, and goal conversions. |
| _pk_ses | first-party | 30 minutes | Used to link actions performed during a session (page views, downloads, events) to a unique visit, enabling accurate session attribution. |
| _pk_ref | first-party | 6 months | Stores referrer attribution data including the source (search engine, social media, external website, or campaign URL) that brought the visitor to the site. |
| _pk_cvar | first-party | 30 minutes (session) | Stores custom variables in key-value pairs to define additional metadata about the visitor or their actions during a session. |
| mtm_consent | first-party | Until withdrawn (default: 30 years) | Records that the visitor has given consent to be tracked. Set when using Matomo's built-in consent management or a CMP integration. |
| mtm_consent_removed | first-party | Until withdrawn (default: 30 years) | Records that the visitor has opted out of being tracked. Used when the visitor withdraws previously given consent. |
| _pk_hsr | first-party | Session | Used by Heatmap and Session Recording features to track which areas of a webpage visitors interact with and to capture session recording data. |
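One way to check that a live site actually matches this table, as an added example that is not Matomo's or this page's own code: it audits a cookie jar exported from the browser against the declared lifetimes and flags tracking cookies that exist before consent was given. The jar contents below are constructed; `auditMatomoCookies`, `parseMatomoCookieName` and `DECLARED_LIFETIME` are names chosen for this example; the `<base>.<idsite>.<domainhash>` cookie naming (e.g. `_pk_id.1.1fff`) is what the Matomo JavaScript tracker uses, while the mtm_consent cookies keep their plain names.

```javascript
// Added example, not code from Matomo or from this page's author: audit an
// exported cookie jar against the Matomo cookie table above. The jars below are
// constructed; in practice export them from DevTools or a headless browser after
// loading the page (a) before and (b) after giving consent.
// Assumption: the Matomo JS tracker names its cookies "<base>.<idsite>.<domainhash>",
// e.g. "_pk_id.1.1fff", while the consent cookies keep their plain names.

const DAY = 86400;
// Declared maximum lifetimes in seconds, taken from the table; null marks a
// session cookie. Months are counted as 31 days so Matomo's own values pass.
const DECLARED_LIFETIME = {
  _pk_id: 13 * 31 * DAY,
  _pk_ses: 30 * 60,
  _pk_ref: 6 * 31 * DAY,
  _pk_cvar: 30 * 60,
  _pk_hsr: null,
  mtm_consent: 30 * 365 * DAY,
  mtm_consent_removed: 30 * 365 * DAY,
};

// "_pk_id.1.1fff" -> { base: "_pk_id", idsite: 1, domainHash: "1fff" }
function parseMatomoCookieName(name) {
  const m = /^(_pk_[a-z]+)\.(\d+)\.([0-9a-f]+)$/i.exec(name);
  return m ? { base: m[1], idsite: Number(m[2]), domainHash: m[3] }
           : { base: name, idsite: null, domainHash: null };
}

// cookies: [{ name, expires }] where expires is a Unix timestamp in seconds or
// -1 for a session cookie. Returns a list of findings; empty means the jar
// matches the declared policy for the given consent state.
function auditMatomoCookies(cookies, { consentGiven, now }) {
  const findings = [];
  for (const c of cookies) {
    const { base } = parseMatomoCookieName(c.name);
    if (!base.startsWith('_pk_') && !base.startsWith('mtm_')) continue; // not Matomo's
    if (!(base in DECLARED_LIFETIME)) {
      findings.push({ cookie: c.name, issue: 'undeclared Matomo cookie' });
      continue;
    }
    // Tracking cookies (_pk_*) must not exist until consent has been given.
    if (base.startsWith('_pk_') && !consentGiven) {
      findings.push({ cookie: c.name, issue: 'tracking cookie set before consent' });
    }
    const declared = DECLARED_LIFETIME[base];
    const remaining = c.expires === -1 ? null : c.expires - now;
    if (declared === null && remaining !== null) {
      findings.push({ cookie: c.name, issue: 'declared as session cookie but persists' });
    } else if (declared !== null && remaining !== null && remaining > declared) {
      findings.push({ cookie: c.name, issue: `lifetime ${Math.round(remaining / DAY)} days exceeds declared maximum` });
    }
  }
  return findings;
}

// Constructed sample: what a correctly configured site leaves after consent
// (lifetimes close to Matomo's defaults of 13 months, 30 minutes, 6 months).
const SAMPLE_NOW = 1700000000;
const SAMPLE_JAR_OK = [
  { name: '_pk_id.1.1fff', expires: SAMPLE_NOW + 393 * DAY },
  { name: '_pk_ses.1.1fff', expires: SAMPLE_NOW + 30 * 60 },
  { name: '_pk_ref.1.1fff', expires: SAMPLE_NOW + 182 * DAY },
  { name: 'mtm_consent', expires: SAMPLE_NOW + 30 * 365 * DAY },
  { name: 'PHPSESSID', expires: -1 },                       // unrelated, ignored
];
// Constructed sample: a misconfigured site (visitor cookie lifetime raised to two
// years, heatmap cookie made persistent) audited before any consent was given.
const SAMPLE_JAR_BAD = [
  { name: '_pk_id.1.1fff', expires: SAMPLE_NOW + 2 * 365 * DAY },
  { name: '_pk_hsr.1.1fff', expires: SAMPLE_NOW + 7 * DAY },
  { name: 'mtm_consent_removed', expires: SAMPLE_NOW + 30 * 365 * DAY },
];

for (const f of auditMatomoCookies(SAMPLE_JAR_BAD, { consentGiven: false, now: SAMPLE_NOW })) {
  console.log(`${f.cookie}: ${f.issue}`);
}
```

Run the audit twice, once on the jar captured before the banner is answered (expect no `_pk_*` cookies at all in a consent-gated setup, and none ever in the CNIL cookieless setup) and once after accepting. Matching on the cookie's base name matters because the site id and domain hash in the real names will not equal the bare names listed in a cookie policy.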
Matomo sets four main first-party cookies: _pk_id (unique visitor ID, 13 months), _pk_ses (session tracking, 30 minutes), _pk_ref (referrer attribution, 6 months), and _pk_cvar (custom session variables, 30 minutes). Optional cookies include mtm_consent and mtm_consent_removed for consent management, and _pk_hsr for Heatmaps and Session Recordings. Matomo can also be configured to run entirely without cookies.
In most EU countries, consent is required under ePrivacy rules before any analytics tracking, including Matomo. However, in France (CNIL), Spain, Italy, and the Netherlands, Matomo can qualify for a consent exemption when configured with specific privacy settings: cookieless mode, IP anonymisation, no cross-site tracking, and limited data retention. In strict jurisdictions like Germany, Austria, and Ireland, consent is always required regardless of configuration.
Two legal bases apply to Matomo: consent or legitimate interest. Consent is the safest option and is required in most EU jurisdictions. Legitimate interest can be used if you complete a Legitimate Interest Assessment (LIA) documenting the purpose, necessity, and balancing test. When relying on the CNIL exemption, the legal basis for ePrivacy compliance is the strictly necessary exemption, but GDPR requirements still apply if personal data is processed.
Matomo does not send data to third parties. With Matomo On-Premise, all data stays on your own servers in the location you choose. With Matomo Cloud, data is stored exclusively in EU data centres (Germany and France). Matomo never shares data with third parties or uses it for its own purposes. This is a major compliance advantage over tools like Google Analytics, whose use has been found unlawful by several EU DPAs because of US data transfers.
A DPIA is generally not required for standard Matomo deployments with default privacy settings, as the tool is designed for privacy by default with no third-country transfers. However, a DPIA is recommended when enabling Heatmaps and Session Recordings, processing data of vulnerable groups, combining Matomo data with other personal data sources, or using User ID tracking to link sessions to identified individuals.
Key steps: choose On-Premise or Matomo Cloud for full data control. Enable IP anonymisation (2 or 3 bytes). Set appropriate data retention policies. Document Matomo in your ROPA. Update your privacy policy. Integrate with a CMP or use Matomo's built-in consent API (_paq.push(['requireConsent']) or _paq.push(['requireCookieConsent'])). For CNIL exemption, follow the official configuration guide. Provide an opt-out mechanism via Matomo's opt-out iframe or a custom form.
Privacy-focused analytics alternatives include Plausible Analytics (cookieless, lightweight, EU-hosted), Fathom Analytics (cookieless, simple, privacy-first), GoatCounter (open source, minimal tracking), and Umami (open source, self-hosted). For organisations needing full feature parity with Google Analytics, Matomo remains the most comprehensive privacy-friendly option with its self-hosted model and CNIL approval.
Your cookie policy should list each Matomo cookie by name, type, purpose, and duration: _pk_id (persistent, visitor identification, 13 months), _pk_ses (session, session tracking, 30 minutes), _pk_ref (persistent, referrer attribution, 6 months), _pk_cvar (session, custom variables, 30 minutes). If using consent management, also list mtm_consent and mtm_consent_removed. State that Matomo uses first-party cookies only, that data is stored on your servers or in the EU, and that no data is shared with third parties. If configured for cookieless tracking, state that no cookies are used for analytics.