Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Matomo Tag Manager (MTM) is the open source tag management system bundled with Matomo Analytics. It loads from your own Matomo server or from Matomo Cloud (hosted in Germany) and lets you manage analytics, advertising and custom tags from a visual interface without touching the code base. Because the container itself does not transmit data to Google or any non European cloud, MTM is one of the few tag managers that can be deployed in Europe without third country transfers.
Matomo Tag Manager (MTM) is the tag management module bundled with the open source Matomo platform. It serves a single container script (container_xxxxxxxx.js) on the publisher pages and uses configurable triggers and variables to load downstream tags: Matomo analytics, Google Ads conversion, Meta Pixel, LinkedIn Insight, TikTok Pixel, custom HTML tags, etc. MTM positions itself as the privacy first alternative to Google Tag Manager because the container itself can be hosted in the EU on Matomo Cloud (France) or fully self hosted on the publisher infrastructure.
The MTM container itself does not write any persistent identifier. The only cookies that may appear on the publisher domain are mtm_consent (long lived, stores the visitor consent decision), mtm_consent_removed (counterpart for refusal), and mtm_cookie_consent (alternative naming used in older builds). These cookies fall under the strictly necessary category because their sole purpose is to remember the consent choice; the EDPB guidelines on cookie walls and the CNIL exemption confirm this. Every other cookie observed on the page comes from a vendor tag triggered by MTM.
MTM ships with a native consent management API (mtm.consent.set, mtm.consent.remove, mtm.consent.requireConsent) that lets the publisher gate individual tags by category. Tags marked Requires Consent will not fire until the visitor accepts the relevant purpose; tags marked Exempt fire immediately. Connect this API to your CMP (Klaro, Cookiebot, OneTrust, Didomi, CookieFirst, etc.) so that opt in, opt out and partial consent are honoured automatically. Document the mapping between CMP purposes and MTM categories in your privacy notice to meet GDPR art. 13 information duties.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
MTM itself does not cause any third country transfer when it is hosted on Matomo Cloud (France) or on the publisher EU server. However, almost every commercial vendor tag that the publisher chooses to load (Google, Meta, TikTok, LinkedIn, Microsoft, etc.) transfers personal data to the United States or other third countries. The publisher remains controller and must justify each transfer through the EU US Data Privacy Framework certification of the relevant vendor and through Standard Contractual Clauses for any onward transfer. Maintain an up to date inventory of tags and their data flows.
Host the MTM container on Matomo Cloud (France) or on your own EU server. Set requireConsent on every non exempt tag. Disable the Preview mode for end users in production. Document each loaded tag, its category and its retention in your records of processing (GDPR art. 30) and in the cookie banner. Run a DPIA when MTM loads behavioural advertising tags or cross site identifiers (GDPR art. 35). Refresh the consent every 6 months or when you add a new tag, in line with CNIL deliberation 2020 091.
The main alternatives are Google Tag Manager (free but US hosted with Schrems II implications), Tealium iQ (paid enterprise with EU hosting), Piano Tag Manager (formerly AT Internet, France) and Commanders Act (France). Server side Google Tag Manager and Stape.io are options when the publisher wants to minimise the data shared with US vendors, but they shift the legal responsibility to the publisher under GDPR art. 28.
Websites using Matomo Tag Manager must obtain user consent under GDPR regulations.
DPIA considerations
Matomo Tag Manager itself, as an orchestrator, does not require a DPIA. A DPIA is needed when the downstream tags triggered by the container meet the EDPB WP248 high risk criteria (large scale behavioural monitoring, profile enrichment, third country transfer with US risk, etc.). Document inside your Article 30 record both the container (low risk) and each downstream tag with its own configuration, retention and legal basis. The container changelog and version history available in MTM should be archived to evidence consent gating governance.
Sample consent text
We use Matomo Tag Manager (MTM), an open source tag management system, to load measurement and marketing scripts on this site only after we obtain the relevant consent. The MTM container itself runs from our European infrastructure (Matomo Cloud in France or our own server) and does not transfer your data outside the EEA. Each tag loaded through MTM (analytics, advertising, social) has its own purpose and is activated only if you accept the corresponding category in our cookie preferences. You can change or withdraw your consent at any time.
Third-party domains contacted
matomo.cloudmatomo.cloudinnocraft.cloudinnocraft.cloudmatomo.orgmatomo.orgCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mtm_consent | persistent | 30 years | Stores consent state for Matomo Tag Manager when the built in consent variable is enabled. |
| mtm_consent | First party (Matomo Tag Manager) | 30 years (configurable) | Stores the visitor's consent decision and the timestamp for tag firing. |
| mtm_cookie_consent | persistent | 30 years | Marks that the user has interacted with the consent prompt for tags managed by MTM. |
| mtm_consent_removed | First party (Matomo Tag Manager) | 30 years (configurable) | Recorded when the visitor refuses consent, prevents non essential tags from firing. |
| mtm_debug | session | Session | Set only when an authenticated administrator activates the MTM preview/debug mode. |
| mtm_cookie_consent | First party (Matomo Tag Manager) | Session | Legacy session cookie used by older MTM versions for consent tracking. |
Matomo Tag Manager collects user analytics data — you legally need a consent banner. Try FlowConsent free.
The MTM container itself does not set tracking cookies. It can store a transient first party cookie when an admin uses preview/debug mode, and the consent variable can persist a small first party preference. Tracking cookies come from the tags fired through MTM (Matomo Analytics, Meta Pixel, etc.), not from the container loader.
Loading the empty MTM container can rely on legitimate interest under Article 6(1)(f) GDPR. However, every tag that MTM fires which sets cookies, reads identifiers or transfers data abroad requires prior consent under Article 5(3) ePrivacy. In practice you must gate those tags with the MTM consent variable connected to your CMP.
Two layers apply. The container loader: legitimate interest (Art. 6(1)(f) GDPR). Tags that store or read information on the device, profile users or transfer data: explicit, granular consent (Art. 6(1)(a) GDPR) plus Art. 5(3) ePrivacy. Document the distinction in your record of processing.
No. The MTM container is served from the customer Matomo instance (self hosted in the EU) or from Matomo Cloud in Germany. There is no transfer to the United States by default. Tags fired through MTM may still create their own transfers (a Meta Pixel will continue to send data to the US), so the assessment must be done tag by tag.
A DPIA is generally not required for the container itself, particularly when MTM is self hosted in the EU and used only to manage tags. A DPIA may be triggered by the underlying tags: session recording, advertising profiling, large scale tracking or transfers to the United States.
Self host MTM in the EU or use Matomo Cloud, enable the consent variable, integrate it with your CMP so that consent dependent tags only fire after opt in, prefer Matomo Analytics in cookieless mode, document MTM and every fired tag in the cookie policy and review the container regularly.
The main alternative is Google Tag Manager, but GTM creates third country transfers and does not solve the underlying compliance issues. Other options include Tealium iQ, Commanders Act TagCommander, Piano Manager, server side GTM hosted in the EU and Adobe Launch. None of them ship with Matomo Cloud in Germany out of the box.
List Matomo Tag Manager itself (publisher: InnoCraft, hosting: self hosted or Matomo Cloud Germany, legal basis: legitimate interest, no third country transfer for the container) and then list every individual tag fired through MTM with its own purpose, retention, cookies and legal basis. Update the policy each time a new tag is added in MTM.
Only one first party cookie, mtm_consent (or mtm_consent_removed when consent is refused), which stores the consent decision and the timestamp. All other cookies are set by the tags fired by the container, not by MTM itself.
Loading the empty container before consent is permissible because MTM by itself does not collect personal data. You must, however, ensure that no consent gated tag fires until the visitor accepts. Configure each tag with a consent type and wire the container to your CMP.
The container itself is based on legitimate interest (technical necessity to fire tags). Each tag inherits its own legal basis: legitimate interest for hardened analytics, consent for marketing or advertising tags.
The container script is served from your Matomo instance, so no US transfer occurs from MTM itself. Tags fired by the container may transfer data to their respective vendors and must be assessed individually.
Not for the container. Each tag must be assessed on its own merits. A DPIA is recommended when MTM is used to deploy large numbers of marketing tags, sensitive tracking or behavioural advertising.
Host Matomo in the EU, classify every tag, assign the matching consent type, connect MTM to your CMP, restrict admin access with the Matomo permission system and use container versioning to keep an audit trail.
Google Tag Manager (the market leader, with US transfer concerns), Tealium iQ (US), Adobe Experience Platform Launch (US), Piwik PRO Tag Manager (EU), Commanders Act TagCommander (FR) and the open source Tag Manager Plus.
List the mtm_consent cookie as strictly necessary (consent technology) and add a dedicated entry for each tag fired by the container. Re generate the policy after every container publish.