Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Open Web Analytics (OWA) is a free open source web analytics platform written in PHP and MySQL. Maintained by Peter Adams, it is self hosted and offers pageview tracking, sessions, click maps, heatmaps and DOM event recording, comparable to Matomo on premises.
Open Web Analytics, often called OWA, is a free open source web analytics platform written in PHP with a MySQL database. It is maintained by Peter Adams under a GPL licence and is installed on the operator''s own server, typically alongside the website it measures. OWA tracks pageviews, sessions, referrers, clicks, mouse movements, scroll depth, DOM events and supports a Matomo style dashboard. It is a popular alternative for organisations that want full control over their analytics stack.
By default the JavaScript tracker writes two first party cookies on the website''s own domain: owa_v, a persistent visitor identifier, and owa_s, a short lived session cookie. The tracker can also collect IP addresses, screen size, user agent, referrer, mouse coordinates for heatmaps and DOM events. All of this is stored in the operator''s MySQL database, never sent to a third party by OWA itself.
Even when the data stays on the controller''s servers, writing or reading the owa_v cookie still triggers Art 5(3) of the ePrivacy Directive. The cookie is first party, but it is not strictly necessary to deliver the requested service. Under Art 4 GDPR the IP address and visitor identifiers are personal data. Operators must therefore choose a lawful basis under Art 6 and decide whether the cookies need consent or fall under a national exemption.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
In the default configuration with heatmaps, persistent cookies and full IPs, OWA needs prior consent under Art 6(1)(a) GDPR. A simpler setup, with IP anonymisation, no cross site tracking, short retention and no fingerprinting, can qualify for the CNIL measurement exemption that mirrors the EDPB analytics guidance. Operators must document which configuration they run and why.
Because OWA is self hosted, there is no built in transfer to a third country. Data location simply follows the hosting provider. EU hosted OWA stays in the EU and avoids Chapter V GDPR. If the operator runs OWA on a US cloud provider that qualifies as an importer, Standard Contractual Clauses and a Transfer Impact Assessment become necessary.
Pick an EU host, enable IP anonymisation, set a short retention window for raw logs, disable heatmaps when not strictly needed, and gate the JavaScript tracker behind your consent banner unless your configuration matches the local analytics exemption. Document OWA in the records of processing under Art 30 and mention it in the privacy notice as a first party measurement tool.
Websites using Open Web Analytics must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA under Art 35 GDPR is usually not mandatory when OWA is self hosted in the EU with IP anonymisation, short retention and no heatmaps. It becomes recommended if the operator activates session replay style features, mouse heatmaps, cross site tracking or stores raw IP addresses for long periods, since these patterns approach systematic monitoring.
Sample consent text
We use Open Web Analytics, a self hosted open source tool, to understand how visitors use this site. With your consent, we store first party cookies owa_v and owa_s on this domain to measure visits, clicks and sessions. Data stays on our own servers. You can refuse or withdraw at any time.
Third-party domains contacted
openwebanalytics.comgithub.com/Open-Web-AnalyticsCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| owa_v | first party analytics | around 2 years | Persistent visitor identifier written by the OWA JavaScript tracker on the operator's own domain. Allows OWA to recognise returning visitors, link sessions to a single profile and compute audience metrics like new vs returning users. |
| owa_s | first party analytics | session | Short lived session cookie set by the OWA tracker on the operator's own domain. Groups individual events and pageviews into a single visit so OWA can compute session level metrics such as duration, bounce and entry pages. |
Open Web Analytics collects user analytics data — you legally need a consent banner. Try FlowConsent free.
OWA writes two first party cookies on the website's own domain: owa_v, a persistent visitor identifier valid for about two years, and owa_s, a session cookie. Both are stored under the operator's domain rather than a third party domain, which keeps the data inside the controller's perimeter but still triggers cookie law.
In the default behavioural configuration, yes. The owa_v cookie is not strictly necessary for the service, so Art 5(3) ePrivacy applies. A stripped down setup with IP anonymisation, no cross site tracking, short retention and no fingerprinting may qualify for the analytics exemption recognised by the CNIL, the German DSK and the EDPB.
Default configuration: consent under Art 6(1)(a) GDPR. Cookieless or exemption compliant configuration: legitimate interest under Art 6(1)(f), provided you can demonstrate balancing in a documented LIA. Either way, the legal basis must be reflected in the privacy notice and in the records of processing activities.
Not by the software itself. OWA is self hosted, so data location follows the operator's servers. If you self host on EU infrastructure, no transfer takes place. If you run OWA on a US cloud provider, Standard Contractual Clauses and a Transfer Impact Assessment under Schrems II become necessary.
Not systematically. A DPIA under Art 35 GDPR is recommended when OWA is configured for heatmaps, session replay style features, mouse heatmaps, long retention of raw IPs or cross site identifiers. With a basic, anonymised configuration on EU infrastructure, the Art 30 register usually suffices.
Host in the EU, anonymise IPs, shorten retention, disable heatmaps unless strictly required, gate the tracker behind your consent banner unless the configuration matches the exemption, document the configuration, sign appropriate processor agreements with any hosting partner and mention OWA in the privacy notice as a first party analytics tool.
Matomo is the closest alternative, with a stronger product, an EU based company (InnoCraft, New Zealand and France), and a similar self hosted model. Plausible (Estonia) and Piwik PRO (Poland) are EU friendly options with built in consent free modes. For pure event tracking, PostHog Cloud EU or Umami are common choices.
List owa_v and owa_s as first party analytics cookies with their purpose and retention. State who hosts OWA, where the data lives, what retention applies, the legal basis chosen, and how to refuse or withdraw consent. Update the policy whenever you change the OWA configuration, retention or hosting location.