Matomo and cookies: do you still need a consent banner?

TL;DR

Matomo can be used without a cookie banner and without prior consent, but only if the tool is configured in "exempt" mode according to CNIL criteria. This exemption imposes strict conditions: purpose limited to audience measurement for the exclusive benefit of the publisher, no data cross-referencing, no sharing with third parties, IP anonymization, maximum cookie lifespan of 13 months, and maximum data retention of 25 months. If any single condition is not met, consent becomes mandatory again.

Is Matomo exempt from consent according to the CNIL?

The CNIL has confirmed that Matomo can be used to collect audience measurement data without prior user consent. Matomo is the only analytics tool explicitly cited by the CNIL in its documentation on consent exemption.

This exemption is not automatic. It only applies if Matomo is configured in a very specific way. By default, Matomo uses first-party cookies and does not share data with third parties, which is a good starting point. But several features must be disabled to remain within the scope of the exemption.

The consent exemption for audience measurement is provided by Article 82 of the French Data Protection Act. It covers trackers whose purpose is strictly limited to audience measurement, for the exclusive benefit of the site publisher, without data cross-referencing and without transmission to third parties.

What are the CNIL exemption conditions?

The CNIL defines precise criteria for an audience measurement tool to be exempt from consent. Here are the conditions to meet for Matomo.

Purpose strictly limited to audience measurement

The tool must only serve to produce anonymous, aggregated statistics: page views, time spent, traffic sources, bounce rate. No use for advertising targeting, profiling, or content personalization is allowed.

No cross-referencing with other processing

Data collected by Matomo must not be cross-referenced with other databases (CRM, emailing, advertising). Each site must have its own independent data.

No sharing with third parties

Data must not be transmitted to third parties, including other subsidiaries of the same group. This is one of the reasons why Google Analytics does not qualify for this exemption: data is transmitted to Google, which uses it for its own purposes.

IP address anonymization

The user's IP address must be anonymized. In Matomo, you need to enable anonymization of at least the last two octets of the IPv4 address (e.g., 192.168.xxx.xxx).

Cookie lifespan limited to 13 months

Audience measurement cookies must not have a lifespan exceeding 13 months. This duration must not be automatically extended during new visits.

Data retention limited to 25 months

Data collected through trackers must be retained for a maximum period of 25 months.

User information

Even in exempt mode, the user must be informed of the existence of trackers and their purpose, for example in the site's cookie policy. The exemption covers consent, not information.

How to configure Matomo in exempt mode

The CNIL has published a detailed configuration guide for Matomo. Here are the main steps.

Disable the "Visits log" and "Visitor profile" reports (in Administration, System, General settings, Live section). These features allow individual visitor identification, which falls outside the exemption scope.

Enable IP anonymization (in Administration, Privacy, Anonymize data). Anonymize at least the last two octets of the IPv4 address.

Verify that cross-domain tracking is not enabled. In exempt mode, each site must be measured independently, without cross-site tracking.

Verify that third-party cookies are not enabled. By default, Matomo uses first-party cookies, which is correct.

Verify that User ID is not used. In exempt mode, no personal identifier (login, email, etc.) should be associated with visits.

Verify that e-commerce features are not enabled. Order and cart tracking requires consent.

Set the visit cookie lifespan to a maximum of 13 months and data retention to a maximum of 25 months.

Do you still need a cookie banner with Matomo?

If Matomo is your only tracking tool and it is configured in CNIL exempt mode, you do not need to collect consent for Matomo specifically. This does not mean you need no banner at all.

If your site uses other trackers that require consent (Google Ads, Facebook Pixel, YouTube embeds, social sharing buttons, etc.), you still need a compliant cookie banner for those trackers. Matomo will simply be excluded from the consent request.

If your site only uses Matomo in exempt mode and no other tracker, a cookie banner is not required. However, you must still inform the user about the tracker in your privacy or cookie policy. You must also provide an opt-out mechanism, for example through the Matomo opt-out widget or by respecting the browser's Do Not Track signal.

A scan of your site can verify that Matomo is the only tracker present and that no non-exempt cookies are being placed.

Matomo vs Google Analytics: why the CNIL treats them differently

Google Analytics does not qualify for the CNIL audience measurement exemption. The main reason is that data collected by Google Analytics is transmitted to Google, which potentially uses it for its own purposes (advertising, service improvement). This sharing with a third party disqualifies Google Analytics from the exemption.

Matomo, in its self-hosted (on-premise) version or its cloud version (hosted in Europe by InnoCraft), keeps data exclusively for the site publisher. InnoCraft contractually commits not to use the data for its own purposes and not to share it with third parties.

This fundamental difference explains why Matomo can operate without consent in France (under conditions), while Google Analytics always requires prior consent.

Common mistakes (and how to avoid them)

Believing Matomo is automatically exempt. The exemption only applies if Matomo is configured according to CNIL criteria. A default installation is not necessarily compliant. Fix: follow the CNIL configuration guide point by point and document your configuration in your processing register.

Enabling features outside the scope. User ID, e-commerce tracking, heatmaps, session recordings, and cross-domain tracking require consent. If you enable any of these features, the exemption no longer applies to your entire Matomo installation. Fix: disable all features incompatible with the exemption.

Forgetting to inform users. The exemption covers consent, not information. You must inform visitors about Matomo in your privacy policy. Fix: add a clear mention in your cookie policy.

Not providing an opt-out mechanism. Even in exempt mode, the CNIL recommends allowing users to opt out of tracking. Fix: integrate the Matomo opt-out widget or respect the Do Not Track signal.

Using Matomo and Google Analytics in parallel. If you use GA alongside Matomo, the cookie banner is mandatory for GA. And if Matomo data is cross-referenced with GA or another tool, the Matomo exemption no longer applies. Fix: if switching to Matomo in exempt mode, remove GA or subject it to consent independently.

Checklist: Matomo in CNIL exempt mode

1. Matomo is self-hosted (on-premise) in the EU or on Matomo Cloud (EU servers).
2. IP anonymization is enabled (at least the last two octets).
3. Visits log and Visitor profile are disabled.
4. User ID is not used.
5. Cross-domain tracking is not enabled.
6. Third-party cookies are not enabled.
7. E-commerce tracking is not enabled.
8. Visit cookie lifespan is set to a maximum of 13 months.
9. Data retention is set to a maximum of 25 months.
10. The user is informed about Matomo usage (privacy policy).
11. An opt-out mechanism (opt-out widget or Do Not Track) is available.
12. A cookie audit confirms no other non-exempt tracker is present.

Conclusion

Matomo is the only analytics tool cited by the CNIL as eligible for the audience measurement consent exemption. But this exemption is not a free pass: it requires strict configuration, a limited purpose, and transparency toward users.

If your site uses other trackers (advertising, social media, embedded videos), you will still need a cookie banner for those trackers. Matomo only exempts you from consent for audience measurement, and only if all CNIL conditions are met.

To check the trackers present on your site and identify which ones require consent, run a free scan with FlowConsent.