Legally secure measures and cookie consent
Matomo (formerly Piwik) is an open source project. As an alternative to Google Analytics, Matomo offers website analysis tools that are used to record the activities of your visitors. Matomo uses cookies of various types for this purpose. In order to make Matomo GDPR compliant, a Matomo Cookie Consent is essential. Corresponding information must also be provided in the Matomo data protection declaration. This raises the question of what you, as a website operator, generally have to pay attention to if you want to operate Matomo in accordance with the GDPR.
Matomo: the open source software at a glance
Matomo Analytics is considered a major competitor to the market leader Google Analytics. Like that software, Matomo is used to record visitor activities on your website. Other functions include statistics and referrer analysis.
Matomo is based on PHP and uses a MySQL database. The intuitive handling and the privacy-friendly setting options contribute to the popularity of the analysis tool. Matomo is used on over a million websites in more than 200 countries.
Matomo already advertises that, unlike Google Analytics, it does not require tracking consent from website visitors. Matomo promises that this makes it GDPR compliant and legally secure. Matomo states on its own website that the information aggregated in this way is not passed on and thus remains entirely with the site operator. As the operator, you can determine where (in which data centres) the data is stored. This is another point where Matomo differs from Google Analytics, whose terms of use stipulate that the data is stored in an unspecified Google network. In practice, this means that Google Analytics can also store the data in countries such as the USA.
Make Matomo GDPR compliant: What you need to pay attention to
To operate Matomo in a GDPR-compliant way, it is important to always keep an eye on the current legal situation. Data protection requirements tend to be tightened from one judgment to the next. In online marketing and among website operators, there is therefore growing concern that fewer and fewer users will agree to the use of tracking and analytics cookies. However, these tools are important for performing analyses and the optimizations based on them. The performance of each page depends on the use of many cookies.
A special feature of Matomo Analytics is full data control. You have the data-saving option of operating Matomo without cookies and thus without visitor analysis. This raises the question of whether and under what conditions Matomo, like Google Analytics, depends on user consent, and what measures are required to ensure that the use of Matomo is GDPR-compliant.
ECJ ruling: How Matomo becomes GDPR compliant
To make Matomo GDPR-compliant, the ECJ judgment on cookies from 2019 must also be considered.
In the past, before the GDPR, tools such as Google Analytics or Matomo could be used without consent as long as site operators adhered to certain specifications (e.g. a data processing agreement (AV contract) and anonymization of the IP address). Even after the GDPR came into force, many site operators relied on the so-called “legitimate interest” under Art. 6 para. 1 lit. f GDPR.
The ECJ ruling of 2019 (Case C-673/17) provides a more explicit rule on the handling of cookies: since then, the express consent of the user has been required before Matomo cookies, Google Analytics cookies or other data are created. The practical implementation must take place via a double opt-in. It is not legal to create cookies with Matomo before the user has consented. The only exceptions are technically mandatory cookies. Everything that goes beyond the essential operation of the website requires explicit consent.
A Matomo cookie consent banner supports you in implementing this requirement. It handles the Matomo cookie consent by displaying a notification as soon as visitors reach your site. Even before the content of the page loads, users are asked for their consent via the consent banner.
Furthermore, the coordination body of the German data protection supervisory authorities (DSK) offers guidance for telemedia providers. It explains certain measures and settings that contribute to the legally compliant operation of the website.
Frameworks and standards for handling Matomo cookies
To make Matomo GDPR compliant, certain legal framework conditions must be observed, and various frameworks support you in complying with them. There is a standard, or framework, for dealing with cookie consent: the industry association IAB Europe (Interactive Advertising Bureau) has published the TCF (Transparency and Consent Framework), which ensures legally compliant cookie management. The standard, first published in 2018, is now available in version 2.0. Modern CMPs (Consent Management Providers) such as Consentmanager use this framework as the basis on which they obtain consent for cookie processing.
The publishers of this standard aim to make the status of user consent to the processing of cookies transparent at all times. The information should be accessible to everyone involved in the delivery chain of the Matomo cookies (mostly advertisers and other service providers), so that they are informed about the status of consent to the Matomo cookies.
A consent tool for Matomo cookies, which is based on the IAB framework, therefore first determines whether the user has consented to the processing of Matomo cookies at all. In the next step, the Matomo Cookie Consent Tool can identify which specific cookies users have consented to. This also includes information about the type and scope of consent to the use of cookies.
Measures for GDPR-compliant use of Matomo
Various measures help to ensure that Matomo operates in accordance with the GDPR. The legal certainty of open source software can be maintained if certain principles are observed.
Matomo without cookies and without opt-in
In Matomo you will find the setting to deactivate all tracking cookies and thus use Matomo without cookies. Used in this way, Matomo is unproblematic under the GDPR. It is also possible to adapt the software's JavaScript tracking code accordingly. In both cases, any remaining Matomo cookies are deleted the next time the page is accessed.
If no Matomo cookies are set, explicit consent via opt-in is no longer required to operate Matomo in a GDPR-compliant way. Nevertheless, the requirement to inform your visitors about the use of the tool remains. You should do this at least in the privacy policy. When using our consent manager, you can also list Matomo there. Since consent is no longer required if Matomo cookies are not used, classification in the “essential” category is sufficient, for which there is no opt-out option.
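The two ways of running the tracker described above (cookieless, or cookies only after the visitor accepts the analytics cookie group) as an added example; this is not code from the page or from Matomo's own documentation. It assumes a Matomo instance at the placeholder MATOMO_URL, site id "1", and a consent banner that calls applyConsentDecision() with the visitor's choice per cookie group; in a browser the tracker reads window._paq, in Node it is a plain array so the queued commands can be inspected offline.

```javascript
// Added example, not code from the page or from Matomo's own documentation.
// Assumptions: a Matomo instance at the placeholder MATOMO_URL, site id "1",
// and a consent banner that calls applyConsentDecision() with the visitor's
// choice per cookie group. In a browser the tracker reads window._paq; in
// Node it is a plain array so the queued commands can be inspected offline.
const MATOMO_URL = "https://matomo.example.invalid/"; // placeholder host
const SITE_ID = "1";
const _paq = typeof window !== "undefined" ? (window._paq = window._paq || []) : [];

// "cookieless": no tracking cookie is ever set (no opt-in needed, but the privacy
// policy must still name Matomo). "consent": the tracker starts cookieless and
// only sets _pk_* cookies once the visitor accepts the analytics cookie group.
function initTracker(mode) {
  if (mode === "cookieless") {
    _paq.push(["disableCookies"]);
  } else if (mode === "consent") {
    _paq.push(["requireCookieConsent"]); // must come before trackPageView
  } else {
    throw new Error("unknown tracker mode: " + mode);
  }
  _paq.push(["trackPageView"]);
  _paq.push(["enableLinkTracking"]);
  _paq.push(["setTrackerUrl", MATOMO_URL + "matomo.php"]);
  _paq.push(["setSiteId", SITE_ID]);
  return _paq;
}

// Called by the banner. `choices` maps cookie groups to the visitor's answer,
// e.g. { essential: true, analytics: false }; only "analytics" affects Matomo.
function applyConsentDecision(choices) {
  if (choices.analytics === true) {
    // Remember the decision for 30 days (720 h) so the banner is not shown
    // again on every visit; Matomo stores it in its own consent cookie.
    _paq.push(["rememberCookieConsentGiven", 720]);
    return "cookies-enabled";
  }
  // Refusal or withdrawal: drop the consent cookie and any tracking cookies.
  _paq.push(["forgetCookieConsentGiven"]);
  _paq.push(["deleteCookies"]);
  return "cookies-disabled";
}

// Self-check: the cookie gate must be queued before the first page view,
// otherwise a cookie could be written before the visitor has decided.
function consentGateBeforeTracking(queue) {
  const isGate = c => c[0] === "requireCookieConsent" || c[0] === "disableCookies";
  const gate = queue.findIndex(isGate);
  const track = queue.findIndex(c => c[0] === "trackPageView");
  return gate !== -1 && track !== -1 && gate < track;
}
```

The banner's "withdraw consent" control should call applyConsentDecision with analytics set to false, so that the withdrawal the privacy policy promises actually removes the cookies.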
The Matomo privacy policy
Whenever you use Matomo, you must comply with the GDPR, including in your data protection guidelines. The GDPR generally applies in all cases in which personal data is processed. This already includes such basic things as the location, name or even the IP address of your visitors. This and other information serves to identify your visitors or makes them identifiable.
Whenever you collect personal data with Matomo, the GDPR applies. The processing of this data generally requires the consent of your visitors. The only exception that allows operating Matomo in a GDPR-compliant way without consent is when the data processing is necessary to fulfil a contract with the user.
In the Matomo data protection declaration, you as the website operator must inform your users comprehensively about the collection and processing of personal data. This transparency requirement is based on Art. 13 GDPR.
Adapting the data protection declaration to make Matomo GDPR-compliant requires at least the following information: you must clearly state the scope of the data collection and the legal basis on which it rests. Furthermore, the Matomo data protection declaration must provide information on the storage period, and it should indicate the criteria on which the storage period is based. In particular, the right of withdrawal and the ways of exercising it must also be covered by the data protection declaration.
Anonymization of the IP
If personal data is anonymized, the GDPR no longer applies. Anonymizing the IP address is therefore an important contribution to data protection. Data is considered anonymous if the visitor can no longer be identified because the personal reference has been removed. An important prerequisite is that the anonymization cannot be reversed (the alternative is pseudonymization). For IP addresses, the question arises as to how many bytes must be anonymized so that visitors can no longer be identified. Here the developers recommend anonymizing 2 or 3 bytes of the IP address in Matomo to meet the GDPR requirements.
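What masking 2 or 3 bytes of an IPv4 address actually does to the stored value, and how many visitors then share one stored value, as an added example that is not Matomo's own code. The masking rule (zero the trailing bytes) is the one the text describes; the function names and the sample addresses are assumptions.

```javascript
// Added example, not Matomo's own code: what masking the last 2 or 3 bytes of
// an IPv4 address does to the stored value, and how many visitors then share
// one stored value. The rule (zero the trailing N bytes) is the one the text
// describes; the function names and the sample addresses are assumptions.
function anonymizeIPv4(ip, bytesToMask) {
  if (!Number.isInteger(bytesToMask) || bytesToMask < 0 || bytesToMask > 4) {
    throw new RangeError("bytesToMask must be between 0 and 4");
  }
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new TypeError("not a valid IPv4 address: " + ip);
  // keep the leading (4 - N) octets, replace the trailing N with 0
  return octets
    .map((o, i) => (i < 4 - bytesToMask ? String(Number(o)) : "0"))
    .join(".");
}

// Count how many distinct visitor addresses collapse onto each stored value.
// The larger the group behind a value, the weaker the link to one person;
// a group of size 1 means the masking did not hide that visitor at all.
function anonymitySets(addresses, bytesToMask) {
  const groups = new Map();
  for (const a of addresses) {
    const key = anonymizeIPv4(a, bytesToMask);
    groups.set(key, (groups.get(key) || 0) + 1);
  }
  return groups;
}

// The smallest group size is the figure to watch when choosing the mask length.
function smallestGroup(groups) {
  return Math.min(...groups.values());
}

// Constructed sample (documentation ranges, not real visitors).
const SAMPLE_VISITORS = [
  "198.51.100.7", "198.51.100.200", "198.51.101.9",
  "203.0.113.4", "203.0.113.250", "203.0.114.1",
];
```

On this sample, masking one byte still leaves two visitors alone in their group, while two or three bytes merge every address into a group of three; the masked value is also all Matomo ever stores, so there is nothing to reverse.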
Remove legacy data
To use Matomo in a GDPR-compliant way, it is also advisable to remove old data. Some privacy advocates and regulators believe that older analytics profiles were often created without a legal basis and should therefore be deleted. Deleting old data or existing analysis profiles is relatively easy in Matomo: in the “Settings” section, under the “Privacy” tab, you will find the “Anonymize data” option. Here you can also anonymize old, already collected tracking data and remove or delete older visitor logs.
The Matomo cookie banner and its importance
Your visitors must also be informed about the use of Matomo Analytics. A Matomo cookie consent banner supports you in this. As soon as visitor data is to be recorded and stored in the form of cookies on end devices, obtaining consent becomes essential. Both the notice and the consent are handled via such a cookie banner. It is important in this context that, according to the ECJ, no distinction is made between personal and non-personal data: the privacy of your users is affected by the storage of and access to cookies, and this also applies to non-personal data. The only exception is technically essential cookies, without which the website cannot be operated. These are so-called consent-free cookies.
If you use Matomo as the operator of the website, the question arises whether you use only technically essential cookies or also those that are not strictly necessary. In the latter case, you must obtain the active consent of the user and explicitly inform your visitors about the use of cookies. This includes comprehensive information on the function of the cookies, how long they remain active and whether third parties also have access to them.
It is advantageous and common practice on many websites to group the cookies used. These cookie groups are then given a brief description and each have their own consent option. A good Matomo Cookie Consent Provider offers these options integrated in the consent banner.
Consent Manager: Solutions for legally compliant Matomo Cookie Consent Management
As a website operator, it is very important for you to make the use of Matomo GDPR compliant. This includes taking measures for legally secure Matomo cookie consent. With a consent management solution like Consentmanager, you can inform your visitors comprehensively about the use of Matomo cookies and, in the same step, ask them for their consent to the use of cookies. For Matomo, a consent management tool takes into account GDPR conformity and the requirements of the ECJ ruling.
Furthermore, this technical implementation of Matomo cookie management has the advantage of contributing to a positive user experience. Users are informed about the use of Matomo cookies immediately when they visit the site and are asked for their consent. The user’s demand for data protection is taken seriously, and the decision on the type and scope of the permitted cookies rests entirely with the visitor.
The essential factors of a positive user experience are a long stay, a high acceptance rate and a low bounce rate. A good consent management tool contributes to a high acceptance rate and keeps the bounce rate correspondingly low. The overarching goals of customer acquisition and customer loyalty thus benefit from the use of the consent manager.
With the Consent Manager you have a real-time overview of the current acceptance rates and the length of stay. This enables conclusions to be drawn about the current performance of your website and at the same time reveals the optimization potential.
Thanks to responsive customization, the consent manager is suitable for almost all devices and operating systems. This is particularly important because customers generally access websites from different end devices. Operating Matomo in a GDPR-compliant way matters beyond the borders of Germany if you have international visitors. Thanks to its international orientation and support for more than 30 languages, the consent manager is suitable for visitors from the entire GDPR area and beyond. The Matomo cookie consent banner is automatically displayed in the language of the user accessing the site.
FAQ about Matomo and GDPR
Since the ECJ ruling at the latest, cookies that are not technically required may only be set with express consent. These cookies contain valuable tracking and analytics data that many websites rely on to perform well. With Consentmanager you give your customers a legally secure way to consent to the processing of these cookies.
The GDPR applies to all personal data. You often process personal data with Matomo, and the GDPR requires the data protection declaration to state this. Name, location and IP address are already personal data as they enable identification.
When using Matomo, the GDPR must be observed as well as the ECJ ruling on cookies. It matters whether only technically essential (“consent-free”) cookies or other cookies are used; this also depends on the Matomo settings. Cookies that are not technically required need active consent before use. Users must also be informed about the function, how long the cookies remain active, and access by third parties.