Legally secure measures and cookie consent
Matomo: the open source software at a glance
Matomo Analytics is considered a major competitor to the market leader Google Analytics. Like that software, Matomo is used to record visitor activity on your website. Other functions include statistics and referrer analysis.
Matomo is based on PHP and uses a MySQL database. The intuitive handling and the privacy-friendly setting options contribute to the popularity of the analysis tool. Matomo is used on over a million websites in more than 200 countries.
Make Matomo GDPR compliant: What you need to pay attention to
When it comes to operating Matomo in a GDPR-compliant way, it is important to keep an eye on the current legal situation. Data protection requirements tend to be tightened from one judgment to the next. In online marketing and among website operators, there is therefore growing concern that fewer and fewer users will agree to the use of tracking and analysis cookies. However, these tools are important for performing analyses and the optimizations based on them. The performance of each page depends on the use of many cookies.
A special feature of Matomo Analytics is full data control. You have the data-saving option of operating Matomo without cookies and thus without visitor analysis. This raises the question of whether and under what conditions Matomo, like Google Analytics, depends on user consent, and what measures are required to ensure that the use of Matomo is GDPR-compliant.
ECJ ruling: How Matomo becomes GDPR compliant
In order to make Matomo GDPR-compliant, the ECJ judgment on cookies from 2019 must also be considered.
In the past, before the GDPR, tools such as Google Analytics or Matomo could be used without consent as long as site operators adhered to certain specifications (e.g. a data processing agreement, the German AV contract, and anonymization of the IP address). Even after the GDPR came into force, many site operators relied on the so-called “legitimate interest” under Art. 6 para. 1 lit. f GDPR.
The ECJ ruling of 2019 (Az.: C-673/17) provides a more explicit rule for the handling of cookies: since then, the express consent of the user has been required before Matomo cookies, Google Analytics cookies or other data are created. The practical implementation must take place via a double opt-in. It is not legal to create cookies with Matomo before the user has consented to this. The only exceptions are technically mandatory cookies. Everything that goes beyond the essential operation of the website requires explicit consent.
A Matomo cookie consent banner supports you in implementing this requirement. It regulates Matomo cookie consent by displaying a notice as soon as visitors reach your site. Even before the content of the page loads, users are asked for their consent via the consent banner.
Furthermore, the coordination body of the German data protection supervisory authorities (DSK) offers guidance for telemedia providers. It explains measures and settings that contribute to the legally compliant operation of a website.
Frameworks and standards for handling Matomo cookies
In order to make Matomo GDPR compliant, certain legal framework conditions must be observed, and various frameworks support you in complying with them. There is a standard for handling cookie consent: the industry association IAB Europe (Interactive Advertising Bureau) has published the TCF (Transparency and Consent Framework), which is intended to ensure legally compliant cookie management. The standard, first published in 2018, is now available in version 2.0. Modern CMPs (Consent Management Providers) such as Consentmanager use this framework as a basis to obtain consent for cookie processing.
The publishers of this standard aim to make the status of user consent to cookie processing transparent at all times. The information should be accessible to everyone involved in the delivery chain of the Matomo cookies (mostly advertisers and other service providers), who are thereby informed about the status of consent to the Matomo cookies.
Measures for using Matomo in a GDPR-compliant way
Various measures help to ensure that Matomo operates in accordance with the GDPR. The legal certainty of the open source software can be maintained if certain principles are observed.
Matomo without cookies and without opt-in
Each time you use Matomo, you must comply with the GDPR, including in your data protection guidelines. The GDPR generally applies in all cases in which personal data is processed. This already includes basic things such as the location, name or even the IP address of your visitors. This and other information serves to identify your visitors or is suitable for identifying them.
Whenever you collect personal data with Matomo, the GDPR applies. The processing of this data generally requires the consent of your visitors. The only exception that allows operating Matomo in a GDPR-compliant way without consent is when the data processing is necessary to fulfill a contract with the user.
In the Matomo data protection declaration, you as the website operator must inform your users comprehensively about the collection and processing of personal data. This transparency requirement is based on Art. 13 GDPR.
The GDPR-compliant data protection declaration for Matomo must contain at least the following information: first, you must clearly state the scope of the data collection and the legal basis on which it rests. Furthermore, the Matomo data protection declaration must state the storage period and should indicate the criteria on which that storage period is based. In particular, the right of withdrawal and the means of exercising it must also be covered by the data protection declaration.
Anonymization of the IP
Once personal data has been anonymized, the GDPR no longer applies to it. Anonymizing the IP address is therefore an important contribution to data protection. Data is considered anonymous if the visitor can no longer be identified because the personal reference has been removed. An important prerequisite in this context is that the anonymization can no longer be reversed (pseudonymization is the alternative). In the case of IP addresses, the question arises as to which bytes must be anonymized so that visitors can no longer be identified. In this regard, the developers recommend anonymizing 2 or 3 bytes of the IP address in Matomo in order to meet the GDPR requirements.
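To make the byte-masking concrete, here is an added example (not code from the article or from the Matomo project) that zeroes the last N bytes of an IPv4 address the way the "anonymize 1/2/3 bytes" setting does, and counts how many distinct stored values a group of visitors collapses to; the sample addresses are constructed from RFC 5737 documentation ranges.

```javascript
// Added example, not code from the article or from Matomo itself: anonymize an IPv4
// address by replacing its trailing maskBytes with 0 (2 bytes: 192.168.xxx.xxx ->
// 192.168.0.0). Matomo applies its own masking before storing the address; this
// stand-alone function only illustrates the effect of the setting.
function anonymizeIPv4(ip, maskBytes = 2) {
  if (!Number.isInteger(maskBytes) || maskBytes < 0 || maskBytes > 4) {
    throw new RangeError('maskBytes must be between 0 and 4');
  }
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) {
    throw new TypeError(`not a dotted-quad IPv4 address: ${ip}`);
  }
  // Keep the leading bytes, zero the trailing maskBytes.
  return octets
    .map((o, i) => (i < 4 - maskBytes ? String(Number(o)) : '0'))
    .join('.');
}

// How many distinct stored values remain after masking a set of visitor addresses?
// With a 2-byte mask every visitor from one /16 collapses onto a single value, so the
// stored address can no longer single out a visitor, and the masking cannot be undone.
function distinctAfterMasking(ips, maskBytes) {
  return new Set(ips.map(ip => anonymizeIPv4(ip, maskBytes))).size;
}

// Constructed sample: four visitors, three of them from the same 203.0.113.0/24 network.
const SAMPLE_VISITORS = ['203.0.113.17', '203.0.113.200', '203.0.114.9', '198.51.100.42'];
```

With a 1-byte mask the sample still yields three distinct values, with 2 or 3 bytes only two, which is why the recommended setting starts at 2 bytes.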
Removing legacy data
In order to use Matomo in a GDPR-compliant way, it is also advantageous to remove old data. Some privacy advocates and regulators take the view that older analytics profiles were often created without a legal basis. They should therefore be deleted. Deleting old data or existing analysis profiles is relatively easy in Matomo. In the “Settings” section, under the “Privacy” tab, you will find the “Anonymize data” option. Here you can also anonymize old, already collected tracking data, and you can remove or delete older visitor logs.
The Matomo cookie banner and its importance
Your visitors must also be informed about the use of Matomo Analytics. A Matomo cookie consent banner supports you in this. As soon as visitor data is to be recorded and stored in the form of cookies on end devices, obtaining consent becomes essential. Both the notice and the consent are handled via such a cookie banner. It is important in this context that, according to the ECJ, no distinction is to be made between personal and non-personal data. The privacy of your users is fundamentally affected by the storage and reading of cookies, and this also applies to non-personal data. The only exception is technically essential cookies, without which the website cannot operate. These are so-called consent-free cookies.
It is advantageous and common practice on many websites to group the cookies used. Each cookie group is then given a brief description and its own consent option. A good Matomo cookie consent provider offers these options integrated in the consent banner.
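The requirement stated in the ECJ section (no Matomo cookie before consent, technically essential cookies excepted) and the grouped consent described just above can be wired together as a small consent gate in front of the Matomo JavaScript tracker. The following is an added example, not code from the article or from the Matomo project; it assumes a Matomo 3.14 or later tracker, whose command queue `_paq` accepts `requireConsent`, `requireCookieConsent`, `disableCookies`, `rememberConsentGiven`, `rememberCookieConsentGiven`, `forgetConsentGiven` and `forgetCookieConsentGiven`; the tracker path, site id and the group name `statistics` are constructed.

```javascript
// Added example, not code from the article or from Matomo: build the tracker command
// queue so that no tracking cookie is written before the visitor accepts the
// "statistics" cookie group, and audit a queue for the wrong ordering.
// Assumes the Matomo >= 3.14 tracker API named in the lead-in; paths/ids are constructed.

// Commands that stop cookies (or all tracking) until consent is given.
const GATES = ['requireConsent', 'requireCookieConsent', 'disableCookies'];

// Commands that must reach the tracker before 'trackPageView'.
// mode 'cookieless': page views are tracked without cookies until consent.
// mode 'strict':     nothing is tracked at all until consent.
function initialTrackerCommands(mode, siteId) {
  const gate = mode === 'cookieless' ? 'requireCookieConsent' : 'requireConsent';
  return [
    [gate],                                   // first, so it applies to every later command
    ['setTrackerUrl', '/matomo/matomo.php'],  // constructed path to your Matomo instance
    ['setSiteId', String(siteId)],
    ['trackPageView'],
  ];
}

// Translate the banner decision (one flag per cookie group) into tracker commands.
// Only the 'statistics' group concerns Matomo; an 'essential' group never needs consent.
function consentCommands(mode, decision, rememberHours = 24 * 30) {
  const accepted = decision.statistics === true;
  if (mode === 'cookieless') {
    return accepted ? [['rememberCookieConsentGiven', rememberHours]]
                    : [['forgetCookieConsentGiven']];
  }
  return accepted ? [['rememberConsentGiven', rememberHours]]
                  : [['forgetConsentGiven']];
}

// Audit check: does a queue call 'trackPageView' before any consent gate?
// Such a queue lets Matomo set its cookies without consent, which the ruling forbids.
function tracksBeforeGate(queue) {
  const firstGate = queue.findIndex(cmd => GATES.includes(cmd[0]));
  const firstTrack = queue.findIndex(cmd => cmd[0] === 'trackPageView');
  return firstTrack !== -1 && (firstGate === -1 || firstTrack < firstGate);
}

// In a page: window._paq = window._paq || []; push initialTrackerCommands(...) at load,
// then push consentCommands(...) from the banner's accept/reject handler.
```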
Consent Manager: Solutions for legally compliant Matomo Cookie Consent Management
This technical implementation of Matomo cookie management also has the advantage of contributing to a positive user experience. Users are informed about the use of Matomo cookies as soon as they visit the site and are asked for their consent. The user’s demand for data protection is taken seriously. The decision on the type and scope of the permitted cookies is entirely up to the visitor.
The essential factors of a positive user experience are a long stay, a high acceptance rate and a low bounce rate. A good consent management tool contributes to ensuring a high acceptance rate and keeping the bounce rate correspondingly low. The overarching goals of customer acquisition and customer loyalty thus benefit from the use of the consent manager.
With the Consent Manager you have a real-time overview of the current acceptance rates and length of stay. This allows conclusions to be drawn about the current performance of your website and at the same time reveals optimization potential.
Thanks to responsive customization, the consent manager is suitable for almost all devices and operating systems. This is particularly important because customers generally access websites from different end devices. Operating Matomo in a GDPR-compliant way matters beyond Germany’s borders if you have international visitors. Thanks to its international orientation and support for more than 30 languages, the consent manager is suitable for visitors from the entire GDPR area and beyond. The Matomo cookie consent banner is automatically displayed in the language of the user accessing the site.
FAQ about Matomo and GDPR
Since the ECJ ruling at the latest, cookies that are not technically required may only be set with express consent. These cookies contain valuable tracking and analytics data that many websites rely on to perform well. With the Consentmanager you give your customers a legally secure way to consent to the processing of these cookies.
The GDPR applies to all personal data. You often process personal data with Matomo. The GDPR requires the data protection declaration to state this. Name, location and IP address are already personal data because they enable identification.
When using Matomo, the GDPR as well as the ECJ ruling on cookies must be observed. It matters whether the cookies are only technically essential (“consent-free”) or other cookies; this also depends on the Matomo settings. Cookies that are not technically required need active consent before they are used. Users must also be informed about their function, their lifetime and any access by third parties.