👋 This guide describes how to configure Matomo in consent exemption mode for the CNIL program. To do this, disable certain features, allow visitors to opt-out of tracking, check Matomo's default settings and avoid the collection of personal data.

Introduction

Matomo is free (open source) audience analysis software. This ensures that it is secure and that data remains confidential.

Cookies: solutions for audience measurement tools. When are cookies exempt from consent? In order to be limited to what is strictly necessary for the provision of the service, and thus exempted from consent in accordance with article 82 of the French Data Protection Act, cookies must.

Two types of hosting

When you use Matomo, you can either host it yourself with Matomo self-hosting or host it on Matomo's cloud hosting servers. Both modes of hosting (self-hosted or cloud) give you 100% ownership of the data and protect your users' privacy by default.

Matomo self-hosted / On-Premise version

When you host Matomo on your servers, no one but you has access to your data to process it (the Matomo team has no possible access to your data). Matomo can be downloaded free of charge and installed on your servers or on any other web host.

Web analytics hosted on your servers | Matomo On-Premise

Retain ownership of your data, ensure the highest level of security and confidentiality, and have maximum flexibility to do whatever you want with Matomo Analytics On-Premise self-hosted.


Matomo in the cloud: Matomo Cloud (SaaS)

The company InnoCraft (which publishes Matomo and provides the Matomo Cloud service) undertakes to comply with applicable regulations, to provide the service solely on behalf of the customer, not to use the data for its own account, and not to share the data with third parties.

The Matomo Cloud DPA and the Matomo Cloud Terms of Service guarantee the confidentiality of the personal data processed and ensure that InnoCraft does not pursue its own ends with the data, but processes it solely on behalf of the customer. Customers have all rights, title and interest in their users' data, and InnoCraft obtains no rights whatsoever in this data.

Procedure for consent-exempt mode

Follow the steps below to set up Matomo on your sites in exempt mode.

Disable data exports

It is necessary to deactivate export functions by following the steps below:

  1. Log on as a Super User in Matomo and go to Administration.
  2. In the left-hand menu, click on System, then on General Settings.
  3. In the Live section, click on Disable Visits log & Visitor Profile.
  4. Click on the Save button.

The following functions will be disabled:

  • 🚫 Visit log & Visitors in real time
  • 🚫 Visitor profile
  • 🚫 Real-time visitor map

Allow visitors to refuse to be tracked (Opt-out)

On your website, add a way for visitors to refuse to be tracked by your Matomo server (Opt-out). Visitors who click on the link in the Opt-out will be ignored. To display this Opt-out, you can include a line of HTML code.

Configure Privacy Settings in Matomo - Analytics Platform - Matomo

Check that Matomo's default settings are still in place

For an existing Matomo installation, check that the following parameters are still in place.

a) ensure that IP addresses are anonymous

  1. Log on as a Super User in Matomo and go to Administration.
  2. In the left-hand menu, click on Privacy, then on Anonymize data.
  3. Check that the Make visitor IP addresses anonymous option is enabled.

By default, Matomo limits the collection of location information to the city level, and removes the last two octets from IPv4 addresses. (For example, an IPv4 address would become 124.45.0.0 and an IPv6 address would become 2001:db8:0:0:0:0:0:00.) Although this is the default setting, it can be disabled by an administrator.

b) ensure that third-party cookies and cross-domain tracking are not used

By default, Matomo uses only first-party cookies. Each visitor is tracked only on the domain of the website in question. Although this is the default configuration, there are advanced features that can be used when user consent is obtained.

In "consent-exempt" mode, it is important to check that:

  • Cross domain tracking is not used on domains.
  • Third-party cookies are not enabled.

c) ensure that the "User ID" measurement is not used

In "consent-exempt" mode, it is important that User ID measurement is not used on the site. (In order to measure a user ID, e.g. login, username, email, etc., the user's consent must be obtained).

By default, Matomo does not measure the User ID.

To check that the User ID is not being used on the site, simply click on "Visitors" in the Matomo menu, then click on "User ID". The report should read "There is no data for this report", indicating that User IDs are not being measured.

d) ensure that E-Commerce measurement is not used

In "consent-exempt" mode, it is important that e-commerce orders are not measured on the site. (To be able to use E-Commerce measurement for a visitor, it would be necessary to ask for the user's consent.)

By default, Matomo does not measure E-Commerce interactions, and so the "E-Commerce" menu is not available. To check that E-Commerce is deactivated, all you have to do in Matomo is check in the main menu whether there is an "E-Commerce" category. If there is, you can easily disable E-Commerce functionality by following these steps:

  1. Log on as a Super User in Matomo and go to Administration.
  2. In the left-hand menu, click on Measurable items and then on Manage.
  3. Click on the Modify icon for your website.
  4. Under E-Commerce, select Not an e-commerce site.

e) ensure that heat maps and session recordings are deactivated

By default, Matomo does not measure heat maps or session recordings. To ensure that heat maps and session recordings are completely disabled, add the following line of code to Matomo's JavaScript tracking code:

_paq.push(['HeatmapSessionRecording::disable']);
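
A check for the cross-domain, User ID, E-Commerce and heat map points in sections b) to e), as an added example that is not part of the original guide or Matomo's own code: it audits the commands a page pushes to `_paq` for tracker methods that conflict with consent-exempt mode. The sample commands, the analytics.example.org URL and the function name auditPaq are constructed for illustration.

```javascript
// Tracker methods the guide says must not be used without consent
// (sections b to d). The names are Matomo JavaScript tracker methods.
const NEEDS_CONSENT = new Map([
  ['setUserId', 'User ID measurement'],
  ['enableCrossDomainLinking', 'cross-domain tracking'],
  ['addEcommerceItem', 'E-Commerce measurement'],
  ['trackEcommerceCartUpdate', 'E-Commerce measurement'],
  ['trackEcommerceOrder', 'E-Commerce measurement'],
]);
const HSR_DISABLE = 'HeatmapSessionRecording::disable';

// Audit an array of _paq commands; returns one finding per problem.
function auditPaq(commands) {
  const findings = [];
  let hsrDisabled = false;
  commands.forEach((cmd, index) => {
    const name = Array.isArray(cmd) ? cmd[0] : null;
    if (typeof name !== 'string') return; // callbacks pushed to _paq are skipped
    if (name === HSR_DISABLE) hsrDisabled = true;
    if (NEEDS_CONSENT.has(name)) {
      findings.push({ index, command: name, reason: NEEDS_CONSENT.get(name) });
    }
  });
  if (!hsrDisabled) {
    findings.push({ index: -1, command: HSR_DISABLE, reason: 'disable call is missing' });
  }
  return findings;
}

// Constructed sample: what a tag might push before the exempt-mode review.
const samplePaq = [
  ['setTrackerUrl', 'https://analytics.example.org/matomo.php'],
  ['setSiteId', '1'],
  ['setUserId', 'jane.doe@example.org'],
  ['enableCrossDomainLinking'],
  ['trackPageView'],
];

// Constructed sample: the same tag after the review.
const exemptPaq = [
  ['setTrackerUrl', 'https://analytics.example.org/matomo.php'],
  ['setSiteId', '1'],
  [HSR_DISABLE],
  ['trackPageView'],
];

console.log(auditPaq(samplePaq));
console.log(auditPaq(exemptPaq));
```

Run the audit on the command array before the Matomo tracker script loads, or on the commands extracted from the tag itself. Third-party cookies are a server-side setting and are not covered by this check.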

Check that you are not collecting personal data

By default, Matomo does not automatically collect personal data. We advise you to check that you are not collecting any personal data:

  • If you use custom dimensions in Matomo, it's important to make sure that they don't collect any personal data. By default, Matomo does not collect any data from custom dimensions. To check that you are not collecting personal data in custom dimensions, follow these steps:
    • Log on as a Super User in Matomo and go to Administration.
    • In the left-hand menu, click on Measurable items, then on Custom dimensions.
    • For each dimension that might be listed, open the report and check that no personal data is displayed.
  • Page URLs, page titles and personalized events may contain personal data, depending on how your website(s) are designed (for example, when the page URL includes an e-mail address, zip code or name). When this is the case, it is advisable to remove such personal data from URLs, page titles and events:

JavaScript Tracking Client: Integrate - Matomo Analytics (formerly Piwik Analytics) - Developer Docs - v5
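
One way to strip personal data before a page view is sent, as an added example that is not part of the original guide: it redacts e-mail addresses, drops chosen query parameters, and passes the cleaned values to the tracker's setCustomUrl and setDocumentTitle methods. The parameter list, the sample URL and title, and the helper names are assumptions to adapt to your own site.

```javascript
// Matches e-mail addresses, with "@" either literal or percent-encoded.
const EMAIL = /[A-Z0-9._%+-]+(?:@|%40)[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Assumed list of query parameters that carry personal data on this site.
const SENSITIVE_PARAMS = new Set(['email', 'name', 'zip']);

// Replace every e-mail address in a string with a fixed marker.
function scrubText(text) {
  return text.replace(EMAIL, 'redacted');
}

// Remove sensitive parameters and redact e-mails in path, query and fragment.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const [key, value] of [...url.searchParams]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key);
    } else if (scrubText(value) !== value) {
      url.searchParams.set(key, scrubText(value));
    }
  }
  url.pathname = scrubText(url.pathname);
  url.hash = scrubText(url.hash);
  return url.toString();
}

// Build the _paq commands for one page view with cleaned URL and title.
function buildPageView(rawUrl, title) {
  return [
    ['setCustomUrl', scrubUrl(rawUrl)],
    ['setDocumentTitle', scrubText(title)],
    ['trackPageView'],
  ];
}

// Constructed sample values standing in for location.href and document.title.
const SAMPLE_URL = 'https://shop.example.org/account/jane.doe@example.org/orders'
  + '?email=jane.doe%40example.org&page=2&ref=bob@example.com';
const SAMPLE_TITLE = 'Orders for jane.doe@example.org | Shop';

// In the browser: buildPageView(location.href, document.title)
//   .forEach((cmd) => _paq.push(cmd));
console.log(buildPageView(SAMPLE_URL, SAMPLE_TITLE));
```

A zip code or a name embedded in the path is not caught by the e-mail pattern; such cases need a rule written for the site's own URL scheme.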

Generally speaking, when you collect personal data, you must ask your users for their consent.

A need, a question?

Write to us at hello@starfox-analytics.com.
Our team will get back to you as soon as possible.
