Matomo: GDPR Compliance Setup — Guide

The Problem

You’re self-hosting Matomo and need to comply with GDPR (or similar privacy regulations such as CCPA or the ePrivacy rules). Out of the box, Matomo sets first-party cookies, stores full IP addresses and keeps per-visitor raw logs indefinitely. Those are personal data, so the default setup needs consent (and a consent banner) unless you reconfigure Matomo for cookieless, anonymized tracking.

The Cause

GDPR requires a lawful basis before personal data is processed, and for analytics cookies that basis is in practice consent, because the ePrivacy rules cover any non-essential storage on the visitor’s device. Matomo’s default configuration sets first-party cookies (_pk_id, _pk_ses) and stores full IP addresses; both count as personal data. Self-hosting Matomo gives you more control than Google Analytics, but you still have to configure it properly.

The Fix

Method 1: Cookieless Tracking

The simplest approach is to disable cookies entirely, so that no consent banner is needed. Whether a cookieless, anonymized configuration is exempt from consent is for your supervisory authority to decide (the French CNIL, for example, lists Matomo among the analytics tools that can be configured for its consent exemption), so check the guidance that applies to you.

Add this to your Matomo tracking code:

var _paq = window._paq = window._paq || [];
// Privacy settings must be queued before the first trackPageview: the tracker
// replays the queue in order, and a pageview sent earlier would set _pk_id/_pk_ses.
_paq.push(['disableCookies']);
_paq.push(['trackPageview']);

(function() {
  var u="//your-matomo-url/";
  _paq.push(['setTrackerUrl', u+'matomo.php']);
  _paq.push(['setSiteId', '1']);
  // Load the tracker asynchronously; the queue above is replayed when matomo.js runs.
  var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
  g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
})();

The key line is _paq.push(['disableCookies']), which tells Matomo to track without setting any cookies. Without a cookie, visitors are recognized by Matomo’s config_id, a hash of the (anonymized, if enabled) IP address, the user agent and a few browser properties, salted with a value that rotates daily. Returning visitors are recognized within the same day; on the next day they count as new. That is the point of the mode (nobody can be followed across days without consent), but it also means returning-visitor and retention metrics are not meaningful with cookies disabled.

Method 2: Full Anonymization

Combine cookieless tracking with IP anonymization in the Matomo admin panel:

  1. Go to Administration → Privacy → Anonymize data
  2. Set Anonymize Visitors’ IP addresses: Anonymize 2 bytes (e.g., 192.168.x.x → 192.168.0.0). Masking 2 bytes leaves a /16, which still allows country- and region-level geolocation but makes city-level geolocation unreliable
  3. Enable Also use the Anonymized IP addresses when enriching visits, so that geolocation and provider lookups only ever see the masked address
  4. Enable Anonymize Referrer: keep only the referrer domain instead of the full URL
  5. Enable Anonymize User ID: the user ID is replaced by a hashed pseudonym before storage
  6. Set Anonymize Order ID if you use e-commerce tracking
  7. If you are switching anonymization on for an existing installation, also run Anonymize previously tracked raw data on the same page. The setting only affects tracking requests received after it is saved; full IP addresses already stored in log_visit stay there until you anonymize or delete them

Or set the equivalent keys in the config file (config/config.ini.php). Settings changed through the UI are stored in the database (option table), not in this file, and a key that config/global.ini.php does not define for your version is silently ignored, so verify the key names there before relying on them:

[Tracker]
; default value; unrelated to anonymization (controls whether the tracker
; trusts a visitor ID supplied by the client), harmless to pin explicitly
trust_visitors_cookies = 0

[PrivacyManager]
; mask the last 2 bytes of IPv4 addresses
ipAnonymizerMaskedBytes = 2
; geolocation and provider enrichment see only the masked address
useAnonymizedIpForVisitEnrichment = 1
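To check that the mask is actually applied to what is stored, here is an added example (not Matomo’s own code) that reproduces the IPv4 masking of the “Anonymize 2 bytes” setting and audits a set of stored addresses against it. It flags rows that predate anonymization or were written with a weaker mask. SAMPLE_ROWS is constructed data; real values come from log_visit.location_ip, assumed here to have been exported as dotted quads. IPv6 is intentionally rejected, since Matomo uses its own mask lengths for IPv6 and they are not reproduced here.

```javascript
// Added example, not Matomo's own code: reproduce the IPv4 mask applied by
// "Anonymize N bytes" (last N octets zeroed) and audit stored addresses with it.
// IPv6 addresses are rejected on purpose (Matomo's IPv6 masks are not modelled).

function maskIpv4(ip, maskedBytes) {
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error("not an IPv4 address: " + ip);
  const keep = 4 - Math.min(Math.max(maskedBytes, 0), 4);
  return octets.map((o, i) => (i < keep ? o : "0")).join(".");
}

// True when the address already carries the mask: masking it again changes nothing.
function isMasked(ip, maskedBytes) {
  return maskIpv4(ip, maskedBytes) === ip;
}

// Audit rows (assumed exported from log_visit as dotted quads) and list the
// visits whose address is not masked to the expected width.
function auditStoredIps(rows, maskedBytes) {
  const unmasked = [];
  for (const row of rows) {
    if (!isMasked(row.location_ip, maskedBytes)) unmasked.push(row.idvisit);
  }
  return { checked: rows.length, unmasked };
}

// Constructed sample standing in for a handful of log_visit rows.
const SAMPLE_ROWS = [
  { idvisit: 101, location_ip: "203.0.113.0" },   // only 1 byte masked
  { idvisit: 102, location_ip: "203.0.0.0" },     // 2 bytes masked, as expected
  { idvisit: 103, location_ip: "198.51.100.27" }, // never anonymized
];

// Example run: with a 2-byte mask, visits 101 and 103 are flagged.
function exampleAudit() {
  return auditStoredIps(SAMPLE_ROWS, 2);
}
```

Rows the audit flags are exactly the ones that the “Anonymize previously tracked raw data” tool exists for; either run it for the affected date range or let the retention job delete them.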

Method 3: Data Retention Policies

Configure automatic data deletion:

  1. Go to Administration → Privacy → Data retention
  2. Set retention periods:

  Data type             Recommended setting
  Raw visitor logs      Delete after 6 months
  Aggregated reports    Keep (they contain no personal data)
  Converted goals       Delete after 6 months

This ensures personal data doesn’t accumulate indefinitely. Raw logs are also what Matomo re-archives reports from: once they are deleted, reports for those periods cannot be regenerated (for example for a segment created later), so make sure the archiving job (core:archive) has processed a period before the deletion job reaches it.

Method 4: Opt-Out Mechanism

GDPR gives data subjects a right to object to processing (Article 21), so you must give visitors a way to opt out. Matomo provides an embeddable opt-out form:

  1. Go to Administration → Privacy → Users opt-out
  2. Copy the iframe code and add it to your privacy policy page:
<iframe
  style="border: 0; height: 200px; width: 600px;"
  src="https://your-matomo-url/index.php?module=CoreAdminHome&action=optOut&language=en"
></iframe>

The iframe stores the visitor’s choice in a cookie set by the Matomo host. If Matomo runs on a different domain than your site, that is a third-party cookie, and current browsers block it: the form appears to work, but the tracker never sees the opt-out. Newer Matomo versions offer a JavaScript-based opt-out snippet on the same admin page that avoids this; prefer it, or wire the opt-out into your own page with the tracker’s API:

_paq.push(['optUserOut']);

This works with cookieless tracking too, but the preference itself still has to be stored somewhere: optUserOut writes a first-party cookie (mtm_consent_removed) on your own site, which is a strictly necessary preference cookie rather than a tracking cookie. Its counterparts are forgetUserOptOut (opt back in) and isUserOptedOut (read the current state).
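An opt-out control built on those three tracker methods, as an added example (not code from Matomo or from this guide’s author). It assumes a checkbox and a label element on the privacy policy page (ids matomo-optout and matomo-optout-label are placeholders). Pushing a function onto _paq runs it with this bound to the loaded tracker, which is how the current opt-out state is read before the tracker has necessarily finished loading.

```javascript
// Added example, not Matomo's own code: an opt-out checkbox wired to the
// tracker methods optUserOut, forgetUserOptOut and isUserOptedOut.
// Element ids are assumptions for this example.

// Read the current state: a function pushed onto _paq runs inside the tracker
// once matomo.js has loaded, with `this` bound to the tracker object.
function queueOptOutStatusRead(paq, onStatus) {
  paq.push([function () { onStatus(this.isUserOptedOut()); }]);
  return paq;
}

// Record the visitor's choice. optUserOut stores it in the first-party cookie
// mtm_consent_removed; forgetUserOptOut removes that cookie again.
function queueOptOutChoice(paq, optOut) {
  paq.push([optOut ? "optUserOut" : "forgetUserOptOut"]);
  return paq;
}

function labelFor(optedOut) {
  return optedOut
    ? "You are currently opted out of analytics. Untick the box to opt back in."
    : "You are not opted out. Tick the box to opt out of analytics on this site.";
}

// Bind the checkbox: reflect the stored state on load, record changes on click.
function wireOptOutCheckbox(paq, checkbox, label) {
  queueOptOutStatusRead(paq, (optedOut) => {
    checkbox.checked = optedOut;
    label.textContent = labelFor(optedOut);
  });
  checkbox.addEventListener("change", () => {
    queueOptOutChoice(paq, checkbox.checked);
    label.textContent = labelFor(checkbox.checked);
  });
}

if (typeof document !== "undefined") {
  window._paq = window._paq || [];
  wireOptOutCheckbox(
    window._paq,
    document.getElementById("matomo-optout"),        // assumed element id
    document.getElementById("matomo-optout-label")   // assumed element id
  );
}
```

Because the choice lives in a cookie on your own domain, it works regardless of where Matomo is hosted; the trade-off is that clearing cookies also clears the opt-out, which the label text should tell the visitor.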

Method 5: Do Not Track Respect

Tell Matomo to honor the browser’s Do Not Track signal. Few browsers still send it, so treat it as a supplement to the opt-out, not a substitute:

In tracking code (the client stops sending requests when the browser has DNT enabled):

_paq.push(['setDoNotTrack', true]);

Or server-side, where the tracker endpoint ignores requests carrying the DNT header. The same option is exposed in the admin panel under Administration → Privacy → Users opt-out (“Support Do Not Track preference”); if you set it through the config file instead, verify the key name against config/global.ini.php for your version:

[Tracker]
enable_do_not_track = 1

Complete GDPR Configuration Checklist

  Setting                      Location                           Recommended value
  Disable cookies              Tracking code                      _paq.push(['disableCookies'])
  IP anonymization (2 bytes)   Admin → Privacy → Anonymize data   Enabled
  Referrer anonymization       Admin → Privacy → Anonymize data   Enabled
  User ID anonymization        Admin → Privacy → Anonymize data   Enabled
  Data retention (raw data)    Admin → Privacy → Data retention   6 months
  Opt-out                      Privacy policy page                Embedded (iframe or JavaScript opt-out)
  Do Not Track respect         Tracking code or admin panel       Enabled
  GDPR tools                   Admin → Privacy → GDPR tools       Used for data subject requests

Matomo’s Built-In GDPR Tools

Matomo includes dedicated GDPR management:

  1. Admin → Privacy → GDPR tools
  2. Data subject requests: Search for and export/delete a specific user’s data
  3. Data portability: Export user data in machine-readable format (Article 20)
  4. Right to erasure: Delete all data for a specific visitor (Article 17)

These tools let you respond to GDPR data subject access requests (DSARs) directly from the Matomo admin panel.
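The same workflow is available over the HTTP API, which matters once requests arrive often enough to script. The following is an added example, not Matomo’s own code: it runs find, export and delete through the API methods the GDPR tool uses (PrivacyManager.findDataSubjects, PrivacyManager.exportDataSubjects, PrivacyManager.deleteDataSubjects) with an injectable transport so it can be exercised offline. Assumptions to verify against the API reference for your version: the nested visits[i][idsite]/visits[i][idvisit] parameter layout, the idSite/idVisit columns in the find result, and the double URL-encoding of segment values. BASE_URL and the token are placeholders.

```javascript
// Added example, not Matomo's own code: a scripted data subject request
// (find, export, then delete) against the GDPR-tools API methods.
// BASE_URL is an assumption; the visits[] parameter layout and the idSite/idVisit
// result columns are assumptions to verify against your version's API reference.

const BASE_URL = "https://analytics.example.org/index.php"; // assumption

// token_auth goes in the POST body, never in the URL, so it stays out of access logs.
function buildApiBody(method, params, token) {
  const body = new URLSearchParams({ module: "API", method, format: "JSON", token_auth: token });
  for (const [k, v] of Object.entries(params)) body.set(k, String(v));
  return body;
}

// Flatten [{idsite, idvisit}] into Matomo's nested query-parameter convention (assumed).
function visitsToParams(visits) {
  const params = {};
  visits.forEach((v, i) => {
    params[`visits[${i}][idsite]`] = String(v.idsite);
    params[`visits[${i}][idvisit]`] = String(v.idvisit);
  });
  return params;
}

// Segment selecting the data subject by User ID. Matomo segment values are
// URL-encoded inside the definition, and the transport encodes the whole
// parameter once more (assumed double encoding).
function segmentForUserId(userId) {
  return "userId==" + encodeURIComponent(userId);
}

// Real transport for Node 18+: post(body) -> parsed JSON.
async function httpPost(body) {
  const res = await fetch(BASE_URL, { method: "POST", body });
  if (!res.ok) throw new Error("Matomo API HTTP " + res.status);
  return res.json();
}

// dryRun defaults to true: export and report what would be deleted, delete nothing.
async function handleErasureRequest(post, token, idSite, userId, { dryRun = true } = {}) {
  const found = await post(buildApiBody(
    "PrivacyManager.findDataSubjects",
    { idSite, segment: segmentForUserId(userId) },
    token
  ));
  // Matomo reports API errors as {result: "error", message: ...}, not as HTTP errors.
  if (!Array.isArray(found)) throw new Error("unexpected API response: " + JSON.stringify(found));
  const visits = found.map((r) => ({ idsite: r.idSite, idvisit: r.idVisit }));
  if (visits.length === 0) return { found: 0, exported: null, deleted: false };
  // Export first: keep a record of what was held before it is erased.
  const exported = await post(buildApiBody("PrivacyManager.exportDataSubjects", visitsToParams(visits), token));
  if (dryRun) return { found: visits.length, exported, deleted: false };
  await post(buildApiBody("PrivacyManager.deleteDataSubjects", visitsToParams(visits), token));
  return { found: visits.length, exported, deleted: true };
}

// Usage against a live instance (token from Administration → Personal → Security):
// handleErasureRequest(httpPost, process.env.MATOMO_TOKEN, 1, "alice@example.org", { dryRun: false })
```

Run it with the dry run first and file the export with the request ticket; only then rerun with dryRun false. The token used here needs admin access to the site, so keep it in a secret store rather than in the script.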

Prevention

  • Set up cookieless tracking and anonymization from day one; retrofitting is harder, because raw logs already stored with full IP addresses have to be anonymized or deleted afterwards
  • Document your Matomo privacy configuration in your privacy policy
  • If using consent mode (cookies enabled with consent), integrate a proper CMP (Consent Management Platform) like Klaro or CookieYes
  • Self-hosting Matomo is already a GDPR advantage: no analytics data leaves your infrastructure and the analytics vendor is no longer a processor. Your hosting provider may still be one, and the processing agreement with them still applies
  • Review Matomo’s official GDPR guide at https://matomo.org/gdpr-analytics/ for updates
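The tracking-code side of both modes described on this page (cookieless tracking from Method 1, and consent mode from the CMP bullet above), as an added example that is not part of the original guide or of Matomo’s own code. MATOMO_URL and SITE_ID are placeholders, and checkQueueOrder is a helper written for this example; the command names (disableCookies, setDoNotTrack, requireConsent, rememberConsentGiven, forgetConsentGiven, enableLinkTracking) are Matomo tracker methods. The check exists because the most common mistake is queuing trackPageview before the privacy command, which sets the cookies on the first pageview.

```javascript
// Added example, not Matomo's own code: build the _paq queue for the two
// privacy modes and verify that privacy commands precede trackPageview.
// MATOMO_URL and SITE_ID are assumptions; checkQueueOrder is this example's helper.

const MATOMO_URL = "https://analytics.example.org/"; // assumption: your Matomo host
const SITE_ID = "1";                                    // assumption: your site id

// Commands that must precede trackPageview in each mode.
const PRIVACY_COMMANDS = {
  // No cookies at all, so no banner is needed (subject to your DPA's guidance).
  cookieless: [["disableCookies"], ["setDoNotTrack", true]],
  // Consent mode: the tracker sends nothing until the CMP grants consent.
  consent: [["requireConsent"], ["setDoNotTrack", true]],
};

function buildTrackerQueue(mode, existing) {
  const paq = existing || [];
  const commands = PRIVACY_COMMANDS[mode];
  if (!commands) throw new Error("unknown privacy mode: " + mode);
  for (const c of commands) paq.push(c.slice());
  paq.push(["setTrackerUrl", MATOMO_URL + "matomo.php"]);
  paq.push(["setSiteId", SITE_ID]);
  paq.push(["trackPageview"]);
  paq.push(["enableLinkTracking"]);
  return paq;
}

// Called by the CMP in consent mode. rememberConsentGiven stores the decision in
// the first-party cookie mtm_consent for hoursToRemember hours and starts tracking;
// forgetConsentGiven removes it and stops tracking again.
function recordConsentDecision(paq, accepted, hoursToRemember) {
  paq.push(accepted ? ["rememberConsentGiven", hoursToRemember] : ["forgetConsentGiven"]);
  return paq;
}

// Guard for your own templates: reject a queue whose privacy command comes
// after trackPageview, or that has no privacy command at all.
function checkQueueOrder(paq) {
  const indexOf = (name) => paq.findIndex((c) => c[0] === name);
  const pageview = indexOf("trackPageview");
  if (pageview < 0) return { ok: false, reason: "no trackPageview" };
  const guards = [indexOf("disableCookies"), indexOf("requireConsent")].filter((i) => i >= 0);
  if (guards.length === 0) return { ok: false, reason: "no privacy command" };
  if (guards.some((i) => i > pageview)) return { ok: false, reason: "privacy command after trackPageview" };
  return { ok: true, reason: "" };
}

// In a browser: build the queue and load the tracker the usual way.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window._paq = buildTrackerQueue("cookieless", window._paq);
  const g = document.createElement("script");
  const s = document.getElementsByTagName("script")[0];
  g.async = true;
  g.src = MATOMO_URL + "matomo.js";
  s.parentNode.insertBefore(g, s);
}
```

In consent mode the CMP calls recordConsentDecision when the visitor answers the banner; until then the queued trackPageview is held back by requireConsent rather than dropped, so the first pageview is still recorded once consent arrives.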
