Matomo (formerly known as Piwik) is an open source web analytics platform that is considered a privacy-friendly alternative to other analytics tools such as Google Analytics. However, website operators must still ensure that Matomo complies with the requirements of the General Data Protection Regulation (GDPR) and integrate Matomo/Piwik Pro in a legally compliant manner, for example with legal web privacy cloud.
A key point here is when Matomo can be classified as “technically necessary” and can therefore be operated without user consent. This applies equally to Matomo On-Premise, Matomo Cloud and Piwik PRO.
Depending on the configuration, Matomo or Piwik Pro may be operated as technically necessary or only with the consent of the visitor. The following article describes both methods and their required configuration.
Technically necessary data processing
According to the GDPR, data processing without consent is permitted if it:
- is based on a legal basis, or
- is necessary for the performance of a contract or for the implementation of pre-contractual measures (Art. 6 para. 1 lit. b GDPR), or
- is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests of the data subject (Article 6(1)(f) GDPR).
Web analytics can be considered a legitimate interest in some cases, especially if it serves to optimize the website. However, specific requirements must be met in order to achieve the status of technical necessity and to be able to dispense with consent:
Parameters for a data protection-compliant technical necessity
- Deactivating cookies: The use of cookies requires consent in most cases, as cookies can collect personal data, e.g. by setting unique IDs. Therefore, the command
window._paq.push(['disableCookies']);
is decisive. It deactivates the setting of cookies in Matomo and Piwik PRO and ensures that no information is stored in the user’s browser.
- Anonymization of users
  - With Piwik PRO: Users can be anonymized directly using the following command:
window._paq.push(['setUserIsAnonymous', 1]);
This removes all personal characteristics, e.g. the IP address, so that users cannot be identified directly or indirectly.
  - For Matomo: Anonymization must be carried out via the data protection settings in the Matomo backend. Detailed instructions can be found here: Configuring the privacy settings in Matomo.
Use with consent
If a complete web analysis is desired that includes personal data, e.g. through cookies or the creation of user profiles, the express consent of the user is required. The following commands are used:
- Enable cookies
window._paq.push(['enableCookies']);
This command allows Matomo and Piwik PRO to set cookies, e.g. to identify returning visitors.
- Deanonymization of users
  - For Piwik PRO:
window._paq.push(['deanonymizeUser']);
This command enables the use of personal data such as the IP address or other identifiers.
  - With Matomo: Users can only be de-anonymized via the configuration in the backend. The linked instructions also cover this: Configuring the data protection settings in Matomo.
Without the express consent of the user, these settings violate the GDPR, as personal data may only be processed with consent (Art. 6 para. 1 lit. a GDPR).
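The two configurations above differ only in which commands end up in the `_paq` queue, so a deployment can be checked before it goes live. The following is an added example, not code from this page, from Matomo, from Piwik PRO or from legal web privacy cloud: it replays a `_paq` command queue in order, tracks the resulting cookie and anonymization state, and classifies the configuration as consent-free, consent-required or incomplete. The command names are the ones used on this page; the `backendAnonymised` option stands in for the Matomo backend setting the queue cannot see, and every queue, URL and site id below is constructed placeholder input.

```javascript
// Added example: pre-deployment audit of a Matomo / Piwik PRO `_paq` queue.
// Not vendor code; command names are those used in the article.

// Commands that change the privacy-relevant state of the tracker.
const PRIVACY_COMMANDS = new Set([
  'disableCookies', 'enableCookies', 'setUserIsAnonymous', 'deanonymizeUser',
]);

// Replays `queue` (an array of [command, ...args] entries) and returns
// { mode, issues }. `backendAnonymised` models the Matomo backend privacy
// settings, which cannot be read from the queue (assumption for this example).
function auditTrackerQueue(queue, { backendAnonymised = false } = {}) {
  const state = { cookies: 'unset', anonymous: backendAnonymised ? true : null };
  const issues = [];
  let pageViewSent = false;

  for (const [command, ...args] of queue) {
    // Configuration pushed after trackPageView only affects later requests.
    if (PRIVACY_COMMANDS.has(command) && pageViewSent) {
      issues.push(`${command} is pushed after trackPageView and only applies to later requests`);
    }
    switch (command) {
      case 'disableCookies': state.cookies = 'disabled'; break;
      case 'enableCookies': state.cookies = 'enabled'; break;
      case 'setUserIsAnonymous': state.anonymous = args[0] === 1; break;
      case 'deanonymizeUser': state.anonymous = false; break;
      case 'trackPageView': pageViewSent = true; break;
      default: break; // setTrackerUrl, setSiteId, ... do not change the privacy state
    }
  }

  let mode;
  if (state.cookies === 'disabled' && state.anonymous === true) {
    mode = 'consent-free';          // may run without a consent prompt
  } else if (state.cookies === 'enabled' || state.anonymous === false) {
    mode = 'consent-required';      // must be loaded only after consent
  } else {
    mode = 'incomplete';            // neither configuration is fully established
    if (state.cookies !== 'disabled') issues.push('disableCookies is not pushed');
    if (state.anonymous !== true) {
      issues.push('user is not anonymised (setUserIsAnonymous 1 for Piwik PRO, backend setting for Matomo)');
    }
  }
  return { mode, issues };
}

// Constructed sample queues (placeholder tracker URL and site id).
const CONSENT_FREE_PIWIK_PRO = [
  ['disableCookies'],
  ['setUserIsAnonymous', 1],
  ['setTrackerUrl', 'https://analytics.example.invalid/ppms.php'],
  ['setSiteId', 'SITE-ID-PLACEHOLDER'],
  ['trackPageView'],
];
// The same queue after the consent-requiring commands have been appended.
const AFTER_CONSENT = [...CONSENT_FREE_PIWIK_PRO, ['enableCookies'], ['deanonymizeUser']];
// Privacy commands pushed too late: the first page view goes out with cookies enabled.
const MISORDERED = [['trackPageView'], ['disableCookies'], ['setUserIsAnonymous', 1]];
// Matomo queue that relies on the backend for anonymisation.
const MATOMO_BACKEND = [['disableCookies'], ['trackPageView']];

for (const [name, queue, opts] of [
  ['consent-free Piwik PRO', CONSENT_FREE_PIWIK_PRO],
  ['after consent', AFTER_CONSENT],
  ['misordered', MISORDERED],
  ['Matomo with backend anonymisation', MATOMO_BACKEND, { backendAnonymised: true }],
]) {
  console.log(name, auditTrackerQueue(queue, opts));
}
```

The ordering check is the one practitioners most often miss: a queue that contains the right commands but pushes them after `trackPageView` has already sent one request in the wrong configuration.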
legal web privacy cloud supports both types of integration and takes over the correct integration as well as texts in the privacy policy. You can quickly and easily integrate Matomo/Piwik Pro in a legally compliant manner with the help of legal web privacy cloud.
Why operators need to make conscious decisions
Website operators must be aware of the consequences of their decision as to whether Matomo/Piwik Pro is operated with or without consent. Incorrect configuration can:
- have legal consequences, including fines and warnings.
- negatively impact user trust if the impression is created that data protection is not taken seriously.
- have technical effects on the functioning of the website, e.g. through limited analysis capability.
Data protection-compliant use of Matomo without consent therefore requires:
- The deactivation of cookies.
- Complete anonymization of users.
- Transparent information for users about data processing as part of a data protection policy.
Operators should also document the legal basis on which they carry out the analysis and which settings have been implemented. This ensures that, in the event of an audit, they can prove that the GDPR has been complied with.
Integrate Matomo/Piwik Pro in a legally compliant manner with legal web privacy cloud
With legal web cloud, you only need to select the correct type of integration when preselecting the services.
If you want “extended tracking”, you must always select integration with consent.
This has the following effects:
- Matomo / Piwik Pro is displayed in the cookie popup
- it is only loaded after the visitor has given consent
- the correct text, including the legal basis, is included in the privacy policy
Can I first load the anonymized version of Piwik Pro and then switch to the other version once consent has been given?
Add both variants as integrations.
In the code field of the integration that does not require consent, paste the complete snippet exactly as you would load it in the normal case. Make sure that it also contains the following commands:
window._paq.push(['disableCookies']);
window._paq.push(['setUserIsAnonymous', 1]);
For the integration requiring consent, copy only the two commands that remove the anonymization into the code field:
window._paq.push(['enableCookies']);
window._paq.push(['deanonymizeUser']);
This initially results in anonymous tracking, which is converted to extended tracking once the user gives consent; features such as the creation of a user profile are activated only at that point.
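The two-stage integration described in this answer, written out as plain browser JavaScript. This is an added example and not code from this page, from legal web privacy cloud or from either analytics vendor: the tracker starts in the consent-free configuration for every visitor, and the two consent-requiring commands are pushed only after the consent manager reports consent, and at most once per page load. The tracker URL and site id are placeholders, `applyAnalyticsConsent` is a hypothetical hook name, and `window` is emulated so the snippet also runs outside a browser.

```javascript
// Added example: consent-free start with later upgrade on consent.
// Not vendor code; command names are those used in the article.

// Use the real window in a browser, a stand-in elsewhere (assumption for testing).
const win = typeof window !== 'undefined' ? window : globalThis;
win._paq = win._paq || [];

const TRACKER_URL = 'https://analytics.example.invalid/ppms.php'; // placeholder
const SITE_ID = 'SITE-ID-PLACEHOLDER';                               // placeholder

// Stage 1: executed for every visitor, no consent prompt required.
// Privacy commands come first so the initial page view is already anonymous.
function initAnonymousTracking(paq = win._paq) {
  paq.push(['disableCookies']);
  paq.push(['setUserIsAnonymous', 1]);
  paq.push(['setTrackerUrl', TRACKER_URL]);
  paq.push(['setSiteId', SITE_ID]);
  paq.push(['trackPageView']);
  return paq;
}

// Stage 2: the two commands that remove the anonymization. Pushed only when
// the consent manager reports consent for this service, and only once per
// queue; without consent the tracker stays in the consent-free configuration.
// Returns true when the upgrade was applied, false otherwise.
const upgradedQueues = new WeakSet();
function applyAnalyticsConsent(consentGiven, paq = win._paq) {
  if (consentGiven !== true) {
    return false;                 // no consent: nothing changes
  }
  if (upgradedQueues.has(paq)) {
    return false;                 // already upgraded on this page load
  }
  paq.push(['enableCookies']);
  paq.push(['deanonymizeUser']);
  upgradedQueues.add(paq);
  return true;
}

// Stand-alone run: anonymous start, declined decision, then granted decision.
const queue = initAnonymousTracking([]);
applyAnalyticsConsent(false, queue);  // ignored
applyAnalyticsConsent(true, queue);   // appends the two consent commands
console.log(queue.map((entry) => entry[0]).join(' -> '));
```

In production the stage-1 function runs at page load and the stage-2 function is called from the consent manager's callback with its decision for the analytics service; the `WeakSet` guard keeps a consent banner that fires its callback more than once from duplicating the upgrade commands.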