
Does Matomo Need Consent? It Depends on the Config

Matomo can run without a cookie banner, but only in a specific configuration. Turn on cookies, heatmaps, User ID, or session recording and you're back to needing consent. Here's exactly where the line sits and how to stay on the right side of it.

"Matomo Is Privacy-First, So No Banner" Is Half True

Matomo has earned its privacy reputation. You can self-host it, so the data stays on your own servers, and the French regulator, the CNIL, has formally listed it as eligible for the analytics consent exemption. That combination leads a lot of teams to assume Matomo never needs a cookie banner. The exemption is real, but it is conditional, and the default install does not automatically qualify. Switch on the wrong feature and you've quietly stepped outside it. So the honest answer to "does Matomo need consent" is: it depends entirely on how you run it.

The CNIL Exemption, and Its Fine Print

The CNIL allows audience-measurement tools to run without prior consent when they stay inside a tight box. For Matomo, the conditions are specific. The tool must be used only to measure your own site's audience for your own benefit. No cross-referencing the data with other datasets. No sharing it with third parties. IP addresses must be anonymized. Cookies, if any, live at most 13 months, and the data itself is kept no longer than 25 months. And visitors still get a clear way to opt out, even though you're not asking them to opt in.

These Features Break the Exemption

The exemption covers plain audience measurement. It does not cover Heatmaps, Session Recording, User ID, Ecommerce tracking, or Advertising Conversion tracking. Turn any of those on and that processing needs consent, because it goes beyond simple aggregate counting into behavior capture or identity. Session Recording in particular can pull personal data straight off the page, which is a long way from an anonymous visit count. If you use these features, you're on the consent-based path, not the exempt one.

Three Consent Modes, and What Each One Does

Matomo gives you distinct switches, and the names are close enough that people mix them up. The difference matters, because one keeps tracking and one stops it.

Matomo consent settings compared

| Setting | Before consent | Use it when |
| --- | --- | --- |
| disableCookies | Tracks with no cookies at all, permanently | You want the CNIL-exempt, cookieless setup and never intend to set cookies |
| requireCookieConsent | Tracks cookieless immediately; sets cookies only after consent | You want measurement from the first visit but richer, cookie-based tracking after opt-in |
| requireConsent | No tracking of any kind until consent is given | You are relying on consent as your legal basis and want nothing processed before it |

```javascript
// Cookieless-first, cookies only after consent (stays measuring):
var _paq = window._paq = window._paq || [];
_paq.push(['requireCookieConsent']);
_paq.push(['trackPageView']);

// When your banner records acceptance of cookies:
_paq.push(['rememberCookieConsentGiven']);

// Stricter: no tracking whatsoever until consent:
// _paq.push(['requireConsent']);
// ...then on acceptance:
// _paq.push(['rememberConsentGiven']);
```

requireCookieConsent Keeps Counting. requireConsent Doesn't.

This is the distinction that decides your compliance story. requireCookieConsent means Matomo tracks cookielessly out of the gate and only asks about the cookies, which fits the exemption if the rest of your config qualifies. requireConsent means Matomo does nothing until the visitor agrees, which is what you want when you've decided consent is your basis for everything. Choose based on which legal footing you're standing on, not on which word sounds safer.
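The three modes wired to banner events, including withdrawal and opt-out, as an added example that is not from the original guide or from Matomo. MODES, initCommands, decisionCommands and pushAll are hypothetical names; the command strings are Matomo tracker methods, of which the forget*, optUserOut, setUserId and resetUserId calls do not appear on this page.

```javascript
// Added example. MODES, initCommands, decisionCommands and pushAll are
// hypothetical names; the command strings are Matomo tracker methods.
const MODES = {
  exempt:        { init: 'disableCookies' },
  cookieConsent: { init: 'requireCookieConsent',
                   accept: 'rememberCookieConsentGiven',
                   withdraw: 'forgetCookieConsentGiven' },
  fullConsent:   { init: 'requireConsent',
                   accept: 'rememberConsentGiven',
                   withdraw: 'forgetConsentGiven' },
};

function modeOf(name) {
  if (!Object.prototype.hasOwnProperty.call(MODES, name)) {
    throw new Error('unknown mode: ' + name);
  }
  return MODES[name];
}

// Sent on every page load. The mode switch comes before trackPageView so the
// first hit is already subject to it.
function initCommands(name) {
  return [[modeOf(name).init], ['trackPageView']];
}

// Sent when the banner reports 'accept', 'withdraw' or 'optOut'.
function decisionCommands(name, decision, userId) {
  const mode = modeOf(name);
  if (decision === 'optOut') return [['optUserOut']]; // offered on every path
  if (decision === 'withdraw') {
    return mode.withdraw ? [[mode.withdraw], ['resetUserId']] : [];
  }
  if (decision !== 'accept') throw new Error('unknown decision: ' + decision);
  if (!mode.accept) return []; // exempt path: nothing to unlock
  // User ID falls outside the exemption, so it is only set after opt-in.
  return userId ? [[mode.accept], ['setUserId', userId]] : [[mode.accept]];
}

// In the browser: pushAll(window._paq = window._paq || [], initCommands('cookieConsent'));
function pushAll(paq, commands) {
  commands.forEach((command) => paq.push(command));
  return paq;
}
```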

Self-Hosted vs Matomo Cloud

Self-hosting is what makes the strongest privacy claims possible, because the data never leaves your infrastructure and there's no third-party processor in the analytics path. Matomo Cloud is hosted by Matomo (InnoCraft) in the EU, which introduces a processor relationship you should paper with a data processing agreement, though it stays within the EU. Neither choice changes the ePrivacy question on its own. Cookies are cookies whether the backend is yours or theirs. What changes the question is the feature set and the cookie configuration, not where the server sits.

Even Cookieless Matomo Processes an IP

Cookieless does not mean data-free. Matomo still sees the visitor's IP address to derive things like country and to count uniques, and an IP is personal data under the GDPR. The exemption expects you to anonymize it, which Matomo can do by masking the last octets before storage. So the cookieless path is not "no privacy obligations," it's "an obligation you meet with configuration rather than a banner." Anonymize the IP, keep the retention windows honest, and don't quietly enable a feature that pulls you back over the line. For the wider picture on measuring without cookies, see first-party cookieless tracking.

Matomo Consent Decision Checklist

  • You know which path you're on: exempt cookieless, or consent-based

    The two have different code and different legal reasoning. Don't blur them.

  • IP anonymization is enabled

    Required for the CNIL exemption and good practice regardless.

  • Heatmaps, Session Recording, User ID, and Ecommerce are gated behind consent

    These features fall outside the exemption. If they're on, you need opt-in.

  • Cookie lifetime is 13 months or less and data retention is capped at 25 months

    Both are hard conditions of the exemption.

  • Visitors have a working opt-out even on the exempt path

    No consent required does not mean no choice offered.
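A check for the cookie items on this checklist, as an added example that is not from the original guide or any vendor's scanner. It assumes a cookie-jar dump of records with `name` and `expires` (epoch seconds, -1 for a session cookie) and assumes Matomo tracking cookies carry the `_pk_` prefix; auditCookieJar and the sample jar are hypothetical and constructed.

```javascript
// Added example. auditCookieJar is a hypothetical name; the "_pk_" prefix for
// Matomo tracking cookies and the jar record shape are assumptions.
function auditCookieJar(jar, path, now) {
  const limit = new Date(now.getTime());
  limit.setUTCMonth(limit.getUTCMonth() + 13); // calendar months, not a day count
  const findings = [];
  for (const { name, expires } of jar) {
    // Consent-state cookies (mtm_*) and unrelated cookies are not tracking cookies.
    if (!name.startsWith('_pk_')) continue;
    const session = expires < 0;
    const expiry = session ? null : new Date(expires * 1000);
    const days = session ? 0 : Math.round((expiry - now) / 86400000);
    // Exempt cookieless path: any tracking cookie at all is a failure.
    if (path === 'exempt') {
      findings.push({ name, issue: 'cookie-on-cookieless-path', days });
    }
    // Every path: tracking cookies must not outlive 13 months.
    if (expiry && expiry > limit) {
      findings.push({ name, issue: 'lifetime-over-13-months', days });
    }
  }
  return findings;
}

// Constructed sample input, not captured from a real site.
const SAMPLE_NOW = new Date('2025-01-15T00:00:00Z');
const secondsFromNow = (s) => Math.floor(SAMPLE_NOW.getTime() / 1000) + s;
const SAMPLE_JAR = [
  { name: '_pk_id.1.1fff', expires: secondsFromNow(63072000) },       // 730 days
  { name: '_pk_ses.1.1fff', expires: secondsFromNow(1800) },          // 30 minutes
  { name: 'mtm_cookie_consent', expires: secondsFromNow(946080000) }, // consent state
  { name: 'sessionid', expires: -1 },                                 // unrelated
];

function sampleReport(path) {
  return auditCookieJar(SAMPLE_JAR, path, SAMPLE_NOW);
}
```

Run it against the jar collected before any banner interaction: on the exempt path the report should be empty, and on the consent-based path only lifetime findings can appear.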

Doing It With CookieBeam

If you run consent-based Matomo, CookieBeam holds the tracker and its cookies until the visitor accepts analytics, then releases them, and calls the Matomo consent methods so the tracker knows the decision. If you run the exempt cookieless setup, the useful part is verification: CookieBeam's scanner audits your pages and confirms Matomo is genuinely setting no cookies, so you can prove the exempt config is actually behaving as claimed rather than assuming it is. It also flags the moment a new feature starts writing a cookie, which is how exemptions get broken by accident.
