When the GDPR and ePrivacy laws first came into force, they changed the way websites collected and used data. The ePrivacy Directive regulates access to information stored on user devices (such as cookies), while the GDPR applies where personal data is processed through such technologies. While understanding has improved, questions remain, especially now that cookies are just one of many tracking technologies in use today.
This article looks into what cookies really are, how they are used, and why they matter for consent and compliance.
What are cookies?
When you visit a website, your browser sends a request to load the website’s page (along with all its content, scripts, and other resources). As part of the website’s response, it can include an instruction to store a small file, called a cookie, on your device.
This cookie is saved by your browser and can contain simple data such as a unique identifier, session status, or user preferences. On future visits, your browser automatically sends this cookie back to the same website, allowing the site to recognise your device and tailor your experience, such as keeping you logged in or remembering items in your cart.
Are all cookies bad?
No. Cookies are usually harmless in themselves: they are plain data that the browser stores and sends back, so they cannot infect computers with malware or execute code. Any privacy risk comes from what the data in them identifies and who can read it.
Cookies can be helpful for both users and website owners. For example:
- When you’re shopping online, cookies remember what’s in your cart as you move between pages.
- They keep you logged into a website without requiring your credentials every time.
- They help site owners understand repeat visits and how people interact with the site, so they can improve the user experience.
The not-so-sweet types of cookies:
Cookies that contain personal data
It is considered bad practice to store personal data such as names, demographics, or survey responses directly in a cookie. This can expose sensitive data and increase the risk of misuse or interception and may also breach data minimisation obligations.
Third-party cookies
Third-party cookies can track users across multiple websites. These are often set by advertising networks rather than the site you’re visiting directly.
For example, when you view an ad on one site, a third-party cookie might be created that allows the advertiser to track you as you browse other sites. While it enables highly targeted advertising, it also raises serious privacy concerns, as it contributes to user profiling without clear transparency or control.
Why does Matomo use cookies?
Matomo is a privacy-friendly analytics solution that gives you 100% data ownership and the tools to help you achieve GDPR compliance when configured correctly.
For accurate reporting of new and returning visitors, Matomo uses cookies to track visitor interactions on your website. We also use cookies to remember if someone gave consent to tracking or opted out of tracking.
Types of cookies Matomo uses:
- Matomo by default uses first-party cookies, set on the domain of your site.
- Cookies created by Matomo start with: _pk_ref, _pk_cvar, _pk_id, _pk_ses. Refer to this list of all Matomo cookies.
Learn more about the cookies created by the Matomo JavaScript tracking client.
Cookieless tracking
It is possible to disable tracking cookies in Matomo by adding a single line to the JavaScript tracking code or by changing your privacy settings. When cookies are disabled, Matomo does not automatically stop tracking, but data will become slightly less accurate. For more detail on disabling Matomo cookies, refer to the guide on how to go cookieless.
In most European countries, cookieless does not mean consent-exempt, because the ePrivacy laws require websites to obtain consent before using any tracking technologies (including cookies, JavaScript-based tracking, and other similar trackers), unless the tracking falls into the strictly necessary tracking exemption.
Outside Europe, going cookieless may offer additional privacy benefits, as Matomo can be set up to avoid tracking or storing personal information altogether.
Cookies, the ePrivacy Directive, and the GDPR
In the EU, the ePrivacy Directive is the primary legal framework that governs the use of cookies and similar tracking technologies, including JavaScript-based analytics, pixels, and fingerprinting. While the GDPR applies when cookies are used to collect or process personal data, it is the ePrivacy Directive that sets the rules for obtaining consent before placing or accessing cookies on a user’s device.
When is consent required?
Under the ePrivacy Directive, websites must obtain prior consent before setting any cookies or trackers that are not strictly necessary. This includes cookies used for analytics (with some exceptions, see below), advertising, retargeting, fingerprinting or social media tracking.
Before placing any such cookies or similar trackers, the website owner must first obtain the visitor’s consent. This consent must meet the GDPR standard of consent – clear, informed, specific, freely given, and affirmative – even if no personal data is processed. This means that you must:
- Receive user consent before using any cookies (except strictly necessary cookies). Read more on cookies that are “clearly exempt from consent”.
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
- Document and store consent received from users.
- Allow users to access your service even if they refuse to allow the use of certain cookies.
- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
When is consent not required?
Some cookies are exempt from consent requirements under the ePrivacy Directive. These are typically essential for the operation of the website or strictly necessary to provide the service explicitly requested by the visitor. The following do not require consent:
- user input cookies, for the duration of a session.
- authentication cookies, for the duration of a session.
- user-centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration.
- multimedia content player session cookies, such as flash player cookies, for the duration of a session.
- load balancing session cookies and other technical cookies, for the duration of a session.
- user interface customisation cookies, for a browser session or a few hours, when additional information in a prominent location is provided (e.g. “uses cookies” written next to the customisation feature).
In some European jurisdictions, limited tracking may be exempt from consent requirements if no personal data, such as visitor IDs, is collected or stored and other conditions are met. Refer to the CNIL exemption guide on how to configure Matomo without tracking consent for French visitors.
Tracking cookies and consent vs legitimate interest
If a cookie or tracker processes personal data (IP address, User ID, visitor ID) then GDPR applies, and you must have a legal basis for collecting and processing the data.
Cookies that require consent
To determine on which legal basis you will be processing personal data using cookies, you must first comply with the ePrivacy laws that govern user device access. If applicable ePrivacy laws require you to obtain consent for the specific cookies or trackers, that consent must meet the standards set by the GDPR. Your legal basis for processing personal data contained in these cookies will be the valid consent provided by the user.
Strictly necessary cookies
If the cookies or trackers are strictly necessary or consent-exempt, then you will not be required to obtain prior consent under the ePrivacy law.
Does it mean you have to ask for consent under GDPR to allow you to process personal data connected to such cookies? Not necessarily.
Some supervisory authorities agree that if the cookie is essential to deliver the service or perform the contract, you may be able to rely on contractual necessity. Most agree that if a cookie or tracker processing personal data is necessary to protect the system (security) or is necessary for the functioning of the website, you will be able to rely on legitimate interests as your legal basis. The GDPR states that processing of personal data is lawful “if processing is necessary for the purposes of the legitimate interests, pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”
Consent-exempt website analytics
Some national regulators allow analytics cookies without consent, if strict conditions are met (e.g. CNIL in France, AEPD in Spain, AP in the Netherlands, Garante in Italy). Even if consent is not required under ePrivacy, you still need a lawful basis under the GDPR if any personal data is processed (e.g. even where the received IP address is masked as required by CNIL). In such a case, you can only rely on legitimate interest if:
- it relates only to cookies or trackers that are strictly necessary or consent-exempt and do not require consent under ePrivacy;
- you complete a Legitimate Interest Assessment (documenting the purpose, necessity, and balancing test), configure Matomo Analytics to be consent-exempt under the specific ePrivacy laws, and offer an opt-out where required; and
- you inform your users clearly about the use of website analytics.
How is Matomo Analytics GDPR compliant?
If you process personal data and fall into the territorial and material scope of the GDPR, refer to the GDPR and Matomo Analytics Guide for detailed information. Matomo can easily be configured to ensure that your users’ privacy is respected.
Ready to begin your journey to GDPR compliance? Check out our live demo and start your free 21-day trial of Matomo now – no credit card required.
New developments on cookies and the GDPR
Since the introduction of the GDPR, many websites have adopted cookie management platforms (CMPs) to help meet consent requirements. However, early implementations often failed to comply with the law because they used pre-ticked consent boxes and dark patterns: design techniques that nudge users toward accepting tracking more easily than rejecting it.
To comply with GDPR and ePrivacy requirements, it is essential to use a reputable CMP that:
- Blocks all non-essential cookies by default.
- Requests informed, explicit, and granular consent.
- Does not rely on default opt-ins or implied consent (unless configured for CNIL exemption).
- Offers equally prominent options to accept or deny consent.
- Avoids deceptive design or imbalanced presentation of choices.
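As an added example (not code from this article or from Matomo itself), the following JavaScript builds the `_paq` command queue that the Matomo tracker consumes, for the two setups discussed above: a consent-gated tracker that stays silent by default and supports withdrawal, and the cookieless mode. It assumes the Matomo tracker API methods requireConsent, rememberConsentGiven, forgetConsentGiven and disableCookies; the tracker URL and site id are constructed placeholders.

```javascript
// Added example, not Matomo's own code. Builds the _paq command queue that the
// Matomo JavaScript tracker consumes. Assumes the real tracker API methods
// requireConsent, rememberConsentGiven, forgetConsentGiven and disableCookies;
// the tracker URL and site id below are constructed placeholders.
const TRACKER_URL = "https://analytics.example.invalid/matomo.php"; // placeholder
const SITE_ID = "1";                                                // placeholder

// Consent-first setup for ePrivacy jurisdictions: nothing is tracked and no
// tracking cookie is written until the CMP reports consent. Order matters:
// requireConsent must be queued before trackPageView, or the first page view
// is sent regardless of the visitor's choice.
function consentGatedQueue(consentState) {
  const paq = [];
  paq.push(["setTrackerUrl", TRACKER_URL]);
  paq.push(["setSiteId", SITE_ID]);
  paq.push(["requireConsent"]); // default: blocked until consent is given
  if (consentState === "given") {
    // Remember the decision for 30 days so the banner is not shown again.
    paq.push(["rememberConsentGiven", 24 * 30]);
  } else if (consentState === "withdrawn") {
    // Withdrawal must be as easy as consenting: one call clears the decision.
    paq.push(["forgetConsentGiven"]);
  }
  paq.push(["trackPageView"]);
  paq.push(["enableLinkTracking"]);
  return paq;
}

// Cookieless setup: tracking continues (so consent may still be required in
// Europe) but no _pk_* cookies are set; reports become slightly less accurate.
function cookielessQueue() {
  return [
    ["setTrackerUrl", TRACKER_URL],
    ["setSiteId", SITE_ID],
    ["disableCookies"],
    ["trackPageView"],
    ["enableLinkTracking"],
  ];
}

// Checks that a queue is actually gated: requireConsent must precede the
// first tracking call, otherwise the gate is ineffective.
function gateIsEffective(paq) {
  const names = paq.map((cmd) => cmd[0]);
  const gate = names.indexOf("requireConsent");
  const firstTrack = names.indexOf("trackPageView");
  return gate !== -1 && firstTrack !== -1 && gate < firstTrack;
}
```

In a real page the returned array is assigned to `window._paq` before the Matomo tracker script loads, and the CMP calls the builder again with the visitor's updated decision.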
Compliance is not only a legal obligation but also a design responsibility that ensures users’ privacy rights are respected.
Be compliant with secure GDPR analytics
As privacy and ePrivacy laws continue to evolve, you can rest assured that Matomo will be at the forefront of these changes. Try our online demo now and start your free 21-day trial of Matomo – no credit card required.
Disclaimer
This guide is for general information purposes only, and it is not intended to constitute legal advice or be a substitute for it. Please consult your privacy advisors, who can assess your overall data processing and compliance context. This information may change as laws and regulations evolve.