Do I need consent to use web analytics on my website?

The need for consent to use web analytics depends on the laws of the country where your website operates or targets visitors. Under EU ePrivacy laws:

  • Consent is required: If your analytics tools store or access information on a visitor’s device (e.g., cookies, JavaScript tracking) and are not strictly necessary for providing a requested service or facilitating communication.
  • Consent is not required: If no storage or access occurs, or the tools are strictly necessary for the requested service (e.g., session cookies to keep a shopping cart active).

What if my analytics tools are cookieless or anonymised?

The type of tracking technology does not exempt it from consent requirements. ePrivacy laws apply to any interaction with a visitor’s terminal device, whether through cookies, JavaScript, or other tools.

Yes, each EU country implements the ePrivacy directive into its national law, leading to differences in interpretation.

Most EU countries, such as Austria, Cyprus, Czech Republic, Denmark, Finland, Germany, Ireland and Latvia, require prior consent for all forms of analytics, even for first-party, anonymised and cookieless tools.

These countries interpret analytics tools that access or store information on users’ terminal devices as non-essential under the ePrivacy Directive, meaning they fall within the consent requirements, regardless of whether personal data is collected or not.

This interpretation is rooted in Article 5(3) of the ePrivacy Directive, which protects the confidentiality of communications and applies to device-level access, not just personal data processing under the GDPR.

Countries that allow limited exemptions for first-party analytics

In contrast, countries like France, Spain, Italy and recently the UK, recognise that some forms of website analytics can be essential and permit exemptions from consent requirement for first-party, non-invasive analytics tools under specific conditions. For example, France (via CNIL) conditions for consent-free analytics are described in more detail in the CNIL Configuration Guide.

Countries with more flexible approaches

Other European countries with strong privacy laws, such as Iceland and Switzerland- have not implemented ePrivacy laws. As a result, their cookie rules are more flexible and generally do not require prior consent for analytics when:

  • Data is not personally identifiable, and
  • Transparent disclosures are provided with opt-out options.

Consent requirements across Europe vary due to how national regulators interpret the ePrivacy Directive and define exemptions for analytics. Organisations should review local guidance carefully and, when in doubt, apply the strictest standard across regions or enable geo-based consent configurations.

Review the ePrivacy laws specific to your target countries and adjust your analytics setup accordingly. After reviewing consent requirements:

  1. Configure your Matomo privacy settings to align with your compliance goals.
  2. Minimise data collection where appropriate. This includes anonymising IP addresses, disabling tracking cookies, and enabling features that support a privacy-first approach.
  3. Consider integrating Matomo with a consent management platform (CMP) using either the standard tracking code or Matomo Tag Manager.
  4. Alternatively, offer an opt-out mechanism if it is compliant with the applicable privacy laws e.g., when implementing a CNIL configuration and tracking starts by default with clear opt-out options.
  5. Provide a Cookie Notice (for cookie-based tracking) and a Privacy Notice that explains what data is collected, for what purpose, and how users can manage their preferences.

Read the guides on GDPR and Matomo Analytics and the ePrivacy Directive for more detail on compliance strategies and technical configurations.

While consent requirements vary by region, taking a privacy-first approach helps build trust with your users and reduce legal risk. By configuring Matomo to respect user privacy, you can maintain compliance while still gaining valuable insights into website performance.

Note: Always review the latest legal guidance relevant to your audience and update your setup as needed.