In the context of the GDPR privacy regulations, when you are processing personal data, in some cases you will need to ask for your users' consent. To identify whether you need to ask for any consent, you need to determine whether your lawful basis for processing personal data is "Consent" or "Legitimate interest", or whether you can avoid collecting personal data altogether. We recommend learning more about the lawful basis under the GDPR for Matomo.
Matomo differentiates between cookie and tracking consent:
Follow the steps below to ask your user for either tracking or cookie consent before their data is processed within Matomo.
To require consent, insert the following line at the top of your existing Matomo Tracking code on all your pages:
// require user tracking consent before processing data
_paq.push(['requireConsent']);
// OR require user cookie consent before storing and using any cookies
_paq.push(['requireCookieConsent']);
_paq.push(['trackPageView']);
[...]
If requireConsent is executed, then no tracking request will be sent to Matomo and no cookies will be set.
If requireCookieConsent is executed, tracking requests will still be sent but no cookies will be set.
Now you can ask the user for consent, for example by displaying a clear privacy notice on your pages. Learn more about privacy notices and asking for user consent. Note that Matomo does not yet offer the feature to display a privacy notice, but may implement such a feature in the future to easily let you display the notice and gather user consent.
Once a user gives consent, you can either A) let Matomo remember the consent, or B) use your own consent tool to remember the consent. We present the two solutions below:
Once a user gives their consent, you can let Matomo remember it by calling the following method:
// remember tracking consent was given for all subsequent page views and visits
_paq.push(['rememberConsentGiven']);
// OR remember cookie consent was given for all subsequent page views and visits
_paq.push(['rememberCookieConsentGiven']);
Matomo will then remember on subsequent requests that the user has given their consent by setting a cookie named "consent". As long as this cookie exists, Matomo will know that consent has been given and will automatically process the data. This means that you only need to call _paq.push(['rememberConsentGiven']) or _paq.push(['rememberCookieConsentGiven']) once.
Notes:
_paq.push(['rememberConsentGiven', optionallyExpireConsentInHours]) or _paq.push(['rememberCookieConsentGiven', optionallyExpireConsentInHours]).
In some cases, you record the information that the user has given consent to be tracked directly in your own system or CMS (for example when you use your own cookie to remember user consent). Once you have the user's consent to process their data, you need to call the setConsentGiven or setCookieConsentGiven method:
// require user tracking consent before processing data
_paq.push(['requireConsent']);
// OR require user cookie consent before storing any cookies
_paq.push(['requireCookieConsent']);
_paq.push(['trackPageView']);
[...]
// user has given consent to process their data
_paq.push(['setConsentGiven']);
// OR user has given consent to store and use cookies
_paq.push(['setCookieConsentGiven']);
This lets the JavaScript tracker know that the user has given consent and ensures the tracking is working as expected. This function needs to be called anytime after _paq.push(['requireConsent']) or _paq.push(['requireCookieConsent']).
Notes:
When you call _paq.push(['setConsentGiven']) or _paq.push(['setCookieConsentGiven']), Matomo will not remember on subsequent requests that this user has given consent: it is important that you call setConsentGiven on every page.
_paq.push(['requireConsent']) in the first place.
In order to remove their consent, the user needs to perform a specific action, for example clicking on a button "I do not want to be tracked anymore".
When the user has expressed they no longer give consent, you need to call the following method once:
// revoke tracking consent
_paq.push(['forgetConsentGiven']);
// OR revoke cookie consent
_paq.push(['forgetCookieConsentGiven']);
This makes sure the cookie that remembered the given consent is deleted.
When the user has expressed they no longer give consent, you must no longer call the following method:
// do not call this once user has removed their consent
_paq.push(['setConsentGiven']);
// OR this method if you are using cookie consent
_paq.push(['setCookieConsentGiven']);
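The following added example (not part of the original guide or of Matomo's code) ties option B together with revocation: the site's own store holds the decision, setConsentGiven is repeated on every page load while consent stands, and revoking removes the stored decision so it is no longer called. The key name CONSENT_KEY, the helper names and the in-memory store are assumptions; in a page the store would typically be localStorage or your consent tool.

```javascript
// Added example: consent wiring when your own system remembers the decision.
const CONSENT_KEY = 'site_tracking_consent'; // hypothetical key name

// Commands to queue on every page load, in the order shown in the guide.
// requireConsent comes first so nothing is sent before the decision is known.
function commandsForPageLoad(store) {
  const cmds = [['requireConsent'], ['trackPageView']];
  if (store.getItem(CONSENT_KEY) === 'granted') {
    // Matomo does not remember setConsentGiven, so repeat it on each page.
    cmds.push(['setConsentGiven']);
  }
  return cmds;
}

// User accepted: persist in our own store, then unblock the tracker.
function onConsentGranted(store, paq) {
  store.setItem(CONSENT_KEY, 'granted');
  paq.push(['setConsentGiven']);
}

// User clicked "I do not want to be tracked anymore": drop our record so
// later page loads stop calling setConsentGiven, and tell Matomo once.
function onConsentRevoked(store, paq) {
  store.removeItem(CONSENT_KEY);
  paq.push(['forgetConsentGiven']);
}

// Minimal in-memory store with the localStorage method names (constructed,
// so the example also runs outside a browser).
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// In a page:
//   var _paq = window._paq = window._paq || [];
//   commandsForPageLoad(localStorage).forEach(function (c) { _paq.push(c); });
```

For cookie consent, the same structure applies with requireCookieConsent, setCookieConsentGiven and forgetCookieConsentGiven.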
Wanting to build a custom opt-out form instead of a consent screen? Check out the guide for creating a custom opt-out form.