Tracking and data protection don’t fit? Yes it can! Because that’s exactly what the web analysis tool Matomo Analytics has made its mission. Matomo is considered a more privacy-friendly alternative to Google Analytics and is therefore also being used more and more frequently on websites.
But be careful! Because under certain conditions, the integration of Matomo on your website may not be privacy-compliant.
This article explains what these conditions are and what you should consider in order to integrate Matomo into your WordPress website in a DSGVO-compliant manner!
What is Matomo?
“Matomo” is the Japanese word for honesty. Because that’s exactly what the free open source software has made its mission. If you’ve been around the World Wide Web for a bit longer, you may still know the analytics tool under the name Piwik.
As a community to create the leading open platform for digital analytics that gives every user full control over their data.
Like Google Analytics, Matomo is a web analytics tool that helps website operators better understand the behavior of their visitors so they can better target their own optimization efforts. However, secretly collecting data is out of place with the all-in-one web analysis platform. The collection of data should be as transparent as possible for both website visitors and operators. Likewise, data access to third parties should only be permitted after authorization.
Matomo is based on PHP and uses a MySQL database. You can either download and host it locally or move the hosting to the Matomo cloud.
Matomo and privacy
Although Matomo provides less data compared to its competitor Google Analytics, the analytics tool scores with more privacy-friendly features.
Some measures Matomo offers to comply with data protection:
- Anonymization of data.
- Users can opt out of any tracking
- First-party cookies as standard
- Individuals can view the data collected
- Ability to delete visitor data if desired
- Data is not used for other purposes (compared to Google Analytics)
- IP anonymization
- Visitor log and profiles can be disabled
- Data is stored in the EU (Matomo Cloud) or in any country of your choice (Matomo On-Premise)
So, as you can see, unlike Google Analytics, you don’t have to take much additional action to avoid any privacy violations when using an analytics service. For example, thanks to the location of the Matomo cloud in the EU, the thorny issue of data transfer to the USA is eliminated.
However, even Matomo is in some ways not completely free of errors.
If you do not host Matomo locally on your server, but on the Matomo cloud, the IP address – which is a personal data in many countries – is sent to the Matomo server.
In addition, the analysis service uses tracking cookies to distinguish users and to link data from multiple page views.
Tracking cookies belong to the non-essential cookies. Essential cookies are technically necessary cookies that are important for the basic functionality of the website (e.g. login area cookies). For non-essential cookies, you usually always need consent within the EU.
But don’t panic! In the next section, we’ll show you how you can easily obtain consent.
How to integrate Matomo in a DSGVO-compliant way
Although Matomo – as you now already know – is comparatively more privacy-compliant than Google Analytics, we still recommend that you meet the following criteria to be on the safe side so as not to commit any data protection violations.
✅ Opt-in consent
Matomo itself provides you with an opt-out function. However, we recommend that you rather rely on the opt-in principle – i.e., you obtain the active consent of your website visitor before setting non-essential cookies and transferring personal data. This way, you are definitely on the safe side if the worst comes to the worst.
This is the case if you host Matomo in the Matomo cloud.
To get opt-in consent as easily as possible, you should use a consent management plugin like Real Cookie Banner.
- Open your WordPress backend.
- Go to Plugins > Install in the left menu.
- Search for Real Cookie Banner.
- Install and activate the plugin. And Real Cookie Banner is ready to go.
- Navigate again on the left menu to Cookies > Services (Cookies) > Add Service.
- Search for Matomo.
- Click on the template. Now you are in the service configuration.
- Scroll down to the Technical Handling section.
- Enter your Matomo host name and Matomo site ID.
- Scroll to the end of the template and click Save.
In addition to creating the template, you should switch to Matomo Tag Manager event in Cookies > Settings > General in the Load services after consent using section.
Done! Now you can use Matomo DSGVO-compliant after the opt-in consent of your visitors.
Since the IP address is a personal data in some countries within the EU, you are generally only allowed to collect, process and store it on the basis of opt-in consent.
To get around this, there is the so-called IP anonymization. As the name suggests, the IP address of the visitor is changed or shortened so that a unique identification is no longer possible.
IP anonymization is activated by default in Matomo.
To make sure that this is the case, you can check it again under Administration > Privacy > Anonimyze data. Here, either the 2 bytes or 3 bytes option should be selected.
❌ DNT command
Unlike many other services, Matomo is probably one of the few that implement the user’s Do Not Track command. Roughly summarized, the DNT header is a web technology or function that automatically tells the HTTP header of a website when it is visited that the visitor does not consent to the collection and storage of their data. However, this command is not a legal one and therefore not useful in most cases.
Matomo respects the DNT wish of the visitor.
However, you still need to enable this feature in your Matomo account under Administration > Privacy > Users opt-out > Support Do Not Track preference.
Additionally you should include the code snippet
🤝 Order processing contract
You always need an order processing contract (AV contract) if you commission an external company to process personal data. This contract regulates the handling of this data in accordance with data protection requirements. The basis for an AV contract is Article 28 of the GDPR.
For the use of Google Analytics, you definitely have to conclude an order processing contract.
Not necessarily for the use of Matomo. You only need to sign an AV contract with Matomo if you host Matomo in the in-house cloud. If you host Matomo locally, you do not need an AV contract because the data is not forwarded to the Matomo servers.