Cookieless tracking with Matomo in compliance with the GDPR

As the operator of a website or online store, collecting user data is crucial for analyzing website traffic. But also for us at web-vision, as a digital agency, looking at the user behavior of a TYPO3 website or a Magento store managed by us is mandatory.

With the advent of stricter data protection laws such as the General Data Protection Regulation (GDPR) in the European Union in May 2016, website operators must find new ways to respect the privacy of users on the one hand, but on the other hand to gain valuable information about user behavior and use this as a basis for optimizing their own website or online store.

One possible approach for this is "cookie-less tracking" with the open source software Matomo, which can be operated on your own servers.

What is cookieless tracking?

Cookieless tracking refers to the collection of user data without the use of cookies.

Cookies are small files that are stored on the user's device or browser and contain information about their user behavior.

However, not all cookies are automatically prohibited under the GDPR.

Necessary cookies that enableforbasic functions of a website are essential. They enable functions such as page navigation, access to secure areas of the website or the storage of products in the shopping cart of an online store. Since these cookies are absolutely necessary for the provision of the services that the user has explicitly requested, no consent is required. The website user can decide for themselves whether to register as a user on the website or to make a purchase in the store.

In this case, it is sufficient to simply inform the user about the use of cookies in the privacy policy.

Website tracking, Matomo and data protection

Matomo, an open source web analytics platform that can be installed and operated on your own server. Instead of transmitting data to external, popular analysis services such as Google Analytics or eTracker, the usage data is stored on the same web server as your own store or website, for example.

Matomo already offers a data protection mode that can be easily activated. The last two digits of the IP addresses of website users, which are classified as personal data according to the GDPR, are simply removed. It is therefore no longer possible to draw conclusions about individual visitors based on a unique IP address.

Matomo also offers an extended configuration that allows tracking to take place without cookies.

This allows website operators to continue to gain valuable insights into the behavior of their visitors without violating their privacy. Matomo respects the do-not-track setting of browsers and offers transparent data collection that complies with the GDPR.

Advantages of cookieless tracking with Matomo

  • GDPR compliance: Since no cookies are used, the risk of GDPR violations is reduced. This is particularly important for websites operating in the EU or targeting EU citizens.
  • Ease of use: Users no longer have to actively agree to the use of cookies or reject cookies, resulting in a better user experience when visiting the website or online store.
  • More data and higher data accuracy: Cookieless tracking can be more accurate in some cases as it is not affected by users who block or regularly delete cookies. Users who would otherwise object to the tracking of their data in the now common cookie consent banners usually do not appear in the user data. With cookie-less tracking, however, all website visitors can now be recorded again.
  • Improved data security: As less personal data is collected, the risk of data breaches is reduced.
  • Independence from third-party services: Especially in 2024, the change from Google Universal Analytics to Google Analytics 4 caused a lot of misunderstanding, unnecessary effort and long training periods. Although it seems "convenient" at first glance to rely on "free" third-party services such as Google, this shows that you are indirectly paying with user data and are dependent on the provider's range of functions. Even extended evaluations such as heat map analysis or A/B tests are possible with Matomo in compliance with data protection regulations.

Challenges, considerations and implementation

Limited personalization: Without cookies, the personalization of content for the user may be limited. However, if you want to avoid data analysis and individualization of content for individual users and thus user profiling, cookie-less tracking with Matomo is a good solution.

Technical implementation: Converting to a cookieless tracking system is hardly technically demanding and can be done within a few minutes. For online stores, e.g. with Magento or TYPO3 websites, only the snippets already configured in Matomo need to be integrated. Data protection-compliant integration is therefore possible in just a few minutes.


Cookie-less tracking in Matomo offers an effective solution for website operators who want to analyze the user behavior of their users while complying with the data protection regulations of the GDPR.

The elimination of the unpopular cookie consent banners in particular repeatedly causes unnecessary disruptions during website visits and, in the best case, leads to less user data being collected. In the worst case, however, the user is so annoyed by the banner, which is usually implemented as an overlay, that they abandon their visit to the website. In case of doubt, important conversions for the website or online store operator are lost.

On our TYPO3 website and in our Extendware Magento online store for extensions, we have therefore been dispensing with tracking with cookies and analysis by Google Analytics for a few weeks now. We now only have technically necessary cookies and have been able to remove the annoying cookie banners. Whereas we previously paid around EUR 50.00 per month for cookie banners, the current Matomo solution can be operated without a subscription and follow-up costs.

Note: This article reflects our opinion and that of Matomo, please check before switching to cookie-less tracking with Matomo whether the data protection recommendations in your country and federal state see it the same way.