Matomo and the CNIL Consent Exemption: Complete Configuration Guide
Matomo can be exempted from consent by the CNIL. Conditions, precise settings, common pitfalls, and verification: the complete guide.
Why Matomo Is So Attractive to European Businesses
The French data protection authority (CNIL) grants a consent exemption to certain audience measurement tools, provided they comply with a strict framework. Matomo is the only major tool eligible. In practical terms, this means you can measure your site’s audience without displaying a cookie banner for analytics — and therefore collect data on 100% of your visitors instead of 60 to 70%.
This is a considerable advantage. But the exemption is not automatic. It depends on a precise configuration that many Matomo installations do not respect.
Eligibility Conditions
The CNIL imposes several cumulative conditions to benefit from the exemption. Collected data must serve solely to produce anonymous statistics. No cross-referencing with other processing is allowed. Data must not be transmitted to third parties. And users must be informed and able to opt out easily.
More specifically, here are the technical requirements:
The IP address must be anonymized by at least two octets (for example, 192.168.0.0 instead of 192.168.12.34). Geolocation data must not go below city level. The tracker cookie lifespan (typically _pk_id) must not exceed 13 months. And the session cookie (_pk_ses) must be limited to 30 minutes.
Precise Matomo Configuration
In Matomo’s administration interface, go to privacy settings. Here are the settings to apply:
IP anonymization: enable anonymization and configure it to 2 octets minimum. The CNIL recommendation is clear on this point — one octet is not enough.
Cookie duration: in tracking settings, reduce the visitor cookie duration to 13 months maximum and the session cookie to 30 minutes.
Do Not Track compliance: enable the “Respect browsers’ Do Not Track header” option. Even though this feature is declining on the browser side, the CNIL requires it.
No User ID: do not use the User ID feature if you want to benefit from the exemption. Cross-device tracking is incompatible with the exemption framework.
Accessible opt-out: integrate the Matomo opt-out widget on your privacy policy page. Users must be able to refuse audience measurement even in the absence of a consent banner.
Pitfalls to Avoid
The most common pitfall: enabling Matomo plugins that fall outside the exemption scope. Heatmaps, session recordings, A/B tests, or advanced e-commerce tracking involve processing that goes beyond simple audience measurement. If you enable them, the exemption no longer applies and you must collect consent.
Second pitfall: using Matomo Cloud without verifying server location. For the CNIL exemption, data must be hosted in Europe. Matomo Cloud is hosted in Germany, which is compliant. If you run an on-premise installation, however, verify your hosting provider’s location yourself.
Third pitfall: not informing users. Consent exemption does not exempt you from providing information. Your privacy policy must mention Matomo usage, the statistical purpose, data retention period, and the right to object.
How to Verify Your Compliance
The CNIL publishes a verification guide on its website. But the most reliable method is to inspect your site’s network requests: check the cookies set, the parameters sent in tracking requests, and the Matomo server responses.
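One way to script the cookie and request inspection described above, as an added example that is not taken from the CNIL guide or from Matomo's own code. The function names, input shapes, host name and sample values are assumptions constructed for illustration; `uid` is the User ID parameter of Matomo's tracking API, and the check expects tracking parameters in the query string.

```javascript
// Added example. Cookie list and request URL below are constructed samples.
const SESSION_MAX_MS = 30 * 60 * 1000; // _pk_ses limit from this guide

// Latest acceptable _pk_id expiry: observation time plus 13 calendar months.
function visitorDeadline(observedAt) {
  const d = new Date(observedAt.getTime());
  d.setUTCMonth(d.getUTCMonth() + 13);
  return d;
}

// cookies: [{ name, expires }] with ISO 8601 expiry strings copied from the
// browser's storage inspector; trackingUrl: one captured tracking request.
function auditMatomo(cookies, trackingUrl, observedAt) {
  const findings = [];
  for (const { name, expires } of cookies) {
    const isVisitor = name.startsWith("_pk_id");
    if (!isVisitor && !name.startsWith("_pk_ses")) continue;
    const exp = new Date(expires);
    if (Number.isNaN(exp.getTime())) {
      findings.push(`${name}: expiry missing or unparseable`);
    } else if (isVisitor && exp > visitorDeadline(observedAt)) {
      findings.push(`${name}: lifetime exceeds 13 months`);
    } else if (!isVisitor && exp - observedAt > SESSION_MAX_MS) {
      findings.push(`${name}: lifetime exceeds 30 minutes`);
    }
  }
  // uid carries the User ID, which this guide says must stay unused.
  if (new URL(trackingUrl).searchParams.get("uid")) {
    findings.push("tracking request sends uid (User ID in use)");
  }
  return findings;
}

const observedAt = new Date("2024-01-15T10:00:00Z");
const compliant = auditMatomo(
  [{ name: "_pk_id.1.abcd", expires: "2025-02-11T10:00:00Z" },
   { name: "_pk_ses.1.abcd", expires: "2024-01-15T10:30:00Z" }],
  "https://analytics.example.org/matomo.php?idsite=1&rec=1", observedAt);
const flagged = auditMatomo(
  [{ name: "_pk_id.1.abcd", expires: "2026-01-15T10:00:00Z" },
   { name: "_pk_ses.1.abcd", expires: "2024-01-15T12:00:00Z" }],
  "https://analytics.example.org/matomo.php?idsite=1&rec=1&uid=user-123",
  observedAt);
console.log({ compliant, flagged });
```

IP anonymization and hosting location are applied server-side and cannot be confirmed from the browser; check those in the Matomo privacy settings and with your hosting provider.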
If you are deciding between Matomo and GA4 or want to verify that your Matomo configuration qualifies for the exemption, an analytics compliance audit can settle the question quickly.