How to get the CNIL consent exemption with Matomo?

CNIL exemption conditions

France’s CNIL (data protection authority) allows certain audience measurement tools to operate without prior consent, provided they meet strict criteria defined in its guidelines. Matomo is explicitly cited by the CNIL as eligible for this exemption, but only in a specific configuration.

The main conditions are as follows: the purpose must be strictly limited to audience measurement for the exclusive benefit of the site publisher, data must not be cross-referenced with other processing or transmitted to third parties, the tracking cookie must have a maximum lifespan of 13 months, and collected data must not be retained beyond 25 months. The tool must not enable tracking of the user’s overall browsing across multiple distinct sites.

Required technical configuration

In Matomo, enable IP address anonymization (at minimum the last two octets). Disable cross-site and cross-device tracking features. Set the visit cookie duration to a maximum of 13 months. Disable browser fingerprinting if this option is available. Enable Do Not Track respect if you wish to go beyond minimum requirements.

For hosting, prefer Matomo On-Premise (self-hosted) on a server located in the European Union. Matomo Cloud is also eligible since servers are located in Europe, but self-hosting offers total control over the data.

Verification and documentation

After configuration, use the CNIL’s official guide to verify each criterion point by point. Document your configuration in your processing register and explicitly mention the exemption in your privacy policy. Keep a record of the applied settings. If your configuration deviates from the criteria (adding heatmap features, session recording, CRM cross-referencing), the exemption no longer applies and consent becomes mandatory again.