GDPR-compliant tracking with Matomo

The GDPR makes conventional tracking of website visitors more difficult. With Matomo, an alternative is available that enables your company to use GDPR-compliant tracking. In this article we describe the advantages of the server-based solution and its possible uses.

These are the main challenges related to the GDPR

The General Data Protection Regulation (GDPR) is important for all companies in the EU. One of the most important changes concerns the sharing of data that you collect on your website. Since 2018, this is only permitted with the consent of the visitor.

So far, website operators have used cookie banners to obtain the consent of their users. This solution was always controversial, soon it will no longer be sufficient. This basically makes data sharing a problem. The IP address of your visitors is also one of the personal data to which the GDPR refers.

No data processing without consent

The personal data of your website visitors may only be processed if the users have consented to this. You must meet the associated data protection requirements before processing. It is a misconception that you could also obtain this consent afterwards. Consent is a legal term that means prior consent. Subsequent consent is approval, but it is not sufficient for the processing of personal data.

Handling user data is a sensitive topic and will become even more demanding in the future due to the regulations of the GDPR. Companies like yours need to adapt to these changes today.

What is Matomo?

Matomo provides you with an analysis platform that you can use to regain control of your data. Matomo is hosted on-premise. On-premise means you set up the software on your own servers. The data of your users no longer get out, so that third parties cannot process them. It's the most thorough way to avoid privacy issues.

Matomo's solutions are aimed at data-sensitive companies. If you use your own servers, you decide what happens to the data. Rely on servers located in Germany to meet the EU's strict data protection requirements for cloud services. Adjustments and extensions are possible at any time and to the desired extent. In addition, no data restrictions hinder your business.

Matomo is an open source solution that emerged in 2018 from the well-known and popular tracking tool Piwik. The advantage of open source: With Matomo's decision, you do not tie your company to a private provider - as is the case with Google Analytics, for example. Matomo's source code is freely available and is continuously optimized and expanded by experts worldwide.

Like other web analysis options, even the basic version of Matomo offers you numerous analysis functions that show you the behavior of visitors to your website on clear, freely definable dashboards. If you would like to delve deeper into the collected data, Matomo can be completely adapted to the needs of your company with free or paid plug-ins. Depending on the desired analysis, Matomo offers you different functions for filtering, display and export.

Why your company should also track on the server side in the future

With the introduction of the GDPR, website operators must use a so-called cookie banner to inform their visitors about the use of tracking tools such as Google Analytics - and obtain the visitors' explicit consent that their data may be collected and analyzed. However, more and more people are refusing this consent. The acceptance of making personal data available to a global corporation like Google is steadily declining. For your website, this means: You lose valuable information about the behavior of your visitors or - what is even more fatal - the visitors jump off when the cookie banner appears.

With server-side tracking, as offered by Matomo, you focus on the protection of your visitors' personal data. Because Matomo makes it possible to track your website visitors in compliance with GDPR, without the data leaving your company! The "trick" is very simple: While Google Analytics sends the data to the USA and analyzes it there, Matomo analyzes it directly on your own server. This means you can do without annoying cookie pop-ups - and thus keep bounce rates low and possibly even increase your conversion rate!

The big advantage of Matomo is the control of the data records. With Matomo's server-side solution, you retain complete control over which of your customers' data you want to collect and evaluate.

What is not GDPR compliant about Google Analytics?

The fact that Google Analytics violates the GDPR has been in the air at least since the decision of the Austrian data protection authority on December 22, 2021 (GZ D155.027, 2021-0.586.257). Google Analytics collects personal data and forwards it to Google. This is problematic because the US company has to pass on all data to the US secret service. According to Article 44 GDPR, there is no longer a sufficient level of protection.

If you use Google's statistics program, you pass on the following user data to the group:

• The unique user identification number
• IP address
• browser parameters

Data protection authorities in Germany and the Netherlands are examining this decision. The crucial point is the transfer of data to third parties. This is always problematic because it is not clear who ultimately receives the data and how they process it. If you pass on data, you are basically entering legally uncertain territory.

For this reason, solutions that exclude data transfer from the outset are coming to the fore. If you work with software on your own servers for tracking, the user data will no longer reach Google. This legally secures your offer and prevents fines that are provided for under the GDPR.

As a result of the developments described, the use of Google Analytics on company websites will soon no longer be possible throughout the EU. Because there is a risk that this could be a violation of the GDPR. Google has reacted and provides encryption for its cloud services, for example. There is a high probability that these and the adjustments to the group's data protection guidelines are not sufficient to establish GDPR compliance.