Matomo offers a cookieless tracking mode that avoids storing any identifier on the visitor's device. Instead of relying on cookies like _pk_id or _pk_ses, Matomo generates a server-side hash called config_id to group page views into sessions. No cookies, no banner, full data - that is the promise. The reality under German data protection law is less straightforward.
How Matomo's Cookieless Mode Works
When cookies are disabled, Matomo stops setting first-party tracking cookies on the visitor's browser. Visitor identification shifts entirely to the config_id - a short-lived hash derived from the visitor's operating system, browser, browser plugins, IP address, and browser language. This hash resets every 24 hours, and the default look-back window for matching a returning visit is just 30 minutes.
The config_id is not a fingerprint in the traditional sense. Fingerprinting aims to persistently track users across sites and sessions, while the config_id is time-limited, randomly seeded, and stored only server-side.
Enabling it is a one-line change in the tracking code:
_paq.push(['disableCookies']);
Place this before the trackPageView call, and Matomo will operate without cookies for every visitor. For WordPress sites using the Matomo plugin, the same toggle exists under Matomo Analytics > Settings.
What You Lose Without Cookies
Cookieless mode comes with real trade-offs in data accuracy. Because the config_id hash resets frequently and cannot persist between sessions, several standard reports become unreliable.
| Report / Metric | With Cookies | Without Cookies |
|---|---|---|
| Returning vs new visitors | Accurate across sessions | All visits counted as new after hash reset |
| Visit count per visitor | Tracked over cookie lifetime (up to 13 months) | Lost after each session window |
| Multi-session attribution | Conversion credited to original campaign | Conversion credited to last-touch channel only |
| Cohort analysis | Functional | Not possible |
| Multi-channel attribution | Distributes credit across touchpoints | Cannot link sessions across visits |
| Ecommerce order attribution | Linked to original traffic source | Linked to session that completed the purchase |
Page views, event tracking, downloads, outlinks, and site search reports remain fully accurate. The loss is concentrated around anything that requires recognising the same person across multiple sessions.
The DSGVO and Section 25 TDDDG: More Than Just Cookies
Germany's DSGVO (the German implementation of the GDPR) governs the processing of personal data, but cookie consent rules come from a separate instrument: the Telecommunications Digital Services Data Protection Act, or TDDDG (formerly TTDSG). Section 25 of the TDDDG transposes Article 5(3) of the ePrivacy Directive into German law.
The critical detail: Section 25 does not mention cookies by name. It regulates the storage of information on, or access to information stored in, the end user's terminal equipment. This covers cookies, localStorage, fingerprinting scripts, and any JavaScript that reads device properties such as screen resolution or installed plugins.
Consent is only unnecessary if the access is "strictly necessary" for a service explicitly requested by the user. Web analytics, by definition, are not something the user requested - they are something the site operator wants. The German Data Protection Conference (DSK) has deliberately avoided granting analytics a blanket exemption from consent, unlike the French CNIL, which offers a specific audience measurement exemption for properly configured tools like Matomo.
Does Matomo's Cookieless Mode Require Consent in Germany?
This is where legal opinions diverge.
Matomo's JavaScript tracker, even without cookies, still reads information from the visitor's device - the browser's user agent string, screen resolution, installed plugins, and language settings are all accessed client-side to generate the config_id. Under a strict reading of Section 25 TDDDG, this device access triggers the consent requirement regardless of whether any data is stored on the device.
Some privacy practitioners argue that reading a user agent string - data the browser sends voluntarily with every HTTP request - is not the same as actively querying the device's storage. The German DSK has not published a definitive ruling on this scenario. The EDPB's 2023 guidelines on Article 5(3) of the ePrivacy Directive, however, adopted an expansive interpretation: any "gaining of access" to information on a terminal device falls within scope.
A March 2025 ruling by the Hannover administrative court reinforced this trend, finding that Google Tag Manager requires explicit consent before activation because it accesses device information during initialisation. In December 2025, the Frankfurt Higher Regional Court ruled that third-party cookie providers bear direct liability under Section 25 TDDDG for placing cookies without consent - broadening who can be held responsible for non-compliant tracking.
The Practical Takeaway for Germany
If your site targets German visitors, the safest position is: Matomo's cookieless mode reduces your compliance burden but does not eliminate the need for consent outright. Inform visitors about the tracking in your privacy policy, provide an opt-out mechanism, and configure Matomo to avoid processing personal data (IP anonymisation with 2-3 bytes, no User ID, no cross-domain tracking).
Many German site operators take a hybrid approach: track cookieless without prior consent, but offer a visible opt-out and keep data minimisation settings tight.
Where Cookieless Matomo Tracking Is Consent-Exempt
Germany's cautious stance is not universal across Europe. Several jurisdictions have carved out explicit exemptions for audience measurement tools that meet strict conditions.
France: The CNIL has confirmed that Matomo qualifies for its audience measurement exemption when properly configured. The requirements are precise: cookies limited to 13-month lifespan, data retained for a maximum of 25 months, no cross-site tracking, no User ID, no data sharing with third parties, and reports must be anonymised and aggregated. The CNIL updated its self-assessment guidelines in July 2025 and is preparing a new certification framework for early 2026.
The Netherlands and Spain: Both countries allow audience measurement cookies with limited privacy impact to be set without consent, under conditions similar to the CNIL framework. The Dutch authority emphasises data minimisation; the Spanish AEPD's 2024 guidance does not require full dataset anonymisation but limits purposes strictly to audience measurement.
United Kingdom: The Data (Use and Access) Act 2025 introduces updates to PECR that are expected to make it easier to use privacy-friendly analytics without consent, provided the data is strictly statistical and not shared for other purposes. The ICO is expected to publish updated guidance on this exemption in 2026.
How to Configure Matomo for Maximum Privacy Compliance
Regardless of whether your jurisdiction demands consent for cookieless tracking, minimising the personal data Matomo collects is good practice. These steps bring Matomo closer to compliance across all major frameworks.
Step 1: Disable Cookies
Add _paq.push(['disableCookies']); before trackPageView. Alternatively, enable "Force tracking without cookies" in the Matomo admin panel under Privacy settings (available since Matomo 4).
Step 2: Anonymise IP Addresses
Mask at least 2 bytes (3 bytes recommended) of the IP address. Under the DSGVO, IP addresses are personal data. Full masking is possible and eliminates this risk entirely.
Step 3: Anonymise Referrer Data
Referrer URLs can contain personal data - campaign parameters, usernames, or links from personal pages. Enable referrer anonymisation (Matomo 4+).
Step 4: Disable Features That Process Personal Data
Turn off User ID tracking, ecommerce tracking, heatmaps, and session recordings. If you need them, gate them behind consent using a consent management platform.
Step 5: Use Single-Site Tracking Only
Do not use cross-domain tracking or third-party cookies. Track each site independently to prevent visitor profiles from spanning multiple properties.
Step 6: Inform Users and Provide Opt-Out
Describe the tracking in your privacy policy. Embed the Matomo opt-out iframe or implement an equivalent mechanism. Even where consent is not required, an opt-out is expected by every major European DPA.
The Hybrid Approach: Cookieless by Default, Cookies After Consent
Many site operators use a two-tier strategy. Matomo runs in cookieless mode for all visitors by default. When a visitor grants consent via the cookie banner, the tracking code calls _paq.push(['setCookieConsentGiven']); and Matomo switches to full cookie-based tracking - unlocking returning-visitor data and multi-session attribution for those who opt in. Consent management platforms like Kukie.io support this pattern through their Matomo integration.
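The hybrid wiring described above, as an added example that is not from the original article or from Matomo. `disableCookies`, `setCookieConsentGiven`, `deleteCookies`, `setTrackerUrl`, `setSiteId` and `trackPageView` are Matomo tracker methods; the function names, the consent flag supplied by the consent management platform (CMP), the tracker URL and the cookie strings are assumptions.

```javascript
// Commands for one page load. The CMP's stored decision has to be replayed on every
// page, because setCookieConsentGiven does not persist anything on its own.
function matomoCommands(analyticsConsent, cfg) {
  const cmds = [['disableCookies']];            // cookieless default for every visitor
  if (analyticsConsent === true) {
    cmds.push(['setCookieConsentGiven']);       // re-enable cookies before the first hit
  }
  cmds.push(['setTrackerUrl', cfg.trackerUrl], ['setSiteId', cfg.siteId], ['trackPageView']);
  return cmds;
}

// Called by the CMP when the visitor changes their choice on the current page.
function onConsentChange(paq, granted) {
  if (granted) {
    paq.push(['setCookieConsentGiven']);
  } else {
    paq.push(['disableCookies']);               // back to cookieless mode
    paq.push(['deleteCookies']);                // drop _pk_* cookies already set
  }
  return paq;
}

// Audit helper: Matomo cookie names found in a document.cookie / Cookie header string.
function matomoCookies(cookieString) {
  return cookieString.split(';')
    .map(pair => pair.trim().split('=')[0])
    .filter(name => name.startsWith('_pk_'));
}

// A page load breaks the hybrid policy if _pk_* cookies exist although the CMP
// has no analytics consent on record.
function cookiesWithoutConsent(analyticsConsent, cookieString) {
  return analyticsConsent === true ? [] : matomoCookies(cookieString);
}

// Constructed values: placeholder tracker URL, site id and cookie string.
const cfg = { trackerUrl: 'https://analytics.example/matomo.php', siteId: '1' };
console.log(matomoCommands(false, cfg).map(c => c[0]).join(' > '));
console.log(cookiesWithoutConsent(false, 'lang=de; _pk_id.1.1fff=abc.1736500000'));
// Browser use (cmpDecision is a hypothetical boolean from your CMP):
//   const _paq = (window._paq = window._paq || []);
//   matomoCommands(cmpDecision, cfg).forEach(c => _paq.push(c));
```

Running `cookiesWithoutConsent` against `document.cookie` in an automated browser test, before any banner interaction, gives a regression check that the cookieless default has not been broken by a tag or plugin update.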
EU Reform on the Horizon
The European Commission's Digital Omnibus initiative, formally proposed in November 2025, may reshape these rules. The draft would exempt consent for device access when it is strictly necessary for aggregated audience measurement by the site owner. If adopted - potentially in 2026 - this would codify at the EU level what the CNIL already permits in France.
Until these reforms take full effect, the safest course is to configure Matomo for maximum data minimisation and consult local legal advice for your specific jurisdiction.
Frequently Asked Questions
Does Matomo's cookieless mode collect any personal data?
In its default cookieless configuration, Matomo still accesses browser properties (user agent, screen resolution, language) and the visitor's IP address. If you anonymise the IP by at least 2 bytes and avoid tracking User IDs or ecommerce order IDs, the remaining data is generally not considered personal. Full IP masking removes the last personal identifier.
Can I use Matomo without a cookie banner in Germany?
Possibly, but it depends on legal interpretation. Section 25 of the TDDDG covers any access to information stored on a user's device, not just cookies. If Matomo's JavaScript reads device attributes, some legal experts argue consent is still required. Disabling cookies and minimising data collection reduces risk, but a definitive DSK exemption for analytics does not exist in Germany.
What is the config_id in Matomo?
The config_id is a server-side hash generated from a visitor's operating system, browser type, plugins, IP address, and language. It groups page views into visits for up to 24 hours. It is not stored on the visitor's device, resets daily, and Matomo distinguishes it from fingerprinting because it is time-limited and randomly seeded.
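To make the grouping behaviour concrete, here is an added example (not Matomo's code and not from the original article) that models a daily-salted server-side hash with a 30-minute look-back window. The HMAC construction, the in-memory salt store, hashing the masked IP and all function names are assumptions for illustration; Matomo's real algorithm is not reproduced here.

```javascript
const crypto = require('crypto');
// Simplified model, NOT Matomo's actual algorithm: one random salt per UTC day,
// held only in server memory, so ids from different days cannot be linked.
const salts = new Map();
function saltFor(day) {
  if (!salts.has(day)) salts.set(day, crypto.randomBytes(16));
  return salts.get(day);
}

// Zero the last `bytes` octets of an IPv4 address (IP anonymisation).
function maskIPv4(ip, bytes) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error('not an IPv4 address: ' + ip);
  }
  return parts.map((p, i) => (i >= 4 - bytes ? '0' : p)).join('.');
}

// Hash the attributes the article lists: OS, browser, plugins, IP, language.
function configId(hit, maskBytes = 2) {
  const day = new Date(hit.ts).toISOString().slice(0, 10);
  const material = [hit.os, hit.browser, hit.plugins, maskIPv4(hit.ip, maskBytes), hit.lang];
  return crypto.createHmac('sha256', saltFor(day)).update(material.join('|'))
    .digest('hex').slice(0, 16);
}

// Count visits: a hit continues a visit if the same id was seen <= lookbackMin ago.
function countVisits(hits, lookbackMin = 30, maskBytes = 2) {
  const lastSeen = new Map(); // config id -> timestamp of its last action
  let visits = 0;
  for (const hit of [...hits].sort((a, b) => a.ts - b.ts)) {
    const id = configId(hit, maskBytes);
    const prev = lastSeen.get(id);
    if (prev === undefined || hit.ts - prev > lookbackMin * 60000) visits++;
    lastSeen.set(id, hit.ts);
  }
  return visits;
}

// Constructed sample hits (documentation-range IPs, made-up browser attributes).
const base = { os: 'Linux', browser: 'Firefox 128', plugins: 'pdf', lang: 'de-DE' };
const t0 = Date.UTC(2025, 0, 10, 9, 0);
const sampleHits = [
  { ...base, ip: '203.0.113.7', ts: t0 },                // visitor A
  { ...base, ip: '203.0.113.7', ts: t0 + 10 * 60000 },   // A again: same visit
  { ...base, ip: '203.0.113.7', ts: t0 + 2 * 3600000 },  // A after 2 h: new visit
  { ...base, ip: '203.0.113.99', ts: t0 + 12 * 60000 },  // visitor B, same network
];
console.log(countVisits(sampleHits, 30, 2), countVisits(sampleHits, 30, 0));
```

With two bytes masked, visitor B (same network, same browser profile) is folded into visitor A's visit and the sample yields 2 visits; with no masking the two stay separate and it yields 3. The stronger the masking, the less identifying the hash and the coarser the visit counts.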
How does France's CNIL exemption for Matomo work?
The CNIL allows Matomo to operate without consent if configured to produce only anonymised, aggregated audience reports. Conditions include: cookies limited to 13 months, data retained for a maximum of 25 months, no cross-site tracking, no User ID, no data sharing with third parties, and visitors must be informed with an opt-out option. Both Matomo Cloud and On-Premise can be configured to meet these requirements.
What reports become inaccurate in Matomo's cookieless mode?
Returning visitor counts, visit frequency, multi-session campaign attribution, cohort analysis, and multi-channel attribution reports all lose accuracy. Page views, event tracking, downloads, outlinks, and site search remain unaffected. The core limitation is that Matomo cannot reliably identify the same visitor across separate sessions without cookies.
Is the Matomo cookieless config_id considered browser fingerprinting?
Matomo explicitly states that config_id is not fingerprinting. Fingerprinting aims to persistently identify users across sites and sessions. The config_id is randomly seeded, time-limited to 24 hours, stored server-side only, and used on a single site. The CNIL has accepted this distinction. German authorities have not published a specific position on it.
Should I use a hybrid cookieless-plus-consent approach?
A hybrid approach is the most practical strategy for many sites. Track all visitors in cookieless mode by default, then switch to full cookie-based tracking for visitors who consent. This captures aggregate metrics for 100% of traffic while preserving attribution data for opted-in users. Most consent management platforms support this pattern.