Getting GDPR-compliant analytics for France used to mean working through a detailed checklist, tweaking buried settings, and hoping you hadn’t missed anything.

Matomo’s new 1-Click CNIL compliance feature handles that automatically, so you can focus on your data, not your configuration.

The new feature helps you assess your current setup against CNIL consent exemption conditions, apply supported settings in one click, and see clearly what still needs your attention.

Reminder: you need to comply with CNIL requirements as soon as your audience includes people in France, even if your organisation isn’t French.

Why this matters

For many teams, the hard part isn’t choosing a privacy-first analytics platform. The hard part is configuring it correctly, documenting it clearly, and reducing the back and forth between marketing, implementation, and compliance team.

That changes with today’s release. Instead of reviewing settings one by one across different parts of Matomo, the 1-Click CNIL compliance feature reduces that friction at every stage:

• Fewer back-and-forths between marketing, development and privacy teams during setup.
• Less risk of misconfiguration, because the platform enforces the required settings rather than relying on a checklist.
• Easier to review for stakeholders and DPOs, with a clear compliance status per site and a self-assessment document built in.
• Faster to deploy across multiple sites, without repeating the same manual process each time.

This is especially useful for teams that need a faster and clearer path to a CNIL-aligned setup, without relying on scattered documentation or repeated manual reviews.

It’s also relevant if you’re evaluating Matomo against alternatives. CNIL compliance has historically required external setup support or a specialist. It no longer does.

What 1-Click CNIL compliance does

The feature lives at Administration > Privacy > Compliance. Select a site from the dropdown and Matomo runs a full assessment of your current configuration against CNIL requirements.

Each setting is assigned one of three statuses:

• Compliant: your current configuration meets the requirement.
• Non-compliant: the setting needs to be changed, and Matomo can apply it automatically.
• Unknown: Matomo cannot verify this from within the platform. It requires a manual step on your end.

Once you’ve reviewed the results, enable “Enforce compliance where possible” and click Save. Matomo applies all supported settings in one go. The compliance page also links directly to the knowledge base and to the self-assessment document, which CNIL now requires analytics providers to make available to their customers.

What changes when you enable it

When CNIL mode is enforced, Matomo applies a restricted configuration for the selected site or app. That can include:

This is what makes the feature useful in practice. It does not just tell you what the requirements are. It helps you apply the supported settings in one place and makes the remaining gaps visible.

What still requires a manual step

This is worth reading before you enable the feature:

The opt-out mechanism is not configured automatically. CNIL requires that visitors can object to audience measurement, and this must be embedded in your privacy policy as an iframe or link. The compliance page flags this with an “Unknown” status. The configuration guide walks you through the setup.

Any settings marked Unknown in your assessment also need manual review. Matomo cannot verify them from within the platform, and CNIL compliance cannot be confirmed until they are addressed.

Custom goals and events you create must stay within the three categories of events permitted by CNIL: presence on a page, use of a feature, and page performance statistics. Anything outside that scope falls outside the exemption.

Finally, this feature supports the compliance process. It does not replace legal review. If you operate in a regulated sector or manage compliance across multiple jurisdictions, your legal or privacy team should validate your configuration.

Where to start

It’s already available for superusers in Privacy > Compliance. The feature is live now on Matomo Cloud and available on Matomo On-Premise with version 5.9.0.

If you want to use Matomo in a way that may qualify for CNIL consent exemption when properly configured, start here:

• go to Administration > Privacy > Compliance
• select the relevant site
• review the assessment results
• enable Enforce compliance where possible
• complete the remaining manual steps, especially opt-out setup
• review the detailed self-assessment and knowledge base guidance for the full scope and restrictions 

The full configuration guide and self-assessment document are available in our knowledge base:

• our English configuration guide
• our French configuration guide
• our technical documentation for 1-Click CNIL Compliance, with the CNIL self-assessment
• our opt-out setup guide

These resources explain the detailed conditions, scope limitations, and remaining manual actions required for your setup.

Analytics that are easier to review, easier to configure, and easier to trust

Privacy-conscious analytics should not require a maze of manual checks.

With 1-Click CNIL Compliance, Matomo gives your team a more direct way to assess its setup, apply supported CNIL-aligned settings, and document what still needs to be done.

It is a practical step toward analytics that are easier to configure, easier to review internally, and easier to operationalise across teams.

Learn more about this new feature here: How do I configure Matomo without tracking consent for French visitors (CNIL exemption)?

Wellington, 18 March 2026 – Matomo, the world’s leading privacy-first and ethical open-source analytics platform, announced the release of Matomo 5.8.0, the latest version of its web-analytics platform bringing new capabilities to enhance analytics insights in the age of AI. With this release, Matomo introduces AI chatbot tracking, a new report within its AI Assistant tracking capabilities. This report helps organisations understand how AI chatbots interact with their websites. Combined with the existing AI Agents report, it provides a clearer view on how AI tools access and analyse website content.

AI chatbots are redefining web analytics

Nowadays, companies face a new challenge: distinguishing between human visitors and interactions generated by AI chatbots. Without this differentiation, web analytics data becomes increasingly unreliable, affecting executive decision-making.

AI web traffic is not limited to a single type of interaction. It includes AI agents, which can autonomously browse or perform actions on websites, AI chatbots, which access and analyse website content to generate responses within their interfaces; and AI referrals, where users visit a website after clicking on links suggested by AI tools.

Matomo users can identify AI referrals directly in their acquisition reports, helping them understand how AI platforms influence website traffic and search visibility.

With its AI Assistants solution, Matomo offers dedicated tracking for AI chatbots and AI agents, providing businesses with a clearer picture of how AI interactions impact website traffic. This prevents AI interactions from distorting marketing attribution, traffic metrics, and conversion reporting.

“Without visibility into AI-driven traffic, analytics data becomes less reliable and less actionable. This challenge affects every team that relies on website data, from marketing to leadership. It’s crucial to be able to distinguish between human visitors and AI assistants in order to make informed business decisions,” said Matthieu Aubry, CPO and Co-founder of Matomo.

This release is part of Matomo’s broader strategy to position itself as a leader in AI-driven web analytics. Build on privacy-first foundation, Matomo enables organisations to understand both AI and human engagement on their websites while remaining fully compliant with data protection regulations. This privacy-led-by-design approach ensures that analytics insights remain accurate, trustworthy, and align with modern data expectations.

Privacy-first analytics built for the age of AI

As AI chatbots and automated agents increasingly interact with websites, many analytics tools struggle to interpret this traffic because they rely heavily on cookies and user identifiers, mechanisms that AI systems often reject or bypass. Built on first-party data and transparent measurement, Matomo’s privacy-first architecture allows organisations to detect and analyse these interactions more reliably. This provides clearer visibility into how AI systems access, read, and engage with website content

“As a privacy-first analytics platform, Matomo is independent from third-party cookies and invasive tracking, which is totally adapted to the requirements of the AI era. This release reinforces our human-first analytics approach, enabling our clients to accurately detect AI traffic while maintaining trustworthy web analytics results,” said Adam Taylor, CEO of Matomo.

About Matomo:

Matomo is a leading web analytics platform that helps organisations understand their audience and gives them full control over their data. More than 1.4 million websites in over 190 countries use Matomo to improve digital experiences and make confident decisions. 

Available on-premise or in the cloud, Matomo combines powerful analytics with data ownership, flexibility, and privacy through its open-source foundation. 

More information: Matomo.org

Media contact

Elise Duchateau
Head of Marketing and Communications
Matomo (InnoCraft Ltd.)
marketing@matomo.org

Often, their organic traffic is flat. But their content keeps showing up in ChatGPT answers. Something is clearly happening, but it’s not reflected in their analytics.

This is the new normal for a lot of teams. AI systems are interacting with websites in fundamentally different ways: some send real visitors, some read your content quietly in the background, and some never send anyone at all.

Understanding the difference is the first step to making sense of what you’re seeing:

1. The different types of AI systems interacting with websites
2. The difference between human visitors and automated traffic

Once you know this, tools like Matomo can help you measure what’s happening.

Understand the different types of AI on the web

When people talk about “AI traffic,” they often mix very different technologies together.
Not all AI systems behave the same way — and they affect your website in different ways.

Understanding these categories already removes much of the confusion around “AI traffic.”

Here are four types you’re likely to encounter.

AI chatbots: answer engines for users

These are tools like:

• ChatGPT
• Gemini
• Perplexity
• Claude
• AI-powered search assistants

Users type questions and receive answers written by the AI.

Sometimes these answers include links to sources. When a user clicks one of those links, they visit your website.
In analytics, this appears as referral traffic.

AI chatbots can also influence traffic when they’re not sending visitors. This happens when the AI provides a full answer inside its interface, and users don’t see the need to click the source link. In some cases, AI chatbots don’t even add a source link to their output. Both cases result in what is known as zero-click behaviour. Your content may still be used as a source, but no visit happens. And while technology can’t track human visits that aren’t happening, there are solutions to track non-human visits, performed by AI crawlers, scrapers and agents.

AI crawlers: automated content readers

AI companies also operate automated programs that read websites. These are called crawlers.

They visit pages automatically to:

• Discover content
• Collect information
• Update AI systems

These visits are not human. They’re automated requests made by software.

AI scrapers: targeted data collectors

Scrapers are similar to crawlers but more selective. Instead of reading entire websites, they extract specific pieces of content, such as:

• Article text
• Headlines
• Product details
• Structured data

This data may be used for training AI models or generating answers. Again, these visits are automated.

AI agents: autonomous digital assistants

A newer category is AI agents. Agents are designed to perform actions on behalf of users.
For example, an AI agent might:

• Search multiple websites
• Compare products
• Fill out forms
• Complete tasks online

You might ask yourself how AI agents differ from AI chatbots. The difference is that AI chatbots require user prompts for each step, while AI agents can act autonomously once given an initial instruction.

Overview of AI types and what they do

How AI changes website traffic

Imagine you run a blog about marketing tools. Over time, you might notice several subtle changes:

• Some informational blog posts receive fewer visits because AI tools answer basic questions directly.
• Traffic patterns shift, with different landing pages receiving visits compared with previous months.

These different interactions can make traffic patterns look unusual at first glance. But once you understand the different actors, the effects become easier to interpret.

AI influences website traffic in three main ways:

AI sending real visitors

When users click links inside AI chatbots, they arrive on your website like any other visitor.
In Matomo, this traffic is visible in the Acquisition report, appearing as a dedicated referrer channel type. In a dedicated report, you can even see the metrics for multiple chatbots.

AI reducing clicks (zero-click behaviour)

Sometimes AI tools answer a question completely inside their interface. Users get the information they need without visiting the website. This means your content still influences the answer, but the visit never happens.

As a website owner or marketing team, over time you may notice fewer visits to informational content or changes regarding which landing pages are visited.

While analytics can’t measure visits that never occur, you can monitor visit trends over time, to get an understanding of the shifts that are happening. And keep in mind that zero-click behaviour doesn’t necessarily mean your content is less relevant. In many cases, it means the content is summarised or referenced by AI systems instead of generating direct visits.

To understand these shifts, it’s useful to monitor changes in landing pages, queries, and referral sources over time.

AI generating automated traffic

Crawlers, scrapers, and some agents generate non-human visits. With popular traffic analysis solutions, these visits often remain untracked and stay invisible. This is where Matomo comes into play. It offers visibility into AI traffic through different report angles.

How Matomo helps you stay oriented

When traffic patterns change, the goal is simple: separate signal from noise. To do this, start with the following quick check:

Quick check: how to spot AI-related traffic in Matomo

1. Look for AI chatbot referrals: 
Go to Acquisition → Referrals and check whether AI platforms appear as traffic sources.
2. Monitor landing page trends over time
: If AI tools answer questions directly, visits to informational pages may decline. Compare traffic patterns over time.
3. Inspect automated AI traffic
: Use AI Assistant tracking to see visits and engagement metrics for AI chatbots and AI agents.
4. Focus on long-term patterns
: AI-related changes usually appear gradually. Comparing months or quarters helps reveal meaningful trends.

If you want to explore these signals in more detail, the following sections explain how to investigate them in Matomo.

Keen about testing Matomo’s AI tracking capabilities yourself? Start your 21-day free trial and make the invisible visible!

For real visitors coming from AI: identify referral sources

Look at referral reports in Acquisition to see whether new sources, including AI platforms, are sending visitors.

You can analyse things like:

• How this traffic channel performs, compared with other channels like Organic or Social.
• How human traffic coming from AI chatbots changes over time and adds to goal conversions, and what happens in individual sessions coming from AI chatbots.
• What the visitors do after they land on your website, coming from an AI chatbot (e.g., which transitions happened).

Learn more here: How to track and analyse traffic from AI Assistants (like ChatGPT) in Matomo reports

This helps answer questions like:

• Is this traffic growing over time?
• How are visitors from AI tools behaving?
• Do they convert differently from traditional search visitors?

For automated traffic: inspect AI Assistant traffic

To gain visibility into non-human visits and to be able to act on it, you can use Matomo’s AI Assistant tracking. It offers a dedicated report for both AI Chatbots and AI Agents. And here’s what they do:

• AI Chatbots: This report contains three different sub reports, which help you answer the following questions:
  • How many requests from AI chatbots does your website get? And how do the chatbots behave during these visits, e.g. what’s the number of unique visited URLs, orphaned pages, or the click-through-rate?
  • How do metrics like visits and pageviews develop over time?
  • Which AI chatbots are accessing your website, and which pages are they visiting each?
• AI Agents: This report not only analyses AI traffic but also allows you to compare it to human visits. It offers two sub reports that provide insights regarding the following:
  • How many AI Agent visits are there, and how do the AI Agents behave? For example, how many actions are they performing, what’s their average visit duration and bounce rate, and more.
  • How do these metrics develop over time?

With both detailed reports, and the possibility to investigate behaviour over time, teams don’t need to waste time caring about daily fluctuations. Instead, Matomo allows to analyse longer-term patterns, helping teams compare months or quarters to see how traffic sources are shifting.

Making sense of the new traffic landscape

AI is not a single technology. It is an ecosystem of chatbots, crawlers, scrapers, and agents interacting with websites in different ways. Some bring visitors.
 Some reduce clicks.
 Some generate automated traffic.

In many cases, AI crawlers are discovering and analysing content that may later appear in AI-generated answers.

In that sense, AI systems can be seen as a new type of audience: not human readers, but systems that interpret and redistribute information across AI platforms.

That may sound complex, but the basics of analytics remain the same:

• Know your traffic sources.
• Separate humans from automation.
• Monitor trends over time.
• Make decisions based on your own data.

One advantage of privacy-first analytics platforms like Matomo is that they provide visibility into automated traffic.

Instead of hiding these signals behind aggressive filtering or opaque modelling, Matomo allows teams to observe how AI systems interact with their websites.

AI hasn’t made analytics more complicated. It has made the question more precise: are you looking at humans or machines? Once you can answer that, the rest of your analysis stays the same.

Matomo gives you the visibility to ask that question and answer it, whether it’s a chatbot sending referral traffic or a crawler reading your pages in silence.

Data privacy management software comes in many different forms. There are consent managers, mapping tools, breach response systems, vendor risk platforms, and more. 

This guide explains the main categories of privacy management software, what each type does and when to use it. We’ll also show you how to map your organisation’s needs to the right type of tool and highlight five tools that showcase different approaches to data privacy management

What is data privacy management software? 

Data privacy management software helps businesses properly handle personal data, protect user privacy and comply with privacy laws such as the GDPR and CCPA, as well as other global regulations. These platforms range from simple consent tracking tools to comprehensive systems for ensuring compliance across an entire organisation. 

Here are some of the standard features:

• Consent management: Collecting and recording user consent for data collection and processing activities. 
• Data subject request handling: Automating and tracking requests from people who want to access, correct or delete their data. 
• Granular tracking and auditing: Monitoring data flows across systems, providing a detailed record of who accessed what and when. 
• Policy automation and compliance templates: Simplifying compliance with privacy policy templates and automatic updates as regulations change. 
• Third-party risk management: Verifying that external tools and partners follow the same privacy and compliance standards. 
• Customisable reporting and alerts: Automated reporting and custom notifications to identify compliance risks early. 

The primary objective of these tools is to enhance data privacy protections and support compliance with requirements such as the ePrivacy Directive implementing laws (e.g., PERC (the UK), TDDDG (Germany), LSSI (Spain), TKG (Austria), the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Different types of data privacy management software

Data privacy management software is an umbrella term for platforms that address specific parts of compliance and data protection. Below are some of the most common types of privacy management software, along with their primary use cases. 

Matching your needs with the right privacy solution

Before comparing vendors, make sure you know which type of privacy management platform you’re looking for. Use the guide below to match your needs with specific tool capabilities and use cases. 

If you need to…

• Collect personal information online and prove lawful consent:
  • Consider consent management software to:
    • Update cookie consent banners.
    • Manage user preferences and Consent Mode.
    • Document audit trails.
• Inventory and secure personal data across your organisation:
  • Consider data mapping and inventory software to:
    • Scan databases/clouds.
    • Visualise data flows.
    • Support compliance audits.
• Implement new data processing activities or technologies:
  • Consider privacy risk assessment software to:
    • Conduct DPIAs (Data Protection Impact Assessments).
    • Assign risk levels.
    • Document mitigation plans.
• Respond to frequent privacy rights requests:
  • Consider data subject rights (DSR) management software to:
    • Automate intake and identity verification.
    • Update privacy notices.
• Handle breaches or other privacy incidents:
  • Consider breach and incident management software to:
    • Detect, log and assess the severity of events.
    • Support internal audit and compliance efforts.
• Assess and manage vendor risks:
  • Consider third‑party risk management software to:
    • Perform vendor risk assessments.
    • Monitor third-party compliance.
    • Centralise contracts and certifications.
• Protect individual privacy while working with large datasets:
  • Consider data anonymisation & tokenisation software to:
    • Mask and anonymise personal identifiers.
    • Support data minimisation principles.

Consent management software

Consent management software collects, records and manages user consent for data processing. The platforms display cookie consent banners or pop-ups that inform users about how their data will be used. Users can then choose which types of data collection they accept. 

The software stores these preferences and updates records if someone changes their settings. For example, if a user wants to withdraw their contact information, the system updates to reflect this change. 

It logs every consent action in accordance with relevant privacy laws, such as the ePrivacy Directive, which requires opt-in for all trackers and non-essential cookies.

Privacy-centric analytics platforms, like Matomo, also support Consent Mode. This means tracking is adjusted based on user choices.

Note: Consent is one lawful basis under GDPR. Some data processing activities may use other bases, such as contractual requirements or legal obligations.

Best for: Businesses that collect personal data from users online and need to maintain transparent records for compliance. 

Data mapping and inventory software

Data mapping and inventory software identify where personal data is stored and how it flows across systems. The platforms automatically scan databases, servers and cloud tools to locate personal information and map its journey within the organisation. 

This visibility is crucial for data governance. It helps businesses understand:

• What data they have
• Where it resides 
• How/With whom it’s shared

The system monitors who’s accessing data and why, giving compliance teams a clear picture of data handling practices. This helps them spot potential risks early on.

Best for: Organisations that need visibility into where personal data is stored and how it’s used across systems. 

Privacy risk assessment software

Privacy risk assessment software lets businesses identify and mitigate potential data breaches. The technology assesses how personal data is collected, stored and shared, and assigns risk levels accordingly. 

The software also helps businesses conduct Data Protection Impact Assessments (DPIA), which are a key requirement under GDPR. Other privacy laws globally also require data controllers to carry out privacy impact assessments. The system:

• Documents the purpose of data processing
• Assesses potential privacy risks
• Evaluates the necessity and proportionality of the activity
• Records mitigate measures 

Best for: Companies performing privacy impact assessments for new data processing activities or third-party technologies. 

Data subject rights management (DSR) software

DSR software automates Data Subject Access Requests (DSARs), such as when individuals request access to, correct or delete their personal information. The platform speeds up request intake, verifies identities and tracks progress to ensure responses meet legal timeframes. 

Each request is logged and managed through a central dashboard, reducing manual effort and helping businesses meet their applicable privacy law or other compliance obligations.

Best for: Businesses that regularly receive data requests and need to manage them quickly and accurately. 

Breach and incident management software

Breach and incident software detects, documents and responds to data breaches or security incidents. The platforms automatically log potential breaches, assess their severity and guide teams through the best way to address or mitigate the issue. 

Here are some of the common causes of data breaches: 

Data breach features allow organisations to respond quickly to these incidents, reducing damage and maintaining compliance. 

The software helps teams assess whether the incident requires regulatory reporting and prepares notifications for authorities and affected individuals. 

Best for: Organisations that need a reliable data breach and incident response process. 

Third-party risk management software

Third-party risk management systems evaluate and monitor the privacy practices of external vendors and partners. This means businesses can identify potential compliance gaps and reduce the risk of data breaches through their vendor networks. 

It uses automated questionnaires, risk scoring and continuous monitoring techniques to verify that third parties meet compliance standards. 

The platform also stores documentation, such as contracts, certifications, and audit reports to provide an up-to-date record of each vendor’s compliance status. Alerts immediately notify teams of changes or risks, so they can respond quickly. 

With Matomo’s OneTrust Tag Manager integration, teams can align tracking practices with their broader third‑party management processes and vendor risk workflows. 

Best for: Privacy operations that rely on external vendors and need to ensure they comply with data protection laws. 

Data anonymisation, pseudonymisation and tokenisation software

Data anonymisation software permanently and irreversibly removes or alters identifiers so that they cannot be linked back to an individual, making personal information unidentifiable. If effectively anonymised, datasets fall outside the scope of privacy laws, such as the GDPR. 

By removing or replacing identifiers with tokens and prioritising data minimisation, businesses protect personal information. 

Masking, encryption and tokenisation usually create pseudonymised data, which still counts as personal data under GDPR, even though it’s better protected

Best for: Organisations that analyse large datasets but must protect individuals’ identities and comply with privacy regulations. 

Top data privacy management software 

Here are five top data privacy solutions that help businesses collect, manage, and use data responsibly. 

1. Matomo: A privacy-first web and analytics system

Matomo is a privacy-first analytics platform that allows teams to capture and analyse 100% of user actions while respecting user privacy. Trusted by over one million websites across 190+ countries, it offers full data ownership, no third-party sharing and unsampled, accurate reporting.

Matomo captures traditional web metrics (like visits, traffic sources, and conversions) and can be configured to support compliance with strict global privacy laws, including GDPR, ePrivacy implementing laws, CCPA, PECR, HIPAA, and LGPD. 

Matomo On-Premise is one of the few analytics solutions that give teams full control over their data by allowing them to self-host their analytics data. And, it’s free.

Matomo’s web analytics dashboard

Many businesses use tools like Google Analytics without realising how much data they’re exposing to third parties. Unlike platforms that sample or externalise data, Matomo On-Premise provides complete data ownership and sovereignty. 

Best suited for: Businesses that need privacy-first analytics or open-source flexibility.

Key features:

• Built-in GDPR manager 
• Self-hosted or cloud-based deployment options with configurable compliance settings
• IP anonymisation and data masking features, other data minimisation and retention controls
• No data sampling
• No third-party data sharing
• Advanced segmentation, custom reporting, session recordings and heatmaps

Why it’s worth using:

• Integrates with cookie consent banners and most CMSs and CRMs
• Supports strict regulatory standards without sacrificing insight
• Complete data sovereignty, transparency and open-source flexibility

Try Matomo for free.

2. OneTrust: Privacy, risk and compliance management software 

OneTrust is a privacy management platform built for enterprises dealing with complex, global data protection requirements. The solution offers tools to manage privacy, risk, and governance at scale. 

OneTrust’s website details dashboard

Best for: Large organisations subject to strict compliance standards.

Key features:

• Comprehensive privacy, security and governance suite
• Consent management across multiple devices and jurisdictions
• Data mapping and third-party risk monitoring
• AI-driven data discovery and classification

Why it’s worth using:

• Enterprise scalability
• Strong support and integrations

3. Osano: Cookie compliance and consent management platform

Osano is a lightweight privacy solution focused on cookie compliance and consent management.

Osano’s privacy compliance dashboard

It offers automated consent banners, centralised tracking and real-time policy updates.

Best for: Small to mid-sized businesses that need a lightweight tool.

Key features:

• Easy-to-implement cookie banners and preference forms
• Real-time compliance status and policy change alerts
• Legal templates and pre-built settings for major laws (GDPR, CCPA)

4. TrustArc: Privacy and data governance platform 

TrustArc is a privacy solution that helps businesses map and monitor data flows and manage privacy risks. 

TrustArc’s data privacy laws dashboard (Image source: TrustArc)

It can also automate data inventories, risk assessments and compliance reporting. 

Best for: Mid- to large-sized businesses that require centralised oversight of data usage and privacy risk.

Key features:

• Inventory and flow visualisation
• Consent lifecycle management
• Templates for GDPR, CCPA and other frameworks

5. BigID: AI-powered data intelligence and sensitive data management platform

BigID is a data intelligence platform that uses machine learning to find and classify sensitive information across the organisation. It provides audit-ready DSAR reporting and automated DSAR workflows. 

BigID’s security dashboard (Image source: BigID)

Best for: Organisations that need to quickly locate and manage sensitive data at scale.

Key features:

• Automatic identification of PII, personal health information (or PHI, which is specific to US HIPAA law) and other regulated data
• Integrations with cloud platforms, SaaS apps and data lakes
• Custom privacy workflows for managing compliance and risk

What’s in store for data privacy in 2026? 

Data privacy is evolving rapidly, driven by stricter regulations, growing consumer expectations and the rise of AI. 

More countries are implementing privacy and AI laws, making global compliance far more complex. Here are a couple of examples:

• New EU and UK developments

Evolving privacy obligations in 2026 include the EU’s Digital Omnibus Act and the UK’s updated Privacy and Electronic Regulation Code (PERC). These frameworks are strengthening cookie consent rules, cross‑border enforcement, and AI accountability. 

• India’s Digital Personal Data Protection Act

Establishes a national framework for processing personal data, emphasising user consent, data minimisation and cross-border data transfer controls. 

• Expanding regulations

Several states in America have enacted their own privacy laws (like California’s CCPA and Virginia’s CDPA), each setting unique requirements for data collection, user rights and business obligations. Use the US State Privacy Legislation Tracker to keep up with changes. 

• AI accountability

The EU AI Act outlines regulations for AI systems. It entered into force in 2024 and is being implemented in phases, with initial provisions beginning in 2025 and the majority becoming enforceable in August 2026. Full compliance across all categories extends into 2027. 

Businesses should expect stricter disclosure requirements around:

• Communicating with customers regarding AI.
• Explaining how automated decisions are made.
• Documenting the data sources used to train AI models.

As a result of these tighter data regulations, we expect a continued increase in steep fines and public investigations into AI compliance. Regulators are already ramping up enforcement against major tech companies:

• Meta’s €1.2 billion fine as a result of an EDPB binding decision, which found violations in data transfers between the EU and the U.S.
• CNIL’s 2024 enforcement report shows how France’s data protection authority introduced a simplified sanctioning process to resolve minor cases quickly. It allows the CNIL to issue fines without a full committee review. 

Simplify data privacy compliance with Matomo

The right data privacy software will depend on your organisation’s specific needs, whether that’s consent tracking, data mapping, or incident response. This guide broke down the different categories of privacy management software to help you determine which one meets your business requirements.

Matomo supports compliance efforts by offering privacy-first analytics and integrations with platforms like OneTrust and Osano. 

Over a million websites choose Matomo because it delivers real insights — without compromising user privacy or data ownership 

Start your 21-day free Matomo trial today. No credit card required. 

This gap between what happened and why it happened is a common challenge in analytics. Standard dashboards surface general patterns but struggle to explain their context.

Custom dimensions offer a way to capture that missing context by attaching meaningful attributes to visits and actions. Details, such as user roles, content categories or subscription tiers, can transform raw activity into insight. 

This article explores what custom dimensions are, how they work in Matomo and how to set them up for clearer, more relevant reporting.

What are custom dimensions?

Custom dimensions are extra pieces of information attached to visits or actions in an analytics tool. Instead of relying only on default fields, such as page URL or traffic source, an analyst can store tailored attributes that matter to the business, then use them in reports for deeper insight.

Each custom dimension holds a name and a value. During tracking, the value is sent with the hit, and Matomo stores it alongside standard metrics. When reports run, Matomo groups and filters data by these values, which keeps the analysis accurate and consistent.

For example, a “subscription tier” custom dimension can record whether a visitor is on a Free, Pro or Enterprise plan. Another might capture “Content type,” such as article, video or product page. 

Custom dimensions can be set up to avoid personal data, which helps teams measure behaviour without tracking names or contact details. They also give analysts more say in how results are grouped in reports.

Common use cases

Custom dimensions are most useful when they add context that standard metrics miss. The examples below show how a few extra fields can turn log data into clear, practical findings.

Content performance tracking

Editors can tag visits with content author, category or content type. Reports then reveal which authors keep visitors engaged, which categories attract new audiences and whether articles, videos or product pages drive the most conversions.

User segmentation

Marketers often track subscription tier, user type or acquisition channel as custom dimensions. A tier such as Free, Pro or Enterprise can be followed through funnels to compare feature usage, upgrade rates and campaign performance with clear, transparent splits.

Ecommerce insights 

Stores can attach product attributes, such as brand or collection, along with the customer lifetime value band. That makes it easier to compare groups that spend more or stay longer, without storing personal data.

Technical tracking 

Teams can record a page load time band or an error type. Lining those values up against clicks and conversions shows where slow pages or repeating errors cause visitors to drop off.

Implementing and managing custom dimensions

Implementing custom dimensions in Matomo follows two stages: define the dimension, then send values with each relevant hit. A little planning at this point protects accuracy, performance and privacy later.

Step 1: Plan and create the dimension

Before creating a new dimension, teams decide whether it should describe an entire visit (visit-scoped) or a single interaction, such as a page view or event (action-scoped). 

In Matomo, administrators click: 

• The Administration page (cog icon)
• Measurables or Websites (depending on setup) in the left-side menu
• Custom Dimensions

They can then add a name, choose the scope and set the dimension as active. 

Because each site has a limited number of slots per scope and dimensions usually can’t be deleted, only deactivated, most teams reserve them for stable concepts, such as subscription tier or content group, rather than volatile labels.

Step 2: Track values from the site or app

For sites that use the JavaScript tracker, custom dimensions are attached to hits through the _paq queue.

This simple example records a visitor’s plan:

This call runs before the relevant trackPageView or event, and Matomo stores the value alongside the standard metrics for that visit or action.

Matomo Tag Manager offers another route and keeps tracking logic in one place. A variable first captures the value, like a data layer field that holds userRole. In the Matomo Configuration Variable, the Custom Dimensions section maps a dimension index to that variable. When a tag that uses this configuration fires, it sends the custom dimension value with the hit. In preview mode, teams can check the container and see those values in the request before publishing any changes.

Server-side systems, background jobs or mobile apps that call the HTTP Tracking API add custom dimensions with dimension{id} parameters, such as dimension2=Enterprise. Separate ranges support visit and action scopes, which help keep imports structured and efficient.

Step 3: Maintain and validate

After tracking is live, teams should watch reports and logs for empty rows or odd values.

Action dimensions can also take values from URLs or page titles through extraction rules. That approach cuts down on code edits and makes it clear where each value comes from.

Periodic reviews of active dimensions, along with consent and data minimisation settings, help ensure the implementation remains accurate, privacy-friendly and easy to extend.

How custom dimensions affect analytics and reporting

Once custom dimensions begin collecting data, they become part of Matomo’s standard reporting flow. 

Each dimension appears in dedicated reports where metrics are grouped by the stored values. It keeps analysis consistent and makes it clear how attributes (like subscription tier or content type) relate to behaviour and results.

Matomo processes visit-scoped and action-scoped dimensions differently:

• Visit-level dimensions describe the whole session, so reports summarise complete visits and conversions by each value. 
• Action-level dimensions attach to individual events, page views or downloads. In these reports, a single visit can contribute multiple rows, which helps expose detailed patterns, like which content category generated the most downloads or form submissions.

Custom dimensions can also feed Custom Reports. Analysts can add a dimension as a row or column, then filter by action type to focus on events, downloads or other specific interactions. This level of control, combined with clear scopes, supports accurate reporting and efficient workflows without obscuring how Matomo stores and processes the underlying data.

Privacy and compliance considerations

Custom dimensions can touch personal data, depending on implementation, so they form an important part of privacy and compliance work.

Under GDPR and similar laws, any field that can identify or single out a person needs a lawful basis, a clear purpose and suitable safeguards. In practice, this means planning dimensions with legal and privacy teams, as well as analysts.

Data minimisation, careful consent management and anonymisation are at the core of a privacy-forward and compliant implementation.

For custom dimensions, that often means recording stable, non-identifying values, such as subscription tier or an internal segment label, instead of names or email addresses. It also means linking records with a pseudonymous ID.

Data minimisation keeps each dimension tied to a single purpose. Retention rules and deletion processes then clear out values once they are no longer needed. Anonymisation and aggregation features in Matomo, including IP masking and optional cookieless tracking, help reduce risk further when combined with explicit consent where required. 

Planned this way, custom dimensions support accurate analysis while maintaining transparency, user control and respect for local privacy requirements.

Advanced tips and best practices

Reserve slots for stable attributes

Custom dimension slots are limited and difficult to restructure later, so teams should stick to stable ideas and stay away from ultra-granular values that will bloat tables.

Planning ahead of time and consulting the Matomo Measurement Plan can prevent performance issues or dimension limit frustrations down the road.

Avoid high-cardinality values

High-cardinality dimensions, meaning those that have a large or infinite number of unique values, increase archive time and slow down reporting. Teams should avoid using dynamic values for their dimensions, like time stamps or full URLs with parameters.

Keep names simple and consistent

Naming matters. Simple labels such as “Subscription tier” or “Content category” make reports easier to scan and make future changes less painful. 

A shared naming convention for events, custom dimensions and variables helps everyone understand what each field stores and how it shows up in dashboards and exports.

Troubleshooting common issues

Data not appearing in reports

The most common cause of missing data is scope or timing. The dimension must be: 

• Active
• Attached to the correct site
• Sent before trackPageView or the relevant event

Reports only show data for the selected date range, so very recent hits may appear first in real-time or visit logs before they reach aggregated reports.

“undefined” or “Value not defined” dimension values

Reports may display “undefined” or “Value not defined” as a dimension value.

This has two causes:

• The tracker tried to use a variable that wasn’t defined when setCustomDimension was called, so it’s received as “undefined”
• The dimension was sent with an empty string, so it displays as “Value not defined”

To fix this, teams should set the dimension before the pageview or event is tracked and confirm that the variable returns a real value (unless intentionally left empty).

Inconsistent formatting

Inconsistent formats fragment results. For example, recording “pro”, “Pro” and “PRO” as separate values inflates the number of rows and makes comparisons harder. 

Shared naming conventions and validation on the data layer keep values accurate and readable.

Implementation validation

Tag Manager preview mode and browser Network tabs can confirm that dimension{id} is included in a tracking request. Teams can verify values in the Visitor Log before relying on aggregated reports.

Teams should also review dimension values to make sure no personal data is sent and the consent setup blocks tracking where required.

Using custom dimensions in Matomo

Custom dimensions fit neatly into Matomo’s privacy-first approach. The platform combines 100% data ownership with options such as IP anonymisation, cookieless tracking and no data sampling, so added context does not come at the expense of privacy or accuracy.

Matomo treats custom dimensions as first-class fields in many features. They appear in dedicated reports, can act as rows or columns in Custom Reports and can filter or group Goals, Funnels and E-commerce reports. A “Subscription tier” dimension, for example, can break down goal completions by Free, Pro and Enterprise across landing pages, events and revenue, which gives teams a clear view of how each tier behaves.

Business Matomo Cloud plans come with 15 visit-scope and 15 action-scope dimensions, but Enterprise’s total amount is customisable. On Matomo On-Premise, administrators can extend the default five per scope to around 50 per scope through a console command with SSH access.

Custom dimensions as a foundation for trusted analytics

Custom dimensions close the gap between raw metrics and meaningful insight by restoring context to every visit and action. 

Instead of isolated page views and bounce rates, teams gain a structured view of how real audiences behave across content, products and technical experiences. 

In Matomo, this richer picture rests on a trusted base: accurate data with no sampling, an open-source platform used by more than 1 million websites and features that can be configured for GDPR compliance. 

For organisations that value privacy and control, Matomo’s custom dimensions provide a practical path to clearer, more confident decisions.

Download Matomo and run it for free on your own server or start your free Matomo Cloud trial today — no credit card required.

FAQ

What is a custom dimension?

A custom dimension is a field that stores extra context for a visit or action, such as user role or content category. It appears in dedicated Matomo reports.

When should I use custom dimensions vs. custom variables?

Custom dimensions are the modern way to track extra metadata in Matomo. Custom variables are deprecated and mainly kept for legacy installations.

What’s the maximum number of custom dimensions allowed in Matomo?

Matomo Cloud Business Plan supports 15 custom dimensions per scope (visit and action), so 30 in total. The Enterprise plan has customisable limits. 

On-Premise starts at 5 per scope and can be extended to at least 50 per scope using console tools with SSH access. 

Can you add custom dimensions retroactively in Matomo?

Custom dimensions record values from the time tracking is implemented. Earlier visits without that value remain empty in reports.

How do custom dimensions differ from segments in Matomo?

A custom dimension adds a new field to the dataset, like a membership tier. A segment filters existing data, such as visits from a specific region.

Are Matomo custom dimensions GDPR-compliant?

Custom dimensions in Matomo can be made GDPR-compliant when configured and governed correctly, following consent, data minimisation, limited retention and anonymisation of personal data where possible. You can learn more in our handy GDPR guide.

Can I use custom dimensions in Matomo’s mobile app analytics?

Yes. Matomo’s mobile SDKs for Android and iOS support tracking custom dimensions alongside events, screens and ecommerce actions.

With privacy-centric methods like server‑side tagging and consent-based event measurement, marketing teams can still capture the contextual and behavioural signals they need to connect with target audiences and personalise content.

This guide explores first-party cookies and their use in marketing. We’ll discuss their benefits, how they differ from third-party cookies and their value in web analytics workflows, especially in marketing attribution. Finally, we’ll highlight potential risks to keep in mind and best practices to implement first-party cookies while promoting data minimisation, transparency and trust.

What are first-party cookies?

First-party cookies are a type of tracking code that helps a site remember visitor preferences. They keep people signed in, preserve baskets between pages, recall language and region choices and connect page views so analytics data can count user sessions and attribute conversions. 

They also give marketing teams direct customer behaviour signals without third-party intermediaries, which improves reporting accuracy and aligns with GDPR and other privacy requirements. 

Unlike Google Analytics and most legacy solutions that were initially designed around cross-site tracking, privacy-first tools are built around direct user interactions. These ethical analytics platforms focus on extracting insights while still respecting user privacy.

How do first-party cookies work?

When someone visits your website, your domain creates a small text file (the “cookie”) through your site’s script or web server and stores it in their browser to remember them.

Then on future visits or pageviews, the browser returns the same value to your domain, allowing you to link actions throughout a user session or over a short time frame.

First-party vs third-party 

First-party cookies are set and read by the site a person visits. Third-party cookies originate from embedded domains and are used for advertising purposes. Here’s a breakdown of their characteristics: 

While first-party cookies raise fewer ethical and privacy concerns, they still handle personal data and must be managed carefully. If responsibly implemented, with a clear purpose and transparency, they can provide significant benefits.

Benefits of first-party cookies

First-party cookies provide marketing teams with the necessary signals while keeping data within the bounds a visitor has chosen. The result is better measurement, clearer choices and a stronger foundation for privacy.

Clear ownership

Unlike tracking cookies used by advertisers and other third parties, first-party cookies are created and set by the website owner. Since tracking stays on your site and is limited to the purposes you declare, it’s much easier to explain to users. Visitors know exactly who is collecting their data and why, which builds trust.

Consistent data quality

Because first-party cookies travel between a browser and the site a person is on, they work consistently across your own pages. 

Teams get steadier session counts, cleaner attribution within a domain and fewer gaps caused by blocked third-party requests. 

You can also define sensible expiries to keep user data fresh, which improves the quality of conversion and cohort analysis.

Transparency and control

First-party setups are easier to explain and manage. You can show plain-language descriptions and provide a preference centre that lets people opt in or out later. 

It is straightforward to rotate identifiers, shorten lifetimes and minimise what you store. Clear naming and documentation create an audit trail that your legal and security teams can review.

Compliance support

Regulators emphasise transparency, purpose limitation and choice. Under the GDPR, CCPA and similar frameworks, data shouldn’t be kept any longer than necessary for the purpose it was collected. What’s considered a “reasonable” cookie expiry period varies by jurisdiction and industry.

First-party setups can be configured to support GDPR and similar rules by defining specific purposes, collecting only the minimum data, honouring consent, and setting sensible expiries. 

Teams should:

• Document expiry decisions and align them with local regulator guidance.
• Review expiries regularly as part of compliance checklists and audits.
• Adjust retention periods when business needs or regulatory expectations change.

Data privacy considerations with first-party cookies

First-party strategies avoid the broad cross-site profiling that made third-party cookies contentious. But they still involve personal data, so they require careful handling and safeguarding. Reusing identifiers or failing to obtain consent can increase data privacy risks.

Consent management issues

Under GDPR and similar laws, non-essential cookies need a lawful basis. So analytics and personalisation require consent. As an organisation using first-party cookies, make sure to stick to the following best practices: 

• Describe purposes in plain language.
• Honour preferences on every page load.
• Ensure settings sync across subdomains.
• Use a consent management platform.

Data storage and security considerations

Limit what a cookie stores. Keep values short, avoid storing sensitive data in the browser and set sensible expiration times. 

Secure attributes such as HttpOnly and SameSite help reduce exposure. In your systems, restrict access, log reads and changes and retain data only as long as needed for the declared purpose.

Cross-device tracking limitations

First-party cookies are browser-bound. They don’t link phones, tablets and laptops without an account or server-side logic. You can either accept these limits or consider explicit, consent-based methods such as signed-in measurement.

Balancing personalisation with privacy

Considering data privacy when using first-party cookies also means: Start with data minimisation. Use the least intrusive signal that achieves the goal. Prefer session-level metrics when possible. 

And always keep in mind to provide value in return for consent and make controls easy to find. The aim is to create more positive user experiences that respect data subjects’ choices and privacy.

Potential for misuse despite being “first-party”

Without proper implementation, first-party strategies can still have privacy risks. Watch out for common pitfalls to avoid. These include:

• Overly long lifetimes: Don’t keep identifiers longer than necessary, it can feel invasive and increase risk. Many tools default to 30‑day lifetimes, but privacy‑focused teams usually adopt shorter, purpose‑bound limits in the 7 to 14 day range.
• Fingerprint‑like IDs: Avoid using highly specific or persistent identifiers that resemble device fingerprinting
• Undisclosed reuse or repurposing: Be transparent if you reuse cookie data across contexts or for new purposes. 
• Sensitive data combinations: Be cautious when combining cookie data with sensitive information or using it for profiling or targeting.
• Rights handling: Users have the right to access or delete, or object to how their data is used. Make sure these options are easy for them to find and act on.

To avoid these pitfalls and make sure your first-party strategy is effective, start with the best practices below.

First-party cookie implementation best practices 

Done well, first-party cookies can support useful analytics and respectful personalisation. Follow the steps below to maintain a clear, auditable and user-centric setup.

Consent mechanisms

To meet the GDPR’s lawful basis, make sure to implement user-friendly consent mechanisms. Keep in mind to:

• Group cookies by purpose.
• Make it easy to change or withdraw consent.
• Obtain consent before setting non-essential cookies.

Value exchange

Help visitors understand how their choices shape their experience. You can add explanatory text to your cookie banners, for example:

• “Analytics cookies help us improve site performance and page loading times.”
• “Session cookies keep you signed in and save the items in your shopping cart.”
• “Preference cookies load the site with your preferred language and display settings.”
• “Personalisation cookies tailor content and product recommendations to your interests and region.”

Data minimisation 

To minimise privacy risk and support compliance, make data minimisation a top priority. Its core principles include the following:

• Store only what is necessary.
• Default to short randomised user IDs.
• Align expiries with purpose.
• Use session cookies where possible. 
• Scope strictly necessary cookies to the smallest path or subdomain that still works.

Audits & cookie lifecycle management

To encourage accountability and avoid unchecked cookie growth, conduct regular cookie audits and follow the following approaches:

• Maintain a cookie inventory that includes the name, purpose, domain, expiry date and owner.
• Regularly review inventory and remove legacy entries.
• Apply Secure, HttpOnly and SameSite attributes to strengthen browser protection.
• Enforce data retention limits
• Rotate identifiers regularly.

Privacy by design principles

To align internal privacy controls with regulator expectations, its crucial to understand privacy as a core principle of ethical marketing and embed it deep into your analytics approach:

• Conduct DPIAs for new feature releases or data uses.
• Opt for privacy-enhancing technology.
• Implement role-based access controls.
• Log all reads and changes, and document decisions for review and future reference.

When implemented with these safeguards, first‑party cookies can support ethical analytics and improve customer relationships.

From tracking to trust

First‑party cookies foster more respectful and transparent relationships with customers. When aligned with jurisdictional requirements and industry best practices, they’re effective and ethical analytics tools.

If your team needs a privacy-first approach to analytics, consider Matomo. It’s an open-source platform that lets you easily configure privacy settings to align with GDPR, CCPA and other privacy laws.

Whether you choose on-premises deployment or Matomo Cloud, you have full control over your customer data and everything you need to interpret user behaviour while still respecting their privacy.

Download Matomo On-Premise completely free, or start a 21-day free trial of Matomo Cloud.

That’s a sentiment we see echoed all the time within marketing circles. It’s tempting to believe this idea when marketers are struggling to prove the value of their efforts. Attribution models like last-click models overvalue the final touchpoint, while first-click models overvalue the early stage of the customer journey.

But if single-touch models distort the picture, it doesn’t mean attribution is dead. You should consider alternatives, such as multi-touch attribution models, that let you see the full picture — at least to some extent.

Time decay attribution is one such model.

In this article, we’ll explain the concept of time decay attribution, how it works and help you decide if it’s the best attribution model for your business.

What is time decay attribution?

Time decay attribution is a multi-touch model that assigns more credit to touchpoints closer to the conversion. The more recent the touchpoint, the greater the weight.

Nuclear Physics scientists use a concept called “half-life.” It refers to the time it takes for a substance to reduce to half its amount, and it’s used to assess how long a radioactive substance remains hazardous.

Similarly, in time decay attribution, the model assigns credit to a specific touchpoint based on the half-life you set. The half-life period is considered the most “critical” because it’s closest to the conversion.

For instance, if your half-life is set to seven days, a touchpoint that occurred a week before conversion receives half the credit as one that occurred on the day of conversion. But if it’s more than two weeks, it’ll receive a quarter of the credit.

An example of time decay attribution

The table below shows a hypothetical journey for James, a small-business owner researching loan options over three weeks.

Here’s what the customer journey looks like:

• Day 1: He starts with a blog post about business financing (21 days out).
• Day 8: He receives an email newsletter highlighting competitive rates (14 days out).
• Day 15: He visits a product comparison page and bookmarks it (7 days out).
• Day 22: He returns directly to the site and submits his application.

Under time decay attribution, the application page and comparison page receive the largest share of credit because they were closest to the decision. But the blog post and email also get credit, but not equally.

What are the different types of marketing attribution?

There are two types of marketing attribution models: single-touch and multi-touch. The former credits a single channel with the conversion, while the latter credits multiple channels.

Time decay is one of several multi-touch attribution models available to marketers.

Apart from time decay attribution, here are the different types of attribution models:

1. Last-click attribution

Last-click attribution assigns 100% of the credit to the final touchpoint before conversion. If a customer clicked a paid search ad and then converted, that ad gets all the credit — regardless of what they did before.

While it’s a simple model to use and report on, it ignores every interaction that builds awareness and consideration. If you’re a company with long research or sales cycles, you could end up overindexing your investment on one channel.

2. First-click attribution

First-click attribution does the opposite of last-click attribution. It assigns all credit to the first touchpoint that introduced the customer to your brand.

This model spotlights the channels that generate initial awareness. It’s a useful model if you’re focused on filling the top of the funnel. The trade-off is that it ignores everything that happened afterwards.

3. Linear attribution

Linear attribution distributes credit equally across all touchpoints. If there are four interactions, each receives 25%.

In this case, each channel gets equal credit. If you prefer a more balanced view or want to understand which channels you should invest in, the model works well. But it also treats a casual blog visit the same as a demo request.

4. Position-based (U-shaped) attribution

Position-based attribution assigns 40% to the first touch, 40% to the last and spreads the remaining 20% across everything in between.

This model balances awareness and conversion but also accounts for the messy middle. The problem is that the 40/40/20 split is arbitrary because your actual customer journey might not follow that pattern.

5. Algorithmic (data-driven) attribution

Algorithmic attribution uses machine learning models to assign credit based on historical conversion patterns. Instead of following fixed rules, it adapts to your specific data.

When it works well, it offers the most nuanced view of channel performance. But it requires large data volumes and technical resources to maintain. If you use it, you need to be technically sound to explain why a channel received its score, since it doesn’t give you the most straightforward answer.

What are the benefits of time decay attribution?

Regarding complexity, time decay attribution sits in the middle ground because it’s more sophisticated than single-touch models but doesn’t require the data infrastructure of algorithmic approaches. If you’re in a company with complex sales cycles, this matters.

Unlike single-touch models, you’re considering that other channels were also involved in the conversion. But the actual action could’ve been majorly influenced by the phone call.

That’s why this model can be used for short and long sales cycles. The channel that receives the most credit under the model is the one closest to where the user or customer takes the desired action.

Gives a better picture of the customer journey

The problem with single-touch models is that they force you to pick a winner. Once the channel gets all the credit, the rest get ignored. The reality is that it takes a few touchpoints before you ever get a conversion. 

Time decay attribution looks at the entire journey. The only difference is that it weights the credit based on when the user went through the touchpoint. When you’re reporting to stakeholders, it helps them see the whole picture, which builds confidence in your data.

Supports long sales cycles

There are many industries where the sales cycle can last months. According to Focus Digital’s benchmark report, in the financial services industry, it takes 98 days to close a deal. That’s just one example of how complex today’s customer journey is.

Time decay attribution handles these journeys well compared to single-touch models. It looks at all the channels but doesn’t overindex on the earlier touchpoints. As a result, you don’t undervalue top-of-funnel acquisition while analysing your marketing performance and investments.

Three limitations of time decay attribution

Ultimately, we also have to acknowledge that no attribution model is perfect. Even time decay attribution can’t give you the most accurate picture, as it’s a hypothetical, rule-based model whose assumptions may not fit every situation.

Here are its limitations:

1. It undervalues early interactions

The way that time decay works creates a structural bias towards top-of-funnel activity.

Even if a prospect found your brand through a LinkedIn post targeting IT directors, that interaction receives the least credit. Even though that post was the very reason they found you in the first place, it’s not necessarily true that the last touchpoint actually encouraged the conversion.

If you’re primarily investing in top-of-funnel activities, it’d be better to use another multi-touch model.

2. It’s difficult to find the optimal half-life

Also, the half-life setting determines how quickly each touchpoint’s credit decays. If it’s set too short, the early touchpoints become almost invisible. But if it’s set too long, you lose the recency weighting that makes the model useful.

Most platforms default to seven days, but it is arbitrary. You’ll need to adjust it based on your sales cycles. 

3. It’s misaligned with long-term strategy

Time decay attribution favours short-term optimisation. Since it weights the most recent channel most heavily, you might over-optimise that channel. It’s more commonly used to measure the impact of specific marketing campaigns, which is a more short-term approach.

That’s why most companies in the early and late stages tend to use multi-touch attribution more than growth-stage companies do. Growth-stage companies tend to scale through curated campaigns and ads, while early- and late-stage companies tend to prefer a bird’s-eye view of their marketing efforts. 

Multi-touch attribution usage grows with company size.
(Image source)

Choosing the right attribution model

So is attribution dead? Not quite. But it doesn’t make sense to expect a single model to give you all the answers you need. Each model takes a different (and hypothetical) approach based on certain assumptions.

Time decay takes you one step closer to using multi-touch attribution to give a more representative view of your customer journey. It doesn’t require a complex data infrastructure like algorithmic attribution, and it captures every touchpoint if possible.

Ask yourself these questions to determine if it fits:

• Does your sales cycle span multiple weeks? Time decay handles long journeys and gives late-stage touchpoints their due while still crediting earlier interactions.
• Are you trying to optimise bottom-of-funnel performance? The model highlights the channels that were closest to conversion, which is useful when you need to refine late-stage tactics.
• Do you need a middle-ground approach? If last-click feels too blunt and algorithmic attribution feels too complex, time decay gives you an easier middle ground to start with.
• Do you need to justify marketing spend to stakeholders? Time decay provides a clear, explainable logic (recent = more credit) that’s easier to defend in budget conversations compared to algorithmic attribution.
• Is your team optimising campaigns in real-time? If you’re adjusting spend weekly or monthly based on performance, time decay highlights which late-stage tactics are working now.
• Are most of your conversions influenced by multiple channels? If prospects typically interact with three or more touchpoints before converting, you’ll notice that single-touch models mislead you. Time decay is better suited for those situations.
• Is your priority conversion efficiency over brand awareness? Time decay tends to favour bottom-of-funnel optimisation. If top-of-funnel growth is your focus, you may want to pair it with first-click or run both in parallel.

Time decay attribution is also very useful when combined with another model. For instance, you can run a first-click model with it to see which channels introduce prospects versus which ones close them.

So, choose the best model depending on your goals, company stage, and sales cycle to get the most representative view of what’s happening.

If you’re ready to experiment with time decay attribution, consider starting a 21-day free trial using Matomo Cloud (no credit card required).

Wellington, New Zealand — 18 February 2026 — Matomo, the world’s leading privacy-first and ethical open-source analytics platform, today announced the appointment of Adam Taylor as Chief Executive Officer (CEO), effective Monday 2 February 2026.

Building on years of sustained growth, Matomo is accelerating the value it delivers to customers worldwide by strengthening its product leadership and deepening its proximity to key markets. To lead this next phase of international development, Adam Taylor, formerly Chief Operating Officer (COO), has been appointed CEO as part of an evolution of the company’s global governance.

Taylor transitions from his role as Chief Operating Officer (COO), where he helped lead Matomo through a major phase of operational change and global scaling. He brings significant experience in leading global technology and digital transformation organisations — most recently leading GHD’s Digital Transformation business across the APAC region, alongside supporting its GovTech business.

Taylor succeeds Matomo co-founder and long-standing CEO Matthieu Aubry, who will transition into the role of Chief Product Officer (CPO) after more than 10 years leading Matomo’s global growth.

In this capacity, Aubry will focus on reinforcing Matomo’s product vision, innovation roadmap, and alignment with customer needs.

As part of this evolution, Matomo is also expanding its presence across Europe with the appointment of two Country Sales Leads in Germany and France, reflecting growing demand across EMEA for privacy-first analytics, digital sovereignty, and GDPR-aligned measurement.

A deliberate leadership transition for Matomo’s next stage of growth

The CEO transition follows a deliberate succession process as Matomo continues to scale globally across enterprise, public sector, and regulated industries.

“After more than 10 years as CEO of Matomo, I’m stepping into a new chapter,” said Matthieu Aubry, Co-founder of Matomo. “As of Monday 2 February, Adam Taylor officially becomes CEO of Matomo, and I move into the role of Chief Product Officer.”

“Over the past year, Adam has already been operating as a de facto CEO, leading a major phase of change as we prepared Matomo for its next stage of growth,” Aubry added. “He brings calm judgement, strong execution, and deep experience leading large global teams — with a genuine commitment to supporting customers and partners worldwide.”

Aubry emphasised the importance of the transition for Matomo’s global community and commercial momentum. “Matomo has always been built with and for its community — and we’re seeing that trust translate into growing adoption among organisations that want clarity, compliance, and control. This step helps us scale responsibly, stay close to customers, and keep delivering a platform people can rely on for the long term.”

Matthieu Aubry to focus on product strategy, innovation, and long-term direction

In his new role as CPO, Aubry will focus on product strategy, innovation, and long-term direction — ensuring Matomo continues to serve both its global community and commercial customers with a platform that remains transparent, trustworthy, and fully under customer control.

“As Matomo grows, we want to move faster on what matters most to the people who rely on us — clearer insights, better usability, stronger enterprise capabilities, and technology that remains transparent and fully auditable,” said Aubry. “My focus as CPO is to keep raising the bar on product excellence and ensure our roadmap continues to reflect real customer needs.”

Expanding Matomo’s presence across Europe

More fundamentally, these changes are driven by Matomo’s commitment to being closer to its local customers and partners and developing a deeper understanding of their needs. By strengthening its on-the-ground presence and elevating product leadership through the creation of the CPO role, Matomo is embedding a customer-first approach at the core of both its strategy and product development.

To support this ambition, Matomo has appointed Sarp Özuğurlu as Country Sales Lead for Germany and Damien Robillard as Country Sales Lead for France. Reporting to CEO Adam Taylor, both leaders will work closely with customers to grow Matomo in these key regions — bringing deep market insight and local understanding to strengthen partnerships, improve customer outcomes, and ensure Matomo remains closely aligned to regional needs.

Özuğurlu brings more than a decade of experience across AdTech and SaaS leadership roles, including RTB House, Storyly, and Quantcast, with a track record of building market presence, scaling teams, and delivering large customer outcomes.

“Germany is one of the most demanding analytics markets in Europe — with particularly high standards for privacy, transparency, and reliability,” said Sarp Özuğurlu. “What convinced me about Matomo is that privacy is not just a marketing promise, but the foundation of the product. My focus is to strengthen the local presence in Germany, work closely with customers and partners, and help organizations adopt analytics they can fully trust.”

Robillard brings deep experience building and deploying B2B sales strategies in complex and regulated technology environments. With nearly 10 years of experience in key roles at DigiTruck, Dokey, and Prelude, he has helped transform early-stage sales organisations into high-performing growth engines. His understanding of privacy, data governance, and enterprise purchasing dynamics strongly aligns with Matomo’s positioning and values.

Continuity for customers, partners, and the community

By bringing its teams closer to its customers and partners, Matomo’s primary objective is to design a product that is even more closely aligned with the needs of local markets. This customer-first approach aims to create greater value, foster innovation, and help marketers around the world improve their performance through reliable, complete, and actionable data.

These organisational changes also reaffirm Matomo’s commitment to innovation while staying true to its core values of privacy, ethics, and European data sovereignty. Strengthening regional teams will accelerate localisation efforts and enable more meaningful experiences for customers and partners, further consolidating Matomo’s position as the leading ethical, privacy-first web analytics platform in Europe and beyond.

Adam Taylor, CEO of Matomo, said: “These announcements mark an important step in our growth strategy. With strong regional leadership, we’re expanding our presence across Europe, deepening relationships with customers, partners, and the Matomo community, and building an even better understanding of local needs in every market. Our mission stays the same: give organisations full control over their data, without compromise.”

Aubry added: “To our customers, partners, and community — thank you for the trust you place in Matomo. We’re here for the long run. This structure helps us scale support, expand locally, and keep delivering privacy-first analytics that organisations can confidently build on.”

About Matomo

Matomo is a leading web analytics platform that helps organisations understand their audience and gives them full control over their data. More than 1.4 million websites in over 190 countries use Matomo to improve digital experiences and make confident decisions.

Available on-premise or in the cloud, Matomo combines powerful analytics with data ownership, flexibility, and privacy through its open-source foundation.

Media contact

Elise Duchateau
Head of Marketing and Communications
Matomo (InnoCraft Ltd.)
marketing@matomo.org

You installed a tracker, watched your traffic go up or down, checked conversions, and trusted that what you were seeing represented real people doing real things on your site. If sessions grew, you assumed you were winning. If they dropped, you assumed something was wrong. 

That mental model no longer works. 

As AI assistants increasingly replace traditional search and browsing, many marketers are reassessing their analytics stack. The challenge is no longer just collecting data, it is understanding whether your data reflects real human behaviour or AI traffic. This is where privacy-first web analytics is becoming strategically important. 

Today, a growing share of what appears in dashboards isn’t human at all. It’s AI assistants, automated agents, scrapers and LLM crawlers that “visit” pages without ever intending to behave like users. 

From a server perspective, all of this looks like traffic. 
From a marketer’s perspective, it often looks like chaos. 

We now have more data than ever, and less reliable signals than ever. 

How AI is changing web analytics 

When many of us started working in analytics, the story was simple: people came to a site, they clicked around, and their behaviour told us something meaningful about intent. 

That story has quietly changed. 

We are no longer only measuring people. We are measuring other kinds of actors on the web, including AI tools and automated systems that interact with pages in ways that mimic users but don’t actually represent them. 

If we don’t separate human from automated behaviour, we end up making decisions based on noise while thinking we’re acting on insight. 

You’ve probably already seen this in your own data: sudden spikes from odd referrers, pages that rack up visits without meaningful engagement, or traffic patterns that don’t match what sales, support, or real customers are telling you. 

A lot of this isn’t “classic spam bots.” It’s AI systems pre-fetching pages, querying sites for structured data, or scanning content on behalf of users who never actually land on your website themselves. 

If you treat all of that as equal to human visits, your growth story starts to blur. 

You might celebrate “activity” while your real audience is quietly shrinking. In that case, you’re not optimising for people, you’re optimising for ghosts. 

Why traditional web analytics fails with AI traffic 

Most mainstream analytics platforms were designed in a cookie-based era where a “visit” mostly meant a person with a browser. 

AI doesn’t play by those rules. 

It often comes without typical identifiers, doesn’t interact with consent banners, accesses pages in unusual ways, and moves through sites without anything resembling a normal journey. It doesn’t scroll like a person, it doesn’t follow neat funnels, and it doesn’t “convert” in ways marketers expect. 

As a result, tools built primarily around identifiers and linear user journeys can misclassify activity in both directions, sometimes counting machines as people, and sometimes filtering out real users who behave in unexpected ways. 

That’s why a new, very practical question has become central for many teams: 

“How much of our traffic is actually human?” 

Why human-first analytics matters in an AI world 

Something deeper is changing in how serious analysts think about data. 

The goal today is clean, trustworthy, human traffic. 

This is where privacy-first analytics platforms have gained unexpected relevance. Because they don’t depend heavily on third-party cookies or invasive tracking, they tend to focus more on real interactions, what people actually do on a site, rather than stitching together identity across the web. 

That approach turns out to be surprisingly well suited for the AI era. When your measurement is grounded in genuine behaviour rather than synthetic identifiers, it becomes easier to spot what looks like real engagement versus automated activity. 

In other words, tools built for privacy are increasingly becoming tools that help protect the meaning of your data. 

How Matomo separates AI traffic from human traffic 

A growing number of teams are now looking for analytics tools that can detect AI traffic rather than treating every visit the same. 

Rather than pretending AI activity doesn’t exist, Matomo allows you to identify and separate traffic coming from known AI assistants and tools as its own channel in reports. 

This isn’t just a cosmetic label. It changes how you interpret your data. 

Instead of staring at one blended traffic line and guessing what is real, you can compare what recognised AI tools do on your site, and what real humans actually do. 

You can see whether a spike came from people or from machines. You can tell whether a page is really engaging your audience or simply being read at scale by automated systems. 

For analysts, this moves the conversation from endless debate: “Is this real?” to evidence: “Here’s what humans did versus what AI did.” 

Many mainstream analytics platforms still blend human and automated visits together. They are powerful for reporting, but they don’t give teams a clear way to separate AI traffic from real users. By contrast, platforms that explicitly surface AI-assistant traffic, such as Matomo,  provide clearer, more trustworthy insights in an AI-heavy web. 

When human traffic is under pressure, that clarity becomes more important, not less. 

The bigger shift marketers need to grasp 

For years, many organisations treated raw traffic as a proxy for success. More sessions felt like more attention. More pageviews felt like more impact. 

AI has broken that assumption. 

In a world where a growing share of “traffic” can be machine activity, and where many users now get answers without clicking, visit volume is no longer a reliable indicator of human interest. 

If your KPIs are still built mainly around total sessions, you risk optimising for activity that doesn’t represent your audience at all. 

Privacy-first platforms like Matomo have long emphasised meaningful behavioural signals over surveillance-style tracking. That perspective now feels less like a compliance requirement and more like a strategic advantage. 

If what you care about is understanding people, not just counting hits, that approach aligns better with today’s reality. 

AI and web analytics: what marketing teams have to consider 

Should we optimise for AI discoverability? (Yes, but separately) 

It is not smart to ignore AI discoverability. 

In fact, optimising for AI is becoming a legitimate marketing strategy in its own right. Still, it sits alongside human optimisation, and doesn’t replace it. 

You now effectively have two audiences: 

• Human users who click, browse, compare, and convert. 

• AI systems which not only read, summarise, reference, and recommend, but increasingly act as agents that directly interact with websites, navigating pages, retrieving information, and completing tasks on behalf of the users.

 Each requires its own optimisation and measurement approach.

For AI discoverability, you care about whether your content is clearly structured, factually precise, and easy for systems to interpret, and whether your brand is represented accurately inside AI responses. 

That’s a valid objective, but it is not the same as human engagement. 

The real mistake many teams make is mixing everything into one headline KPI called “traffic.” 

A better model is: 

• One set of metrics for human performance 

• One set of metrics for AI visibility and presence 

This is exactly where tools like Matomo become useful: they help you see these two worlds separately instead of mashed together. 

If your analytics tool can’t do that, you may not have the full visibility needed in an AI-first web. 

Is AI increasing or decreasing website traffic? 

For many websites, AI is more likely to reduce real human traffic over time. 

As more people get answers inside assistants, fewer will feel the need to click through, especially for informational queries. Gartner predicts that search engine volume will drop by 25% by 2026 as users increasingly rely on AI chatbots and others virtual agents instead of visiting websites. 

At the same time, AI systems may still generate background activity on your site, which traditional analytics tools may still record as visits, making dashboards look busy even as your real audience shrinks. 

You can therefore end up with a misleading picture: 

• Analytics showing “activity,” 

• But your actual human reach quietly declining. 

That’s why the key metric of the coming years won’t be total sessions, it will be human sessions. 

And that is exactly what your analytics tool needs to make visible. 

What to consider when choosing a modern analytics tool? 

If AI is changing both how people use the web and how machines interact with websites, then the criteria for a good analytics tool must also change. 

You no longer just need a platform that counts visits. 

You need a platform that helps you understand who those visits really are. 

Modern analytics tools now provide:

• Clear separation of human traffic from AI and automated activity. 

• Focus on real behavioural signals, not just identifiers. 

• No reliance on third-party cookies. 

Many mainstream tools are excellent at collecting data, but far less transparent about what that data actually represents. 

Platforms that explicitly surface AI-related traffic, like Matomo, give teams a clearer foundation for decision-making in an AI-heavy web. 

If your dashboards and your business reality no longer match, this distinction matters more than any fancy attribution model. 

The new reality for marketers and analysts 

As this settles in, the questions that actually matter are changing. 

The key question is now how much of your traffic represents real human behaviour: 

• How much of our traffic is human? 

• Are AI referrals ever leading to real conversions? 

• Are we visible inside AI tools, even if fewer people click? 

Teams that can answer these questions clearly will make better decisions than teams chasing ever-higher session numbers. 

That is why privacy-first analytics are gaining credibility: they keep the focus on real people rather than artificial noise. 

Final take 

AI isn’t a distant disruption for web analytics, it’s already reshaping what our numbers mean. 

The organisations that will win in this environment won’t be those with the biggest dashboards or the highest visit counts. 

They will be the ones that can confidently say: 

“We know which of this traffic represents real humans, and we know how visible we are to AI as well.” 

In that sense, human traffic has become your most valuable metric,  while AI discoverability has become a new strategic layer alongside it. 

To gain confidence in you data, your analytics tool needs to help you clearly distinguish between human visitors and automated traffic. 

If you are rethinking your analytics stack in light of AI, it makes sense to prioritise tools that let you see human and AI traffic separately rather than blending everything together. 

Because at the end of the day, analytics should help you understand real people, not just count visits.

Start a free Matomo trial and see how much of your traffic is truly human. 

First, it’s important to understand who’s bound by the GDPR. According to the regulations, any business established in the EEA must comply, regardless of whose data it processes. The GDPR also applies to organisations located outside of the EEA if they target or monitor individuals within the EEA.

It’s easy these days to lose track of what data you collect and why. But ignorance is no defence. At the heart of demonstrating compliance and managing this complexity lies a crucial, yet often misunderstood, requirement: the Record of Processing Activities (ROPA).

This article explains what a ROPA is, who needs to keep one, common challenges and why it’s a strategic asset and foundational document for GDPR compliance and ethical data handling.

What is a ROPA (Record of Processing Activities)?

A ROPA (Record of Processing Activities) is a GDPR-mandated inventory (under Article 30) detailing processing activities under an organisation’s responsibility. It includes information such as:

• Purposes of processing
• Categories of data subjects and personal data
• Categories of recipients
• Transfers to third countries
• Retention periods
• Security measures

Understanding ROPA roles and purpose

A ROPA is an internal, living document that demonstrates an organisation’s commitment to data protection. With proper attention and regular updates, it becomes a vital tool for accountability and data transparency with authorities and the public. 

There are two main parties responsible for its creation and maintenance:

• Data controllers: These are organisations that determine the purposes and means of processing personal data. They bear the ultimate responsibility for ensuring compliance with data protection regulations.
• Data processors: These are external organisations or entities that process personal data on behalf of a data controller, acting strictly on their instructions.

GDPR obligations of data controllers

Data controllers must maintain a record that includes specific information about the personal data their organisations handle. Unless there’s a valid reason not to, this record should detail:

• Contact details: For the controller, any joint controllers, representatives, or Data Protection Officers (DPO).
• Purposes of processing: The reasons for collecting and using the data.
• Categories of data: The types of individuals whose data are processed and the categories of personal data collected.
• Recipients of data: The types of organisations or individuals who receive the data, including those in other countries or international organisations.
• International transfers: Details of any data transfers outside the EU, specifying the country and documented protections.
• Retention periods: The envisaged time limits for data erasure.
• Security measures: A general description of the technical and organisational security measures used to protect the data, as required by GDPR Article 32(1).

GDPR obligations of data processors

Data processors are also required to maintain a record of their processing activities. This record must include:

• Contact details: For the processor and for each controller they work for, including any representatives or Data Protection Officers (DPO).
• Processing activities: The types of processing operations carried out on behalf of each controller.
• International transfers: Details of any data transfers to other countries or international organisations, and any protections in place for these transfers.
• Security measures: A general description of the technical and organisational security measures used to protect the data.

Why is ROPA important?

A well-maintained Record of Processing Activities is a strategic asset for any organisation handling personal data. Beyond its legal mandate under Article 30 of the GDPR, here are a few more reasons why its importance is hard to overstate:

• It helps businesses understand their data: The record requires organisations to clearly document all personal data collected, the purpose of its collection, and its planned deletion and retention periods.
• It demonstrates accountability: Maintaining detailed records and strong documentation standards demonstrates an organisation’s commitment to data protection and GDPR compliance.
• It helps with risk management: Documenting data processing activities helps identify and resolve privacy risks, prevent breaches and ensure safer handling of personal data.
• It makes audits easier: A well-maintained ROPA simplifies data protection authority audits by demonstrating compliance with regulations.
• It builds trust: Responsible data handling and privacy practices help foster customer trust, brand loyalty, and a positive public image.

In short, a Record of Processing Activities helps businesses protect personal data, manage risks, and build trust with their customers. 

It also helps regulators assess compliance. GDPR’s emphasis on accountability through record-keeping set a global standard for privacy, not just EU compliance. 

Today, maintaining processing records is a baseline expectation in most modern privacy laws, even if the terminology differs. 

Who needs to keep a ROPA?

As mentioned before, the GDPR applies to any business in the EEA. It also applies to organisations outside the EEA that aim their services at or watch individuals within the EEA. 

There’s an exemption for firms with fewer than 250 employees. However, this exception only applies if their processing is: 

• not regular;
• unlikely to cause risk; and 
• does not involve special types of data or information related to criminal convictions.

These exceptions also don’t apply if the data being processed falls into the special categories listed in Article 9 of the GDPR. These categories include, for example, data that shows:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership.

The GDPR also restricts the processing of genetic or biometric data if it is used to uniquely identify an individual. The same rule applies to health data or data about a person’s sex life or sexual orientation. Special category data requires a separate legal basis under Article 9(2) and enhanced safeguards.

In reality, most organisations process data regularly, so they usually need a ROPA. Even when exceptions apply, it’s generally considered best practice to keep one anyway.

How to create a ROPA

Creating and keeping a Record of Processing Activities is a structured process. Here are six steps that guide the process of documenting data processing operations:

• Step 1: Identify your role (controller or processor):
  • → First, determine if your organisation is a data controller, a data processor, or both.
  • • Controllers determine the nature and extent of data processing.
    • Processors execute the controller’s instructions.
  • → Your record needs different information based on your role, as per GDPR Article 30.
• Step 2: Map all processing activities:
  • → List every activity where your organisation handles personal data.
  • → This includes how data is collected, stored, used, shared and deleted across all departments and systems.
• Step 3: Document key ROPA elements (Article 30):
  • → For each activity, record the specific details required by GDPR Article 30.
  • → This covers:
  • • • Processing purposes
    • • Types of data subjects and personal data
    • • Data recipients (including international transfers)
    • • Data retention periods
    • • Security measures.
  • → Be precise and thorough.
• Step 4: Implement security measures:
  • → The ROPA requires a general description of your security measures.
  • → This means putting in place proper technical and organisational protections for personal data.
  • → Review and update these measures regularly to keep data secure.
• Step 5: Review and update regularly:
  • → Data processing changes frequently, so you must review and update your ROPA regularly.
  • → Update this regularly, ideally after major changes or at least annually, to keep it current.
• Step 6: Automate (where possible):
  • → Use privacy-first tools to help create and maintain your ROPA.
  • → Automation makes the process more efficient, reduces errors and keeps your ROPA current and visible.
  • → This is crucial for supervisory authority requests, which often require prompt responses.

Common challenges

Creating and maintaining a ROPA can present several challenges. Recognising them early can help prepare for and overcome them.

• Unclear data flows: Many organisations struggle to map how personal data moves through their systems and departments. Data is collected in various ways, processed by different teams, and shared with third parties, making it hard to see the full picture.
• Third-party risks: Sharing data with third parties and external processors requires verifying GDPR compliance, which can be complex. Documenting these transfers in the ROPA can also be challenging.
• Retention policies: Deciding how long to keep different types of personal data can be challenging due to conflicting legal, regulatory, and business priorities.
• Static documentation: A ROPA is a living document that requires regular updates due to frequent changes in data processing. Without these updates, the ROPA loses its value in terms of compliance and accountability.

Take a proactive approach to data protection 

Following privacy laws and strengthening data management practices helps mitigate the risks associated with data breaches and build trust with users.

Matomo can support your ROPA process by giving you clearer visibility into your analytics data processing activities. Matomo can make parts of your processing easier to document, like the analytics data you collect, how it’s processed, and where it’s stored.

To see how Matomo can support your compliance efforts, download Matomo On-Premise for free or start your 21-day free trial of Matomo Cloud today — no credit card required.