Businesses in the US are caught between growing consumer expectations, new data privacy laws and concerns about potential fines. Yet there is still no single federal data privacy act that lays out exactly how an organisation must handle personal or sensitive data.

Instead, they must comply with a mix of state rules, sector laws and guidance from different regulators, all while their teams need reliable data to make decisions. It’s confusing, and waiting for clarity can feel risky.

This article will explain the current US landscape, highlight key risks and opportunities for marketers and data analysts and show practical steps they can take now to prepare.

Is there a federal Data Privacy Act in the US?

The short answer is: no. There isn’t a single, comprehensive federal “Data Privacy Act” in the United States that governs how every organisation collects and uses personal data. In its place is a patchwork of sector- and state-based laws.

While this may seem appealing to those who favour less regulation, it makes it harder for marketers and analysts to do their job. They have to learn how different rules overlap, where they conflict and how they apply to their analytics tools, as well as maintain compliance with any laws in countries or regions where they do business internationally.

Sector-specific federal laws

At the federal level, the United States regulates personal data through industry- and use-specific statutes. A few of the most important examples are:

• Health data: The Health Insurance Portability and Accountability Act (HIPAA) sets strict rules for how covered entities handle protected health information. If campaigns touch hospitals, insurers or clinics, marketing teams need to understand how HIPAA shapes what can be tracked, stored and shared.
• Children’s data: The Children’s Online Privacy Protection Act (COPPA) regulates how websites and online services collect personal data from children under 13. It affects consent flows, tracking and the type of profiling they can run on younger audiences.
• Financial data: The Gramm-Leach-Bliley Act (GLBA) governs how financial institutions safeguard consumer financial information. It has a direct impact on data security practices, internal access controls and some types of marketing based on financial history.

These sector rules sit alongside separate data breach notification laws and data security laws at the federal and state levels. As a result, two companies can face very different obligations depending on the type of consumer’s personal data they handle, even if they use similar analytics tools.

State-level privacy laws

Many states have started to build their own frameworks to protect their residents’ data. These data privacy laws give them specific consumer rights and place duties on each data controller that has controlled or processed their personal data.

A few of the key laws to know:

• California: The California Consumer Privacy Act (CCPA), as updated by the California Privacy Rights Act, gives broad consumer rights such as access, deletion and the right to opt out of the sale or sharing of personal data, requiring a visible “Do Not Sell or Share My Personal Information” link. It also covers rules for de-identified data, which affects how businesses anonymise identifiers used for analytics and measurement.
• Virginia: The Virginia Consumer Data Protection Act (VCDPA) sets out consumer rights and detailed controller obligations. It covers profiling, targeted advertising and sensitive categories like biometric data or precise geolocation data. Its rules often require businesses to perform protection assessments for higher-risk processing.
• Colorado: The Colorado Privacy Act (CPA) requires businesses to honour a universal opt-out mechanism for targeted advertising and the sale of personal data. That means they must respect a browser-level signal, instead of just their own consent banner.

This list is far from complete, as close to half of all US states have similar laws, including the Texas Data Privacy and Security Act, the Montana Consumer Data Privacy Act and the Oregon Consumer Privacy Act.

Sector-level laws (e.g., HIPAA, COPPA and GLBA) and state-level laws (e.g., CCPA, VCDPA and CPA) exist, but there is not yet a single overarching federal law.

Together, these state-level privacy regulations form a moving target. Each one defines personal data slightly differently and draws its own line between categories like pseudonymous and de-identified.

For many teams that rely on analytics, tracking a visitor’s state is a necessity for compliance.

Data privacy risks and challenges for businesses

The biggest challenge in the United States isn’t one strict law. It’s the many different ones.

For businesses operating across state lines, compliance means tracking:

• How each state defines personal data
• Which consumer rights apply
• How to respect opt-outs from targeted advertising or consumer data sales

One resident might see a universal opt-out link, while another only has a basic cookie banner. If an organisation can’t prove that it followed these laws, an attorney general can open an investigation after a complaint or a breach.

Privacy notices and consent flows also vary by location.

Some states require clear “Do Not Sell My Personal Information” links. Others focus on how to handle sensitive categories, such as health or location data.

Organisations must know:

• Where data is stored
• Who has access to it
• How to respond in the event of a data breach

Without this, it becomes hard to honour deletion requests, manage de-identified data correctly or prove that they handled information responsibly.

The risk isn’t just regulatory. It impacts brand trust and reputation.

When the most frequently targeted data category is personally identifiable information, trust becomes a competitive factor. Organisations that apply consistent privacy protections across all states, not just when required, are often better positioned for long-term credibility (and future laws).

Preparing now with privacy by design

No one can control when or how a federal data privacy act will finally pass, but organisations can control how ready they are when it does. Privacy by design is the philosophy that teams build respect for personal information into every system from day one, instead of waiting for a new law or, worse, a data breach.

Watching pending federal proposals

Several proposals have tried to create a single national framework for personal data. The failed American Data Privacy and Protection Act and the American Privacy Rights Act serve as two examples.

They include provisions around consumer rights, limits on the amount of collectable data and stronger enforcement powers for the Attorney General’s office or the Federal Trade Commission.

While any future bill is likely to look different, it likely will:

• Give data subjects stronger privacy protections
• Set baseline rules for how a data controller uses sensitive information
• Expect businesses to run regular data protection assessments and show their data security practices are robust

By reviewing the protections granted in these bills and weighing them with those already passed in existing state- and sector-level legislation, organisations can future-proof their systems now and gain a competitive edge.

Moving closer to GDPR style frameworks

US organisations pivoting to a more privacy-friendly stance should also study the European Union’s GDPR. Many of them already follow it because they serve EU or EEA data subjects.

It has requirements pertaining to:

• Purpose limitation
• Clear legal bases
• Strict data breach notification requirements
• Careful handling of de-identified data

It also pushes organisations to document how they have controlled or processed the personal data of individuals.

A future US consumer data privacy act is unlikely to copy GDPR word-for-word, but it might borrow many of the same themes, particularly around data minimisation and combining multiple data sources.

Building privacy by design into analytics

The best strategy for companies is to prepare their analytics infrastructure now as if a unified federal law were already in place. That means they should:

• Collect only the personal data truly needed for measurement
• Separate sensitive categories (such as consumer health data) wherever possible
• Define clear internal rules for data retention, access and deletion
• Choose analytics tools that honour consent choices and opt-outs by region
• Keep an inventory of where data is stored for quick request and incident response

Building privacy by design into your analytics infrastructure can be done by following the steps listed above.

These best practices turn privacy by design into something concrete. Teams still get the insight they need, but they do so within a framework that respects data subjects, aligns with emerging data security laws and reduces the risk of painful changes later when a national data privacy law finally lands.

Support compliance efforts with privacy-first analytics

Businesses based in states without strong data protection legislation are not exempt from compliance requirements if they conduct business across state lines.

That means an eCommerce company based in Wyoming collecting personal data from customers in states like California or Virginia must follow each state’s rules for every visit that makes its way into their analytics tools.

As both state- and sector-level regulations change, the privacy by design approach becomes more practical than not. At some point, any material advantages eked out by pulling more personal data are offset by the time and monetary costs of reconfiguring analytics tools.

A privacy-first platform helps teams:

• Minimise the amount of consumer personal data they collect
• Respect consent choices by region
• Work more confidently with de-identified data

It also gives a clear view of which data controller is responsible for what, how data subjects can exercise their consumer privacy rights and how teams can prove that they processed data lawfully.

Matomo is built on these ideas.

We’re an open source, privacy-first analytics suite that lets organisations own their data, deploy in the cloud or on-premise and configure tracking for compliance with strict regulations, like CCPA and HIPAA.

Features such as cookieless tracking, flexible consent tools and detailed access controls make it easier to align with state rules on personal data and consumer health data without losing sight of key metrics.

Matomo also avoids data sampling, which means compliance leads and analysts see the whole picture when they review behaviour or run data protection assessments. And it can track AI chatbot and AI agent traffic for free, something most tools can’t do.

Choosing privacy-first analytics now gives your team a stable base. As new state statutes arrive or a future national data privacy act takes shape, you can adapt settings rather than rebuild your measurement stack from scratch.

Staying ahead of any future US data privacy act

Personal data is everywhere, and the rules that guard it are only growing more complex. Even without a single federal data privacy act, state privacy laws and sector rules already shape how you collect, store and use personal data.

The most practical move now is simple: review your analytics stack and choose tools that support privacy by design as a default, instead of as an afterthought.

Start by mapping what you track, where it lives and which consent signals you respect, then phase out any platforms that cannot adapt to stricter requirements.

Matomo was built for this kind of future. Over a million websites trust Matomo for accurate, unsampled reporting, strong privacy controls and full data ownership.

Explore Matomo Cloud or On-Premise to prepare your organisation for whatever comes next.

Frequently asked questions

What is the DATA Privacy Act?

H.R. 5807 from the 117th Congress (2021-2022), better known as the Digital Accountability and Transparency to Advance (DATA) Privacy Act, was a proposed federal bill to establish national data privacy standards in the United States.

Like the American Data Privacy and Protection Act and the American Privacy Rights Act, the DATA Privacy Act failed to pass. However, a bill like it may pass in the future.

Which US states have data privacy laws?

As of early 2026, the following 20 states have data privacy regulations:

• California
• Colorado
• Connecticut
• Delaware
• Florida
• Indiana
• Iowa
• Kentucky
• Maryland
• Minnesota
• Montana
• Nebraska
• New Hampshire
• New Jersey
• Oregon
• Rhode Island
• Tennessee
• Texas
• Utah
• Virginia

The following states have laws that will carry over or be introduced in 2026:

• Georgia
• Hawaii
• Illinois
• Maine
• Massachusetts
• Michigan
• Mississippi
• New York
• North Carolina
• Oklahoma
• Pennsylvania
• Washington
• West Virginia
• Vermont
• Wisconsin

Alongside Washington, D.C., these states have no laws or current plans to enact them:

• Alabama
• Alaska
• Arizona
• Arkansas
• Idaho
• Kansas
• Louisiana
• Missouri
• Nevada
• New Mexico
• North Dakota
• Ohio
• South Carolina
• South Dakota
• Wyoming

What is the Data Privacy Act of the Philippines?

The Data Privacy Act is a Philippine law passed in 2012 that regulates the collection, processing, storage and sharing of personal data. It created the National Privacy Commission, the governing body responsible for its enforcement and applies to organisations operating in the Philippines, as well as those outside of the country working with the data of Philippine citizens and residents.

It’s similar in scope to the GDPR.

The post Is there a US Data Privacy Act? appeared first on Analytics Platform - Matomo.

The survey also highlights data privacy as one of the biggest obstacles to getting there. There’s a clear need for privacy-centric solutions and ethical data tools. Teams need ways to work with and analyse behavioural data, but without over-collecting, over-tracking or violating local requirements.

This piece looks at how data analytics in banking personalise financial services, reduce risk and support decision making, as well as how privacy-first solutions like Matomo help teams do it responsibly.

What is data analytics in banking?

Data analytics in banking is the process of collecting, organising and analysing financial, marketing and customer information to understand performance and make better future decisions.

It turns large volumes of raw data, such as transactions, channel performance or operational records, into meaningful insights that can support everyday banking operations and long-term strategy.

For example, instead of a bank seeing a simple list of monthly withdrawals, banking analytics identifies a consistent pattern of transfers to brokerage firms. With this insight, the bank can offer its own investment products to the customer.

Why is data analytics important for banks?

Data analytics helps banks identify strategic goals and work towards them with confidence, whether the focus is growth, customer retention or entering new markets. Data helps reveal problems to fix and opportunities worth investing in.

Without data analytics, decision makers don’t know how bad a problem might be or how good an impact a simple change might create. There’s no way to pinpoint what’s really driving customers away or what’s bringing them in.

Ultimately, data helps answer questions that drive success. What onboarding steps are creating the most friction with customers? Which regions are the most profitable? Which transactions have the highest fraud risk? The wins for banks are more clarity, the ability to pivot faster and less risk. Let’s take a look at how these data analytics benefits play out for banks.

Clearer strategic visibility

Boards relying on quarterly reports show past performance but offer limited forward visibility. This makes long-term planning slower.  

Data analytics brings financial, operational and risk data into a single view. For example, predictive modelling can help directors evaluate potential outcomes before making any decisions. Similarly, indicators such as forecasted risk exposure or revenue trends help banking leaders stay in control.  

Faster response to market and policy changes

Interest rate changes, economic uncertainty and evolving regulations all affect the banking environment. Traditional reporting methods may not be able to catch up when there are sudden shifts in rates, regulations or the market.

With analytics, banks are able to track performance trends in real time and test potential outcomes through scenario analysis. Tracking margin movement or liquidity trends can help banks adjust pricing, lending strategies or risk posture earlier, improving organisational agility.

Improved allocation of capital and operational resources

Finding out in which area capital delivers the best returns is difficult when banks rely only on overall profit numbers.

Data analytics allows deeper visibility into product performance, customer segments and regional activity. Metrics on factors such as product profitability, marketing channel performance and cost efficiency help shift resources towards sustainable growth rather than historical priorities. As a result, banks can identify high-margin areas, reassess legacy offerings and refine branch investment decisions.

Stronger evaluation during mergers and acquisitions

An institution’s true value can be difficult to judge when customer behaviour patterns and portfolio risks are unclear.

Analytics allows banks to examine customer retention, credit quality and what products or segments carry risks. These reveal warning signs like which portfolios are profitable but carry hidden threats. This information leads to better acquisition decisions and fewer post-merger surprises.

Growth in long-term customer value

Customer attrition can happen without any signals when systems are disconnected.

However, analytics allow teams to comprehensively look into usage behaviour and churn indicators to understand customer needs and product affinity. This early identification can guide timely retention efforts, improving customer lifetime value.

More relevant customer experiences

Uniform messaging won’t work for individual financial needs and choices.

Analytics helps banks to understand customer spending habits and interaction history. This can help with personalised outreach and improve engagement and conversion while also building trust. For example, if a customer repeatedly checks loan options in a banking app but doesn’t apply, this signals interest and allows the bank to share helpful guidance instead of broad promotions.

So, how are banks and other financial institutions using data analytics to improve customer engagement, reduce risk and drive growth? Let’s take a look.

Common banking analytics use cases

Banks are using analytics for everything from fraud detection to ad optimisation. It’s powering faster, more confident decisions related to lending, marketing and operations.

Some use cases involve real-time monitoring for faster responses, while others involve drawing on historical data to create context for big-picture decisions that drive growth. All of these banking analytics use cases involve collecting and analysing data while maintaining privacy controls and consent requirements. That way, insights can feed decisions without eroding customer trust or impacting compliance.

Credit risk assessment 

Analytics allow banks to assess if a borrower can repay a loan and track lending risk.  

• Transaction data can show income stability, sudden spending changes or early signs of financial stress. When combined with credit history and verified income information, this helps banks set loan interest rates and credit card pricing more accurately.
• Portfolio analysis shows how much lending is concentrated in certain industries, regions or customer groups. This helps risk teams reduce exposure if too many loans depend on the same economic conditions.
• Data can help regulators and internal risk teams understand and audit how approvals or rejections were made.

Fraud detection and prevention

Banks use analytics to detect suspicious activity by combining different types of customer and transaction data that may look normal on their own.

• Analysing device details, login activity and payments together helps detect unusual behaviour that fixed rule-based systems, which flag preset conditions like large transactions, may miss.
• Relationship analysis can uncover groups of linked accounts moving stolen money. And timing checks detect fraudulent card testing or attempts to take over accounts.
• Machine learning ranks transactions by risk so investigators review the most serious cases first.

According to the U.S. Department of the Treasury, enhanced fraud detection processes that rely on data analysis and AI prevented and recovered more than $4 billion in fraud and improper payments in 2024.

Customer segmentation

Analytics helps banks group customers based on behaviour and life stage so services match real financial needs.

• Behavioural and demographic insights guide when and how products are introduced, such as savings tools for new parents or credit-building options for graduates.
• Regional trends inform branch planning, ATM placement and local engagement strategies.

Operations and service

Banks use analytics to reduce friction in everyday processes while maintaining service quality.

• Customer journey analysis shows where applications are abandoned or where support steps repeat, allowing teams to reduce call volumes.
• Workforce analytics aligns staffing with predictable demand peaks, improving response times.
• Exception tracking in payments and treasury identifies recurring operational issues.

Auditability and governance

Analytics helps with transparency so banks can meet privacy regulations.

• Data lineage tracks information from source systems to final reports.
• Version control records how models change and who approved them.
• Clear documentation helps teams validate their decisions when regulators request evidence.

Real-world example: 7Assets and Matomo

Fintech firm 7Assets needed a familiar balance: better insight with strict privacy.

After moving to Matomo, the team limited collection to what was necessary, tracked website and in-product journeys and used session recordings to prioritise fixes while reducing legal overhead.

They were able to focus on collection, document decisions and keep users’ rights central with Matomo’s privacy-first approach to banking analytics.

Trends shaping data analytics in banking

Banks are using data analytics in new and evolving ways. The trends below explain the key shifts driving this change.

AI and machine learning

AI and machine learning can analyse large volumes of data fast. Machine learning models score transactions, prioritise sales opportunities and predict late payments. Large language models summarise customer cases and draft support responses, and predictive models identify churn risk and recommend next-best actions for customer engagement.

Real-time analytics

With real-time analytics, banks can track events as they happen instead of reviewing them hours or days later. For example, real-time systems can flag a card used in two distant locations within minutes. Repeated small payment attempts may trigger temporary card blocks before larger fraud occurs. Shared real-time data also helps service teams respond faster when customer behaviour signals frustration or urgency.

Sustainability

Banks are adopting advanced analytics to support sustainable financing decisions. ING, for example, has developed AI models that analyse sustainability indicators, evaluate transition strategies of high-emission businesses and benchmark environmental performance against industry peers.

HSBC is using computer vision and satellite imagery (remote sensing) to monitor forest cover, check biodiversity and evaluate environmental risk exposure within its lending portfolio.

Privacy-preserving techniques

As data use expands, banks are adopting techniques that reduce exposure to personal information. Federated learning and synthetic datasets train fraud detection and risk models without sharing raw customer data. Processing data closer to devices, such as mobile apps or ATMs, enables faster responses while limiting data movement.

Ethical data use

Growing reliance on analytics in lending, fraud detection and customer decisioning requires stronger data governance. Financial institutions need to follow responsible data practices to stay compliant, but also to maintain trust. Here are some ways banks are handling customer data ethically:  

• Purpose limitation ensures data is used only for clearly defined business objectives.
• Data minimisation reduces unnecessary personal attributes in datasets.
• Bias testing evaluates decision models across customer groups before deployment.
• Decision transparency preserves audit trails, model versions and input data to support reviews.

While there’s a lot on the horizon with AI-powered analytics and the adoption of privacy-first data management practices, there are still major challenges facing the industry.

Challenges of using data analytics in banking

Banks hold large volumes of customer data, yet making it usable, secure and compliant is hard work. From adhering to strict privacy rules to transforming data so it’s ready for analysis, these are the main challenges financial institutions face today when it comes to data analytics.

Navigating data privacy regulations

Banking operates under some of the strictest privacy rules of any industry.

Because these activities directly affect customers, regulators closely govern how financial institutions collect, analyse and transfer data. The main challenge is dealing with different rules across regions, which force banks to design analytics systems that remain compliant everywhere they operate.

In Europe, financial institutions have to follow the following data privacy regulations:

• General Data Protection Regulation (GDPR) requires banks to collect only necessary data and use it for a clear purpose. It also allows customers to request corrections and deletions.
• Data Protection Impact Assessments (DPIAs) are required when analytics may significantly affect individuals, such as behavioural profiling.
• Automated decision safeguards require banks to provide valid reasons for automated decisions.
• Standard Contractual Clauses (SCC) are legal agreements for personal data transfer between EU and non-EU countries.
• Open banking regulations require clear customer consent and allow users to control how their financial data is shared.

In the United States, there are several data privacy laws. Here are the main ones banks have to follow:  

• Gramm–Leach–Bliley Act (GLBA) requires banks to protect personal information and disclose how they share data, especially with third-party service providers.  
• Right to Financial Privacy Act (RFPA) lays down conditions on how federal authorities can access and use customers’ financial information.
• State privacy laws such as the California Consumer Privacy Act (CCPA) and CPRA empower Californian residents to request that businesses explain how their data is used or stored.
• Supervisory guidance expects banks to manage model risk, vendor risk and fair lending outcomes responsibly.

When navigating different regional laws, many banks adopt a practical strategy: they design analytics systems to meet the toughest regulatory requirements first and then adapt them for local markets. This reduces rework and helps teams scale analytics safely across regions.

Data quality

Analytics is only as reliable as the data behind it, and banking data often comes from multiple systems built at different times. Customer names, dates, account identifiers and transaction categories follow different formats across platforms, which can lead to misleading insights and data confusion. Ad platforms also use their own data formats, making it difficult to compare cross-channel performance and determine which channels are bringing in customers.

Banks need the proper data infrastructure to make sure data is clean, structured and analysis-ready. Data cleaning and transformation involves removing errors and duplicates and structuring it so formats are aligned before they begin analysis.

Operational complexity

Advanced analytics tools require investment in software, infrastructure, integration and skilled teams. Custom integrations with core banking systems can be expensive and slow.

Staff also need training to interpret results correctly and use models responsibly. A bank adopting a new analytics platform, for example, may spend months connecting historical data sources before seeing measurable value. The challenge is proving long-term return while managing short-term costs.

Matomo tracks channels and campaigns so banks can clearly see where new customers are coming from and what channels have the best return on investment (ROI) almost right away.

With filters and clear visualizations, it’s easier to turn data into insights quickly. And, your data stays private, so you won’t risk losing customer trust.

How privacy-first analytics platforms like Matomo help

Privacy-focused analytics tools like Matomo can reduce regulatory friction by aligning technical design with legal expectations from the start.

Banks can use Matomo to:

• Host analytics data on-premise or in approved regions, helping meet localisation and transfer requirements.
• Limit personal data collection through anonymisation and configurable retention settings aligned with GDPR principles.
• Manage customer consent choices across online and digital banking.
• Collect first-party data, reducing cross-border and vendor risks common in traditional analytics platforms.
• Control access securely through role-based permissions, audit logs, SSL encryption, single sign-on (SSO) and two-factor authentication (2FA), ensuring only authorised staff can view analytics data.

All data stays under your control. And with our API and BigQuery and Data Warehouse export feature, you have the flexibility to pull raw data and move it to a warehouse for storage, giving you total control over where your data lives.

A privacy-first approach to data analytics keeps banks in control

Data analytics is becoming the engine of modern banking.

Raw events and transactions are the fuel; models, governance and workflows turn that fuel into motion that improves service, reduces loss and finds new growth.

But engines also need brakes and gauges. Consent, data minimisation and audit trails keep programmes safe and fair, even as rules evolve and data volumes rise. That means joining behavioural and transactional data with a clear purpose, collecting only what’s needed and documenting every step.

Matomo helps teams do this with privacy-first analytics you own, accurate reporting without sampling and hosting options that fit banking controls. You get insight that’s defensible, and customers get confidence that their rights come first, as well as a great customer experience.

Start your 21-day free trial today. No credit card required.

Frequently asked questions

What are the benefits of data analytics in banking?

Data analytics can help banks better understand their customers, so they can create a more engaging customer experience and optimise their marketing. It can reduce fraud risk, which leads to better compliance and higher customer trust. Data also helps leaders make better-informed operational decisions, helping banks become more sustainable.

How can data analytics protect banks from fraud risk?

Data analytics can help protect against fraud by analyzing aggregated historical data to flag high-risk transactions and assess risks using automated scoring. Banks can then use this information to mitigate issues in real-time.

How concerned are bank app customers about data privacy?

Customers are very concerned about data privacy, and this is true across the globe. An analysis of financial app reviews worldwide published in Information and Software Technology found that customers are worried about their highly sensitive data being exposed during a breach, but they’re also uncomfortable with financial institutions sharing their data with third parties, particularly advertisers.

Many users won’t use an app if they’re asked to share personal information, such as location data or browsing history. They’re also likely to switch to a competitor if they feel the number of permissions is too high.

What can banks do to increase customer trust related to data privacy?

Banks can increase trust by being more transparent about how data is stored and shared. For example, providing clearer privacy policies can help. Using more robust privacy protection measures, such as having an opt-out function for web analytics tracking and making two-factor authentication available, can also help.

The post The potential of data analytics in banking appeared first on Analytics Platform - Matomo.

The problem is getting to them fast enough.

You need to check last week’s campaign performance. Compare traffic sources. Understand why conversions changed. Pull the right numbers before a meeting. All of that, before you can even answer the original question…

Matomo MCP helps reduce that friction.

With the new Matomo Model Context Protocol (MCP) Server, you can connect Matomo to AI tools like Claude, ChatGPT or OpenAI Codex, then ask questions in plain language and get answers based on your real analytics data.

Your team shifts from “Where can I find the right data to understand the situation?” to “What should we do next?”.

Why this new AI feature matters

Analytics should help your team make better decisions. But too often, the gap between question and answer slows the work down. And this matters even more with AI-assisted work becoming a normal part of modern data workflows. 

Matomo MCP reduces that gap at every stage:

• Faster answers for marketers, analysts, product teams and team leads, with less time spent navigating reports.
• Less friction across teams, because people can self-serve insights instead of waiting for someone to pull the numbers.
• More room for actual analysis, because data gathering stops being the bottleneck.
• A single conversation flow that supports follow-up questions, so you can dig into the why behind a number without starting from scratch.

This is especially relevant for teams that report on performance regularly, monitor campaigns across channels, or just want a quick read before a meeting. Matomo MCP helps your team get to a first answer faster.

It’s also relevant if you are evaluating Matomo against other analytics platforms. AI-assisted analytics is becoming a baseline expectation. Matomo MCP brings that capability into your workflow without turning your analytics data into another black box. You choose the AI tool, you control permissions, and Matomo remains the place where your analytics data is stored and managed.

What Matomo MCP does

MCP stands for Model Context Protocol. It’s an open standard that lets AI tools connect to your data and tools in a secure, structured way.

In Matomo, the MCP Server works as a bridge between your AI tool and your analytics data.

Here’s how it works:

1. The AI tool turns that data into a clear answer.
2. You ask a question in your AI tool.
3. The AI tool sends the request through the Matomo MCP Server.
4. Matomo retrieves the relevant analytics data.

No time to explore everything now? Download our MCP guide and keep the practical prompts, setup links and use cases ready for when your team starts using Matomo MCP.

What our MCP changes in your daily work

Three ways teams are starting to use Matomo MCP.

Some questions you can ask straight away:

• “What were my top 5 traffic sources last week on [your site]?”
• “Summarise our top traffic sources this quarter and highlight the main changes compared with last quarter.”
• “Which campaigns brought the most conversions and revenue last quarter?”
• “Compare conversion rates between mobile and desktop users for the past quarter.”

A note worth flagging: AI tools summarise well, but they can also make mistakes. We recommend verifying important numbers in Matomo before sharing them with stakeholders or clients.

What you stay in control of

Because Matomo MCP connects your analytics to an external AI tool, you decide:

• Which AI tool connects to your Matomo instance.
• What data the tool can access.
• Which permissions are granted through API tokens or OAuth 2.0 scopes.
• Whether access is read-only or includes broader permissions.

This is the part of the announcement we want to be clear about. AI in your analytics workflow raises two questions: who controls the data, and how accurate that data is. Matomo MCP is built for both. Your team keeps full control of access, by design. And because Matomo collects unsampled, first-party data, your AI tool works from a complete picture, so the insights you get reflect what’s actually happening. Learn more about Security considerations for the MCP Server in our Knowledge Base.

Where to start

Matomo MCP is now available on Matomo Cloud and on Matomo On-Premise.

If you are already using Matomo, head to our resource guide How you can use Matomo MCP to make faster, smarter decisions. It walks you through what MCP enables for marketers, analysts and product teams, with prompt examples, setup links, and tips for responsible use.

If you are evaluating Matomo, start a free trial to see how the platform combines privacy-first analytics with the kind of speed your team actually needs.

Analytics, in your team’s language

Matomo MCP helps your team move faster from analytics data to business decisions.

You can ask questions in plain language, explore results faster and turn your Matomo data into clearer next steps.

Matomo MCP adds AI to your analytics workflow without changing what makes Matomo trusted: your data stays with you, your team controls access, and your AI tool works from complete, unsampled data.

Faster decisions, in plain language, on data you can trust.

Want to learn more about our MCP? Download our free guide now to learn how to ask better questions, summarise reports faster and turn Matomo analytics into business decisions you can act on.

The post Faster decisions from your data: Matomo MCP is now available. appeared first on Analytics Platform - Matomo.

Today, the problem remains. Valuable information exists, but it’s difficult to access, connect, and use across different systems. That leads to challenges like:

• Reduced efficiency, as people waste time searching for information and asking for information in meetings, instead of simply retrieving it.
• Impaired decision-making, as decisions are based on siloed data.
• Complicated automation, when workflows depend on fragile integrations, manual workarounds or incomplete data.

What are data silos?

According to IBM, data silos are “isolated collections of data that prevent data sharing between different departments, systems and business units.“

In an organisation, departments often use their own tools, which makes it difficult to share data directly with other teams without time-intensive or error-prone workarounds.

Here’s a real-world example.

Data silo example: marketing, sales, and support

A company might use HubSpot for marketing campaigns, Salesforce for sales pipelines, and Zendesk for customer support.

Each system contains valuable customer information, but that information remains siloed.

Marketing sees campaign engagement, the sales team sees deal status and revenue, support sees complaints and tickets, but none of them has the full picture.

That can create real problems. Sales may contact a customer without knowing they recently opened several support tickets. Marketing may send promotional emails to users who are already frustrated. Support may miss important context about a customer’s account value or recent sales conversations.

Why AI is making the problem more visible

Data silos are not new. So why are they getting so much attention now? One reason is AI.

Before generative AI became part of everyday work, teams often used manual workarounds to cope with data silos. Departments worked in separate platforms, and when needed, people copied information manually between systems.

There were integrations, of course. But often, they were usually built for one specific purpose and required ongoing maintenance. Of course, this setup was inefficient, but teams learned to work around it.

Modern AI tools are increasingly expected to work across many different systems. A single agent might need to:

• Pull customer details from a CRM
• Look at support tickets
• Check analytics
• Update tasks in a project management tool
• Trigger actions in another platform entirely

To do that well, systems need to share information smoothly with each other. But most tools weren’t built to work together this seamlessly. They use different data structures, APIs behave differently, and many integrations are custom-built for one narrow use case.

As a result, familiar problems become more visible. Information is fragmented, systems don’t communicate properly, and sometimes, integrations just break. As a result, important context gets lost between tools.

How companies usually deal with data silos

In addition to the workarounds mentioned above, organisations are continuously trying to address data silos in several ways. Some centralise data in warehouses or lakes. Others build API integrations, use automation platforms, or rely on business intelligence tools to bring information together. These traditional approaches to data silos help organisations collect, structure, and analyse data from different sources. Their main goal is to bring information together.

That works for many reporting and analytics use cases, but it becomes less flexible when systems need to interact dynamically. This is especially true for AI-powered tools. An AI assistant may not just need to read data from one place. It may need to understand what tools are available, access the right context, and trigger the right action across different systems.

That is where the conversation shifts from simply “breaking down data silos” to improving interoperability between tools.

From data centralisation to tool interoperability

All of these traditional approaches are still important, especially for reporting, analytics, and creating a reliable view of business data. But increasingly often, systems don’t just need to send data from one place to another. They also need to expose what they can do, what information they hold, and how other tools can interact with them. That’s where MCP becomes relevant.

What’s MCP?

MCP, short for Model Context Protocol, was introduced by Anthropic in 2024 as an open standard that helps AI tools work across existing business systems without every connection having to be built from scratch.

Instead of building custom integrations for every possible workflow, MCP creates a consistent way for AI to access external tools, data sources, and workflows. In simple terms, it acts like a common language between AI systems and the tools they interact with.

Rather than forcing organisations to centralise all their data into one system, MCP can help AI applications access data and tools where they already live.

If a company wants an AI assistant to work with a web analytics platform, CRM, help desk, or documentation system, someone needs to provide or build an MCP server for that system.

That means MCP isn’t universally available across all software yet. It can be implemented for many applications, but only systems with MCP support or an MCP server can participate.

Who offers MCP support or runs MCP servers?

There are three common ways of making MCP usable:

1. A software company, such as a CRM, analytics platform, help desk, or project management tool, can build and offer an official MCP server for its own product.
2. A company can build its own MCP server for internal systems.
3. A vendor, agency, consultant, or open-source maintainer can build MCP servers for popular tools.

A simple MCP example

Imagine a marketing team notices that conversions from paid campaigns dropped sharply last week. To investigate, they need to understand whether the issue came from campaign performance, website behaviour, tracking changes, or something else. An AI assistant could help with that investigation, but only if it can access the right context across different systems:

• Web analytics data showing traffic, conversion rates, referrers, and campaign performance
• Advertising data showing spend, clicks, and campaign changes
• CRM data showing lead quality or sales outcomes
• Support tickets mentioning checkout issues or broken forms
• Internal release notes showing recent website or tracking changes

Without a shared way to access that context, teams often fall back on manual checks, exports, dashboards, or one-off integrations.

For tools and data sources that support MCP, the protocol offers a more consistent way to expose relevant context and actions to an AI application. According to the official MCP documentation, it’s “an open-source standard for connecting AI applications to external systems“, such as data sources, tools and workflows.

This way, instead of treating every system as a separate integration project, an AI application could use a common protocol to discover what information is available, retrieve the right context, and support the team’s investigation. The systems remain separate, but the way the AI application works across those systems becomes more consistent.

That’s especially important when scaling: Every custom integration adds maintenance overhead and becomes more difficult to maintain as the number of systems in use grows and the need for interoperability increases.

What MCP isn’t

MCP isn’t a replacement for APIs, databases, or data warehouses. It also doesn’t magically eliminate data silos. The underlying systems still exist separately, and organisations still need governance, permissions, and reliable infrastructure.

What MCP does is reduce some of the friction caused by disconnected systems. It doesn’t replace APIs. In many cases, it uses them behind the scenes. APIs remain the way individual systems expose data and actions. MCP provides a common layer that helps AI applications discover and use those capabilities more consistently across different tools. In practice, MCP can help businesses make their existing tools more usable for AI-powered workflows, while still keeping data in the systems where it already lives.

Access still needs to be controlled

Making tools easier to connect doesn’t mean everything should be accessible to everyone.

If an AI application can operate across CRM data, support tickets, analytics, and internal documentation, access control becomes even more important. Organisations need clear rules around permissions, data governance, authentication, and auditability.

While MCP helps standardise how tools and context are exposed, it doesn’t remove the need for responsible implementation.

Why interoperability matters now

Most companies rely on dozens of tools that weren’t made to work well together. As automation and AI-powered workflows become more common, those gaps become harder to ignore. That’s why interoperability is such an important topic right now — with protocols like MCP as a way to expose information, context, and actions more consistently, without relying on endless custom integrations.

The direction is clear: the easier tools can communicate with each other, the more useful they become.

Want analytics that fits into your stack without giving up data ownership? Start your 21-day free trial.

The post From data silos to tool interoperability: where MCP fits in appeared first on Analytics Platform - Matomo.

This guide goes deeper into what each one does, how they differ and how to determine which setup is the best fit for your tracking needs.

And for those interested in options outside the Google ecosystem, we’ll explore how privacy-focused alternatives, like Matomo​’s free Tag Manager, can give teams complete control over their data.

Google Tag Manager vs Google Analytics 4 overview

Google Tag Manager and Google Analytics 4 play different but complementary roles in collecting, organising, and interpreting website activity.

Together, they help connect session metrics with visitor behaviour to give marketing and data teams more flexibility, visibility and control over the information they track.

What is Google Analytics 4 (GA4)?

Google Analytics 4 (GA4) is Google’s event-based platform for collecting and measuring user interactions across websites and apps. It captures page views, scrolls, button clicks and other user interactions to give marketing teams a better understanding of customer journeys and site performance.

GA4’s reporting capabilities depend heavily on custom configuration, with few built‑in reports beyond the basics. Its short data‑retention window also limits how far back teams can analyse trends.

Large, complex datasets may be sampled in GA4, leading to slightly skewed or less precise analyses.

What is Google Tag Manager (GTM)?

Google Tag Manager (GTM) is a system that lets teams add and manage marketing and analytics tracking codes without changing the website’s code.

Instead of needing a developer to add or modify tracking codes, they can use a simple tag manager interface to deploy and update them independently.

GTM uses a container system to hold the event-tracking tags, triggers and custom variables needed to capture specific data. The GTM container code, a small snippet added to your website or app, activates and manages these elements.

Teams can preview, debug and publish updates directly through the Google Tag Manager interface, reducing the risk of tagging errors and maintaining version control.

GTM supports both Google and third-party tags, giving flexibility for analytics, marketing tools, remarketing and goal conversion tracking.

How do GTM and GA4 work together?

Google Tag Manager (GTM) and Google Analytics 4 (GA4) are often used together to optimise data collection and reporting.

GTM handles deployment, while GA4 interprets and presents the collected data in reports. Here’s how the integration works in practice:

Configuration

• Teams first create a GA4 configuration tag in GTM and link it to their Measurement ID.
• This tag ensures that every page or app screen sends data to the correct GA4 property whenever it loads.
• It generates a unique ID for each visitor, which helps recognise returning users.
• The Client ID supports user segmentation by distinguishing new and existing audiences across multiple sessions.

Deployment

• GTM deploys GA4 event tags.
• These tags enable core tracking features, such as clicks, downloads and form submissions.

Validation

• Teams use GTM Preview mode and GA4 DebugView to confirm that each event fires correctly.
• It also ensures that data flows accurately to GA4 before publishing updates.

Reporting

• GA4 receives the data, processes the parameters and assigns them to events.
• GA4 dashboards show engagement, conversion paths and audience behaviour.
• These insights contribute to page performance reports.
• The insights help teams link user engagement data with site speed and interaction quality metrics.

Maintenance

• Teams can refine or pause tags directly in GTM.
• Tags can adapt as policies change or new campaigns roll out.

The pair works well inside Google’s ecosystem, but there are alternative approaches for teams exploring privacy‑centric or sovereign setups.

Matomo Tag Manager: A privacy-first alternative 

Matomo Tag Manager is another solution that lets teams add and manage website analytics tracking and marketing code snippets without editing the site’s source files.

Unlike Google Analytics and other deeply interconnected vendor systems, Matomo promotes sovereign, privacy-first setups.

Simplified Matomo Tag Manager workflow

1. Matomo Tag Manager container script loads in a site’s code.
2. A pre-defined website user interaction (or event) occurs.
3. Event triggers fire tracking tags and sends interaction details to Matomo.
4. Teams analyse the resulting analytics and conversion details.

Teams can add, modify, disable, or copy variables, tags, and triggers directly through the Matomo interface, or insert custom HTML or JavaScript tags to track anything not included in the built-in templates.

Beyond that, the Matomo Tag Manager data layer can track more complex actions or information, such as:

• Order details, user types or product information
• User form submissions, multi-step form processes or interactions with third-party embedded content
• Purchases above a specified amount or custom attributes that meet certain conditions

Consent-aware tracking

Matomo’s Tag Manager integrates with CMPs for consent-aware tracking based on saved user preferences. This ensures that tags and tracking only fire after the user has given informed consent.

By collecting data only when legally permitted, consent manager integrations help organisations respect user choices and support compliance with regulations such as GDPR and the ePrivacy Directive.

​Now that you understand how Matomo Tag Manager works, let’s consider how it compares to Google Tag Manager in practice.

Google Tag Manager vs. Matomo Tag Manager

Choosing between Matomo and Google’s tools often comes down to how much control and transparency you need over your data. The points below show where Matomo provides a stronger data foundation.

Full data ownership

Unlike Google Tag Manager, which operates within Google’s broader ecosystem (including Google Ads), Matomo’s Tag Manager works in tandem with its analytics platform to create a unified, privacy-first measurement environment. You can even run Matomo Tag Manager entirely within your own infrastructure, giving you full oversight into how data is collected, processed and stored.

This design reflects Matomo’s core value of full data ownership. Your organisation decides where analytics data resides, who can access it and how long it is retained. That clarity offers greater transparency and operational independence.

Open-source analytics platform

Matomo is fully open-source software (GPL v3 or later), so teams can inspect, modify and extend the codebase. This offers clarity and transparency into tracking, storage, processing and everything else that normally stays behind the scenes on proprietary platforms.

With open-source setups, a global community reviews code and contributes to the platform, continually strengthening its security and reliability.

Choosing an open-source platform like Matomo gives you control over your analytics stack, allowing you to host it on your own server and avoid the unpredictable changes in data, behaviour or monetisation common in closed platforms.

Unsampled reports

Platforms like GA4 often rely on data sampling, especially for high-traffic sites or detailed segmentation analyses. This can obscure or distort meaningful trends, as you’re only examining a subset of the collected data that may not accurately reflect the actual traffic.

With Matomo, you see 100% of your data. That means analytics dashboards and reports always reflect actual, aggregated user activity, not approximations.

Matomo’s unsampled approach avoids those gaps and supports accurate measurement and clearer insight. This way, you can base your decisions on reality.

Data sovereignty in analytics workflows

In 2025, data sovereignty moved from a compliance concern to a strategic priority. According to KPMG’s Ten Key Regulatory Challenges: 2025 Mid-Year Report, organisations face growing scrutiny around how and where data is stored, processed and transferred.

The report highlights growing concerns and rules surrounding the use and protection of third-party data and emphasizes why organisations need to exercise tighter control over how and where their data is stored and managed.

The GDPR, CCPA and other privacy standards require organisations to demonstrate the legality of their data processing, determine data retention periods and manage international data transfers responsibly.

Due to heightened concerns about US data transfers when using Google services and the potential exposure risk, more organisations are choosing privacy-first web analytics that keep all data within EU borders.

Owning and managing your own data systems provides stability and improves audit readiness. You can:

• Define access and retention: Teams control who can view or edit data and decide how long to store it. This approach increases transparency and simplifies compliance checks.
• Demonstrate accountability: Businesses show regulators that they follow privacy rules and manage data responsibly by maintaining direct control over their data.
• Reduce external risk: Organisations lower the risk of data misuse or sudden policy changes by limiting reliance on third-party providers.

Strong governance and ethical data practices build user trust. When people know their data stays within a secure, well-managed system, they’re more likely to come back. In a market where privacy awareness influences customer choices, businesses that prioritise data sovereignty and user trust have a genuine competitive advantage.

That’s also why it’s important to consider how different tag managers align with your organisational goals and data practices.

Tag manager decision guide

Once you know what exactly you need to track and your organisation’s data priorities, certain options will stand out. Start with the questions below.

• Do you need to manage multiple tracking tags across your website or app?
  • Yes: Continue
  • No: You may not need a tag manager.
• Do you handle confidential, sensitive or highly regulated user data?
  • Yes: Consider Matomo Tag Manager.
  • No: Continue  
• Do you need native integrations with Google Ads or Meta Pixel?
  • Yes: Consider Google Tag Manager.
  • No: Consider Matomo Tag Manager or other privacy-first alternatives.

Start the shift to privacy-first analytics

Google’s tools prioritise convenience, but this comes with trade-offs in data privacy and sovereignty. With Matomo, you’re in control of how your site collects, stores and uses data.

If you’re already deep in Google’s ecosystem and looking for a privacy-first setup, Matomo makes it easy to migrate from Google Tag Manager to Matomo. If you’re switching from GA4, you can import all of your historical data into Matomo and maintain continuity in your reporting.

Matomo offers two deployment options:

• Matomo On-Premise is completely free to install.
• Cloud-hosted Matomo Analytics

Start your 21-day free trial of Matomo Cloud today – building a privacy-first analytics setup that you truly control.

The post Google Tag Manager vs Google Analytics 4 (& other solutions) appeared first on Analytics Platform - Matomo.

The figure isn’t that surprising, just another reminder of the importance of data privacy laws, especially with regulations quickly evolving in places like California.

California’s CCPA represents one of the most comprehensive regulations designed to protect consumer data and hold businesses accountable for the personal data they gather.

Many businesses will look at that and think they’re exempt because they’re B2B. That’d be a mistake. The CCPA also extends to business-to-business operations.

This article explains everything you need to know about California’s data privacy regulations, including how the CPRA amended and expanded upon the CCPA, recent updates to the CCPA and the implications for businesses and data processing services — including web analytics.

Key takeaways

1. California’s main data privacy law, the California Consumer Privacy Act (CCPA), was amended by the California Privacy Rights Act (CPRA) and has gotten stricter since it first went into effect, with ongoing updates businesses must watch for.
2. The CCPA details how businesses, contractors, service providers and third parties must handle the personal information (PI) of California residents. It has tighter stringencies for a subcategory of PI known as sensitive personal information (SPI).
3. The CCPA has six rights for consumers: the rights to know, delete, opt-out, non-discrimination, correct and to limit how SPI is used and shared.
4. The California Privacy Protection Agency (CPPA) was introduced to help the Attorney General enforce this privacy law. They have additional powers, as well, like updating regulations.
5. Penalties for non-compliance increased in 2025 and will increase every odd year to match the cost performance index.
6. A recent update to the CCPA mandates security audits and audit reporting, as well as risk assessments for certain businesses.
7. New rules have also been added to address the use of Automated Decisionmaking Technology (ADMT).
8. The Delete Request and Opt-Out Platform (DROP), introduced by 2023’s Delete Act (separate from the CCPA), is available as of 1st Jan. 2026. Data brokers will need to comply with requests starting 1st Aug. 2026.

What is California’s data privacy law?

California’s main data privacy law is the California Consumer Privacy Act (CCPA), which went into effect in Jan. 2020. It sets up core data privacy rights for consumers, granting them control over their Personal Information (PI) and setting initial business compliance requirements.

State lawmakers strengthened the CCPA via the California Privacy Rights Act (CPRA), an amendment that has been in effect since Jan. 2023. It expanded consumer rights and created the California Privacy Protection Agency (CPPA) for enforcement.

Another data privacy law, the Delete Act, was passed by the state legislature in 2023. This law introduces new compliance standards for data brokers, as well as a platform that sends consumer requests for deletion to all applicable brokers.

CCPA fundamentals in 2026

The goal of this California data privacy law is to give consumers in the state greater PI protection. It accomplishes this by holding businesses to higher standards for data handling, requiring them to configure their systems to comply with the rules.

CCPA key definitions

• Consumer: A California resident. They must be a “natural person” per the wording of the bill and not a business entity. The CCPA protects them even if they’re temporarily out of state.
• Business: A for-profit entity that collects consumers’ PI, does business in California and meets at least one of the following thresholds:
• Annual gross revenue of $26,625,000 USD or more (per a 2025 update)
• Buys, receives, sells or shares the PI of 100k or more consumers or households
• 50% or more of their annual revenue is received through the sale of consumer PI
• Business purpose: Narrowly scoped purposes that a business, service provider or contractor can collect and use PI for. Some examples include internal research, specific forms of ad and marketing analytics and debugging certain types of errors.
• Contractor: A person that a business provides with a consumer’s PI for a business purpose. Contractors must follow strict requirements laid out in a written contract drawn up by the business, covering prohibited actions (e.g., no selling or sharing PI) and compliance monitoring terms. If the contractor involves any other parties in their handling of PI, the business must approve, and they must sign the contract.
• Service provider: A person who processes PI on behalf of a business for a business purpose. They must sign contracts with similar terms to those of contractors.
• Third party: Any person who is neither the business the consumer is willingly interacting with nor one of the business’s service providers or contractors.
• Consent: The clear and unambiguous agreement to PI processing for a specific and defined purpose. Consent can be given by the consumer, their legal guardian, the person with power of attorney over them or their conservator.
• Personal Information (PI): Information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes but is not limited to names, email addresses, IP addresses, browsing history, purchase history and certain professional information. Publicly available information (like real estate or professional licensing records) is not considered PI.
• Sensitive Personal Information (SPI): A subset of PI added by CPRA. Businesses have stricter requirements for handling SPI. The amended CCPA text defines SPI as a consumer’s:
  • Specific government identifiers, including passport and social security numbers
  • Account logins, financial accounts and debit/credit card numbers with security codes, passwords or any other credentials required for access
  • Precise geolocation data
  • Mail, email or text message contents
  • Genetic data, such as DNA test results
  • Processed biometric information used for identification
  • Health information
  • Sex life and sexual orientation information
  • Racial/ethnic origin, religious/philosophical beliefs or union membership

Personal Information vs Personally Identifiable Information

It’s important for businesses to know the difference between PI and a similar term used in data privacy: Personally Identifiable Information (PII). PII describes information that directly identifies an individual: name, social security number or driver’s licence number.

PI is much broader than PII.

As mentioned above, the CCPA’s definition includes not only information that directly identifies someone but also information that can be indirectly linked to them. The wider definition is important because it covers data points that might not identify an individual on their own (like an IP address or browsing history) but can be linked to them if combined with other information.

Consumer rights under CCPA

The CCPA grants Californian consumers six core rights:

• Right to know: Twice a year and without cost, they can ask a business what PI it collects, where it got it, what it’s used for and who it’s shared with.
• Right to delete: They can request that a business delete PI collected from them.
• Right to opt-out: They can tell a business not to sell or share their PI. The business will not be able to do so again unless authorised again by the consumer at a later date.
• Right to non-discrimination: Businesses can’t treat them differently because they exercised their CCPA rights. This covers service denial, changing prices and the offering of lower quality products or services.
• Right to correction: Consumers can ask businesses to correct inaccurate PI they hold.
• Right to limit how SPI is used and shared: They can tell businesses to use their SPI only for what’s needed to provide the goods or services they asked for.

The obligations of businesses

The CCPA also imposes significant obligations on businesses operating in the state. These include:

• Providing clear privacy notices: The businesses must inform consumers about their data collection practices. They must explain what types of PI they collect, why it’s collected and how consumers can exercise their rights.
• Implementing reasonable security measures: Protecting PI is critical, and businesses are expected to do everything they can to prevent unauthorised access, use, disclosure, alteration or destruction of PI.
• Responding to consumer requests: Businesses must put in verifiable processes to be able to respond to consumer requests within specified timeframes. For instance, they must respond within 15 days of an opt-out request.
• Not selling or sharing of minors’ PI without consent: Businesses are explicitly forbidden from selling or sharing the PI of consumers under 16 unless they have consent in the form of an explicit opt-in by a teen consumer (for ages 13-15) or a parent (for those under age 13).

On that last point, it’s important to understand that consent means far more than what’s generally understood as permission. It can’t be inferred from silence, pre-checked boxes or the closing of a consent manager. Affirmative consent must be:

• Explicit action: The person must take a deliberate, positive step to give consent. That could be clicking an “Accept” button, checking an unchecked box or signing a document.
• Unambiguous: There can be no doubt at all about what the person is agreeing to, so the request for consent must be clear and very specific.
• Informed: The person must grasp fully what it is that they’re consenting to. That includes knowing why the data is being collected and how it’ll be used. It also includes knowing about any third parties involved.
• Freely given: Consent must be voluntary. It can’t be bundled in with other terms and conditions. It can’t be obtained via dark patterns.
• Revocable: The person must be able to withdraw their consent as easily as they gave it.

Enforcement authorities, mechanisms, actions and penalties

Enforcement of the CCPA is handled by the California Attorney General (AG) and the CPPA.

Both are able to take consumer reports about potential CPPA violations and take action against non-compliant businesses. The difference is that the AG handles cases via the legal system, and the CPPA does it through their own internal administrative proceedings.

Since the CPPA operates within its own system, it can enforce the law faster. However, the AG has authority over the CPPA, and the AG can pause a case or take it over.

The AG can also enforce additional laws if violations are found, as they did in Feb. 2026 by fining Disney $2.75m USD for both CCPA and Unfair Competition Law violations.

CPPA also has its own additional powers beyond enforcement that the AG doesn’t. It’s responsible for spreading awareness of consumer rights, updating the CCPA with new regulations and taking input from consumers and businesses about proposed updates.

The CPPA outlines the following penalty amounts as of a January 2025 update:

• Monetary damages of $107–$799 USD per consumer per either incident or actual damages (Civil Code § 1798.140(d)(1)(A))
• Administrative fine amounts of at least $2,663 USD for each unintentional violation of adult consumers’ rights (Civil Code § 1798.155(a))
• Administrative fine amounts of at least $7,988 USD for each intentional violation of adult rights or violation (intentional or unintentional) of those of minors (Civil Code § 1798.155(a))
• Civil penalty amounts that mirror the administrative fines outlined above (Civil Code § 1798.199.90(a))

These amounts are set to be adjusted in January of every odd year, meaning they will be adjusted next in 2027.

Prior to the CPRA, businesses were allowed a 30-day window to fix violations, but this was removed in 2023.

A 2025 update to the CCPA mandates annual cybersecurity audits and audit reports from all businesses whose processing of PI presents a significant risk to consumers’ privacy or security.

Businesses must comply with security audits by these dates if they make the specified amount of revenue in the year provided:

• By 1st Apr., 2028, if the business made $100m USD annual gross revenue in 2026
• By 1st Apr., 2029, if the business made between $50m and $100m USD annual gross revenue in 2027
• By 1st Apr., 2030, if the business made less than $50m USD annual gross revenue in 2028

Another new requirement (effective 1st Jan. 2026) is the risk assessment, which applies to businesses processing PI that present a significant risk to a consumer’s privacy. This covers (but isn’t limited to) selling or sharing PI, processing SPI or using Automated Decisionmaking Technology (ADMT) for important decisions about the consumer.

Risk assessments must examine the concrete benefits the business, consumer and other parties will get from this specific processing use case, possible negative impacts, the safeguards the business will employ and more.

The last major update is a set of rules regarding the use of ADMT in making significant decisions about a consumer. This will go into effect on 1st Jan. 2027.

Businesses must inform consumers of their rights regarding the use of ADMT, including but not limited to their use of ADMT, the consumer’s right to opt out of it and the right of the consumer to non-discrimination for opting out.

There are some stipulations where a business doesn’t need to provide an opt-out, like for certain hiring decisions.

The Delete Act and DROP

While not technically part of the CCPA itself, the Delete Act is an amendment to a 2019 data broker law that similarly protects Californian consumer rights. It’s also enforced and managed by the CPPA.

As of 1st Jan. 2026, residents can use the Delete Request and Opt-Out Platform (DROP) to submit requests for brokers to delete their PI. On 1st Aug. 2026, data brokers must comply with DROP and adhere to requests within 45 days or 90 days (with an extension). They will then need to delete any newly collected information every 45 days.

Non-compliance will result in penalties and fines.

California data privacy law compliance strategies for businesses

Organisations that need to follow the CCPA must look beyond just avoiding penalties. Here are some compliance areas that companies can get started with.

Data mapping and inventory

While the CCPA doesn’t demand data mapping by name, implementing it makes compliance simpler, as it helps you know which third parties have access to PI, what has happened to the data, etc. Most importantly, it helps companies quickly and efficiently respond to consumer requests.

Updating privacy policies

The CCPA mandates that organisations must update their privacy policies at least once a year.

Privacy policies must inform consumers about their rights, like the right to know and the right to correction. The policy should also detail the categories of PI collected, the sources and the business purpose for collecting it.

Consumer request systems

The California data privacy law specifies that businesses must establish a clear process for consumers to submit requests to exercise their rights. Typical systems should involve at least two ways requests can be submitted, such as a toll-free number and a website form.

The formal term the CCPA uses is Data Subject Access Requests (DSARs), and the law gives organisations 45 days to respond to DSARs. Failure to do so, or to request a 45-day extension from the consumer, can result in significant fines.

Employee training

Ignorance is no defence. The CCPA clearly states that employees who handle consumer inquiries or are responsible for compliance must be adequately trained.

Training must cover all the requirements of the law and consumer rights, as well as how to deal with DSARs. It should also emphasise the importance of data security and privacy.

Technical safeguards

The law also mandates protection against data breaches by requiring businesses to implement “reasonable” security measures to protect the personal data in their care.

This usually includes measures like encryption, access controls and regular security assessments.

And while the term “reasonable” isn’t strictly defined in legislation, it’s often benchmarked against industry standards like the Centre for Internet Security (CIS) Controls.

Data management tools

Implicit in all of these strategies is the need for effective data management tools that’ll support efforts to achieve and maintain compliance. As a baseline, the tools that organisations deploy should help them with data anonymisation, pseudonymisation, consent management and fulfil DSARs.

For a more hands-on walkthrough for privacy-focused web analytics, read our CCPA compliance guide.

Protecting your business with Matomo

Achieving and maintaining that compliance can seem daunting. But there are tools that make the job easier and are helpful in satisfying the technically challenging demands of data privacy. Matomo is one of these.

It empowers businesses with full data ownership and control of their analytics data, not allowing it to be shared with third parties.

Matomo is a privacy-first web analytics platform that primarily uses first-party cookies. That’s something that ticks one of the boxes of almost all privacy regulations worldwide.

Matomo protects consumer rights with consent management features, support for Consent Mode v2 and integration with external Consent Management Platforms. Its design supports data minimisation and retention policies as well as anonymisation and pseudonymisation.

More importantly for compliance with the CCPA, Matomo assists with accountability by providing clear records of data processing.

And for businesses seeking maximum control, the platform is available as a self-hosted, on-premise option that keeps data entirely within your infrastructure.

Data privacy laws are here to stay

California’s journey with the CCPA is a major step for data privacy in the US. The “California Effect” is already happening as other states follow suit by developing their own privacy legislation.  

One thing is certain: privacy laws are increasingly becoming the norm, as evidenced by the CCPA and GDPR. Trying to exploit the gaps by following each country’s laws individually is an expensive exercise in futility. A more sensible approach is to use tools that are built with these laws in mind.

A privacy-centric web analytics tool like Matomo that can easily be configured for compliance is a great place to start. Download Matomo On-Premise completely free or start your 21-day free trial of Matomo Cloud (no credit card required).

Frequently asked questions

What is the new data privacy law in California?

In terms of ballot-level legislation, the newest data privacy law in California is CPRA, an amendment to the existing CCPA. However, the CPPA is continuously updating the CCPA and introduced three new articles in 2025 dealing with security audits, risk assessment and ADMT.

What is the difference between CCPA and CPRA?

CCPA is the original California data privacy law. CPRA is an amendment that expanded consumer rights, enacted harsher penalties for non-compliance and introduced an enforcement agency.

Which state has the strictest data privacy laws?

The states with the strictest data privacy laws are California, with the CCPA, and Maryland, with the Maryland Online Data Privacy Act (MODPA):

• California’s laws (including the Delete Act) could be considered the strictest in terms of enforcement (with a dedicated agency), handling AI-related consumer rights (the new ADMT regulations) and deletion (the Delete Request and Opt-Out Platform).
• Maryland’s law would be considered strictest in its prohibition on the sale of sensitive data, its harsher punishments for the data of minors (defined as under 18) and its tighter thresholds for the use of its equivalent of PI and SPI.

The post Understanding California’s data privacy laws: CCPA in 2026 appeared first on Analytics Platform - Matomo.

Why we’re making this change

Over time, Matomo has grown significantly. New features, new use cases, and a growing global community have shaped what the platform is today.

As an open-source platform, feedback, contributions, and real-world usage play a direct role in how the product evolves. That creates a continuous loop between how Matomo is used and how it improves. Over time, we’ve gathered lots of great feedback on how users experience Matomo, what works well, and where things slows them down.

Some patterns became clear: For many users, navigation could be more intuitive, key insights could surface faster and onboarding could be smoother.

Our rebrand is the starting point for addressing these areas more systematically. Our overall goal is to reduce friction so you can get value from your data faster.

From feedback to product improvements

By turning all our user touchpoints into a modern, clear, and cohesive experience, we want to make it easier for users to understand, adopt, and get value from Matomo.

You’ll start to notice:

• Updated navigation (top bar and main menu) for better readability
• Improved main selectors (website, segment and dashboard) for easier use
• A modernised overall layout, refreshed widgets shadows being an exemplary detail

Our product now even offers a dark-mode that users can easily select in their Matomo settings.

What’s changing, and when?

Starting today, you’ll see the first changes with the updated look and feel of our website. We’ll continue rolling out improvements across onboarding, education, usability, and the overall product experience. All of these improvements are guided by the same principle of putting our users first.

While the brand evolves, our values remain the same:

• Full data ownership
• Privacy-first analytics
• Transparency and control
• Flexibility for different teams and use cases
• Accurate, reliable data

If anything, this rebrand sharpens these commitments.

Where we go from here

Rebrands often focus on how things look. This one is about how things work and how they feel to use.

We’d value your feedback as we continue the roll-out. You can reach us at marketing@matomo.org or via our social channels.

Not using Matomo yet? You can explore the new experience with a 21-day free trial.

The post Announcing our rebrand: A clearer, more intuitive Matomo appeared first on Analytics Platform - Matomo.

Getting GDPR-compliant analytics for France used to mean working through a detailed checklist, tweaking buried settings, and hoping you hadn’t missed anything.

Matomo’s new 1-Click CNIL compliance feature handles that automatically, so you can focus on your data, not your configuration.

The new feature helps you assess your current setup against CNIL consent exemption conditions, apply supported settings in one click, and see clearly what still needs your attention.

Reminder: you need to comply with CNIL requirements as soon as your audience includes people in France, even if your organisation isn’t French.

Why this matters

For many teams, the hard part isn’t choosing a privacy-first analytics platform. The hard part is configuring it correctly, documenting it clearly, and reducing the back and forth between marketing, implementation, and compliance team.

That changes with today’s release. Instead of reviewing settings one by one across different parts of Matomo, the 1-Click CNIL compliance feature reduces that friction at every stage:

• Fewer back-and-forths between marketing, development and privacy teams during setup.
• Less risk of misconfiguration, because the platform enforces the required settings rather than relying on a checklist.
• Easier to review for stakeholders and DPOs, with a clear compliance status per site and a self-assessment document built in.
• Faster to deploy across multiple sites, without repeating the same manual process each time.

This is especially useful for teams that need a faster and clearer path to a CNIL-aligned setup, without relying on scattered documentation or repeated manual reviews.

It’s also relevant if you’re evaluating Matomo against alternatives. CNIL compliance has historically required external setup support or a specialist. It no longer does.

What 1-Click CNIL compliance does

The feature lives at Administration > Privacy > Compliance. Select a site from the dropdown and Matomo runs a full assessment of your current configuration against CNIL requirements.

Each setting is assigned one of three statuses:

• Compliant: your current configuration meets the requirement.
• Non-compliant: the setting needs to be changed, and Matomo can apply it automatically.
• Unknown: Matomo cannot verify this from within the platform. It requires a manual step on your end.

Once you’ve reviewed the results, enable “Enforce compliance where possible” and click Save. Matomo applies all supported settings in one go. The compliance page also links directly to the knowledge base and to the self-assessment document, which CNIL now requires analytics providers to make available to their customers.

What changes when you enable it

When CNIL mode is enforced, Matomo applies a restricted configuration for the selected site or app. That can include:

This is what makes the feature useful in practice. It does not just tell you what the requirements are. It helps you apply the supported settings in one place and makes the remaining gaps visible.

What still requires a manual step

This is worth reading before you enable the feature:

The opt-out mechanism is not configured automatically. CNIL requires that visitors can object to audience measurement, and this must be embedded in your privacy policy as an iframe or link. The compliance page flags this with an “Unknown” status. The configuration guide walks you through the setup.

Any settings marked Unknown in your assessment also need manual review. Matomo cannot verify them from within the platform, and CNIL compliance cannot be confirmed until they are addressed.

Custom goals and events you create must stay within the three categories of events permitted by CNIL: presence on a page, use of a feature, and page performance statistics. Anything outside that scope falls outside the exemption.

Finally, this feature supports the compliance process. It does not replace legal review. If you operate in a regulated sector or manage compliance across multiple jurisdictions, your legal or privacy team should validate your configuration.

Where to start

It’s already available for superusers in Privacy > Compliance. The feature is live now on Matomo Cloud and available on Matomo On-Premise with version 5.9.0.

If you want to use Matomo in a way that may qualify for CNIL consent exemption when properly configured, start here:

• go to Administration > Privacy > Compliance
• select the relevant site
• review the assessment results
• enable Enforce compliance where possible
• complete the remaining manual steps, especially opt-out setup
• review the detailed self-assessment and knowledge base guidance for the full scope and restrictions 

The full configuration guide and self-assessment document are available in our knowledge base:

• our English configuration guide
• our French configuration guide
• our technical documentation for 1-Click CNIL Compliance, with the CNIL self-assessment
• our opt-out setup guide

These resources explain the detailed conditions, scope limitations, and remaining manual actions required for your setup.

Analytics that are easier to review, easier to configure, and easier to trust

Privacy-conscious analytics should not require a maze of manual checks.

With 1-Click CNIL Compliance, Matomo gives your team a more direct way to assess its setup, apply supported CNIL-aligned settings, and document what still needs to be done.

It is a practical step toward analytics that are easier to configure, easier to review internally, and easier to operationalise across teams.

Learn more about this new feature here: How do I configure Matomo without tracking consent for French visitors (CNIL exemption)?

The post CNIL compliance in Matomo is now a single click. Here’s what that changes. appeared first on Analytics Platform - Matomo.

Wellington, 18 March 2026 – Matomo, the world’s leading privacy-first and ethical open-source analytics platform, announced the release of Matomo 5.8.0, the latest version of its web-analytics platform bringing new capabilities to enhance analytics insights in the age of AI. With this release, Matomo introduces AI chatbot tracking, a new report within its AI Assistant tracking capabilities. This report helps organisations understand how AI chatbots interact with their websites. Combined with the existing AI Agents report, it provides a clearer view on how AI tools access and analyse website content.

AI chatbots are redefining web analytics

Nowadays, companies face a new challenge: distinguishing between human visitors and interactions generated by AI chatbots. Without this differentiation, web analytics data becomes increasingly unreliable, affecting executive decision-making.

AI web traffic is not limited to a single type of interaction. It includes AI agents, which can autonomously browse or perform actions on websites, AI chatbots, which access and analyse website content to generate responses within their interfaces; and AI referrals, where users visit a website after clicking on links suggested by AI tools.

Matomo users can identify AI referrals directly in their acquisition reports, helping them understand how AI platforms influence website traffic and search visibility.

With its AI Assistants solution, Matomo offers dedicated tracking for AI chatbots and AI agents, providing businesses with a clearer picture of how AI interactions impact website traffic. This prevents AI interactions from distorting marketing attribution, traffic metrics, and conversion reporting.

“Without visibility into AI-driven traffic, analytics data becomes less reliable and less actionable. This challenge affects every team that relies on website data, from marketing to leadership. It’s crucial to be able to distinguish between human visitors and AI assistants in order to make informed business decisions,” said Matthieu Aubry, CPO and Co-founder of Matomo.

This release is part of Matomo’s broader strategy to position itself as a leader in AI-driven web analytics. Build on privacy-first foundation, Matomo enables organisations to understand both AI and human engagement on their websites while remaining fully compliant with data protection regulations. This privacy-led-by-design approach ensures that analytics insights remain accurate, trustworthy, and align with modern data expectations.

Privacy-first analytics built for the age of AI

As AI chatbots and automated agents increasingly interact with websites, many analytics tools struggle to interpret this traffic because they rely heavily on cookies and user identifiers, mechanisms that AI systems often reject or bypass. Built on first-party data and transparent measurement, Matomo’s privacy-first architecture allows organisations to detect and analyse these interactions more reliably. This provides clearer visibility into how AI systems access, read, and engage with website content

“As a privacy-first analytics platform, Matomo is independent from third-party cookies and invasive tracking, which is totally adapted to the requirements of the AI era. This release reinforces our human-first analytics approach, enabling our clients to accurately detect AI traffic while maintaining trustworthy web analytics results,” said Adam Taylor, CEO of Matomo.

About Matomo:

Matomo is a leading web analytics platform that helps organisations understand their audience and gives them full control over their data. More than 1.4 million websites in over 190 countries use Matomo to improve digital experiences and make confident decisions. 

Available on-premise or in the cloud, Matomo combines powerful analytics with data ownership, flexibility, and privacy through its open-source foundation. 

More information: Matomo.org

Media contact

Elise Duchateau
Head of Marketing and Communications
Matomo (InnoCraft Ltd.)
marketing@matomo.org

The post Matomo announces new chatbot tracking in its AI Assistants suite, offering comprehensive insights into AI traffic appeared first on Analytics Platform - Matomo.

Often, their organic traffic is flat. But their content keeps showing up in ChatGPT answers. Something is clearly happening, but it’s not reflected in their analytics.

This is the new normal for a lot of teams. AI systems are interacting with websites in fundamentally different ways: some send real visitors, some read your content quietly in the background, and some never send anyone at all.

Understanding the difference is the first step to making sense of what you’re seeing:

1. The different types of AI systems interacting with websites
2. The difference between human visitors and automated traffic

Once you know this, tools like Matomo can help you measure what’s happening.

Understand the different types of AI on the web

When people talk about “AI traffic,” they often mix very different technologies together.
Not all AI systems behave the same way — and they affect your website in different ways.

Understanding these categories already removes much of the confusion around “AI traffic.”

Here are four types you’re likely to encounter.

AI chatbots: answer engines for users

These are tools like:

• ChatGPT
• Gemini
• Perplexity
• Claude
• AI-powered search assistants

Users type questions and receive answers written by the AI.

Sometimes these answers include links to sources. When a user clicks one of those links, they visit your website.
In analytics, this appears as referral traffic.

AI chatbots can also influence traffic when they’re not sending visitors. This happens when the AI provides a full answer inside its interface, and users don’t see the need to click the source link. In some cases, AI chatbots don’t even add a source link to their output. Both cases result in what is known as zero-click behaviour. Your content may still be used as a source, but no visit happens. And while technology can’t track human visits that aren’t happening, there are solutions to track non-human visits, performed by AI crawlers, scrapers and agents.

AI crawlers: automated content readers

AI companies also operate automated programs that read websites. These are called crawlers.

They visit pages automatically to:

• Discover content
• Collect information
• Update AI systems

These visits are not human. They’re automated requests made by software.

AI scrapers: targeted data collectors

Scrapers are similar to crawlers but more selective. Instead of reading entire websites, they extract specific pieces of content, such as:

• Article text
• Headlines
• Product details
• Structured data

This data may be used for training AI models or generating answers. Again, these visits are automated.

AI agents: autonomous digital assistants

A newer category is AI agents. Agents are designed to perform actions on behalf of users.
For example, an AI agent might:

• Search multiple websites
• Compare products
• Fill out forms
• Complete tasks online

You might ask yourself how AI agents differ from AI chatbots. The difference is that AI chatbots require user prompts for each step, while AI agents can act autonomously once given an initial instruction.

Overview of AI types and what they do

How AI changes website traffic

Imagine you run a blog about marketing tools. Over time, you might notice several subtle changes:

• Some informational blog posts receive fewer visits because AI tools answer basic questions directly.
• Traffic patterns shift, with different landing pages receiving visits compared with previous months.

These different interactions can make traffic patterns look unusual at first glance. But once you understand the different actors, the effects become easier to interpret.

AI influences website traffic in three main ways:

AI sending real visitors

When users click links inside AI chatbots, they arrive on your website like any other visitor.
In Matomo, this traffic is visible in the Acquisition report, appearing as a dedicated referrer channel type. In a dedicated report, you can even see the metrics for multiple chatbots.

AI reducing clicks (zero-click behaviour)

Sometimes AI tools answer a question completely inside their interface. Users get the information they need without visiting the website. This means your content still influences the answer, but the visit never happens.

As a website owner or marketing team, over time you may notice fewer visits to informational content or changes regarding which landing pages are visited.

While analytics can’t measure visits that never occur, you can monitor visit trends over time, to get an understanding of the shifts that are happening. And keep in mind that zero-click behaviour doesn’t necessarily mean your content is less relevant. In many cases, it means the content is summarised or referenced by AI systems instead of generating direct visits.

To understand these shifts, it’s useful to monitor changes in landing pages, queries, and referral sources over time.

AI generating automated traffic

Crawlers, scrapers, and some agents generate non-human visits. With popular traffic analysis solutions, these visits often remain untracked and stay invisible. This is where Matomo comes into play. It offers visibility into AI traffic through different report angles.

How Matomo helps you stay oriented

When traffic patterns change, the goal is simple: separate signal from noise. To do this, start with the following quick check:

Quick check: how to spot AI-related traffic in Matomo

1. Look for AI chatbot referrals: 
Go to Acquisition → Referrals and check whether AI platforms appear as traffic sources.
2. Monitor landing page trends over time
: If AI tools answer questions directly, visits to informational pages may decline. Compare traffic patterns over time.
3. Inspect automated AI traffic
: Use AI Assistant tracking to see visits and engagement metrics for AI chatbots and AI agents.
4. Focus on long-term patterns
: AI-related changes usually appear gradually. Comparing months or quarters helps reveal meaningful trends.

If you want to explore these signals in more detail, the following sections explain how to investigate them in Matomo.

Keen about testing Matomo’s AI tracking capabilities yourself? Start your 21-day free trial and make the invisible visible!

For real visitors coming from AI: identify referral sources

Look at referral reports in Acquisition to see whether new sources, including AI platforms, are sending visitors.

You can analyse things like:

• How this traffic channel performs, compared with other channels like Organic or Social.
• How human traffic coming from AI chatbots changes over time and adds to goal conversions, and what happens in individual sessions coming from AI chatbots.
• What the visitors do after they land on your website, coming from an AI chatbot (e.g., which transitions happened).

Learn more here: How to track and analyse traffic from AI Assistants (like ChatGPT) in Matomo reports

This helps answer questions like:

• Is this traffic growing over time?
• How are visitors from AI tools behaving?
• Do they convert differently from traditional search visitors?

For automated traffic: inspect AI Assistant traffic

To gain visibility into non-human visits and to be able to act on it, you can use Matomo’s AI Assistant tracking. It offers a dedicated report for both AI Chatbots and AI Agents. And here’s what they do:

• AI Chatbots: This report contains three different sub reports, which help you answer the following questions:
  • How many requests from AI chatbots does your website get? And how do the chatbots behave during these visits, e.g. what’s the number of unique visited URLs, orphaned pages, or the click-through-rate?
  • How do metrics like visits and pageviews develop over time?
  • Which AI chatbots are accessing your website, and which pages are they visiting each?
• AI Agents: This report not only analyses AI traffic but also allows you to compare it to human visits. It offers two sub reports that provide insights regarding the following:
  • How many AI Agent visits are there, and how do the AI Agents behave? For example, how many actions are they performing, what’s their average visit duration and bounce rate, and more.
  • How do these metrics develop over time?

With both detailed reports, and the possibility to investigate behaviour over time, teams don’t need to waste time caring about daily fluctuations. Instead, Matomo allows to analyse longer-term patterns, helping teams compare months or quarters to see how traffic sources are shifting.

Making sense of the new traffic landscape

AI is not a single technology. It is an ecosystem of chatbots, crawlers, scrapers, and agents interacting with websites in different ways. Some bring visitors.
 Some reduce clicks.
 Some generate automated traffic.

In many cases, AI crawlers are discovering and analysing content that may later appear in AI-generated answers.

In that sense, AI systems can be seen as a new type of audience: not human readers, but systems that interpret and redistribute information across AI platforms.

That may sound complex, but the basics of analytics remain the same:

• Know your traffic sources.
• Separate humans from automation.
• Monitor trends over time.
• Make decisions based on your own data.

One advantage of privacy-first analytics platforms like Matomo is that they provide visibility into automated traffic.

Instead of hiding these signals behind aggressive filtering or opaque modelling, Matomo allows teams to observe how AI systems interact with their websites.

AI hasn’t made analytics more complicated. It has made the question more precise: are you looking at humans or machines? Once you can answer that, the rest of your analysis stays the same.

Matomo gives you the visibility to ask that question and answer it, whether it’s a chatbot sending referral traffic or a crawler reading your pages in silence.

The post From humans to AI agents: understanding the new web traffic appeared first on Analytics Platform - Matomo.