New regulations across Europe (and slowly spreading worldwide) are forcing a hard look at how organizations collect web data. The tools you choose now will define your compliance posture for years to come.
For most of the last decade, web analytics operated in a legal gray zone comfortable enough that organizations rarely questioned it. You installed a tracking script, accepted a set of terms of service, and in exchange received a dashboard full of insights about your audience. The arrangement felt mutually beneficial, almost frictionless, and the idea that it might one day require serious legal scrutiny seemed remote. That comfortable gray zone is rapidly shrinking.
The pressure is not confined to Europe. In the United States, California continues to lead a fragmented but increasingly assertive state-level push toward stronger data privacy. The California Privacy Rights Act, which expanded and strengthened the original CCPA, gives consumers explicit rights over the collection, sale, and use of their personal data, and requires businesses to honor opt-out requests in ways that directly affect how analytics tools operate. Other states including Colorado, Connecticut, Virginia, and Texas have passed their own comprehensive privacy laws, each with varying thresholds and requirements. A federal framework remains elusive, but the cumulative effect of state legislation is already reshaping expectations for any organization with a meaningful US audience. Analytics platforms that rely on broad data collection, cross-site tracking, or the sale of behavioral data face growing exposure on both coasts, and the days of treating web analytics as a regulation-free zone are ending on this side of the Atlantic as well.
Across the European Union, France, and the United Kingdom, regulators are crystallizing their expectations around what constitutes lawful audience measurement. The shift is not merely procedural. It represents a fundamental reassessment of who owns user data, who benefits from its collection, and what consent is truly required before that collection begins. For organizations still relying on legacy analytics platforms, particularly those built around advertising ecosystems, the coming months will demand difficult conversations and, in many cases, a change of tools.
The good news is that this reckoning is not a crisis for every organization. Those who have already moved to privacy-first analytics platforms are well positioned. For everyone else, this is an urgent call to act, and to act thoughtfully.
What Is Actually Changing
Three distinct regulatory developments are converging in 2026, and each one tightens the conditions under which web analytics can legally operate without explicit user consent. Taken together, they show clearly where regulation is heading.
In France, the CNIL, which is the country’s data protection authority, has moved away from maintaining a list of pre-approved analytics providers. As noted by Matomo in their January 2026 regulatory overview, the CNIL is introducing a self-assessment framework, requiring analytics providers to evaluate their own compliance against standardized published criteria rather than rely on informal interpretations or previous approvals. This places accountability squarely on analytics providers and the organizations deploying them, and makes documentation, configuration transparency, and auditability non-negotiable.
At the EU level, the Digital Omnibus initiative, which was adopted by the European Commission in late 2025, proposes significant amendments to the GDPR and the ePrivacy Directive. One proposal stands out for analytics teams: a potential consent exemption for strictly aggregated audience measurement, but only under tightly defined conditions. As described in Matomo’s analysis of the initiative, this exemption would apply only when the website controller is collecting data exclusively for their own purposes, when that data is not combined with other datasets, and when the analytics provider does not reuse or monetize the data for its own ends. This is a critical and intentional distinction.
In the United Kingdom, the Data (Use and Access) Act 2025 introduces updates to the Privacy and Electronic Communications Regulations, commonly known as PECR. These changes are expected to create a clearer pathway for consent-free analytics provided that the use is strictly statistical in nature, that data is not shared or repurposed, and that users have been clearly informed and given a genuine means to opt out. As Matomo points out, these PECR updates have not yet come into force and are expected to be clarified further through ICO guidance in early 2026.
The regulatory signal is unmistakable: analytics that serve advertising ecosystems, that pool data across clients, or that exist to enrich a platform’s commercial interests are no longer aligned with the direction of European privacy law.
Why Most Analytics Tools Have a Structural Problem
The challenge with dominant analytics platforms is not that they are careless about privacy. It is that their business models are fundamentally incompatible with the principles emerging from these regulations. When an analytics platform is owned by an advertising company, the incentives are always weighted toward data collection, retention, and cross-referencing. The anonymization controls, the opt-out mechanisms, and the consent prompts are all layered on top of a system designed to maximize data acquisition, not minimize it.
Google Analytics is the clearest example. It is free to use because the aggregate intelligence gathered across millions of deployments feeds back into advertising products. Under the EU Digital Omnibus proposal’s likely consent exemption framework, this model is explicitly excluded. The exemption under consideration would require that the analytics provider does not reuse the data for its own purposes. A platform whose parent company generates the bulk of its revenue from targeted advertising cannot credibly make that claim.
This is not a hypothetical legal risk. European data protection authorities have already issued rulings against the use of Google Analytics in Austria, France, Italy, and Denmark, citing concerns about data transfers to the United States and inadequate protections for EU user data. The regulatory trajectory has been consistent and increasingly assertive. The 2026 changes accelerate rather than reverse it.
For organizations that have remained on these platforms out of inertia, familiarity, or cost concerns, the window to act proactively is narrowing. Waiting for a formal enforcement action is no longer a reasonable strategy.
The Criteria That Matter
Before evaluating specific alternatives, it helps to understand what the new regulatory landscape actually requires of a compliant analytics setup. The criteria emerging from the Digital Omnibus proposal, the CNIL framework, and the PECR updates point to the same essential characteristics. A privacy-compliant analytics tool should meet all of the following:
- Data must be collected by and for the website controller, not aggregated or pooled across multiple clients by the provider.
- The analytics provider must not reuse, monetize, or cross-reference the data for any purpose beyond delivering the analytics service.
- Users must be clearly and comprehensively informed about the tracking that takes place.
- Users must have a meaningful and accessible way to opt out, and that opt-out must be respected without degradation of service.
- Data must not be combined with external datasets, advertising profiles, or third-party behavioral data.
- Where consent exemptions are invoked, the use must be strictly statistical in nature, not commercial or advertising-related.
These criteria are not aspirational. They are the conditions being written into law. The platforms that meet them natively, not through workarounds or privacy add-ons bolted onto surveillance-oriented infrastructure, are the ones that will remain viable as enforcement tightens. Two platforms stand out: Matomo and Umami.
Matomo: Comprehensive, Configurable, and Compliance-Ready
Matomo is an open-source analytics platform available both as a self-hosted installation and as a managed cloud service. It offers a comprehensive feature set comparable to enterprise analytics tools, with full data ownership and no third-party data sharing. Matomo Cloud is hosted on EU infrastructure, and data is never shared across clients or used by Matomo for its own purposes. It is particularly well-suited for organizations that need rich analytics capabilities, including funnel analysis, session recording, heatmaps, A/B testing, and custom reporting, without compromising on privacy compliance.
Matomo has been privacy-focused since its origins as Piwik over fifteen years ago, and that heritage shapes how the platform is designed at every level. Unlike tools that have added privacy features in response to regulatory pressure, Matomo was built on the premise that an organization’s analytics data belongs entirely to that organization. The platform does not access, share, or benefit commercially from the data it processes on your behalf.
The distinction between Matomo’s cloud and self-hosted deployments is worth understanding. With Matomo On-Premise, your data never leaves your own infrastructure. There is no third-party involvement whatsoever, which satisfies even the most stringent interpretations of data sovereignty requirements. With Matomo Cloud, the platform operates on dedicated EU infrastructure and maintains complete separation between clients. As Matomo themselves describe it, tracking is entirely isolated and analytics data is never reused by Matomo for its own purposes. Both deployment models align directly with the requirements emerging from the Digital Omnibus proposal and the CNIL’s updated framework.
For French organizations specifically, Matomo has long held recognition from the CNIL as a privacy-compliant analytics solution. Under the new self-assessment framework, the company has committed to publishing detailed compliance documentation in early 2026 to support organizations in demonstrating that compliance in a verifiable and auditable way. This kind of proactive regulatory engagement is exactly what the new framework is designed to encourage, and it gives Matomo users a significant practical advantage when facing an audit or regulatory inquiry.
Matomo also offers flexible consent configuration, including cookieless tracking modes that can be deployed without a consent banner under the appropriate regulatory conditions. This matters because consent banner fatigue is real: studies consistently show that a significant proportion of users decline analytics consent when given the option, which creates material gaps in the audience data available to site operators. A legally compliant cookieless configuration removes that friction entirely.
Umami: Lightweight, Open-Source, and Elegantly Simple
Umami is a lightweight, open-source web analytics platform designed for simplicity and privacy by default. It collects no personally identifiable information, uses no cookies, and stores only aggregated, anonymized data. Umami is available as a self-hosted application or through Umami Cloud, and its clean single-dashboard interface makes it highly accessible for teams without dedicated analytics staff. It is particularly well-suited for organizations that need reliable traffic and behavior data with minimal setup overhead, and for those whose primary concern is eliminating compliance risk entirely rather than building out sophisticated analytics workflows.
Where Matomo is feature-rich and highly configurable, Umami takes a deliberately different approach. It is built on the premise that the vast majority of what organizations actually need from web analytics can be delivered through a clean, fast, cookieless tool that collects no personally identifiable information by design. There is no consent banner required, no complex configuration to maintain, and no ongoing compliance reviews to schedule. The data Umami collects is anonymized by default, aggregated, and never transferred to third parties.
This simplicity is not a limitation so much as a deliberate philosophical position. Umami collects page views, referral sources, device types, and basic behavioral metrics. For content-led organizations, publishers, nonprofits, and teams that primarily need to understand traffic patterns and audience sources rather than build complex attribution models, this is often genuinely sufficient. The reduction in data surface area also means there is simply less to worry about from a compliance perspective. A tool that does not collect personal data cannot mishandle it.
Umami is open-source and can be self-hosted with minimal infrastructure requirements. For organizations with the technical capacity to run their own deployment, this provides complete data sovereignty with virtually no ongoing cost. For those who prefer a managed service, Umami Cloud offers a clean hosted option. In either case, the platform is straightforward to deploy, easy for non-technical stakeholders to use, and unambiguously aligned with the direction of European privacy regulation.
It is worth noting that Umami’s approach maps cleanly onto the consent exemption conditions being established across all three regulatory frameworks discussed above. The data is collected by and for the website operator, it is strictly aggregated and statistical in nature, it is not combined with any external datasets, and the provider does not benefit commercially from the data. For organizations seeking the most defensible possible compliance position with the least operational overhead, Umami is a compelling choice.
Choosing Between Them
The choice between Matomo and Umami is not a question of which is more privacy-compliant. Both are genuinely privacy-first platforms, and both are well-positioned for the regulatory environment taking shape in 2026. The decision comes down to what your organization actually needs from analytics, and how much complexity you are willing to manage.
If your analytics program supports conversion rate optimization, multi-channel attribution, A/B testing, detailed user journey analysis, or reporting for stakeholders who need rich segmentation and custom dashboards, Matomo is the right choice. Its feature depth is comparable to enterprise platforms, and its compliance infrastructure, particularly its CNIL documentation and flexible consent configuration, gives compliance teams the specific tools and evidence they need.
If your primary need is reliable traffic data, a clear picture of where your audience comes from, and the ability to answer basic questions about site performance without the overhead of a complex analytics deployment, Umami is elegant, fast, and almost entirely frictionless from a compliance perspective. It removes risk by collecting less in the first place, which is always the cleanest privacy posture available.
Many organizations find that the two tools can coexist. Umami handles day-to-day traffic monitoring and provides a cookieless baseline that is unimpeachably compliant, while Matomo is deployed with appropriate consent mechanisms for deeper behavioral analysis where users have opted in. This layered approach gives teams access to rich data when consent is granted, while maintaining a meaningful and legally defensible analytics baseline for the users who decline.
The Moment to Move Is Now
The regulatory changes arriving in 2026 are not a sudden disruption. They are the culmination of years of legal challenges, enforcement actions, and policy deliberations that have consistently pointed in the same direction. Privacy-first, first-party, purpose-limited analytics is becoming the legal standard across Europe, not merely a best practice for cautious organizations.
As Matomo’s own analysis of these changes makes clear, the platforms that stand to benefit from the emerging regulatory framework are precisely those designed around data ownership and the absence of third-party data monetization. The platforms that face growing legal exposure are those whose business models depend on the opposite. The direction of travel has been clear for some time. What 2026 adds is urgency and specificity.
For organizations still running their analytics through platforms that treat user data as a commercial asset, this is the moment to reassess. The compliance cost of staying on those platforms is rising, the legal risk is increasing, and the alternatives, Matomo and Umami chief among them, are mature, capable, and purpose-built for exactly the environment regulators are creating. The reckoning is here. The question is only how prepared you intend to be.
This article references reporting and analysis from Matomo’s January 2026 post, Privacy regulations are changing in 2026: what analytics teams need to know, which covers the CNIL self-assessment framework, the EU Digital Omnibus initiative, and UK PECR updates in detail.

