How to consult proof of consent

General questions
1

Hello,

I use matomo tracking, with only cookie consent request. IPs are anonymized at level 2 (ex : 15.125.0.0).

My question is, if the user refuses or accepts the deposit of cookies, is it possible to keep track of the choice made by the site user in the matomo interface?

As the data is anonymized, how can we prove the user’s choice?

And how can we recognize the user from his ID if he requests proof of his consent?

Thank you for help or advice

2

Great questions — consent tracking and user identification with tools like Matomo (especially with anonymized data) need to be handled with care to comply with GDPR and similar privacy laws. Let’s walk through your questions step by step:

:mag: 1. Can Matomo Track Whether a User Consented or Refused Cookies?

By default, Matomo does not automatically store the user’s consent choice within its analytics reports.

However:

  • If you’re using Matomo Tag Manager or have integrated Matomo manually, you can track consent choices by sending a custom event or dimension when the user makes a choice.

:white_check_mark: Example: Track Consent Choice via Custom Dimension

You can add a custom dimension (e.g., Consent Given: Yes/No) like this:

js

CopyEdit

// If user accepts cookies
_paq.push(['setCustomDimension', 1, 'Consent', 'Yes']);

// If user refuses cookies
_paq.push(['setCustomDimension', 1, 'Consent', 'No']);

Then, you’ll be able to filter and segment data in the Matomo interface by this custom dimension. But this still doesn’t tie it back to a specific person easily.

:man_detective: 2. How to Prove the User’s Consent Later (GDPR Request)?

This is tricky because you’ve chosen to anonymize IP addresses (which is great for privacy), but it also removes identifiable information.

In GDPR terms:

  • If you can’t identify a user, then GDPR may not apply in full, as the data is not considered “personal” anymore.
  • But if you’re storing a consent record, you need to make sure it’s linked to a user identity (like a session ID, user ID, or pseudonymous key).

:package: Recommended Consent Logging Outside of Matomo

Since Matomo isn’t built to store legal consent records, it’s better to:

  1. Log the consent server-side when the user makes a choice.
  2. Include:
  • Timestamp
  • IP address (if allowed)
  • Consent type (Accepted/Refused)
  • Cookie/session ID (if available)

If anonymization makes user identification impossible, you can’t directly link the analytics data to the consent — but that might be legally acceptable, because you’re not storing personally identifiable data.

:repeat: 3. How Can We Recognize a User from Their ID If They Request Proof of Consent?

You can’t, if you don’t have a way to link the user’s identity (like an email, login, etc.) to the consent choice.

So here are two options:

a) Logged-In Users

  • Store their consent choice in your user database.
  • Then you can retrieve it when they request it.

b) Anonymous Users

  • Assign a unique ID via cookie (like user_consent_id=abc123) and store their choice server-side.
  • If the user shares this ID later, you can find the corresponding consent record.
  • But if they refused cookies, you probably didn’t set the cookie, so there’s no way to recognize them unless done server-side.
3

Yes, Matomo can store consent decisions, but not directly within its core analytics interface. You’ll typically need to manage consent tracking externally—either via a tag manager, consent management platform (CMP), or custom implementation.
Since Matomo anonymizes IPs and doesn’t store personally identifiable info by default, tying a specific consent choice to an individual can be challenging. To comply with GDPR or similar regulations, you might consider storing consent logs separately (e.g., in a secure database) where you associate a consent timestamp with a user’s pseudonymous ID (like a hashed user ID or custom user token), ideally tied to the same identifier you use in Matomo’s user ID feature (if enabled).

4

Thank you @mannyorton and @fatirsahi for your feedback.

I finally found a solution by associating tracking with a CMP such as cookieYes. Even if the data is anonymized, a cookie identifier is available.

This requires, however, that the user asking for proof of his consent does a search on his side to provide the ID number linked to his cookie. And thus allow me to make the link on my side.

Clearly I haven’t had a chance to test this. And although I doubt I’ll ever be asked. I now know I have a solution just in case.