It looks like matomo needs to run on the same domain as each domain/website in order to be considered a ‘first-party’ tracking solution under GDPR (at least with latest court decisions and press releases form data protections authorities in Germany). Even if all websites are hosted on the same server. Afaik a subdomain is still considered to be the ‘same domain’. How would you go about this?
My approach: I have one shared hosting solution that runs multiple websites (in separate directories and databases) and their domains (mysite-a . com, mysite-b . com, mysite-c . com). In the past I have used one matomo installation (in a separate directory and database) on the subdomain matomo . mysite-a . com to track all sites/domains. I want to keep having one matomo installation instead of 3 separate installations and databases. I therefore created 3 subdomains matomo . mysite-a . com, matomo . mysite-b . com, matomo . mysite-c . com that all point to the same single matomo directory. In matomo all subdomains are set up as a ‘Trusted Matomo Hostname’. Each tracking JS snippet for each domain has the matching subdomain as an URL. So far everything seems to track perfectly. Matomo can be accesed from all subdomains and the opt-out seems to be set for each domain separately (opt-out widget also contains matching subdomain url for each domain).
Im neither sure that this is considered good practice in matomo nor that this is totally GDPR compliant. Any suggestions?
I am doing the same thing since I started using Matomo and haven’t been seeing any major issues with it.
There is just one bug:
Every time you visit Matomo at matomo.somesite.example it sets this URL as the piwikURL in the config. This causes Matomo to use this URL wherever URLs are generated (e.g. in the E-Mail reports) independent on which site this report belongs to.
It would be amazing if somone coud contribute a fix for this for Matomo 4, but as long as you don’t care too much about which URL you see in the sent reports, it should be okay.
I’ve seen this Github issue before but since I only actively (daily) use one Matomo URL this doesn’t bother me that much personally. As long as everything on the visitor’s end is going through the specific subdomain / trusted host.
I also noticed that using the matching subdomain was relevant when generating URLs in the Matomo backend:
Generating the javascript tracking code: Will be generated using the current URL
Generating an opt-out embed: Opt out will be specific to that subdomain and URL has to match the URL of the tracking code
Setting ‘Exclude your visits using a cookie’ cookie: Same as opt-out embed
Being able to set a specific trusted host for each site would solve those inconveniences. It’s in the backlog, so let’s see what happens…
I am working on setting up this same exact type of environment. Do you know if it is possible to configure which trusted hostname gets added to the snippet of a website?