Run one multi-domain GDPR-compliant Matomo on multiple subdomains simultaneously

It looks like Matomo needs to run on the same domain as each domain/website in order to be considered a ‘first-party’ tracking solution under GDPR (at least with the latest court decisions and press releases from data protection authorities in Germany). Even if all websites are hosted on the same server. AFAIK a subdomain is still considered to be the ‘same domain’. How would you go about this?

My approach: I have one shared hosting solution that runs multiple websites (in separate directories and databases) and their domains (mysite-a . com, mysite-b . com, mysite-c . com). In the past I have used one Matomo installation (in a separate directory and database) on the subdomain matomo . mysite-a . com to track all sites/domains. I want to keep having one Matomo installation instead of 3 separate installations and databases. I therefore created 3 subdomains matomo . mysite-a . com, matomo . mysite-b . com, matomo . mysite-c . com that all point to the same single Matomo directory. In Matomo all subdomains are set up as a ‘Trusted Matomo Hostname’. Each tracking JS snippet for each domain has the matching subdomain as a URL. So far everything seems to track perfectly. Matomo can be accessed from all subdomains and the opt-out seems to be set for each domain separately (the opt-out widget also contains the matching subdomain URL for each domain).

I’m neither sure that this is considered good practice in Matomo nor that this is totally GDPR compliant. Any suggestions?

Hi,

I am doing the same thing since I started using Matomo and haven’t been seeing any major issues with it.

There is just one bug:
Every time you visit Matomo at matomo.somesite.example, it sets this URL as the piwikURL in the config. This causes Matomo to use this URL wherever URLs are generated (e.g. in the e-mail reports), independent of which site this report belongs to.

It would be amazing if someone could contribute a fix for this for Matomo 4, but as long as you don’t care too much about which URL you see in the sent reports, it should be okay.

Hi Lukas, thanks for the reassurance :wink:

I’ve seen this GitHub issue before, but since I only actively (daily) use one Matomo URL, this doesn’t bother me that much personally. As long as everything on the visitor’s end is going through the specific subdomain / trusted host.

I also noticed that using the matching subdomain was relevant when generating URLs in the Matomo backend:

  • Generating the JavaScript tracking code: Will be generated using the current URL
  • Generating an opt-out embed: Opt out will be specific to that subdomain and URL has to match the URL of the tracking code
  • Setting ‘Exclude your visits using a cookie’ cookie: Same as opt-out embed

Being able to set a specific trusted host for each site would solve those inconveniences. It’s in the backlog, so let’s see what happens…
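
The setup discussed in this thread (one Matomo installation, one matching subdomain per site for the tracking code and the opt-out embed, every subdomain registered as a trusted hostname) can be checked mechanically. The following is an added example, not part of the original posts and not Matomo code; the `.example` hostnames, the data layout and the function names are constructed, and each `pageHost` is assumed to be the bare site domain.

```javascript
// Added example. Hostnames and data layout are constructed for illustration.
// Hosts registered as trusted hostnames in the one shared Matomo installation.
const trustedHosts = [
  "matomo.mysite-a.example",
  "matomo.mysite-b.example",
  "matomo.mysite-c.example",
];

// Per site: bare domain visitors see, tracker URL taken from its JS snippet,
// and the URL its opt-out embed loads.
const sites = [
  { pageHost: "mysite-a.example",            // consistent setup
    trackerUrl: "https://matomo.mysite-a.example/",
    optOutUrl: "https://matomo.mysite-a.example/index.php" },
  { pageHost: "mysite-b.example",            // opt-out embed copied from site A
    trackerUrl: "https://matomo.mysite-b.example/",
    optOutUrl: "https://matomo.mysite-a.example/index.php" },
  { pageHost: "mysite-c.example",            // still on the old shared host
    trackerUrl: "https://matomo.mysite-a.example/",
    optOutUrl: "https://matomo.mysite-a.example/index.php" },
];

function auditSite(site, trusted) {
  const issues = [];
  const tracker = new URL(site.trackerUrl).hostname;
  const optOut = new URL(site.optOutUrl).hostname;
  // The tracker must sit on a subdomain of the site it tracks.
  // The leading dot stops "evilmysite-a.example" from matching.
  if (!tracker.endsWith("." + site.pageHost)) issues.push("tracker-not-subdomain");
  // The opt-out is specific to a subdomain, so it must use the tracker's host.
  if (optOut !== tracker) issues.push("optout-host-mismatch");
  // Every subdomain in use has to be listed as a trusted hostname.
  if (!trusted.includes(tracker)) issues.push("tracker-not-trusted");
  return issues;
}

function auditAll(siteList, trusted) {
  return Object.fromEntries(
    siteList.map((s) => [s.pageHost, auditSite(s, trusted)])
  );
}

console.log(auditAll(sites, trustedHosts));
```
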