Cookieless Tracking & Consent Mode V2: Matomo, GA4 server-side, open-source CMP
TL;DR: in 2025, secure your measurement with a “granular consent + cookieless architecture” duo. Update to Consent Mode V2 (ad_user_data, ad_personalization), link your CMP and switch GA4 to an EU server-side container. If you need analytics without a banner, configure Matomo in CNIL exempt mode or strict no-cookie mode — otherwise, request consent.

Definition & 2025 Context
Cookieless tracking = measuring performance by reducing (or eliminating) reliance on cookies, especially third-party ones, and relying on first-party signals, proprietary endpoints, and privacy-respecting attribution models. Consent Mode V2 is Google’s API that adapts tag behavior (reading/writing, pings, modeling) according to user consent within the EEA.
On the browser side, the disappearance of third-party cookies in Chrome follows an adjusted schedule, but the direction is clear: the ecosystem is migrating towards measurement and relevance APIs that are more respectful of privacy. The stakes for brands: data continuity, compliance, speed, and control.
Business & Compliance Challenges
- Continuity of KPIs despite consent refusals and blocking of third-party trackers.
- ePrivacy/GDPR compliance (CNIL in France): prior consent for non-essential trackers, clear information, and management of transfers outside the EU.
- Performance: less JS on the browser side, improved Time to Interactive, better Core Web Vitals.
- Sovereignty & auditability: prioritize first-party data, auditable CMPs, EU endpoints.
Consent Mode V2: what changes (and how to implement it)
Consent Mode was updated at the end of 2023 with two additional signals. In 2024, Google strengthened the requirement to transmit consent for users in the EEA, both for personalization and for certain measurements.
| Signal | Purpose | Impact if denied | Implementation notes |
|---|---|---|---|
| ad_storage | Advertising storage (cookies) | No Ads cookies (conversion/remarketing) | Managed by CMP → GTM/gtag |
| analytics_storage | Analytical storage | GA4 works without cookies with limited pings/modeling | Affects writing of _ga |
| ad_user_data (V2) | Authorization to send user data to Ads systems | Prevents sending certain data to advertising platforms | Critical for Customer Match / Ads measurements |
| ad_personalization (V2) | Enables advertising personalization features | No remarketing/personalization | Blocks advertising audiences/segments |
| functionality_storage | Essential preferences (e.g. language) | Degraded functionalities | Can be granted by default if strictly necessary |
| personalization_storage | Non-advertising personalization | No non-essential UX personalization | Subject to consent |
| security_storage | Fraud prevention / security | Risk of security false positives if denied | May fall under strictly necessary |
Official sources: Consent Mode guides and EEA requirements (Google), including the addition of ad_user_data and ad_personalization signals, and verification procedures with Tag Assistant. See: Google Developers (Consent mode overview & setup), Google Support (updates & enforcement), Tag Assistant troubleshooting.
Consent mode – Overview · Set up consent mode (web) · Updates for EEA traffic · Verify & update consent settings (GA4) · Troubleshoot with Tag Assistant
Practical implementation (web)
- Before loading tags: set the default state via `gtag('consent','default', {...})` (usually denied except strictly necessary).
- Link the CMP: map choices (Analytics, Ads, Personalization) → Consent Mode states, including `ad_user_data` and `ad_personalization`.
- Verify with Tag Assistant (consent events, update transitions), and test the cases “total refusal,” “analytics only,” “ads + personalization.”
- Log (DPO/IT): keep evidence of CMP version, mapping, and tests.
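The steps above as an added example (not code from the original page or from any CMP): a deny-by-default state and a fail-closed mapping from CMP choices to Consent Mode V2 signals. The CMP category names (`analytics`, `ads`, `personalization`) and the decision to grant `functionality_storage` and `security_storage` by default are assumptions.

```javascript
// Added example. CMP category names are hypothetical; gtag() is the standard dataLayer shim.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

const DENIED = 'denied';
const GRANTED = 'granted';

// Default state, pushed before any tag loads: every non-essential signal denied.
const DEFAULT_STATE = Object.freeze({
  ad_storage: DENIED,
  analytics_storage: DENIED,
  ad_user_data: DENIED,
  ad_personalization: DENIED,
  personalization_storage: DENIED,
  functionality_storage: GRANTED, // assumption: strictly necessary preferences only
  security_storage: GRANTED,      // assumption: fraud prevention is strictly necessary
});

// Map CMP choices to signals. Only a boolean true grants: a missing key,
// null, or a string such as "false" stays denied (fail closed).
function toConsentState(choices) {
  const on = (key) => (choices && choices[key] === true ? GRANTED : DENIED);
  const adsPersonalized =
    choices && choices.ads === true && choices.personalization === true;
  return {
    ...DEFAULT_STATE,
    analytics_storage: on('analytics'),
    ad_storage: on('ads'),
    ad_user_data: on('ads'),
    ad_personalization: adsPersonalized ? GRANTED : DENIED,
    personalization_storage: on('personalization'),
  };
}

function applyDefault() {
  gtag('consent', 'default', DEFAULT_STATE);
}

// Called from the CMP callback after the user acts, and again on withdrawal.
function applyChoices(choices) {
  const state = toConsentState(choices);
  gtag('consent', 'update', state);
  return state;
}
```

The three mapped states correspond to the test cases listed above and can be compared against the consent events shown in Tag Assistant.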
GA4 server-side: architecture and best practices
Server-side tagging (GTM Server-Side) offloads execution and formatting of measurement requests to a server container (Cloud Run or other). Benefits: data control, reduced JS, resilience to blocking, first-party endpoint (collect.yourdomain.com via CNAME/proxy).
Architecture Checklist (EU)
- Hosting: server container in the EU region (e.g. GCP europe-west), restricted access, secure logs.
- Domain: first-party subdomain (e.g. `metrics.example.com`) with TLS.
- Consent relay: relay consent states to the server (headers/params) and condition sending to destinations.
- GA4 EU: for the Measurement Protocol, use the regional endpoint `https://region1.google-analytics.com/mp/collect`.
- Minimization: remove unnecessary IP/UA, mask free fields, limit granularity.
- Observability: enable preview, test flows, monitor errors and latency.
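The consent relay and minimization items of this checklist, as an added example (plain JavaScript, not the GTM server container API and not code from the original page). The event shape, field names and destination names are hypothetical, and the sketch takes the strict option of sending nothing to a destination whose signals are not all granted.

```javascript
// Added example. Event shape, field names and destination names are hypothetical.
const REQUIRED_CONSENT = {
  ga4: ['analytics_storage'],
  ads: ['ad_storage', 'ad_user_data'],
};
const DROP_FIELDS = ['ip', 'user_agent'];               // never forwarded
const FREE_TEXT_FIELDS = ['search_term', 'page_title']; // user-typed content
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/g;
const HOUR_MS = 3600000;

// A destination is allowed only if every signal it needs was relayed as 'granted'.
// Missing or malformed consent yields no destinations.
function allowedDestinations(consent) {
  return Object.keys(REQUIRED_CONSENT).filter((dest) =>
    REQUIRED_CONSENT[dest].every((sig) => consent && consent[sig] === 'granted'));
}

// Drop IP/UA, mask e-mail-like strings in free fields, round time to the hour.
function minimize(params) {
  const out = {};
  for (const [key, value] of Object.entries(params || {})) {
    if (DROP_FIELDS.includes(key)) continue;
    if (FREE_TEXT_FIELDS.includes(key) && typeof value === 'string') {
      out[key] = value.replace(EMAIL_RE, '[redacted]');
    } else if (key === 'timestamp_ms' && Number.isFinite(value)) {
      out[key] = value - (value % HOUR_MS);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Returns one outbound message per permitted destination, already minimized.
function routeEvent(event) {
  const destinations = allowedDestinations(event.consent);
  if (destinations.length === 0) return [];
  const params = minimize(event.params);
  return destinations.map((destination) => ({ destination, name: event.name, params }));
}
```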
Useful resources: GTM Server-Side (overview, intro, fundamentals), server-side Consent Mode, GA4 Measurement Protocol & EU endpoint.
Server-side GTM – Overview · Introduction · Fundamentals · Consent Mode server-side · GA4 Measurement Protocol
Matomo: exempt mode & no-cookie
The CNIL provides a consent exemption for certain strictly necessary audience measurements, under conditions (limited purposes, lifespan, no retargeting, no provider reuse, etc.). Matomo offers:
- a no-cookie mode (`disableCookies`) and enhanced anonymization;
- an exempt mode (CNIL configuration guide);
- a consent mode if you extend the purposes (e.g. enrichments, segments).

CNIL & Matomo references: CNIL pages “Audience Measurement” and exemption, note on transfers and proxying, Matomo guides (consent/no-cookie).
CNIL – Audience measurement solutions · CNIL – Measurement & transfers · Matomo – Tracking & consent · Matomo – Disabling cookies
Open-source CMP: Klaro!, Orejime, CookieConsent
A CMP must be accessible, auditable, and interoperable. Open-source options offer transparency and self-hosting:
| CMP | Strengths | Consent Mode Integration | Notes |
|---|---|---|---|
| Klaro! | Open-source, JSON config, purpose groups, multi-language | Integrable via GTM (consent template) and hooks | Free client; optional backend services |
| Orejime | Lightweight, accessibility-focused, easy to style | Custom mapping to gtag/GTM | Active community project |
| CookieConsent (Osano) | MIT license, WP plugin, massive adoption | Integrable with custom events | Open-source version ≠ commercial platform |
For further reading: consult TCF v2.2 (IAB Europe) if you operate TCF advertising partners.
Deployment Playbooks
Playbook 1 — “Essential Measurement” (Matomo exempted)
- Map the “strictly necessary” purposes according to CNIL (traffic, service performance).
- Configure Matomo in exempted mode (IP anonymization, no retargeting, reduced duration) and/or no-cookie.
- Document (register, DPA, policy) and avoid any transfers outside the EU (or mitigate via compliant proxying).
- Inform the user (clear cookie policy) and offer an additional opt-out.
Playbook 2 — “GA4 + Ads Mix” (Consent Mode V2 + server-side)
- CMP: define exact categories and map → `ad_storage`, `analytics_storage`, `ad_user_data`, `ad_personalization`.
- GTM web: set `default` to denied (except essential), then `update` after user action. Test with Tag Assistant.
- GTM server-side: 1P subdomain, EU region, consent relay, filtering sensitive parameters.
- GA4: Measurement Protocol via `region1.google-analytics.com/mp/collect`, Data Filters rules and minimal retention.
- Audit: server-side logs, test plan (total refusal, partial consent, withdrawal), alerts.
Playbook 3 — “Product teams / multi-sites”
- GTM Templates to standardize consent checks and limit on-site code.
- Event library (naming, mandatory params), shared between sites/apps.
- Feature flags to activate new partners behind the appropriate consent.
- Observability: consent status dashboards (rates by country), GA4 modeling rate, server-side health.
Cleaning, tag governance & data quality
A good transition to cookieless comes with a major cleanup:
- Tag inventory: list everything that pulls data (GTM/Gtag, pixels, SDK), remove legacy “zombie” tags.
- Streamline: one container per surface, sparing trigger rules, no vendor in “fire and forget” mode.
- Block by default any destination that does not respect the consent status.
- Quality: validate events (schema, cardinality), measure the drift between consented and denied.
- Security: compartmentalize access, avoid secrets in the front-end, encrypt in transit and at rest.

Trends 2025–2026
- Third-party cookies: gradual phase-out in Chrome (Privacy Sandbox timeline): prepare experimentation and measurement plans with and without 3P cookies.
- IP Protection & new protections in browsers: expect fewer passive signals.
- Server-side by default for high-traffic sites: performance, stability, control.
- Strengthened CNIL governance: compliance and transfer control, logging, security.
FAQ
Is Consent Mode V2 “mandatory” in Europe?
If you use Google tags/SDKs for advertising and measurement with EEA users, you must collect consent and transmit signals via Consent Mode. Without this, advertising and measurement features may be disabled or non-functional in accordance with Google policies.
Is GA4 cookieless enough to reconstruct data?
No. GA4 uses modeling when cookies are not available. This is useful for trends, not for individual tracking. Combine server-side, first-party data, and explicit consent when necessary.
Which open-source CMP to choose?
Klaro! if you want a well-documented free client, Orejime if you are looking for a lightweight accessible bundle, CookieConsent if you prioritize simplicity and the ecosystem (including a WordPress plugin). Check TCF compatibility if you need it.
How to avoid transfers outside the EU with GA4?
Use the EU endpoint of the Measurement Protocol, a GTM server in the EU region, minimize/mask data, and document protection measures. The EU endpoint does not exempt you from all transfer obligations but reduces technical risks.
Matomo “exempt” vs “consent”: which to choose?
If your need is limited to essential traffic, try the exemption (strictly necessary). As soon as you add marketing purposes, retargeting, or advanced correlations, switch to a mode with clear consent.
Useful resources & sources
- Google Developers – Consent mode (overview)
- Google Developers – Set up consent mode
- Google Support – Updates to consent mode for EEA
- Google Support – Verify & update consent (GA4)
- GA4 Measurement Protocol Reference (EU endpoint)
- GTM Server-Side – Overview
- CNIL – Audience measurement tools (exemption)
- CNIL – Audience measurement & transfers
- Matomo – Tracking & consent
- Matomo – Cookie-less mode
- IAB Europe – TCF
- Privacy Sandbox – Third-party cookies update
Conclusion: the right 2025 strategy is neither “all consent” nor “all model,” but an orchestra: Consent Mode V2 + reliable CMP, GA4 server-side in the EU for performance and control, Matomo in exempted or no-cookie mode for essential measurement, all documented and audited. You get more sustainable data, less regulatory exposure, and better loading times.