[nagbava]

It is true that an opt-out system must be installed on the website (Matomo gives that piece of code) but - as noted on the github link you posted - that very is different from an opt-in system (which is the standard GDPR requirement).

[lmkg]

GDPR does not require consent. If you use consent, then it must be freely-given, but can often use a different legal basis when processing personal data.

The ePrivacy Directive requires consent for reading or writing from a terminal device. This includes anything with cookies, even if they're not personal data. While the ePD refers to GDPR for its definition of consent, it is a separate piece of legislation and many things that are true about GDPR are not true about ePD (such as being able to invoke Legitimate Interest instead of consent).

[nagbava]

Sure, but when it comes to cookies, consent is almost always required on the GDPR basis (other legal basis are rarely working).

You're right to point to e-privacy, to which consent is central. But the latest draft of its new version states that (art.8): 1.The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: [...] (d)it is necessary for audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or by a third party, or by third parties jointly,on behalf of theone or more providersof the information society service provided that conditions laid down in Article 28, or where applicable Article 26,of Regulation (EU) 2016/679 are met

So Matomo can still do without the user consent (from what I understand, the relation between GDPR and e-privacy is no easy business).

[lmkg]

> when it comes to cookies, consent is almost always required

We are in agreement. It seems I wasn't clear enough in my original post, but this is my overall point. GDPR doesn't require consent, but consent is required because of ePD.

> latest draft of its new version

> So Matomo can still do without the user consent

The new draft is not law yet. It's been 6 months away from passing for several years now. In the meantime, fines are still being issued under the existing law. Google got fined a hundred million euro last month in France, and that fine was very specifically ePD and not GDPR for a variety fo reasons.

[iamacyborg]

> So Matomo can still do without the user consent (from what I understand, the relation between GDPR and e-privacy is no easy business).

It also depends on the jurisdiction. For example the ICO has been clear that using a cookie based analytics tool requires a GDPR level of consent, without exceptions.