matomo-org / matomo-for-wordpress

Get a fully functioning Matomo Analytics for your WordPress. Star us on Github? +1. Matomo is the leading open alternative to Google Analytics that gives you full control over your data. Privacy is built-in. 100% data ownership, no one else can see your data. We love Pull Requests!
https://matomo.org
GNU General Public License v3.0

Conforming to WP Consent API #311

Open AertHulsebos opened 4 years ago

AertHulsebos commented 4 years ago

Hi! We expect the Consent API to be featured in WP 5.6 as a feature plugin. The end of the year release will feature the plugin to fill the gap between consent and plugins. Please consider conforming to the API. Documentation:

https://wordpress.org/plugins/wp-consent-api/
https://make.wordpress.org/core/2020/04/01/feature-plugin-proposal-wp-consent-api/
https://github.com/rlankhorst/wp-consent-level-api/

Please let me know if we can help,

regards Aert | Complianz.io

tsteur commented 4 years ago

@AertHulsebos cheers for pinging us. Two questions:

  1. The doc you sent mostly talks about third parties but using this plugin Matomo wouldn't be a third party. However, it may still set analytics cookies so I suppose we'd still need to implement it?
  2. How do we know if a user has set this up and that we should use this consent API? Is this dependent on wp_get_consent_type() or so?

If I see this right we'd need to build something like this: https://github.com/rlankhorst/consent-api-example-plugin/blob/master/main.js

Depending on the setting in JS we can enable cookies or we keep them disabled.

We wouldn't do anything server side since this would be problematic eg re caching plugins that cache the entire HTML etc.

Internal implementation notes:

tsteur commented 4 years ago

@AertHulsebos any chance you could have a look at the questions above?

rlankhorst commented 4 years ago

Hi @tsteur,

Yes, the third parties are the best known examples, but as consent is required for at least non-anonymous tracking in most countries, and for anonymous tracking in others, it applies to Matomo as well.

So in your case you'd need to check only for statistics-anonymous and statistics categories. If a user has configured Matomo anonymously, consent for statistics-anonymous is sufficient. If not, consent level should be 'statistics'. Assuming that with tracking you mean not anonymous statistics, I think this also answers your question regarding tracker.js?

For example, in the Netherlands, Complianz GDPR will set statistics-anonymous to true even before any consent is given, because these can be set without consent. In the UK, consent is necessary for this category as well.

To detect if the consent api is available, in Complianz GDPR I've used a wrapper function in the js file, like the one below. It will return the value from the consent api if available, otherwise return true.

    /**
     * Wrapper to check consent for the WP Consent API.
     * If the Consent API is not active, return true.
     * @param type
     * @return has_consent
     */
    function your_prefix_has_consent(type) {
        var has_consent = true;
        if (typeof wp_has_consent == 'function') {
            has_consent = wp_has_consent(type);
        }
        return has_consent;
    }

Then you can just check this function

    if (your_prefix_has_consent('statistics-anonymous')) {
        // do anonymous tracking
    }

    if (your_prefix_has_consent('statistics')) {
        // do non-anonymous tracking
    }
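
The following is an added example, not part of the thread and not the Matomo plugin's code. It combines the wrapper above with the client-side approach discussed earlier to pick a tracking mode from the `statistics` and `statistics-anonymous` categories. The `example*` names and the mapping of modes to Matomo tracker commands are assumptions; `wp_has_consent` and the `wp_listen_for_consent_change` event come from the WP Consent API.

```javascript
// Added example. The example* names and the mode-to-command mapping are
// assumptions of this sketch, not code from the Matomo plugin.

// Wrapper from the thread with an injectable global scope. `changed` is the
// optional detail object of a wp_listen_for_consent_change event
// (category -> 'allow' | 'deny'); it takes precedence over wp_has_consent().
function exampleHasConsent(type, scope, changed) {
  if (changed && Object.prototype.hasOwnProperty.call(changed, type)) {
    return changed[type] === 'allow';
  }
  if (typeof scope.wp_has_consent === 'function') {
    return Boolean(scope.wp_has_consent(type));
  }
  return true; // Consent API not active: behave as before
}

// 'cookies' needs 'statistics'; 'cookieless' needs 'statistics-anonymous'.
function exampleTrackingMode(scope, changed) {
  if (exampleHasConsent('statistics', scope, changed)) return 'cookies';
  if (exampleHasConsent('statistics-anonymous', scope, changed)) return 'cookieless';
  return 'none';
}

// Matomo tracker commands for the _paq queue in each mode.
function exampleTrackerCommands(mode) {
  if (mode === 'none') return [];
  return mode === 'cookieless'
    ? [['disableCookies'], ['trackPageView']]
    : [['trackPageView']];
}

// Browser wiring, client-side only so cached HTML needs no per-visitor variant.
if (typeof document !== 'undefined') {
  var _paq = (window._paq = window._paq || []);
  var mode = exampleTrackingMode(window);
  exampleTrackerCommands(mode).forEach(function (c) { _paq.push(c); });
  document.addEventListener('wp_listen_for_consent_change', function (e) {
    var next = exampleTrackingMode(window, e.detail);
    // Downgrade immediately; an upgrade takes effect on the next page view.
    if (mode === 'cookies' && next !== 'cookies') _paq.push(['disableCookies']);
    mode = next;
  });
}
```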