Open mattab opened 4 years ago
As far as I can remember, European GDPR needs visitor acknowledgement before any action on the website, including setting cookies or personalized content provisioning.
So if the user continues navigating without consent, it should be a "no" :x:; if they accept the policy, the cookie can be set :o:. So in my opinion, without consent, fingerprinting shouldn't be done.
https://gdpr.eu/eu-gdpr-personal-data/
Any information that can lead to either the direct or indirect identification of an individual will likely be considered personal data under the GDPR.
When tracking Heatmaps and Session recordings without tracking any personal data, are users also required to ask for consent? cc @tsteur
You will for sure need to ask for consent when you use the userId or orderId feature, or if you don't anonymize the IP as much as possible. Also very, very likely when you have a login on your website, if you have an ecommerce store. Potentially also if you have forms on your website (might depend on what happens when false data is submitted, e.g. will any private data be shown in the DOM etc.). I would argue that you'd also want to anonymise the referrer (e.g. only record the domain), and you of course also want to make sure to never have any personal data in URLs or titles etc. There might be many more reasons you need to ask consent for.
Question from user:
Our existing pages should answer this information, for example: https://matomo.org/blog/2018/04/how-to-make-matomo-gdpr-compliant-in-12-steps/
However, our recommendations may not still be accurate. As discussed internally (cc @tsteur), something that page misses, or that maybe needs to be mentioned, is that it has become quite clear that if they use cookies, they have to tell people that in some popup and ask if it's ok… So we may need users to inform re cookies and if they say no, then use Matomo with cookies disabled, otherwise we can track in Matomo with cookies enabled if they agree.
Resources:
So maybe people may be required to at least show the annoying cookie banner/popup?
Note: another point to think about is that, our server-side fingerprint may also count as personal data like cookies do, and require a banner to explain this as well?