matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0
19.83k stars 2.64k forks

If we choose Matomo but still want to accomplish GDPR compliance, do we need to show any informative popup box to the people that simply navigate in our website? #15369

Open mattab opened 4 years ago

mattab commented 4 years ago

Question from user:

As our website is purely informative and when we gather people's data in some website forms, we ask for consent, the rest is purely informative. Therefore, if we choose Matomo but still want to comply with GDPR regulation, do we need to show any informative popup box to the people that simply navigate in our website? I'm thinking that inserting a privacy policy popup in a corner, available for people to click, would be enough.

Our existing pages should answer this information, for example: https://matomo.org/blog/2018/04/how-to-make-matomo-gdpr-compliant-in-12-steps/

However, our recommendations may no longer be accurate. As discussed internally (cc @tsteur), something that page misses, or maybe needs to mention, is that it has become quite clear that if they use cookies, they have to tell people that in some popup and ask if it's ok… So we may need users to inform re cookies and if they say no, then use Matomo with cookies disabled, otherwise we can track in Matomo with cookies enabled if they agree.

Resources:

So maybe people may be required to at least show the annoying cookie banner/popup?

Note: another point to think about is that, our server-side fingerprint may also count as personal data like cookies do, and require a banner to explain this as well?

tassoman commented 4 years ago

As far as I can remember, European GDPR needs visitor acknowledgement before any action on the website, including setting cookies or personalized content provisioning.

So if the user continues navigating without consent, it should be a "no" :x:; if they accept the policy, cookies can be set :o: . So in my opinion, without consent fingerprinting shouldn't be done.

https://gdpr.eu/eu-gdpr-personal-data/

Any information that can lead to either the direct or indirect identification of an individual will likely be considered personal data under the GDPR.

mattab commented 4 years ago

When tracking Heatmaps and Session recordings without tracking any personal data, are users also required to ask for consent? cc @tsteur

tsteur commented 4 years ago

You will for sure need to ask for consent when you use the userId or orderId feature, or if you don't anonymize IP as much as possible. Also very very likely when you have a login on your website, if you have an ecommerce store. Potentially also if you have forms on your website (might depend on what happens when false data is submitted, e.g. will any private data be shown in the DOM etc). I would argue that you'd also want to anonymise the referrer (e.g. only record domain), and you of course also want to make sure to never have any personal data in URLs or titles etc. There might be many more reasons you need to ask consent for.
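
An added example, not part of the thread and not Matomo project code: one way to wire the cookie gating from the first comment together with the referrer and URL minimisation suggested in the last one. The helper names, the consent values and the `ALLOWED_PARAMS` list are assumptions; the command names are Matomo JavaScript tracker methods.

```javascript
// Added example: hypothetical helpers around the Matomo _paq command queue.
// All sample URLs used with these helpers are constructed.

// Assumption: query parameters known to carry no personal data on this site.
const ALLOWED_PARAMS = new Set(['page', 'lang']);

// Reduce a referrer to scheme + hostname ("only record domain").
function referrerDomainOnly(referrer) {
  if (!referrer) return '';
  try {
    const u = new URL(referrer);
    return u.protocol + '//' + u.hostname + '/';
  } catch (e) {
    return ''; // unparseable referrer: record nothing
  }
}

// Drop credentials, fragment and every query parameter not on the allow-list.
function scrubPageUrl(pageUrl) {
  const u = new URL(pageUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of u.searchParams) {
    if (ALLOWED_PARAMS.has(key)) kept.append(key, value);
  }
  u.search = kept.toString();
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.toString();
}

// consent: 'granted' | 'denied' | 'unknown' (the visitor's banner answer).
// Anything other than an explicit 'granted' is treated as "no".
function buildTrackerCommands(consent, pageUrl, referrer) {
  const cmds = [];
  if (consent === 'granted') {
    cmds.push(['requireCookieConsent']);
    cmds.push(['setCookieConsentGiven']);
  } else {
    cmds.push(['disableCookies']); // cookieless tracking only
  }
  cmds.push(['setCustomUrl', scrubPageUrl(pageUrl)]);
  cmds.push(['setReferrerUrl', referrerDomainOnly(referrer)]);
  cmds.push(['trackPageView']);
  return cmds;
}

// In the page: buildTrackerCommands(answer, location.href, document.referrer)
//   .forEach(function (c) { window._paq.push(c); });
```

This covers only cookies and what is sent in the URL and referrer fields; IP anonymisation is configured in Matomo itself, and the example does not address whether cookieless tracking still needs consent, which is the open question in the thread.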