matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0
19.87k stars 2.65k forks source link

How to ask for consent for Matomo data collection using a Consent Manager #15511

Closed mattab closed 11 months ago

mattab commented 4 years ago

The goal of this issue would be to research and document how to use one or more existing Consent Managers tools with Matomo. Currently we only offer a JavaScript-level solution to help implement asking for consent, but it is only basic and technical. From users point of view, it would be great to read one or several user guides explaining how to setup a Consent Manager and ask consent for Matomo data collection.

Why is this important?

In the context of the GDPR privacy regulations, when you are processing personal data, in some cases you will need to ask for your users' consent. To identify whether you need to ask for consent, you need to determine whether your lawful basis for processing personal data is "Consent" or "Legitimate interest", or whether you can avoid collecting personal data altogether.

Consent managers tools

There are quite a few tools out there, for example:

Notes

might also need https://github.com/matomo-org/matomo/issues/13056

rlankhorst commented 4 years ago

For universal compatiblity in WordPress, I would recommend to integrate with the WP Consent API. https://github.com/rlankhorst/wp-consent-level-api/

This is essentially a framework to standardize communication between plugins that manage consent, and plugins that place cookies/track data/statistics in any way. For more detailed info, please checkout the readme on git. I'll briefly explain it below.

It will be released on WordPress as a separate plugin (currently awaiting plugin review), and is expected to get merged into core eventually. Currently Cookiebot, WPMU Dev are actively integrating, we're still talking with other plugins like CAOS, Advanced Ads, etc. Of course, it will really gain traction when it has a lot of installs, but to get there we're actively looking for plugins to help us get there.

The way we have implemented it in Complianz GDPR, is that, if we detect a plugin supports it, we fire the "recommended plugin" installer.

In the case of Matomo in combination with Complianz GDPR, it would work as follows:

When statistics-anonymous returns a true, Matomo can start tracking hits.

If the site admin has configured Matomo to track not anonymously, the consent level that should be checked is 'statistics'.

The consent API has been built to be used both in javascript and in PHP. We've added hooks that can be used to fire the javascript as soon as consent is given, without page reload. A simple example can be found here: https://wpconsentapi.org/

Using the Consent API is the only way to get WordPress plugins to work together in a reliable way. As it stands, you have to build separate integrations for each consent management plugin (in your case), or in our case, as consent management plugin, build an integration for each data tracking plugin (which is actually what we're doing right now). But even then, we can't prevent plugins from placing PHP cookies, so we can't cover everything 100%. The Consent API

Please let me know if you have any questions about this. Would be great to have you on board!

tsteur commented 4 years ago

This is interesting @rlankhorst . Thanks for that. I reckon this could make quite some sense to support it if possible since many compliance tools likely naturally support WordPress maybe. To be looked into though.

Also maybe someone already made that work for us (eg wrote a plugin for complianz etc) so there might be not even much to do. To be checked though.

mattab commented 4 years ago

Assigning tentatively to 4.3.0. It would be valuable to offer documentation on how to integrate consent managers within Matomo. We'd publish the content on our website. Ideally we'd cover the main tools (and research/signup if they offer affiliate/reseller programs).

rlankhorst commented 4 years ago

@mattab I don't think the WP Consent API is what you call a consent manager: it's nothing more than WordPress standard which allows a plugin which places cookies to communicate with a cookie banner plugin through a standardized interface.

In the case of Matomo, the Matomo WordPress plugin can integrate with the WP Consent API to check if a user has given consent for anonymous statistics or statistics. The advantage for everyone here is that Cookie Banner plugins like Complianz GDPR/CCPA and Cookiebot only have to tell the WP Consent API that consent is given for anonymous statistics/statistics, and Matomo only has to check the WP Consent API, as opposed to building separate integrations for each Cookie Banner plugin separately. In Complianz we currently have ship 60 integrations with plugins and services. The WP Consent API would make this list not necessary anymore.

The WP Consent API is probably going to be added as feature plugin with WordPress 5.6, to be added to core after that.

Starker3 commented 2 years ago

@mattab We can maybe update the issue to link to this guide for Cookiebot: https://support.cookiebot.com/hc/en-us/articles/360017539960-Matomo-deployment It's for setting up consent with Matomo Tag Manager instead of with GTM

atom-box commented 2 years ago

This user likes Complianz

we find in Complianz Plugin a simple integration on Matomo Analytics service for cookie consent. In the wizard it asks for matomo server and ID to settle and it's done. Very useful.

adiladvani97 commented 1 year ago

Here are some popular consent management tools for WordPress:

Securiti: A GDPR and ePrivacy-compliant cookie consent management tool that provides a comprehensive solution for WordPress websites. It scans your site for cookies and creates a cookie declaration that informs your visitors about the types of cookies you use.

Lightweight Cookie Notice: A free plugin that provides a customizable cookie consent banner to your WordPress website. It is fully compliant with GDPR and ePrivacy laws and allows visitors to opt-in or opt-out of cookies.

MT Cookie Consent: A plugin that provides a comprehensive cookie consent solution for WordPress websites. It creates a cookie policy and a cookie banner that complies with GDPR, CCPA, and other privacy regulations.

Cookie Accept: A popular and free plugin that displays a cookie consent banner on your WordPress website. It allows visitors to accept or decline cookies and also includes an option to read your cookie policy.

Privado’s GDPR Cookie Consent: A plugin that provides a variety of features to make your WordPress website compliant with GDPR. It includes a cookie consent banner and also allows you to delete user data, generate privacy policy, and more.

Borlabs Cookie: A plugin that provides a customizable cookie consent banner for your WordPress website. It also includes options to block specific cookies and scripts until visitors give their consent.

These are just a few of the popular consent management tools available for WordPress websites. It's important to choose a tool that fits your specific needs and complies with the relevant privacy regulations.

adiladvani97 commented 1 year ago

Providing consent for Matomo data collection is an important step in protecting user privacy. You can ask for consent by leveraging a Consent Manager. There are many plugins and solutions available that allow you to easily implement cookie consent for Matomo. Some of the popular ones include Securiti, Cookie Consent by Insites, and Cookie Consent Manager. These plugins allow you to easily customize the way you ask for consent and also keep track of user consent. These solutions are great for ensuring that you are compliant with data privacy regulations.

heurteph-ei commented 1 year ago

Hi @mattab I think some documentation about onetrust could be a plus, as I think this is the one I see the most in Matomo forums... Cheers

bx80 commented 1 year ago

As of Matomo 4.13 we now have in-app detection and integration guides for six popular content managers. This issue could perhaps be closed and separate issues created individually for any other consent managers that should also be added.

mattab commented 11 months ago

Acting on @bx80 suggestion, this issue covers a lot of ground, and it's a bit too broad for us to tackle effectively as is. So, we're going to close it for now.

But don't let this stop you! If you've got specific ideas or improvements related to this topic, feel free to open new issues for each one. That way, we can dive into them in more detail.

Also some feedback in https://github.com/matomo-org/matomo/issues/17169