matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

Feature request: improve documentation on reading user consent state #17169

Open unikitty37 opened 3 years ago

unikitty37 commented 3 years ago

The guide at https://developer.matomo.org/guides/tracking-consent shows how to set and forget the user consent settings, but step 2 (asking for consent through your privacy notice) doesn't go into much detail on how to read the consent settings; the linked article in that section is more about the wording of the notice than implementation details.

Specifically, if we imagine the user's consent as having three states: granted, denied, or undefined (the default state), and we only want to display the privacy notice if it is set to undefined, the documentation is very light on details there.

I assume some combination of hasRememberedConsent() and getRememberedConsent() will do the trick, but it's not really clear how to get from that to "user has definitely given consent", "user has definitely refused consent", or "user has not answered either way".

It doesn't help that typing either of those function names into the documentation search box returns no results — the only thing about consent is the page at https://developer.matomo.org/guides/tracking-consent which doesn't document the specific calls in any great detail.

Specifically, it does not find https://developer.matomo.org/api-reference/tracking-javascript#managing-consent, which gives a bit more detail, but is still unclear on how to tell the difference between "user refused consent" and "user has not answered the question yet".

(If the documentation already exists, it's a bit pointless if the search can't find it 😁 )

The documentation should really make it clear how to tell the difference so developers under time pressure don't simply implement it as "if user has not consented, display the consent dialog until they do", which is not the sort of behaviour that should be encouraged…

Ideally, getRememberedConsent() would return the time the question was answered, regardless of whether consent was granted or denied, so a truthy value would indicate the question has been answered. But that would probably be a breaking change now.

By the way, I did look at https://developer.matomo.org/guides/core-team-workflow#submitting-a-feature-request per the contributing guidelines, but many of the links in there point to piwik.org and are now dead…

tsteur commented 3 years ago

Hi @unikitty37 thanks for creating this issue. From what I see by looking at the code it's actually not possible to do yet. You can only find out if consent was given or not pretty much. I guess the idea was that a user would manage this as part of their consent tool or custom consent implementation.

With e.g. hasRememberedConsent you can find out if the user has given you consent, but you can't find out if the user has denied the consent or never given consent. If you do call forgetConsentGiven when a user declines consent, then it would be technically doable to implement such a feature though.

We're basically setting a cookie like mtm_consent_removed (when forgetConsentGiven was called) and we set a mtm_cookie_consent cookie when consent was granted (by calling rememberConsentGiven). If neither of them exist then the user hasn't made any decision yet.

There's no tracker method to get this information somewhat easily though unfortunately.
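Added example, not part of the thread and not Matomo's own code: a sketch of the three-state check described in the last comment, reading the two cookies it names directly from a `document.cookie`-style string. The function names and the `'undecided'` label are hypothetical, the cookie names are copied from the comment and should be confirmed against what your Matomo version actually sets, and `'denied'` is only detectable if the site calls forgetConsentGiven when a visitor declines.

```javascript
// Cookie names as given in the comment above (assumption: verify in your install).
const DEFAULT_NAMES = {
  granted: 'mtm_cookie_consent',  // present once consent was remembered
  removed: 'mtm_consent_removed', // present once forgetConsentGiven was called
};

// Parse a document.cookie-style string into a Map of exact name -> value.
// Exact-name matching avoids false hits on cookies that merely contain the name.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // fragment without '=' carries no name
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Returns 'granted', 'denied' or 'undecided' (no answer recorded yet).
function consentState(cookieString, names = DEFAULT_NAMES) {
  const jar = parseCookies(cookieString);
  // If both cookies exist the record is ambiguous; resolve it as a refusal
  // so that tracking stays off until the visitor answers again.
  if (jar.has(names.removed)) return 'denied';
  if (jar.has(names.granted)) return 'granted';
  return 'undecided';
}

// Show the privacy notice only when the visitor has not answered either way.
function shouldShowNotice(cookieString, names = DEFAULT_NAMES) {
  return consentState(cookieString, names) === 'undecided';
}

// Browser usage: if (shouldShowNotice(document.cookie)) { /* render notice */ }
```

Because a visitor who declined gets `'denied'` rather than `'undecided'`, the notice is not shown again on every page load, which is the behaviour the issue asks the documentation to make easy.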