matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

Deprecate Do-Not-Track Support #20011

Closed sgiehl closed 1 year ago

sgiehl commented 2 years ago

Summary

Matomo currently supports the Do-Not-Track header that was introduced by some browsers years ago. The option to exclude visitors sending this header is even enabled by default.

In 2019 the W3C closed the group that was working on the DNT standard, and thus it is meanwhile deprecated.

Safari removed support for DNT for privacy reasons shortly after that, in version 12.1.

In matters of GDPR, the DNT header also does not need to be respected.

We should therefore no longer enable the DNT option by default in Matomo and add useful information explaining why this feature is now deprecated and might be removed in an upcoming major release if more browsers drop support.

tsteur commented 1 year ago

Do we already have an issue to remove the DNT feature in Matomo 6?

Findus23 commented 1 year ago

@tsteur That's https://github.com/matomo-org/matomo/issues/20012, right?

tsteur commented 1 year ago

Awesome, sorry didn't notice it when I searched. I searched for everything but DNT :)

MatomoForumNotifications commented 1 year ago

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/discrepancy-between-backend-database-and-matomo-tracking/52038/17

mpdude commented 1 year ago

> In matters of GDPR, the DNT header also does not need to be respected.

@sgiehl Could you please explain how you come to this conclusion? My data protection officer takes a different stance on this.

sgiehl commented 1 year ago

Actually I can't remember and I can't give any legal advice. But from a logical point of view it doesn't make sense to respect a technology that is abandoned. Safari does not even support it anymore, and some browsers are always sending the DNT header without even giving the user the choice to disable it.

Anyway, at least in Germany there seem to be judgments that say something in terms of DNT: https://cybernews.com/tech/germany-court-bans-linkedin-from-ignoring-browser-do-not-track/

From my understanding I think this might depend on the data you are tracking and how you do it. If you are not tracking personal data at all you should be allowed to track anyone without consent (even when ignoring DNT). If you are tracking personal data you may need consent anyway, and if the user gives consent, DNT imho doesn't need to be respected anymore. But I'm really not deep enough in GDPR to say something reliable.

Maybe @tsteur has more insights on that.

tsteur commented 1 year ago

I don't really have any insights on it but the recent court ruling suggests we still need to support this feature. I believe the majority of browsers also still has this feature. For example the most recent Chrome version still has this feature.