matomo-org / matomo

https://matomo.org/
GNU General Public License v3.0

rememberConsentGiven should not load cookies if requireCookieConsent is set #20944

Open 9joshua opened 1 year ago

9joshua commented 1 year ago

Using requireCookieConsent has no effect if you also require and then allow tracking consent...


If tracking consent is given (regardless of previously requiring cookie consent) cookies are loaded on the browser.

As an example, if you delete your cookies and run this in the browser console you will see cookies reappear in the browser...

_paq.push(['requireCookieConsent']);
_paq.push(['requireConsent']);
_paq.push(['rememberConsentGiven']);

Currently, the only workaround is to require cookie consent immediately after remembering tracking consent...

_paq.push(['rememberConsentGiven']);
_paq.push(['forgetCookieConsentGiven']);

rememberConsentGiven appears to overstep its bounds by ignoring requireCookieConsent. Fixing this would also require changing the behaviour of the Tag Manager when selecting "Require cookie consent" and "Require tracking consent". Currently these options cannot be selected independent of each other because selecting one option automatically hides the other...


Ideally, both options should be selectable and the behaviour of these options should match what is suggested above.

Use case: A user wants to allow a visitor to grant tracking consent only - without cookies.

sgiehl commented 1 year ago

@9joshua You may need to use setConsentGiven instead of rememberConsentGiven. The latter one is meant to store that state, so it automatically assumes cookie consent was given as well. setConsentGiven has an optional parameter, that can be set to false, which will disable assuming cookie consent was given as well.

9joshua commented 1 year ago

Thank you @sgiehl

window._paq.push(['setConsentGiven', 0]); does allow tracking while blocking cookies, but does not persist when the page is reloaded.

Perhaps there should also be a parameter to indicate cookie permission with rememberConsentGiven ?

sgiehl commented 1 year ago

@9joshua The purpose of using rememberConsentGiven is actually to somehow store that consent was given. That only works with cookies, so we automatically assume that cookies are allowed. Can't see any value in having an additional parameter to indicate cookie permission. Calling the method without cookie permission would then actually do the same as setConsentGiven(0), wouldn't it?

heurteph-ei commented 10 months ago

Hi all, if I am not wrong, GDPR makes a difference between tracking cookies (that need consent) and technical cookies, which are needed for the website to work. In my opinion, the cookie that stores consents (on tracking, on tracking using cookies etc.) does not need consent (but the user must be informed of the use of technical cookies). @Chardonneaur, Ô GDPR master, what do you think?

9joshua commented 9 months ago

The problem with _paq.push(['setConsentGiven', 0]); is that this is not remembered. The next time the page loads nothing will be tracked unless it is called again. This doesn't work well with some consent managers where there is a one-off consent event.

For example:

  1. Visitor grants tracking but not cookie consent via the consent manager
  2. _paq.push(['setConsentGiven', 0]); and tracking works as expected on the current page
  3. The visitor moves to the next page and tracking is blocked or they have to give consent on every page

It should be possible to set a cookie that instructs Matomo to allow tracking but not cookies. This cookie would not hold personal information.
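The replay a consent manager would need for the three-step flow above, as an added example that is not code from the Matomo project or from anyone in this thread: since Matomo does not persist `setConsentGiven(0)`, the consent manager re-issues it from its own stored record on every page load. `buildConsentCommands`, `applyStoredConsent` and the `{tracking, cookies}` record are assumed names, and how (and whether lawfully) the consent manager stores that record is left to it.

```javascript
// Added example, not Matomo project code. Turns the consent manager's own
// stored decision into the _paq commands Matomo needs on each page load.
// Method names are the Matomo JS tracker's; the record shape is assumed.

/**
 * Build the _paq commands for one page load from a stored consent record.
 * @param {{tracking: boolean, cookies: boolean}|null} state  consent-manager record (null = no decision yet)
 * @returns {Array<Array>} commands in the order they must be pushed
 */
function buildConsentCommands(state) {
  // Hold back both tracking requests and cookies until the decision is applied.
  const cmds = [['requireConsent'], ['requireCookieConsent']];

  if (state === null) {
    // No decision yet: leave the tracker waiting for consent.
  } else if (!state.tracking) {
    // Consent declined or withdrawn: clear any consent Matomo remembered earlier.
    cmds.push(['forgetConsentGiven']);
  } else if (state.cookies) {
    // Tracking and cookies allowed: Matomo may persist this in its own cookie.
    cmds.push(['rememberConsentGiven']);
  } else {
    // Tracking only: the second argument 0 stops Matomo from assuming cookie
    // consent. Matomo does not remember this, hence the replay on every load.
    cmds.push(['setConsentGiven', 0]);
  }
  cmds.push(['trackPageView']);
  return cmds;
}

/** Push the commands onto a tracker queue (defaults to window._paq in a browser). */
function applyStoredConsent(state, paq) {
  const queue = paq || (window._paq = window._paq || []);
  for (const cmd of buildConsentCommands(state)) queue.push(cmd);
  return queue;
}
```

The consent manager calls `applyStoredConsent(record)` before the Matomo tracker script is loaded, so the queue is processed in this order.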

michalkleiner commented 9 months ago

Should it be a cookie? Can we use local storage perhaps, would it have any benefits over cookies? When I decline cookies I would expect no cookies to be set, even the ones to remember I declined cookies.

sgiehl commented 9 months ago

We can't use local storage as this might not work on all browsers. In legal terms I would also doubt that there is a big difference between using local storage and cookies. Otherwise no one would use cookies anymore and store whatever is needed in local storage without asking for consent at all...