Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GDPR - The data subject right to restriction of processing / The right to withdraw consent #12598

Closed
mattab opened this issue Mar 6, 2018 · 4 comments
Closed

GDPR - The data subject right to restriction of processing / The right to withdraw consent #12598

mattab opened this issue Mar 6, 2018 · 4 comments
Labels
c: Privacy For issues that impact or improve the privacy.

Comments

@mattab
Copy link
Member

mattab commented Mar 6, 2018

Right to restrict processing, at a glance (source / learn more)

  • Individuals have a right to ‘block’ or suppress processing of personal data.
  • When processing is restricted, you are permitted to store the personal data, but not further process it.
  • You can retain just enough information about the individual to ensure that the restriction is respected in future.

Right to object, at a glance (source / learn more):

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

We already allow users to opt-out from data collection with the optout iframe.We could have a page for this as well showing the opt out iframe html again etc and explain that Matomo users should embed this into their page.

We could also make sure that if there is the opt out cookie set, then we don’t send tracking requests at all. I think currently they are ignored server side maybe.
@mattab mattab added the c: Privacy For issues that impact or improve the privacy. label Mar 6, 2018
@mattab mattab mentioned this issue Mar 6, 2018
Closed
@tsteur tsteur mentioned this issue Mar 12, 2018
Merged
@mattab
Copy link
Member Author

mattab commented Mar 27, 2018

We could also make sure that if there is the opt out cookie set, then we don’t send tracking requests at all. I think currently they are ignored server side maybe.

Unfortunately because the opt-out cookie is third party, it is not really possible to read it in JS and therefore not send the tracking requests... I'm not sure how we could handle this problem.

@tsteur
Copy link
Member

tsteur commented Mar 27, 2018

There could be couple of things but didn't think too much about it...

  1. If the site that embeds the opt out iframe also embeds the JS tracker, then they could potentially communicate with each other eg using messages or by listening to URL changes on the iframe. This would not be supported in older browsers though and might depend on the security policy set for the website... https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
  2. We could also offer eventually users an upgrade to the opt-out iframe and rather give them some HTML to copy/paste to not having to use an iframe and it would let Matomo users allow the advantage that they wouldn't be opt out on all websites that Matomo hosts but only an individual website
  3. Also directly in piwik.php we should directly check for an opt out cookie and if present stop the request as early as possible to make sure this is respected to avoid problems like there were with QueuedTracking etc and to make sure no data is being processed.

There are also tools like https://github.com/contently/xdomain-cookies but they insert eg an iframe into the page to read cookies cross domain in which a request would be sent again which defeats the purpose...

@mattab
Copy link
Member Author

mattab commented Mar 27, 2018

Interesting!

  1. if i understand correctly, this would be useful for opting out users for the website domain where the opt-out was included, and help not send tracking requests for those.
  2. it would be nice to have as an option the optional ability to have an opt-out on a specific id sites. because it's very valuable to have one opt-out to opt-out of all domains, it should be the default IMO (it's important GDPR compliance & right to withdraw consent to keep it simple and not have like 10 different opt-out). Not sure how do-able it would be to combine both... maybe instead we need the better consent asking tool which could solve any opt-out issue.
  3. 👍

@mattab mattab mentioned this issue Apr 24, 2018
Closed
@mattab
Copy link
Member Author

mattab commented Apr 24, 2018

As we offer opt-out and it is working already, I'm closing this ticket. The subsequent improvement we'll make to opt-out is covered in #12767

@mattab mattab closed this as completed Apr 24, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
c: Privacy For issues that impact or improve the privacy.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tsteur @mattab