@mattab opened this Issue on March 6th 2018 Member

Right to restrict processing, at a glance (source / learn more)

  • Individuals have a right to ‘block’ or suppress processing of personal data.
  • When processing is restricted, you are permitted to store the personal data, but not further process it.
  • You can retain just enough information about the individual to ensure that the restriction is respected in future.

Right to object, at a glance (source / learn more):

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

We already allow users to opt-out from data collection with the optout iframe. We could have a page for this as well showing the opt out iframe html again etc and explain that Matomo users should embed this into their page.

We could also make sure that if there is the opt out cookie set, then we don’t send tracking requests at all. I think currently they are ignored server side maybe.

@mattab commented on March 27th 2018 Member

We could also make sure that if there is the opt out cookie set, then we don’t send tracking requests at all. I think currently they are ignored server side maybe.

Unfortunately because the opt-out cookie is third party, it is not really possible to read it in JS and therefore not send the tracking requests... I'm not sure how we could handle this problem.

@tsteur commented on March 27th 2018 Member

There could be a couple of things, but I didn't think too much about it...

1) If the site that embeds the opt out iframe also embeds the JS tracker, then they could potentially communicate with each other, e.g. using messages or by listening to URL changes on the iframe. This would not be supported in older browsers though and might depend on the security policy set for the website... https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
2) We could also eventually offer users an upgrade to the opt-out iframe and instead give them some HTML to copy/paste so they don't have to use an iframe, and it would give Matomo users the advantage that they wouldn't be opted out on all websites that Matomo hosts but only on an individual website
3) Also, directly in piwik.php we should check for an opt out cookie and if present stop the request as early as possible to make sure this is respected, to avoid problems like there were with QueuedTracking etc and to make sure no data is being processed.

There are also tools like https://github.com/contently/xdomain-cookies but they insert e.g. an iframe into the page to read cookies cross domain, in which case a request would be sent again, which defeats the purpose...
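
Option 1 in the comment above (the opt-out iframe reporting its state to the embedding page via postMessage), as an added example that is not part of the original thread or Matomo's code. The message format, the origin `https://analytics.example`, the `iframe#optout` selector and all function names are assumptions; the example checks the sender's origin and holds tracking until the iframe has reported a state.

```javascript
// Added example: names and message format are hypothetical, not Matomo's API.
const ANALYTICS_ORIGIN = 'https://analytics.example'; // assumed origin serving the opt-out iframe

function createOptOutGate(trustedOrigin, expectedSource) {
  // Design choice of this example: fail closed. Until the iframe has
  // reported a state, no tracking request is sent.
  let state = 'unknown';

  function onMessage(event) {
    // Any window can postMessage to this page, so accept only the analytics origin.
    if (event.origin !== trustedOrigin) return false;
    // When the iframe's window is known, also require the message to come from it.
    if (expectedSource && event.source !== expectedSource) return false;
    const data = event.data;
    // Strict shape check: ignore anything that is not the expected message.
    if (!data || typeof data !== 'object' || data.type !== 'optOutState') return false;
    if (typeof data.optedOut !== 'boolean') return false;
    state = data.optedOut ? 'optedOut' : 'tracking';
    return true;
  }

  // Wraps the real sender so an opted-out visitor never causes a request.
  function track(send, payload) {
    if (state !== 'tracking') return false;
    send(payload);
    return true;
  }

  return { onMessage, track, state: () => state };
}

// Browser wiring; skipped when run outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.querySelector('iframe#optout'); // assumed element id
  const gate = createOptOutGate(ANALYTICS_ORIGIN, frame && frame.contentWindow);
  window.addEventListener('message', gate.onMessage);
}
```

The iframe side would call `parent.postMessage` with the embedding site's origin as the target origin rather than `*`, so the opt-out state is not disclosed to arbitrary embedders.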

@mattab commented on March 27th 2018 Member


  1. If I understand correctly, this would be useful for opting out users for the website domain where the opt-out was included, and help not send tracking requests for those.
  2. It would be nice to have as an option the ability to have an opt-out on specific id sites. Because it's very valuable to have one opt-out to opt-out of all domains, it should be the default IMO (it's important for GDPR compliance & right to withdraw consent to keep it simple and not have like 10 different opt-outs). Not sure how doable it would be to combine both... maybe instead we need the better consent asking tool which could solve any opt-out issue.
  3. :+1:

@mattab commented on April 24th 2018 Member

As we offer opt-out and it is working already, I'm closing this ticket. The subsequent improvement we'll make to opt-out is covered in https://github.com/matomo-org/matomo/issues/12767

This Issue was closed on April 24th 2018