@mattab opened this Issue on April 24th 2018 Member

Currently, when a user opts out of tracking, the requests will be ignored by the Tracking API, but the requests are still sent anyway. For better privacy, we should try not to send the requests at all after a user has opted out.

This was discussed in https://github.com/matomo-org/matomo/issues/12598#issuecomment-376413660:

Unfortunately because the opt-out cookie is third party, it is not really possible to read it in JS and therefore not send the tracking requests... I'm not sure how we could handle this problem.

There could be a couple of things, but I didn't think too much about it...

  • If the site that embeds the opt-out iframe also embeds the JS tracker, then they could potentially communicate with each other, e.g. using messages or by listening to URL changes on the iframe. This would not be supported in older browsers though and might depend on the security policy set for the website... https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
  • We could also eventually offer users an upgrade to the opt-out iframe and rather give them some HTML to copy/paste so they don't have to use an iframe, and it would let Matomo users allow the advantage that they wouldn't be opt out on all websites that Matomo hosts but only an individual website
  • Also, directly in piwik.php we should directly check for an opt-out cookie and, if present, stop the request as early as possible to make sure this is respected, to avoid problems like there were with QueuedTracking etc., and to make sure no data is being processed.

There are also tools like https://github.com/contently/xdomain-cookies, but they insert e.g. an iframe into the page to read cookies cross-domain, in which a request would be sent again, which defeats the purpose...

Note:

it would let Matomo users allow the advantage that they wouldn't be opt out on all websites that Matomo hosts but only an individual website

It is also a big strength that we do opt-out across all websites on the Matomo instance at once, so it would be great to keep this functionality.

refs #12600
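
The postMessage idea from the first bullet above, as an added example that is not part of the original issue or Matomo's code: the opt-out iframe reports its state to the embedding page, which validates the sender before trusting it and holds every tracking request until the state is known. The origin, cookie name, message shape, element id and function names are all assumptions for illustration.

```javascript
// Added example: names, message shape and origins are assumptions, not Matomo's API.
const MATOMO_ORIGIN = 'https://matomo.example.org'; // constructed: origin serving the opt-out iframe
const OPTOUT_COOKIE = 'optout_example';             // placeholder cookie name

// Iframe side: derive the state from the iframe's own cookie string.
// In the iframe: parent.postMessage(buildStateMessage(document.cookie), embeddingSiteOrigin)
function buildStateMessage(cookieString) {
  const optedOut = cookieString.split(';')
    .some((c) => c.trim().split('=')[0] === OPTOUT_COOKIE);
  return { type: 'optout-state', optedOut };
}

// Embedding page side: gate every tracking request on the reported state.
function createOptOutGate(trustedOrigin, iframeWindow, send) {
  let optedOut = null; // null = unknown: queue instead of sending (fail closed)
  const pending = [];

  function onMessage(event) {
    // Only the opt-out iframe may change the state: check origin and source window.
    if (event.origin !== trustedOrigin || event.source !== iframeWindow) return false;
    const d = event.data;
    if (!d || d.type !== 'optout-state' || typeof d.optedOut !== 'boolean') return false;
    optedOut = d.optedOut;
    if (optedOut) {
      pending.length = 0; // discard held requests, nothing leaves the browser
    } else {
      while (pending.length) send(pending.shift()); // flush held requests
    }
    return true;
  }

  function track(url) {
    if (optedOut === true) return 'dropped';
    if (optedOut === null) { pending.push(url); return 'queued'; }
    send(url);
    return 'sent';
  }

  return { onMessage, track };
}

// Browser wiring (skipped outside a browser):
if (typeof window !== 'undefined') {
  const frame = document.querySelector('iframe#optout'); // hypothetical element id
  const gate = createOptOutGate(MATOMO_ORIGIN, frame && frame.contentWindow,
    (url) => navigator.sendBeacon(url));
  window.addEventListener('message', gate.onMessage);
}
```

Without the origin and source checks, any other frame or script on the page could post a forged state message and switch tracking back on for an opted-out visitor.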

@mattab commented on June 28th 2018 Member

Fixing this issue would also solve a problematic behavior currently in Matomo:

  • If replaying tracking requests using standard web server logs, these don't include third party cookies by default. Therefore any opted-out requests would lose their 3rd party cookie in the log, and the lines would be replayed as if they were not opted-out. See this FAQ for when this could be an issue: https://piwik.org/faq/log-analytics-tool/faq_19221/