@mattab opened this Issue on May 7th 2018 Member

Current behavior

When a user has given their consent, and if the user has already opted-out (via our opt-out iframe), then the requests that were consented are currently not tracked (because of opt-out).

EDIT: We will keep this behavior but we want to make it clear which requests were consented. Then someone could write a plugin or we could add a setting, to change and ignore the opt-out when consent is given (we'll keep it privacy by default in core).

Maybe a solution for this is to

  1. add a &consent=1 to all Tracking API requests that were consented.
  2. Then when checking if user is opted-out, also check that &consent=1 was not set.

(refs https://github.com/matomo-org/matomo/issues/12600 https://github.com/matomo-org/matomo/issues/12767 https://github.com/matomo-org/matomo/issues/12599)

@tsteur commented on May 7th 2018 Member

This only makes sense, though, when Matomo users are aware that they should not embed the opt-out iframe when using the consent feature. If the Matomo user / website owner is not aware that they are mutually exclusive, then an opted-out user would not expect to be tracked.

The safe solution that respects the privacy of users more would be to never track when the user has opted out. (This is the current implementation).

@sgiehl commented on June 25th 2018 Member

So should that be changed or not? Or should we make that configurable maybe?

@mattab commented on June 25th 2018 Member

I think we at least need to know when a request was consented (e.g. add &consent=1); this would be useful to prove that the request had indeed consent enabled.

Regarding whether to track users who have given consent + User opted-out earlier. I'd be fine keeping current behavior as this should be a rare case and therefore not very important either way.

@mattab commented on June 25th 2018 Member

> Or should we make that configurable maybe?

Possibly, can you think of a practical way to make it customisable?

@mattab commented on June 28th 2018 Member

edited the title and description:

We will keep this behavior but we want to make it clear which requests were consented. Then someone could write a plugin or we could add a setting, to change and ignore the opt-out when consent is given (we'll keep it privacy by default in core).
