Hi Matomo team,
According to https://matomo.org/faq/general/faq_21418/ we have a feature to enable the fingerprinting across several websites. However we don't have one in order to disable it.
That's a concern in terms of privacy.
Hi. I raised this issue.
Our website takes a fingerprint of your system’s setup, to imperfectly distinguish between visitors to our site.
My lawyer sent me this page to look at: The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers.
I know that Matomo is serious about privacy. Lacking any way to disable the fingerprinting, I've decided to forgo it for tracking hits to my website (but I am planning to use it to track analytics for my games, as I feel that Unity Analytics processes way too much information.)
Thank you for considering this issue.
We're wondering whether fingerprinting in Matomo could be considered personal data... Knowing that our fingerprint is quite imprecise and sometimes recognises multiple people as one: https://github.com/matomo-org/matomo/issues/13528
You’ll struggle to find fingerprinting explicitly mentioned in the GDPR—but that’s because the EU has learned from earlier data protection laws and the current ePrivacy Directive to remain technologically neutral.
Apart from non-binding recitals (like Recital 30, discussing cookies), the GDPR avoids calling out specific technologies or giving exhaustive lists and examples. Instead, it provides general rules that the drafters felt should be neutral, flexible, and keep up with technological development beyond fingerprinting and cookies.
Thus, when several information elements are combined (especially unique identifiers such as your set of system fonts) across websites (e.g. for the purposes of behavioral advertising), fingerprinting constitutes the processing of personal data and must comply with GDPR.
In Matomo by default we seed the fingerprint with a different seed across websites, so that a same user will have a different fingerprint when they're tracked in multiple websites in the same Matomo. The visitor will also have a different fingerprint in different Matomo instances. So no "cross websites tracking" is possible (unless the
enable_fingerprinting_across_websites flag is activated on purpose - which we don't even document publicly).
it will be interesting to review the ePrivacy regulation draft to check on the current status of fingerprinting: https://github.com/matomo-org/matomo/issues/15425
I think what would help is eg to randomly generate a visitor ID in the client that is valid for only max 30 minutes (visit duration) and on every page view or event the ID is extended for another 30 minutes. There will still be a cookie but only for 30 minutes, and it won't be possible to identify a visitor since it would change on every new visit.
You won’t get unique visitors data (or new vs returning data) etc but many wouldn’t even need it. Many segments and most reports would still be meaningful. I reckon that could be a start?