@dennisbaaten opened this Issue on May 19th 2019

Currently Matomo places cookies in the visitor's browser, but the server running Matomo can be configured to ignore these cookies when DNT is enabled in the visitor's browser. I'm having doubts about whether this is actually legally permitted from a GDPR perspective.

According to my interpretations of the GDPR, storing a tracking cookie requires a visitor's prior consent. This provides visitors actual control over their own privacy. A statement like: "we place cookies, our server receives them, but we don't use them" is in my opinion not strong enough in this context. This is beyond a visitor's span of control. I think it would be good if Matomo had a config setting for disabling the actual placing of cookies when DNT is detected.

A legally correct workaround would be to have a cookie consent button on the website, but that is actually what I'm trying to prevent.

@tsteur commented on May 20th 2019 Member

Using the JS tracker you can

1) disable cookies which also deletes cookies
2) require consent which also deletes cookies etc

See https://developer.matomo.org/api-reference/tracking-javascript and e.g. in Admin => Privacy => Consent page.

You should be able to implement any behaviour you want with it. E.g. disable cookies when DNT is enabled.

Not sure if anything else needs to be done here? Should be all possible.

This Issue was closed on May 20th 2019
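
The behaviour suggested in the reply above (disable cookies when DNT is enabled), as an added example that is not part of the original thread and not Matomo's own code. It uses the JS tracker's `disableCookies` and `trackPageView` calls on the `_paq` queue; the helper names `isDoNotTrackEnabled` and `configureTracker` are hypothetical, and the set of DNT properties checked is an assumption about which browsers need covering.

```javascript
// Added example (not Matomo's code). Helper names are hypothetical.

// Returns true when any known Do Not Track signal is switched on.
// navigator.doNotTrack is the standard location; window.doNotTrack and
// navigator.msDoNotTrack are legacy locations used by older browsers.
// "unspecified", "0", null and undefined all count as "no preference".
function isDoNotTrackEnabled(nav, win) {
  const signals = [
    nav && nav.doNotTrack,
    nav && nav.msDoNotTrack,
    win && win.doNotTrack,
  ];
  return signals.some((value) => value === '1' || value === 'yes');
}

// Queues the tracker commands. disableCookies has to be queued before
// trackPageView, otherwise the first tracking request has already run
// with cookies enabled by the time the setting takes effect.
function configureTracker(paq, nav, win) {
  if (isDoNotTrackEnabled(nav, win)) {
    paq.push(['disableCookies']);
  }
  paq.push(['trackPageView']);
  return paq;
}

// Browser wiring: only runs where window and navigator exist.
if (typeof window !== 'undefined' && typeof navigator !== 'undefined') {
  window._paq = window._paq || [];
  configureTracker(window._paq, navigator, window);
}
```

To confirm the result in a browser with DNT switched on, load the page with a clean profile and check that no `_pk_id` or `_pk_ses` cookies appear for the site.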