@mattab opened this Issue on January 10th 2020 Member

Question from user:

As our website is purely informative and when we gather people's data in some website forms, we ask for consent, the rest is purely informative. Therefore, If we choose Matomo but still want to accomplish with GDPR regulation do we need to show any informative popup box to the people that simply navigate in our website? I'm thinking to insert a privacy policy popup in a corner available for people to click to be enough.

Our existing pages should answer this information, for example: https://matomo.org/blog/2018/04/how-to-make-matomo-gdpr-compliant-in-12-steps/

However our recommendations may not be still accurate. As discussed internally (cc @tsteur ) something that page misses, or maybe needs to be mentioned is that it has become quite clear that if they use cookies, they have to tell people that in some popup and ask if it’s ok… So we may need users to inform re cookies and if they say no, then use Matomo with cookies disabled, otherwise we can track in Matomo with cookies enabled if they agree.

Resources:

So maybe people may be required to at least show the annoying cookie banner/popup?

Note: another point to think about is that, our server-side fingerprint may also count as personal data like cookies do, and require a banner to explain this as well?

@tassoman commented on January 13th 2020 Contributor

As far I can remember european GDPR needs visitor aknowledgement before any action on the website, including setting cookies or personalized content provisioning.

So if the user continue navigating without consent should be a "no" :x: if they accept the policy cookie can be set :o: . So in my opinion, without consent fingerprinting shouldn't be done.

https://gdpr.eu/eu-gdpr-personal-data/

Any information that can lead to either the direct or indirect identification of an individual will likely be considered personal data under the GDPR.

@mattab commented on January 20th 2020 Member

When tracking Heatmaps and Session recordings without tracking any personal data, do users also are required to ask for consent? cc @tsteur

@tsteur commented on January 20th 2020 Member

You will for sure need to ask for consent when you use userId or orderId, feature or if you don't anonymize IP as much as possible. Also very very likely when you have a login on your website, if you have an ecommerce store. Potentially also if you have forms on your website (might depend what happens when false data is submitted eg will any private data be shown in the DOM etc). I would argue that you'd also want to anonymise the referrer (eg only record domain), and you of course also want to make sure to never have any personal data in urls or title etc. There might be many more reasons you need to ask consent for.

Powered by GitHub Issue Mirror