If we choose Matomo but still want to accomplish GDPR compliance, do we need to show any informative popup box to the people that simply navigate in our website? #15369

Open
mattab opened this issue Jan 10, 2020 · 3 comments
Labels
c: Privacy For issues that impact or improve the privacy. RFC Indicates the issue is a request for comments where the author is looking for feedback.

Comments

@mattab
Member

mattab commented Jan 10, 2020

Question from user:

As our website is purely informative and when we gather people's data in some website forms, we ask for consent, the rest is purely informative. Therefore, if we choose Matomo but still want to accomplish with GDPR regulation, do we need to show any informative popup box to the people that simply navigate in our website? I'm thinking to insert a privacy policy popup in a corner available for people to click to be enough.

Our existing pages should answer this information, for example: https://matomo.org/blog/2018/04/how-to-make-matomo-gdpr-compliant-in-12-steps/

However, our recommendations may not still be accurate. As discussed internally (cc @tsteur), something that page misses, or maybe needs to be mentioned, is that it has become quite clear that if they use cookies, they have to tell people that in some popup and ask if it's ok… So we may need users to inform re cookies and if they say no, then use Matomo with cookies disabled, otherwise we can track in Matomo with cookies enabled if they agree.

Resources:

So maybe people may be required to at least show the annoying cookie banner/popup?

Note: another point to think about is that, our server-side fingerprint may also count as personal data like cookies do, and require a banner to explain this as well?

@mattab mattab added c: Privacy For issues that impact or improve the privacy. RFC Indicates the issue is a request for comments where the author is looking for feedback. labels Jan 10, 2020
@mattab mattab changed the title If we choose Matomo but still want to accomplish with GDPR regulation do we need to show any informative popup box to the people that simply navigate in our website? If we choose Matomo but still want to accomplish GDPR compliance, do we need to show any informative popup box to the people that simply navigate in our website? Jan 10, 2020
@tassoman
Contributor

As far as I can remember, European GDPR needs visitor acknowledgement before any action on the website, including setting cookies or personalized content provisioning.

So if the user continues navigating without consent, it should be a "no" ❌; if they accept the policy, the cookie can be set ⭕. So in my opinion, without consent fingerprinting shouldn't be done.

https://gdpr.eu/eu-gdpr-personal-data/

Any information that can lead to either the direct or indirect identification of an individual will likely be considered personal data under the GDPR.

@mattab
Member Author

mattab commented Jan 20, 2020

When tracking Heatmaps and Session recordings without tracking any personal data, are users also required to ask for consent? cc @tsteur

@tsteur
Member

tsteur commented Jan 20, 2020

You will for sure need to ask for consent when you use the userId or orderId feature, or if you don't anonymize IP as much as possible. Also very, very likely when you have a login on your website, or if you have an ecommerce store. Potentially also if you have forms on your website (might depend on what happens when false data is submitted, e.g. will any private data be shown in the DOM etc). I would argue that you'd also want to anonymise the referrer (e.g. only record domain), and you of course also want to make sure to never have any personal data in URLs or title etc. There might be many more reasons you need to ask consent for.
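
An added example (not part of the thread and not Matomo project code) of the two measures discussed above: tracking with cookies disabled when the visitor has not agreed, and recording only the referrer's domain while keeping personal data out of the tracked URL. `SENSITIVE_PARAMS`, `anonymiseReferrer`, `scrubUrl` and `buildTrackerCommands` are hypothetical names and the parameter list is an assumption; `disableCookies`, `setCustomUrl`, `setReferrerUrl` and `trackPageView` are Matomo JavaScript tracker methods.

```javascript
// Assumed list of query parameters that may carry personal data on this site.
const SENSITIVE_PARAMS = new Set(['email', 'token', 'name', 'phone', 'userid']);

// Reduce a referrer to scheme + host so search terms and paths are never recorded.
function anonymiseReferrer(referrer) {
  if (!referrer) return '';
  try {
    const u = new URL(referrer);
    return `${u.protocol}//${u.host}`;
  } catch (e) {
    return ''; // unparsable referrer: record nothing rather than the raw string
  }
}

// Remove the fragment and any sensitive query parameters from the page URL.
// Personal data embedded in the path (e.g. /user/<name>) needs site-specific handling.
function scrubUrl(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  for (const key of [...u.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) u.searchParams.delete(key);
  }
  return u.toString();
}

// Build the ordered tracker commands; disableCookies must precede trackPageView.
function buildTrackerCommands({ cookieConsent, pageUrl, referrer }) {
  const cmds = [];
  if (!cookieConsent) cmds.push(['disableCookies']); // no consent: cookieless tracking
  cmds.push(['setCustomUrl', scrubUrl(pageUrl)]);
  cmds.push(['setReferrerUrl', anonymiseReferrer(referrer)]);
  cmds.push(['trackPageView']);
  return cmds;
}

// Browser usage (constructed): push each command onto Matomo's _paq queue.
// buildTrackerCommands({
//   cookieConsent: visitorAgreed,          // from your own consent banner
//   pageUrl: window.location.href,
//   referrer: document.referrer,
// }).forEach((c) => _paq.push(c));
```

This covers only the cookie, referrer and URL points; userId, orderId, IP anonymisation and page titles are configured separately.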
