@mattab opened this Issue on February 4th 2020 Member

The goal of this issue would be to research and document how to use one or more existing Consent Manager tools with Matomo. Currently we only offer a JavaScript-level solution to help implement asking for consent, but it is only basic and technical. From the users' point of view, it would be great to read one or several user guides explaining how to set up a Consent Manager and ask consent for Matomo data collection.

Why is this important?

In the context of the GDPR privacy regulations, when you are processing personal data, in some cases you will need to ask for your users' consent. To identify whether you need to ask for consent, you need to determine whether your lawful basis for processing personal data is "Consent" or "Legitimate interest", or whether you can avoid collecting personal data altogether.

Consent manager tools

There are quite a few tools out there, for example:

Notes

might also need https://github.com/matomo-org/matomo/issues/13056

@rlankhorst commented on February 6th 2020

For universal compatibility in WordPress, I would recommend integrating with the WP Consent API. https://github.com/rlankhorst/wp-consent-level-api/

This is essentially a framework to standardize communication between plugins that manage consent, and plugins that place cookies/track data/statistics in any way. For more detailed info, please check out the readme on git. I'll briefly explain it below.

It will be released on WordPress as a separate plugin (currently awaiting plugin review), and is expected to get merged into core eventually. Currently Cookiebot and WPMU Dev are actively integrating; we're still talking with other plugins like CAOS, Advanced Ads, etc. Of course, it will really gain traction when it has a lot of installs, but to get there we're actively looking for plugins to help us get there.

The way we have implemented it in Complianz GDPR is that, if we detect a plugin supports it, we fire the "recommended plugin" installer.

In the case of Matomo in combination with Complianz GDPR, it would work as follows:

  • A visitor from the Netherlands visits the website. Complianz GDPR sets the consent level to 'allow' for functional and statistics-anonymous.
  • A visitor from the UK visits the website. Complianz GDPR sets the consent level to 'allow' for functional, as it is not allowed to track visitors anonymously in the UK.
  • A visitor from the US visits the website. Because Complianz GDPR has set the consent type to 'opt-out', all consent levels will return true by default.
  • Let's say the site admin has configured Matomo to anonymously track statistics. Because of this setup, Matomo can check the consent for the category 'statistics-anonymous'. For the Netherlands and the US, this will return true immediately. For the UK it will return false until the user has consented explicitly.

When statistics-anonymous returns true, Matomo can start tracking hits.

If the site admin has configured Matomo not to track anonymously, the consent level that should be checked is 'statistics'.

The consent API has been built to be used both in JavaScript and in PHP. We've added hooks that can be used to fire the JavaScript as soon as consent is given, without page reload. A simple example can be found here: https://wpconsentapi.org/

Using the Consent API is the only way to get WordPress plugins to work together in a reliable way. As it stands, you have to build separate integrations for each consent management plugin (in your case), or in our case, as consent management plugin, build an integration for each data tracking plugin (which is actually what we're doing right now). But even then, we can't prevent plugins from placing PHP cookies, so we can't cover everything 100%. The Consent API

Please let me know if you have any questions about this. Would be great to have you on board!
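The flow described in the comment above (pick 'statistics-anonymous' or 'statistics' from the admin's setting, start tracking only once that category is allowed, and react to a later consent change without a reload), as an added example that is not code from the thread, the WP Consent API or Matomo. It assumes a `wp_has_consent(category)` boolean function, a `wp_listen_for_consent_change` event whose `detail` maps category to 'allow'/'deny', and Matomo's `_paq` tracker queue understanding 'requireConsent', 'setConsentGiven', 'forgetConsentGiven' and 'trackPageView'; the browser page is replaced by a constructed stand-in so the logic runs offline.

```javascript
// Choose the consent category from the admin's "track anonymously" setting.
function matomoConsentCategory(trackAnonymously) {
  return trackAnonymously ? 'statistics-anonymous' : 'statistics';
}

// Wire Matomo tracking to the consent state. `env` is injected (paq, hasConsent,
// addEventListener) so the same logic can run in a browser or in this offline test.
function wireMatomoConsent(env, trackAnonymously) {
  const { paq, hasConsent, addEventListener } = env;
  const category = matomoConsentCategory(trackAnonymously);
  paq.push(['requireConsent']); // assumption: holds tracking requests until consent is known
  paq.push(['trackPageView']);  // queued; only sent once setConsentGiven is pushed

  function apply(granted) {
    paq.push([granted ? 'setConsentGiven' : 'forgetConsentGiven']);
  }
  // NL/US opt-out: true immediately. UK: false until the visitor opts in explicitly.
  apply(hasConsent(category));

  // Hook for a consent change after page load (no reload needed).
  addEventListener('wp_listen_for_consent_change', (e) => {
    if (Object.prototype.hasOwnProperty.call(e.detail, category)) {
      apply(e.detail[category] === 'allow');
    }
  });
  return category;
}

// Constructed stand-in for a browser page; `initialConsent` is what the consent
// manager decided for this visitor, e.g. { functional: 'allow' } for the UK case.
function makeFakePage(initialConsent) {
  const listeners = {};
  const consent = { ...initialConsent };
  return {
    paq: [],
    hasConsent: (cat) => consent[cat] === 'allow',
    addEventListener: (name, fn) => {
      (listeners[name] = listeners[name] || []).push(fn);
    },
    // Simulates the consent banner changing one category later on.
    setConsent: (cat, value) => {
      consent[cat] = value;
      (listeners.wp_listen_for_consent_change || []).forEach((fn) => fn({ detail: { [cat]: value } }));
    },
  };
}
```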

@tsteur commented on February 6th 2020 Member

This is interesting @rlankhorst. Thanks for that. I reckon this could make quite some sense to support it if possible since many compliance tools likely naturally support WordPress maybe. To be looked into though.

Also maybe someone already made that work for us (eg wrote a plugin for Complianz etc) so there might not even be much to do. To be checked though.
