@mattab opened this Issue on May 13th 2020 Member

It would be great to write a short FAQ or dev guide about this and document it, i.e. how to:

  1. enable tracking with cookies disabled
  2. asking for cookie consent
  3. if consent given, activate cookies - requires https://github.com/matomo-org/matomo/issues/13056
@Findus23 commented on May 24th 2020 Member
@Sven74Muc commented on June 18th 2020

#13246 is nearly 2 years old... so I don't see any chance that this gets fixed soon. Shortly they moved it from milestone 4.0 to 4.1
I expect it will be moved later to 4.2, 4.3,...

@tsteur commented on July 2nd 2020 Member

refs https://github.com/matomo-org/matomo/pull/16113 where we add a feature to enable consent

@tsteur commented on July 3rd 2020 Member

Below is some text that describes how it can work with Matomo 3.13.7 and also how we could improve this further if we wanted.

How can I still track a visitor without cookies even if they decline the cookie consent?

You can under circumstances track your visitors using Matomo without needing consent by disabling cookies and not tracking personal data (learn more).

If you don't track any personal data, it means you can track any visitor even if you don't have consent yet and also if the user declines or rejects cookie consent by adding the following line to your tracking code:

_paq.push(['disableCookies']);

As soon as a user gives you cookie consent, execute the following JS tracking code once to initialise the cookies for this visitor:

_paq.push(['enableCookies']);

This ensures the same visitor can be identified as the same visitor in all subsequent visits.

When the user views another page on your website after consent was given, simply no longer disable cookies (_paq.push(['disableCookies']);) as part of your tracking code.

Please note this requires Matomo 3.13.7.

Was thinking of providing an alternative way where you don't need to change the tracking code depending on whether consent was given

From Matomo 3.13.7, requireConsent() will disable cookies as well. This means we don't set any cookie and we don't send any tracking request unless setConsentGiven is called or rememberConsentGiven was called at some point previously (it stores the given consent in a cookie). This is basically how it works for tracking consent. The above-mentioned steps are for cookie consent, but that is a bit complicated as the tracking code needs to change depending on whether consent was given.

I'm thinking of providing a similar mechanism for cookie consent. It means you don't need to add disableCookies to the tracking code depending on whether you got consent for cookies or not, which makes it easier for the user and increases the chances that it will work with more consent managers.

Basically this involves adding 2 methods and a new cookie:

  • _paq.push(['disableCookies']) // this is basically requireConsent. Cookies won't be disabled if consent was remembered
  • _paq.push(['enableCookies']) // this is basically setConsentGiven
  • _paq.push(['rememberCookieConsentGiven']) // new method, will store given cookie consent in a mtm_cookie_consent cookie
  • _paq.push(['forgetCookieConsentGiven']) // new method, will remove the previously given cookie consent

The regular tracking consent cookie is currently called mtm_consent. We'd need to add another mtm_cookie_consent cookie to store whether consent was given.

I see this working better as I'm thinking consent managers might not always let you configure to use different tracking code depending if you have consent or not.

The diff for the tracking code would roughly look like this and explain it better:

diff --git a/js/piwik.js b/js/piwik.js
index 828334f151..5ae72871b4 100644
--- a/js/piwik.js
+++ b/js/piwik.js
@@ -3033,6 +3033,7 @@ if (typeof window.Piwik !== 'object') {

                 // constants
                 CONSENT_COOKIE_NAME = 'mtm_consent',
+                COOKIE_CONSENT_COOKIE_NAME = 'mtm_cookie_consent',
                 CONSENT_REMOVED_COOKIE_NAME = 'mtm_consent_removed',

                 // Current URL and Referrer URL
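
Review bot: COOKIE_CONSENT_COOKIE_NAME, added directly under CONSENT_COOKIE_NAME in the constants block, differs from it only by a leading COOKIE_ and the two are easy to swap by mistake at a call site. They store different consents (tracking consent vs. cookie consent), so consider a name that leads with the distinction, or a one-line comment on each constant saying which consent it holds.
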
@@ -6795,6 +6796,10 @@ if (typeof window.Piwik !== 'object') {
              * Existing cookies will be deleted on the next call to track
              */
             this.disableCookies = function () {
+                if (getCookie(COOKIE_CONSENT_COOKIE_NAME)) {
+                    return;
+                }
+
                 configCookiesDisabled = true;

                 if (configTrackerSiteId) {
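
Review bot: The early return at the top of disableCookies turns the call into a silent no-op whenever mtm_cookie_consent is present, which changes behaviour for any site that calls disableCookies to keep cookies off unconditionally. The doc comment above it still only says that existing cookies are deleted on the next track call. Consider putting the consent-aware behaviour in a separately named method and leaving disableCookies unconditional, or at least documenting the new condition in that comment. The check is also a plain truthiness test on getCookie(...), so any non-empty value in that cookie suppresses the disable; validating that the value looks like the timestamp written by rememberCookieConsentGiven would be tighter.
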
@@ -6806,6 +6811,21 @@ if (typeof window.Piwik !== 'object') {
                 return !configCookiesDisabled;
             };

+            this.forgetCookieConsentGiven = function () {
+                deleteCookie(COOKIE_CONSENT_COOKIE_NAME, configCookiePath, configCookieDomain);
+            };
+
+            this.rememberCookieConsentGiven = function (hoursToExpire) {
+                if (hoursToExpire) {
+                    hoursToExpire = hoursToExpire * 60 * 60 * 1000;
+                } else {
+                    hoursToExpire = 30 * 365 * 24 * 60 * 60 * 1000;
+                }
+                this.enableCookies();
+                var now = new Date().getTime();
+                setCookie(COOKIE_CONSENT_COOKIE_NAME, now, hoursToExpire, configCookiePath, configCookieDomain, configCookieIsSecure);
+            };
+
             /**
              * Enables cookies if they were disabled previously
              */
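
Review bot: forgetCookieConsentGiven only deletes the mtm_cookie_consent cookie and leaves configCookiesDisabled untouched, so on the page where consent is withdrawn the tracker keeps using cookies until a later page load runs disableCookies again. Consider calling this.disableCookies() after the deleteCookise call's counterpart here, that is, right after deleteCookie(...), so that withdrawal takes effect immediately. In rememberCookieConsentGiven the hoursToExpire parameter is reassigned to a millisecond value; a separate local would read more clearly. Both new methods also lack the doc comments that the neighbouring methods have.
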
@@ -7732,6 +7752,7 @@ if (typeof window.Piwik !== 'object') {

                 deleteCookie(CONSENT_COOKIE_NAME, configCookiePath, configCookieDomain);
                 setCookie(CONSENT_REMOVED_COOKIE_NAME, new Date().getTime(), thirtyYears, configCookiePath, configCookieDomain, configCookieIsSecure);
+                this.forgetCookieConsentGiven();
                 this.requireConsent();
             };
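
Review bot: The new this.forgetCookieConsentGiven() call sits before this.requireConsent(), and that order looks load-bearing: if requireConsent() disables cookies through disableCookies(), the early return added there would skip the disable while mtm_cookie_consent still exists. A short comment saying the cookie consent must be cleared first would protect this against reordering. It is also worth documenting that withdrawing tracking consent now withdraws cookie consent as well.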

I could add this but also don't want to add something that may not be really needed or provide too many ways of doing things etc.

The new guide would basically be: for cookie consent, add _paq.push(['disableCookies']); and when the user clicks on the consent button, execute rememberCookieConsentGiven once.

Are there any thoughts? The idea is basically to make it more convenient if people need only cookie consent.

@Findus23 @mattab
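
The flow proposed in the comment above, as an added example that is not part of the original comment and is not Matomo's tracker code: a simplified model in which the same tracking code runs on every page load and the mtm_cookie_consent cookie decides whether disableCookies takes effect. makeTracker, loadPage, simulateVisits, areCookiesEnabled, the Map-based cookie jar and the visitor_id cookie are hypothetical stand-ins.

```javascript
// Simplified model of the proposed flow; not Matomo's tracker code.
// makeTracker, loadPage, simulateVisits and 'visitor_id' are hypothetical.
const COOKIE_CONSENT_COOKIE_NAME = 'mtm_cookie_consent';
const VISITOR_COOKIE = 'visitor_id'; // stand-in for the tracker's visitor cookie

function makeTracker(jar) {
  let cookiesDisabled = false;
  const tracker = {
    disableCookies() {
      // Proposed change: remembered cookie consent overrides disableCookies.
      if (jar.has(COOKIE_CONSENT_COOKIE_NAME)) return;
      cookiesDisabled = true;
    },
    enableCookies() { cookiesDisabled = false; },
    areCookiesEnabled() { return !cookiesDisabled; },
    rememberCookieConsentGiven() {
      tracker.enableCookies();
      jar.set(COOKIE_CONSENT_COOKIE_NAME, String(Date.now()));
    },
    forgetCookieConsentGiven() { jar.delete(COOKIE_CONSENT_COOKIE_NAME); },
    trackPageView() {
      // Existing cookies are deleted on the next track call when disabled.
      if (cookiesDisabled) jar.delete(VISITOR_COOKIE);
      else if (!jar.has(VISITOR_COOKIE)) jar.set(VISITOR_COOKIE, 'constructed-id');
    },
  };
  return tracker;
}

// One page load: a fresh tracker, the same tracking code, a shared cookie jar.
function loadPage(jar, consentAction) {
  const tracker = makeTracker(jar);
  const _paq = [['disableCookies'], ['trackPageView']];
  if (consentAction) _paq.push([consentAction]); // consent button handler
  _paq.forEach(([method]) => tracker[method]());
  return { cookiesEnabled: tracker.areCookiesEnabled(), cookies: [...jar.keys()].sort() };
}

function simulateVisits() {
  const jar = new Map(); // persists across loads like the browser cookie store
  return [
    loadPage(jar),                               // no consent yet
    loadPage(jar, 'rememberCookieConsentGiven'), // user accepts on this page
    loadPage(jar),                               // consent remembered
    loadPage(jar, 'forgetCookieConsentGiven'),   // user withdraws on this page
    loadPage(jar),                               // cookies off again
  ];
}

console.log(simulateVisits());
```

In this model the fourth load still reports cookies enabled after forgetCookieConsentGiven, and the visitor cookie is only removed on the fifth load, when disableCookies runs again without a stored consent.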

@tsteur commented on July 6th 2020 Member

Implemented this new flow in https://github.com/matomo-org/matomo/pull/16178 and adjusted https://github.com/matomo-org/developer-documentation/pull/359/files . It simply makes a lot of sense for both tracking and cookie consent to behave the same

@tsteur commented on July 6th 2020 Member

Wrote FAQ in https://matomo.org/wp-admin/post.php?post=41717&action=edit&lang=en

I guess in general in the future we maybe want to recommend using requireCookieConsent over disableCookies (which always keeps cookies disabled).

We'd probably also want to link from https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-analytics-without-consent-or-cookie-banner/ to the new FAQ

And need to document the new mtm_cookie_consent cookie (done)

Once https://github.com/matomo-org/matomo/pull/16178 is merged I'll adjust the privacy opt out page in Matomo itself as part of Matomo 4 (to avoid merge conflicts) (done in https://github.com/matomo-org/matomo/pull/16188)

@tsteur commented on July 7th 2020 Member

@mattab created FAQ in https://matomo.org/wp-admin/post.php?post=41717&action=edit&lang=en if you want to have a look and then we should be able to close this issue

@mattab commented on July 10th 2020 Member

It simply makes a lot of sense for both tracking and cookie consent to behave the same

Yes, this is much easier this way! it's a great solution and the guide at https://developer.matomo.org/guides/tracking-consent is quite clear.

@tsteur slightly tweaked the FAQ and published at https://matomo.org/faq/new-to-piwik/how-can-i-still-track-a-visitor-without-cookies-even-if-they-decline-the-cookie-consent/

renamed to:

How do I track a visitor without cookies when they have not given consent for tracking cookies?

added a link on: https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-analytics-without-consent-or-cookie-banner/:

To avoid the analytics cookie consent banner, follow the steps in How do I track a visitor without cookies when they do not give consent for tracking cookies?. (alternatively, if you are not planning to ask for cookie consent in the future, you can also disable all analytics cookies for all visitors)

we can close the issue as it seems all done :+1:

This Issue was closed on July 10th 2020