Implement cookie consent #16178
build js
fyi @Findus23
*/ | ||
this.enableCookies = function () { |
the method enableCookies was twice in js/piwik.js because of some merge I suppose.
@@ -7754,6 +7814,7 @@ if (typeof window.Piwik !== 'object') { | |||
|
|||
deleteCookie(CONSENT_COOKIE_NAME, configCookiePath, configCookieDomain); | |||
setCookie(CONSENT_REMOVED_COOKIE_NAME, new Date().getTime(), thirtyYears, configCookiePath, configCookieDomain, configCookieIsSecure); | |||
this.forgetCookieConsentGiven(); |
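Review bot: the this.forgetCookieConsentGiven() call at the end of this hunk has no comment saying why removing the tracking-consent cookie (CONSENT_COOKIE_NAME) must also clear cookie consent, so the two APIs look coupled by accident. Suggest a one-line comment above the call stating that revoking tracking consent means no cookies may be set any longer, and please confirm that the call does not delete the CONSENT_REMOVED_COOKIE_NAME cookie written by the setCookie line just before it.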
So if a user gives cookie consent, but removes tracking consent that means we forget all types of consent?
The interaction between tracking consent and cookie consent is confusing to me. Are users expected to use both always? Or sometimes just tracking consent? They seem like they could be completely separate, but some of the tracking consent methods affect cookie consent. Should they be kept completely separate?
@diosmosis it's either - or. You only use one of them.
If you remove tracking consent, then you indirectly also remove the cookie consent since you basically don't want to be tracked anymore; no cookies should be set anymore.
So people use either cookie consent or tracking consent.
Tracking consent basically includes cookie consent and when removing consent, we're no longer allowed to set cookies. The cookies are then also no longer needed since we no longer track them anyway.
Generally, if you want more accurate data and get exact unique visitors, new/returning visitors etc then you need cookies. Meaning you need to ask for cookie consent. We still track the user in any case. But only when consent is given we track with cookies, otherwise without.
If you're also tracking personal data (full IP, user ID, etc) then you need to ask for tracking consent. If consent is not given, we're not allowed to track at all thus we're also not allowed to set cookies. If consent is given, we can use cookies.
Does this help?
So the two main use cases are "require user to opt in to all tracking (which implies allowing cookies)" and "track user anyway, but require user to opt in to storing cookies for more accurate tracking"?
It might be useful to have documentation for "how to build a consent form" or something eventually.
We have it explained in https://developer.matomo.org/guides/tracking-javascript-guide#asking-for-consent and in Matomo itself in Admin -> Privacy -> Consent. Created a PR for adjusting the docs in https://github.com/matomo-org/developer-documentation/pull/359/files and will also adjust the docs in Matomo directly after the PR is merged.
We'll also be creating a new FAQ as part of #15948. It's mostly interesting for consent managers but also for people who build their own consent popup.
Yes those are the two main use cases @diosmosis
* implement cookie consent * rebuilt piwik.js * fix documentation
refs #15948
Works the same way as tracking consent. However, you need to change Consent to CookieConsent:
_paq.push(['requireConsent']); --> _paq.push(['requireCookieConsent']);
_paq.push(['setConsentGiven']); --> _paq.push(['setCookieConsentGiven']);
_paq.push(['rememberConsentGiven']); --> _paq.push(['rememberCookieConsentGiven']);
_paq.push(['forgetConsentGiven']); --> _paq.push(['forgetCookieConsentGiven']);
Renamed enableCookies for consistency to setCookieConsentGiven. The method was only added last week so that's not an issue. disableCookies still exists and won't change, meaning it will always disable cookies no matter if consent was given or not.
Basically it works the very same way as regular consent, see https://developer.matomo.org/guides/tracking-javascript-guide#asking-for-consent
Eg you add _paq.push(['requireCookieConsent']); to your tracking code and it will keep on tracking but won't set any cookies.
Unless you call either _paq.push(['setCookieConsentGiven']) on every page view or once _paq.push(['rememberCookieConsentGiven']); to store the consent in a cookie.
Once consent was revoked, you can call _paq.push(['forgetCookieConsentGiven']); to remove the existing cookie.
Documentation in https://github.com/matomo-org/developer-documentation/pull/359/files
Failing tests aren't related to this PR
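The two consent modes discussed in this thread, as an added example that is not part of the PR or of Matomo's code: it maps a visitor's decision onto the _paq calls named in the description, for one mode only, and defaults to "no consent" when the decision is unknown. The helper names consentCommands and applyConsent, the decision strings and the persist option are assumptions made for illustration.

```javascript
// Added illustration; consentCommands/applyConsent and their options are hypothetical.
// Only the _paq method names below are taken from the PR description.
const METHODS = {
  // Track anyway, set cookies only after opt-in.
  cookie: {
    require: 'requireCookieConsent',
    give: 'setCookieConsentGiven',
    remember: 'rememberCookieConsentGiven',
    forget: 'forgetCookieConsentGiven',
  },
  // No tracking at all until opt-in (which implies cookies).
  tracking: {
    require: 'requireConsent',
    give: 'setConsentGiven',
    remember: 'rememberConsentGiven',
    forget: 'forgetConsentGiven',
  },
};

// Build the command list for ONE mode; the thread says the two are either-or.
function consentCommands(mode, decision, { persist = false } = {}) {
  if (!Object.prototype.hasOwnProperty.call(METHODS, mode)) {
    throw new Error('unknown consent mode: ' + mode);
  }
  const m = METHODS[mode];
  const cmds = [[m.require]]; // always first, so the default is "no consent"
  if (decision === 'granted') {
    // persist=true stores the consent once; otherwise call on every page view
    cmds.push([persist ? m.remember : m.give]);
  } else if (decision === 'revoked') {
    cmds.push([m.forget]);
  } else if (decision !== 'unknown') {
    throw new Error('unknown decision: ' + decision);
  }
  return cmds;
}

// Push the commands onto a _paq-style queue (a plain array here).
function applyConsent(paq, mode, decision, opts) {
  for (const cmd of consentCommands(mode, decision, opts)) paq.push(cmd);
  return paq;
}

// Constructed demo: visitor accepted cookies and the choice is remembered.
const demoQueue = applyConsent([], 'cookie', 'granted', { persist: true });
console.log(JSON.stringify(demoQueue));
```

On a real page the first argument would be the page's own _paq array, and the commands must be queued before the tracking calls they are meant to govern.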