Implement cookie consent #16178
Implement cookie consent #16178
Conversation
tsteur
added
the
Pull Request WIP
|
build js |
|
fyi @Findus23 |
tsteur
added
Needs Review
| */ | ||
| this.enableCookies = function () { |
There was a problem hiding this comment.
the method enableCookies was twice in js/piwik.js because of some merge I suppose.
| @@ -7754,6 +7814,7 @@ if (typeof window.Piwik !== 'object') { | |||
|
|
|||
| deleteCookie(CONSENT_COOKIE_NAME, configCookiePath, configCookieDomain); | |||
| setCookie(CONSENT_REMOVED_COOKIE_NAME, new Date().getTime(), thirtyYears, configCookiePath, configCookieDomain, configCookieIsSecure); | |||
| this.forgetCookieConsentGiven(); | |||
There was a problem hiding this comment.
So if a user gives cookie consent, but removes tracking consent that means we forget all types of consent?
There was a problem hiding this comment.
The interaction between tracking consent and cookie consent is confusing to me. Are users expected to use both always? Or sometimes just tracking consent? They seem like they could be completely separate, but some of the tracking consent methods affect cookie consent. Should they be kept completely separate?
There was a problem hiding this comment.
@diosmosis it's either - or. You only use one of them.
If you remove tracking consent, then you indirectly also remove the cookie consent since you basically don't want to be tracked anymore no cookies should be set anymore.
So people use either cookie consent or tracking consent.
Tracking consent basically includes cookie consent and when removing consent, we're no longer allowed to set cookies. The cookies are then also no longer needed since we no longer track them anyway.
Generally, if you want more accurate data and get exact unique visitors, new/returning visitors etc then you need cookies. Meaning you need to ask for cookie consent. We still track the user in any case. But only when consent is given we track with cookies, otherwise without.
If you're also tracking personal data (full IP, user ID, etc) then you need to ask for tracking consent. If consent is not given, we're not allowed to track at all thus we're also not allowed to set cookies. If consent is given, we can use cookies.
Does this help?
There was a problem hiding this comment.
So the two main use cases are "require user to opt in to all tracking (which implies allowing cookies)" and "track user anyway, but require user to opt in to storing cookies for more accurate tracking"?
It might be useful to have documentation for "how to build a consent form" or something eventually.
There was a problem hiding this comment.
We have it explained in https://developer.matomo.org/guides/tracking-javascript-guide#asking-for-consent and in Matomo itself in Admin -> Privacy -> Consent. Created a PR for adjusting the docs in https://github.com/matomo-org/developer-documentation/pull/359/files and will also adjust the docs in Matomo directly after the PR is merged.
We'll also be creating a new FAQ as part of #15948 . It's mostly interesting for consent managers but also for people who build their own consent popup.
There was a problem hiding this comment.
Yes those are the two main use cases @diosmosis
* implement cookie consent * rebuilt piwik.js * fix documentation
* implement cookie consent * rebuilt piwik.js * fix documentation
refs #15948
Works the same way as tracking consent. However, you need to change
ConsenttoCookieConsent:_paq.push(['requireConsent']);-->_paq.push(['requireCookieConsent']);_paq.push(['setConsentGiven']);-->_paq.push(['setCookieConsentGiven']);_paq.push(['rememberConsentGiven']);-->_paq.push(['rememberCookieConsentGiven']);_paq.push(['forgetConsentGiven']);-->_paq.push(['forgetCookieConsentGiven']);Renamed
enableCookiesfor consistency tosetCookieConsentGiven. The method was only added last week so that's not an issue.disableCookiesstill exists and won't change meaning it will always disable cookies no matter if consent was given or not.Basically it works the very same way as regular consent see https://developer.matomo.org/guides/tracking-javascript-guide#asking-for-consent
Eg you add
_paq.push(['requireCookieConsent']);to your tracking code and it will keep on tracking but won't set any cookies.Unless you call either
_paq.push(['setCookieConsentGiven'])on every page view or once_paq.push(['rememberCookieConsentGiven']);to store the consent in a cookie.Once consent was revoked, you can call
_paq.push(['forgetCookieConsentGiven']);to remove the existing cookie.documentation in https://github.com/matomo-org/developer-documentation/pull/359/files
Failing tests aren't related to this PR