Can we update the FAQ at https://matomo.org/faq/general/faq_21418/ to mention for example:

- Matomo does not use a fingerprint
- a config_id is basically valid for up to 30 minutes after the visit ends (unless different visit length is configured)
- The config_id always includes a random hash. These randomised "hashes" added to each fingerprint are changed every 24 hours. Meaning the same visitor will have a totally different fingerprint every day and therefore no person or device can be identified across multiple days (unless of course the tracking cookies are enabled). The used hashes for the anonymising are also deleted periodically so there's no way to identify a person over several days. (unless of course the tracking cookies are enabled)
- As a result, no cookie consent is needed for this very limited config_id.
- Mention how the config_id is different when `create_new_visit_after_midnight=0` or when
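The daily-rotating salt described in the request above, as an added illustration that is not part of the original post and is not Matomo's code. The attribute names, the use of HMAC-SHA256, the 16-character truncation and the one-day salt retention are all assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta


class DailySaltStore:
    """One random salt per calendar day; salts older than keep_days are deleted."""

    def __init__(self, keep_days=1):
        self._salts = {}
        self._keep_days = keep_days

    def salt_for(self, day):
        # A missing salt is generated fresh, so a purged day can never be recomputed.
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
        return self._salts[day]

    def purge(self, today):
        cutoff = today - timedelta(days=self._keep_days)
        for day in [d for d in self._salts if d < cutoff]:
            del self._salts[day]


def config_id(store, day, attributes):
    """Keyed hash of the visitor attributes under that day's salt (assumed scheme)."""
    material = "\x1f".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    mac = hmac.new(store.salt_for(day), material.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def demo():
    store = DailySaltStore(keep_days=1)
    # Constructed sample visitor; the attribute names are assumptions.
    visitor = {"ip": "192.0.2.10", "user_agent": "ExampleBrowser/1.0",
               "language": "de", "resolution": "1920x1080"}
    day1 = date(2021, 3, 1)
    day2 = day1 + timedelta(days=1)
    id_day1 = config_id(store, day1, visitor)
    same_day_match = config_id(store, day1, visitor) == id_day1
    next_day_match = config_id(store, day2, visitor) == id_day1
    store.purge(today=day1 + timedelta(days=3))  # day1 and day2 salts are now gone
    reproducible_after_purge = config_id(store, day1, visitor) == id_day1
    return {"same_day_match": same_day_match, "next_day_match": next_day_match,
            "reproducible_after_purge": reproducible_after_purge}


if __name__ == "__main__":
    print(demo())
```

Within one day the identifier is stable, which is what lets requests be grouped into a visit; once the salt is rotated or deleted, the same attributes can no longer be mapped back to an earlier identifier.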
Hello! I have been invited by @mattab to post my thoughts on consent requirements here.
I am afraid that all the great data protection conscious work by Matomo does primarily address GDPR. Under GDPR Matomo is pretty perfect and usage of Matomo without consent should be legal as a legitimate interest – under certain circumstances even if cookies are activated.
But – as most of us will be aware – the much more relevant law is the EU ePrivacy Directive of 2002 (since its 2009 update commonly called "Cookie Directive", officially Directive 2002/58/EC).
ePrivacy refers to all kinds of data – no matter if personal, personally identifiable or non-personal. ePrivacy does not know legal justifications like legitimate interest, fulfillment of a contract or anything like the other justifications under GDPR.
If Art. 5 para. 3 ePrivacy Directive applies, consent is mandatory to proceed.
Art. 5 para. 3 ePrivacy Directive describes one scenario when consent is not required. This is the case if access to the end user's device is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service". This exemption does not cover analytics because no user or visitor "explicitly requests" to analyze his website or app usage.
The relevant publication regarding this matter is Opinion 09/2014 by the Article 29 Working Party on device fingerprinting. The Opinion states under 7.1: "first-party website analytics through device fingerprinting do not fall under the exemption defined in CRITERION A or B and consent of the user is required."
From my point of view the ePrivacy legislation is way too far reaching. GDPR is much more flexible and has a much smarter approach. The Working Party seems to share this opinion (at least in 2014). But at present: It is simply the law.
The issue is less about the details of how long data is stored. It is only about whether access to information inside the end user's device takes place or not.
Dear @mattab, please do not refer to cookies. Cookies are legally irrelevant. Cookies are not mentioned in any law I am aware of. To focus on cookies does not answer the legal questions.
How does JS code gain any information on technical aspects of my device (e.g. screen size) without access to my device? As far as I know most information collected by JS code is not automatically sent to the analytics server. No push of information by my device but a pull by JS code.
I am really happy to learn if I am all wrong.
This topic is becoming more and more important. I have some German data protection officers in my projects now in 2021 who refuse to use Matomo in cookie-less mode without consent.
Their justification refers to the word "fingerprint", so the collection of information from the browser as Dave said.
Can you please describe which exact data is determined by the browser in order to create the fingerprint and why you think that no consent is required?
I think we need more transparency.
@utrautmann: Thanks for picking up the issue. I experience the same as you.
I guess everybody follows on Google's FLoC initiative. But did you see that Google admitted legal challenges by GDPR and most of all ePrivacy for FLoC? https://www.adexchanger.com/platforms/google-will-not-run-floc-origin-tests-in-europe-due-to-gdpr-concerns/
From my point of view it is crucial to understand the difference between GDPR and ePrivacy. GDPR is (almost) no obstacle to web analytics. Under GDPR you can run Matomo as legitimate interest without consent even with cookies active.
The challenge is ePrivacy.
The latest draft for the future ePrivacy Regulation by Portuguese EU presidency presents an option to run statistics without consent. See: https://www.statewatch.org/media/1649/eu-council-e-privacy-presidency-proposal-5008-21.pdf. Or the updated full text at https://data.consilium.europa.eu/doc/document/ST-6087-2021-INIT/en/pdf. Look for Article 6b (1) (e) + (f) and Article 8 (2) (c).
The EDPB has published concerns about the draft ePrivacy Regulation: https://edpb.europa.eu/news/news/2021/european-data-protection-board-46th-plenary-session_de
Most relevant: The law tends to stay theoretical. The real work is done by Mozilla with Firefox or Apple with Safari and most likely by Google with Chrome in future. They control how tracking or analytics takes place in future.
Server-side analytics is no problem. It can't be controlled by the browser. And it is not governed by ePrivacy law. But server-side analytics only provides very low level analytics. And server-side analytics is a trip back to the 90s.
I have to say that I lost the overview a bit both with the new ePrivacy plans and what Google is trying to achieve with their new concepts.
> Server-side analytics is no problem

Really? I always thought server-side analytics make things more difficult in other ways as e.g. there is no straightforward way for people to opt-out.
Also the whole concept of FLoC seems like a really bad idea privacy-wise to me. It solves a few issues, but opens a bag of new ones at the same time. https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea sums up a few important points nicely in my opinion.
If you want to talk more about this I can only invite you to the forum as it is easier for general discussions than GitHub issues. I would also be interested in other people's opinions and ideas.
> I always thought server-side analytics make things more difficult in other ways as e.g. there is no straightforward way for people to opt-out.

Yes. There is no way to opt-out. But opt-out is not 100 percent mandatory. Check Art. 21 (1) GDPR.
> The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

A regular web log should be considered compelling legitimate grounds. The statistics derived from web log data are not personal data. The statistics are anonymous data and GDPR doesn't apply. The web log as raw data needs to be erased after a short period of time. But the statistics can stay.
> I can only invite you to the forum as it is easier for general discussions than GitHub issues

Thanks! I don't feel at home enough to start a new discussion in the forum. As soon as somebody does, I am happy to throw in my 50 cents.
I transferred the discussion to the forum: https://forum.matomo.org/t/does-device-fingerprinting-require-consent/42869
The situation has been clarified as best as possible in the FAQ at https://matomo.org/faq/general/how-is-the-visitor-config_id-processed/ so I'm closing this now.