Can we update the FAQ at https://matomo.org/faq/general/faq_21418/ to mention for example:
The fingerprint always includes a random hash. These randomised "hashes" added to each fingerprint are changed every 24 hours, meaning that the same visitor will have a totally different fingerprint every day and therefore no person or device can be identified across multiple days (unless, of course, tracking cookies are enabled). The hashes used for the anonymising are also deleted periodically, so there is no way to identify a person over several days (unless, of course, tracking cookies are enabled).
For now I added a simple sentence to the FAQ under
How is the visitor fingerprint processed?
- the fingerprint is only valid for a maximum of 24 hours and is then rotated, meaning the same unique visitor will have a different fingerprint the next day. The fingerprint randomly changes and is anonymised every 24 hours.
but maybe this can be improved or clarified a bit (see issue description above)
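The mechanism described in the issue and in the FAQ sentence above (a per-day random salt mixed into the fingerprint hash, with old salts deleted) can be shown in a few lines. The following is an added illustrative example written for this thread, not Matomo's own implementation: it assumes HMAC-SHA256 over a canonicalised attribute set, a 16-hex-character identifier, a constructed visitor record, and a two-day salt retention window, all of which are choices made here rather than facts about Matomo.

```python
"""Daily-rotating salted visitor fingerprint (illustrative example, not Matomo's code)."""
from __future__ import annotations

import datetime
import hashlib
import hmac
import secrets


class RotatingSaltStore:
    """One random salt per calendar day; salts older than the retention window are deleted.

    retention_days is an assumption of this example, not a Matomo setting.
    """

    def __init__(self, retention_days: int = 2) -> None:
        self.retention_days = retention_days
        self._salts: dict[datetime.date, bytes] = {}

    def salt_for(self, day: datetime.date) -> bytes:
        # Lazily create the salt for a day from a CSPRNG; it is never derived
        # from visitor data, so it cannot be recomputed once deleted.
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
        self._purge(day)
        return self._salts[day]

    def _purge(self, today: datetime.date) -> None:
        cutoff = today - datetime.timedelta(days=self.retention_days)
        for old in [d for d in self._salts if d < cutoff]:
            del self._salts[old]

    def has_salt(self, day: datetime.date) -> bool:
        return day in self._salts


def canonicalize(attrs: dict[str, str]) -> bytes:
    # Sorted keys so attribute order cannot change the fingerprint; the unit
    # separator (0x1f) keeps key/value pairs unambiguous when joined.
    return "\x1f".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()


def fingerprint(attrs: dict[str, str], day: datetime.date, store: RotatingSaltStore) -> str:
    # Keyed hash: without the day's salt the attributes alone do not yield the fingerprint.
    digest = hmac.new(store.salt_for(day), canonicalize(attrs), hashlib.sha256).hexdigest()
    return digest[:16]  # 64-bit identifier, enough to link requests within one day


def demo() -> dict[str, bool]:
    """Shows same-day stability, cross-day unlinkability and salt deletion."""
    store = RotatingSaltStore(retention_days=2)
    # Constructed sample visitor attributes (not real data).
    visitor = {
        "ip": "203.0.113.7",
        "ua": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
        "res": "1920x1080",
        "plugins": "pdf",
    }
    day1 = datetime.date(2020, 1, 1)
    day2 = day1 + datetime.timedelta(days=1)
    day4 = day1 + datetime.timedelta(days=3)

    fp_a = fingerprint(visitor, day1, store)
    fp_b = fingerprint(dict(reversed(list(visitor.items()))), day1, store)  # same attrs, other order
    fp_next = fingerprint(visitor, day2, store)
    fingerprint(visitor, day4, store)  # advancing the clock purges the day-1 and day-2 salts

    return {
        "same_day_match": fp_a == fp_b,
        "cross_day_match": fp_a == fp_next,
        "day1_salt_retained": store.has_salt(day1),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the FAQ wording: linkability across days fails for two independent reasons, the salt changes every day, and the old salt is deleted, so even an operator who keeps the raw attributes cannot recompute yesterday's identifier. Note that this says nothing about the legal question raised later in the thread, which turns on whether device information is read at all, not on how it is hashed.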
Hello! I have been invited by @mattab to post my thoughts on consent requirements here.
I am afraid that all the great data protection conscious work by Matomo primarily addresses GDPR. Under GDPR Matomo is pretty perfect, and usage of Matomo without consent should be legal as a legitimate interest, under certain circumstances even if cookies are activated.
But, as most of us will be aware, the much more relevant law is the EU ePrivacy Directive of 2002 (since its 2009 update commonly called the "Cookie Directive", officially Directive 2002/58/EC).
ePrivacy refers to all kinds of data, no matter whether personal, personally identifiable or non-personal. ePrivacy does not know legal justifications like legitimate interest, fulfilment of a contract or any of the other justifications under GDPR.
If Art. 5 para. 3 of the ePrivacy Directive applies, consent is mandatory to proceed.
Art. 5 para. 3 of the ePrivacy Directive describes one scenario in which consent is not required. This is the case if access to the end user's device is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service". This exemption does not cover analytics because no user or visitor "explicitly requests" that their website or app usage be analysed.
The relevant publication regarding this matter is Opinion 09/2014 by the Article 29 Working Party on device fingerprinting. The Opinion states under 7.1: "first-party website analytics through device fingerprinting do not fall under the exemption defined in CRITERION A or B and consent of the user is required."
From my point of view the ePrivacy legislation is far too far-reaching. GDPR is much more flexible and has a much smarter approach. The Working Party seems to share this opinion (at least in 2014). But at present it is simply the law.
The issue is less about the details of how long data is stored. It is only about whether access to information inside the end user's device takes place or not.
Dear @mattab, please do not refer to cookies. Cookies are legally irrelevant. Cookies are not mentioned in any law I am aware of. To focus on cookies does not answer the legal questions.
How does JS code gain any information on technical aspects of my device (e.g. screen size) without access to my device? As far as I know, most information collected by JS code is not automatically sent to the analytics server. There is no push of information by my device, but a pull by JS code.
I am really happy to learn if I am all wrong.