@mattab opened this Issue on September 1st 2020 Member

Can we update the FAQ at https://matomo.org/faq/general/faq_21418/ to mention for example:

  • Matomo does not use a fingerprint

  • a config_id is basically valid for up to 30 minutes after the visit ends (unless different visit length is configured)

  • The config_id always includes a random hash. These randomised "hashes" added to each fingerprint are changed every 24 hours. Meaning the same visitor will have a totally different fingerprint every day and therefore no person or device can be identified across multiple days (unless of course the tracking cookies are enabled). The used hashes for the anonymising are also deleted periodically so there's no way to identify a person over several days. (unless of course the tracking cookies are enabled)

  • As a result, no cookie consent is needed for this very limited config_id.

  • Mention how the config_id is different when create_new_visit_after_midnight=0 or when enable_fingerprinting_across_websites=1

From #15886 #13655
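The bullet points above describe two properties of the config_id: it is built under a random salt that rotates every 24 hours and is deleted afterwards, and it only ties actions together for the configured visit length. The following is an added, simplified model of that design written for this thread; it is not Matomo's own code, and the visitor attributes, the HMAC-SHA256 construction, the `DailySaltStore` class and the `retention_days` setting are assumptions made for illustration. It shows why the same visitor yields a different id the next day and why the old salt, once discarded, cannot be used to recompute yesterday's ids.

```python
import hashlib
import hmac
import secrets
from datetime import date, datetime, timedelta

# Constructed sample visitors (not real data): the kind of request-derived
# attributes a config hash might be built from.
VISITOR_A = {
    "ip_prefix": "203.0.113",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
    "accept_language": "en-US",
}
VISITOR_B = dict(VISITOR_A, accept_language="de-DE")


class DailySaltStore:
    """Assumed helper: one random salt per calendar day. Salts older than
    `retention_days` are discarded, so ids for those days can no longer be
    recomputed even by the server that issued them."""

    def __init__(self, retention_days: int = 1):
        self.retention_days = retention_days
        self._salts = {}  # date -> 32 random bytes

    def salt_for(self, day: date) -> bytes:
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
            self._expire(day)
        return self._salts[day]

    def has_salt(self, day: date) -> bool:
        return day in self._salts

    def _expire(self, today: date) -> None:
        for old in list(self._salts):
            if (today - old).days > self.retention_days:
                del self._salts[old]


def config_id(visitor: dict, day: date, store: DailySaltStore) -> str:
    """Keyed hash of the visitor attributes under that day's salt.
    Without the salt, the attributes alone do not yield the id."""
    msg = "|".join(f"{k}={visitor[k]}" for k in sorted(visitor)).encode()
    return hmac.new(store.salt_for(day), msg, hashlib.sha256).hexdigest()[:16]


def linkable(visitor: dict, day1: date, day2: date, store: DailySaltStore) -> bool:
    """True only if the same id is produced on both days, i.e. the visitor
    could be recognised across those days from the id alone."""
    return config_id(visitor, day1, store) == config_id(visitor, day2, store)


def same_visit(last_action: datetime, now: datetime,
               visit_length_minutes: int = 30) -> bool:
    """An id only groups actions that fall within the configured visit
    length (30 minutes by default in this model)."""
    return timedelta(0) <= now - last_action <= timedelta(minutes=visit_length_minutes)


if __name__ == "__main__":
    store = DailySaltStore()
    d1, d2 = date(2021, 3, 25), date(2021, 3, 26)
    print("same day, same visitor :", linkable(VISITOR_A, d1, d1, store))
    print("next day, same visitor :", linkable(VISITOR_A, d1, d2, store))
    print("same day, other visitor:",
          config_id(VISITOR_A, d1, store) == config_id(VISITOR_B, d1, store))
```

Running the block prints `True`, `False`, `False` in that order: the id is stable within a day, changes the next day, and differs between visitors. A `retention_days` of 1 means that once the salt for day 3 is created the salt for day 1 is gone, which is the "deleted periodically" property; `create_new_visit_after_midnight` and `enable_fingerprinting_across_websites` would change what goes into `msg` and when a new visit starts, and are not modelled here.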

@Daten-David commented on December 9th 2020

Hello! I have been invited by @mattab to post my thoughts on consent requirements here.

I am afraid that all the great data protection conscious work by Matomo does primarily address GDPR. Under GDPR Matomo is pretty perfect and usage of Matomo without consent should be legal as a legitimate interest – under certain circumstances even if cookies are activated.

But – as most of us will be aware – the much more relevant law is the EU ePrivacy Directive of 2002 (since its 2009 update commonly called "Cookie Directive", officially Directive 2002/58/EC).

ePrivacy refers to all kind of data – no matter if personal, personal identifiable or non-personal. ePrivacy does not know legal justifications like legitimate interest, fulfillment of a contract or anything like the other justifications under GDPR.

If Art. 5 para. 3 ePrivacy Directive applies consent is mandatory to proceed.

This law does not refer to cookies. It refers to "the gaining of access to information already stored, in the terminal equipment of a subscriber or user". The most relevant question is whether Javascript Tracking means gaining access to information already stored in the enduser's device.

Art. 5 para. 3 ePrivacy Directive describes one scenario when consent is not required. This is the case if access to the enduser's device is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service". This exemption does not cover analytics because no user or visitor "explicitly requests" to analyze his website or app usage.

The relevant publication regarding this matter is Opinion 09/2014 by the Article 29 Working Party on device fingerprinting. The Opinion states under 7.1: "first-party website analytics through device fingerprinting do not fall under the exemption defined in CRITERION A or B and consent of the user is required."

So I guess any kind of Javascript analytics requires (previous) consent and means to withdraw consent later.

From my point of view the ePrivacy legislation is way too far reaching. GDPR is much more flexible and has a much smarter approach. The Working Party seems to share this opinion (at least in 2014). But at present: It is simply the law.

The issue is less about the details of how long data is stored. It is only about whether access to information inside the enduser's device takes place or not.

If Matomo shares my thoughts the advice to users should be that consent is always required if Javascript analytics is active.

@mattab commented on December 9th 2020 Member

> whether Javascript Tracking means gaining access to information already stored in the enduser's device.

fyi: JavaScript tracking does not mean gaining access to the device info: in particular if you use Matomo in cookie-less mode, then the JS code will not access nor create the tracking cookies at all.

@Daten-David commented on December 9th 2020

Dear @mattab, please do not refer to cookies. Cookies are legally irrelevant. Cookies are not mentioned in any law I am aware of. To focus on cookies does not answer the legal questions.

How does JS code gain any information on technical aspects of my device (e.g. screen size) without access to my device? As far as I know most information collected by JS code is not automatically sent to the analytics server. There is no push of information by my device but a pull by JS code.

Please check Opinion 09/2014 of the Article 29 Working Party. This is where I take all my knowledge from. At which point does the Opinion describe Javascript analytics in a way different to the process by Matomo? Why does the Opinion state that Javascript analytics without cookies requires consent?

I am really happy to learn if I am all wrong.

@utrautmann commented on March 25th 2021

Hello @mattab,
this topic is becoming more and more important. I have some German data protection officers in my projects now in 2021 who refuse to use Matomo in cookie-less mode without consent.
Their justification refers to the word "fingerprint", i.e. the collection of information from the browser as Dave said.

Can you describe please which exact data is determined by the browser in order to create the fingerprint and why you think that no consent is required?
I actually thought that with the cookie-less variant, the fingerprint would not be created with Javascript but would be created at the server (from the HTTP header information of the client).
I think we need more transparency.

@Daten-David commented on March 25th 2021

@utrautmann: Thanks for picking up the issue. I experience the same as you.

I guess everybody follows on Google's FLoC initiative. But did you see that Google admitted legal challenges by GDPR and most of all ePrivacy for FLoC? https://www.adexchanger.com/platforms/google-will-not-run-floc-origin-tests-in-europe-due-to-gdpr-concerns/

From my point of view it is crucial to understand the difference between GDPR and ePrivacy. GDPR is (almost) no obstacle to web analytics. Under GDPR you can run Matomo as legitimate interest without consent even with cookies active.

The challenge is ePrivacy.

The latest draft for the future ePrivacy Regulation by Portuguese EU presidency presents an option to run statistics without consent. See: https://www.statewatch.org/media/1649/eu-council-e-privacy-presidency-proposal-5008-21.pdf. Or the updated full text at https://data.consilium.europa.eu/doc/document/ST-6087-2021-INIT/en/pdf. Look for Article 6b (1) (e) + (f) and Article 8 (2) (c).

The EDPB has published concerns about the draft ePrivacy Regulation: https://edpb.europa.eu/news/news/2021/european-data-protection-board-46th-plenary-session_de

Most relevant: The law tends to stay theoretical. The real work is done by Mozilla with Firefox or Apple with Safari and most likely by Google with Chrome in future. They control how tracking or analytics takes place in future.

Server-side analytics is no problem. It can't be controlled by the browser. And it is not governed by ePrivacy law. But server-side analytics only provides very low-level analytics. And server-side analytics is a trip back to the '90s.

@Findus23 commented on March 25th 2021 Member

I have to say that I have lost the overview a bit, both of the new ePrivacy plans and of what Google is trying to achieve with their new concepts.

> Server-side analytics is no problem

Really? I always thought server-side analytics make things more difficult in other ways as e.g. there is no straight-forward way for people to opt-out.

Also the whole concept of FLoC seems like a really bad idea privacy-wise to me. It solves a few issues, but opens a bag of new ones at the same time. https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea sums up a few important points nicely in my opinion.

If you want to talk more about this I can only invite you to the forum as it is easier for general discussions than github issues. I would also be interested in other peoples opinions and ideas.

@Daten-David commented on March 25th 2021

> I always thought server-side analytics make things more difficult in other ways as e.g. there is no straight-forward way for people to opt-out.

Yes. There is no way to opt out. But opt-out is not 100 percent mandatory. Check Art. 21 (1) GDPR.

> The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

A regular web log should be considered compelling legitimate grounds. The statistics derived from web log data are not personal data. The statistics are anonymous data and GDPR doesn't apply. The web log as raw data needs to be erased after a short period of time. But the statistics can stay.

> I can only invite you to the forum as it is easier for general discussions than github issues

Thanks! I don't feel at home enough to start a new discussion in the forum. As soon as somebody did I am happy to throw in my 50 cents.

@Daten-David commented on August 18th 2021

@mattab commented on September 8th 2021 Member

The situation has been clarified as best as possible in the FAQ at https://matomo.org/faq/general/how-is-the-visitor-config_id-processed/
so I'm closing this now.

@mattab commented on December 14th 2021 Member

@Daten-David FYI the discussion may continue in #18448 and https://github.com/matomo-org/matomo/issues/15425

This Issue was closed on September 8th 2021