@mattab opened this Issue on September 1st 2020 Member

Can we update the FAQ at https://matomo.org/faq/general/faq_21418/ to mention for example:

  • A fingerprint is basically valid for up to 30 minutes after the visit ends (unless different visit length is configured)
  • The fingerprint always includes a random hash. These randomised "hashes" added to each fingerprint are changed every 24 hours, meaning the same visitor will have a totally different fingerprint every day and therefore no person or device can be identified across multiple days (unless of course the tracking cookies are enabled). The hashes used for the anonymising are also deleted periodically, so there's no way to identify a person over several days (unless of course the tracking cookies are enabled).
  • As a result, no cookie consent is needed for this very limited fingerprint.
  • Mention how the fingerprint is different when create_new_visit_after_midnight=0 or when enable_fingerprinting_across_websites=1

From #15886 #13655
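The daily-rotating salt described in the list above, as an added illustrative model (constructed example, not Matomo's own fingerprint code): one random salt per UTC day, site id mixed in unless cross-website fingerprinting is enabled, and old salts purged so yesterday's fingerprints can no longer be recomputed. The `SALT_RETENTION_DAYS` value and the way `idsite` is combined are assumptions of this example, not Matomo's documented behaviour.

```python
import hashlib
import secrets
from datetime import datetime, timezone, timedelta

# Assumed retention window for old daily salts (illustrative value, not Matomo's).
SALT_RETENTION_DAYS = 2


class FingerprintSalts:
    """One random salt per UTC day; older salts are deleted on purge()."""

    def __init__(self):
        self._salts = {}  # "YYYY-MM-DD" -> hex salt

    def salt_for(self, when):
        day = when.strftime("%Y-%m-%d")
        if day not in self._salts:
            self._salts[day] = secrets.token_hex(32)
        return self._salts[day]

    def has_salt(self, when):
        return when.strftime("%Y-%m-%d") in self._salts

    def purge(self, now):
        cutoff = (now - timedelta(days=SALT_RETENTION_DAYS)).strftime("%Y-%m-%d")
        for day in list(self._salts):
            if day < cutoff:  # ISO date strings compare chronologically
                del self._salts[day]


def fingerprint(salts, when, idsite, attrs, across_websites=False):
    """Hash of (daily salt, optional site id, request attributes), truncated for display.

    attrs holds request-derived values (user agent, resolution, ...). The site id is
    mixed in unless across_websites is True, modelling enable_fingerprinting_across_websites=1.
    """
    parts = [salts.salt_for(when)]
    if not across_websites:
        parts.append(str(idsite))
    parts.extend(attrs[k] for k in sorted(attrs))
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def demo():
    """Return which properties hold for one constructed visitor across days and sites."""
    salts = FingerprintSalts()
    day0 = datetime(2020, 12, 8, 10, 0, tzinfo=timezone.utc)
    attrs = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "res": "1920x1080", "lang": "en"}  # constructed
    a = fingerprint(salts, day0, 1, attrs)
    b = fingerprint(salts, day0 + timedelta(minutes=20), 1, attrs)  # same day, same site
    c = fingerprint(salts, day0 + timedelta(days=1), 1, attrs)      # next day: salt rotated
    d = fingerprint(salts, day0, 2, attrs)                           # other site, same day
    e = fingerprint(salts, day0, 2, attrs, across_websites=True)
    f = fingerprint(salts, day0, 1, attrs, across_websites=True)
    salts.purge(day0 + timedelta(days=3))                            # day0 salt is now gone
    return {"same_day_same": a == b, "next_day_differs": a != c,
            "other_site_differs": a != d, "across_sites_same": e == f,
            "day0_salt_purged": not salts.has_salt(day0)}
```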

@mattab commented on December 8th 2020 Member

For now added a simple sentence to the FAQ under How is the visitor fingerprint processed?

  • the fingerprint is only valid for 24 hours maximum and is then rotated, meaning the same unique visitor will have a different fingerprint the next day. The fingerprint randomly changes and is anonymised every 24 hours.

but maybe this can be improved or clarified a bit (see issue description above)

@Daten-David commented on December 9th 2020

Hello! I have been invited by @mattab to post my thoughts on consent requirements here.

I am afraid that all the great data-protection-conscious work by Matomo does primarily address GDPR. Under GDPR Matomo is pretty perfect and usage of Matomo without consent should be legal as a legitimate interest – under certain circumstances even if cookies are activated.

But – as most of us will be aware – the much more relevant law is the EU ePrivacy Directive of 2002 (since its 2009 update commonly called "Cookie Directive", officially Directive 2002/58/EC).

ePrivacy refers to all kinds of data – no matter if personal, personally identifiable or non-personal. ePrivacy does not know legal justifications like legitimate interest, fulfillment of a contract or anything like the other justifications under GDPR.

If Art. 5 para. 3 ePrivacy Directive applies, consent is mandatory to proceed.

This law does not refer to cookies. It refers to "the gaining of access to information already stored, in the terminal equipment of a subscriber or user". The most relevant question is whether Javascript Tracking means gaining access to information already stored in the enduser's device.

Art. 5 para. 3 ePrivacy Directive describes one scenario when consent is not required. This is the case if access to the enduser's device is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service". This exemption does not cover analytics because no user or visitor "explicitly requests" to analyze his website or app usage.

The relevant publication regarding this matter is Opinion 09/2014 by the Article 29 Working Party on device fingerprinting. The Opinion states under 7.1: "first-party website analytics through device fingerprinting do not fall under the exemption defined in CRITERION A or B and consent of the user is required."

So I guess any kind of Javascript analytics requires (previous) consent and means to withdraw consent later.

From my point of view the ePrivacy legislation is way too far reaching. GDPR is much more flexible and has a much smarter approach. The Working Party seems to share this opinion (at least in 2014). But at present: It is simply the law.

The issue is less about the details of how long data is stored. It is only about whether access to information inside the enduser's device takes place or not.

If Matomo shares my thoughts the advice to users should be that consent is always required if Javascript analytics is active.

@mattab commented on December 9th 2020 Member

whether Javascript Tracking means gaining access to information already stored in the enduser's device.

fyi: JavaScript tracking does not mean gaining access to the device info: in particular if you use Matomo in cookie-less mode, then the JS code will not access nor create the tracking cookies at all.

@Daten-David commented on December 9th 2020

Dear @mattab, please do not refer to cookies. Cookies are legally irrelevant. Cookies are not mentioned in any law I am aware of. To focus on cookies does not answer the legal questions.

How does JS code gain any information on technical aspects of my device (e.g. screen size) without access to my device? As far as I know most information collected by JS code is not automatically sent to the analytics server. No push of information by my device but a pull by JS code.

Please check Opinion 09/2014 of the Article 29 Working Party. This is where I take all my knowledge from. At which point does the Opinion describe Javascript analytics in a way that differs from the process used by Matomo? Why does the Opinion state that Javascript analytics without cookies requires consent?

I am really happy to learn if I am all wrong.
