Custom opt out screen should not imply tracking consent given #16362
Labels
Bug
For errors / faults / flaws / inconsistencies etc.
c: Privacy
For issues that impact or improve the privacy.
See the guide in https://developer.matomo.org/guides/tracking-javascript-guide#optional-creating-a-custom-opt-out-form
It suggests to call `_paq.push(['optUserOut']);` when a user wants to opt out. This would set the `mtm_consent_removed` cookie and is generally fine.

It suggests to call `_paq.push(['forgetUserOptOut']);` when a user wants to opt back in. What this does is remove the previously set `mtm_consent_removed` cookie and then set the `mtm_consent` cookie.

This is generally OK. However, it becomes a problem as soon as someone were to actually switch from "not asking to consent and offering opt out" to a proper cookie consent. Suddenly, the people that opted back in using the custom opt out would be assumed to have given consent. However, this is not the case because they likely would have only seen a small opt out message. People don't give consent for tracking in the same way as a proper consent screen would require (specific, informed, ...).

The solution would likely be quite easy. Instead of setting the cookie for consent given, it should only remove a previously set `mtm_consent_removed` cookie:

This way, should you ever change the legal basis for tracking users, then you don't run into any issues and users would be properly asked for consent.
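The cookie transitions described in this issue, modelled as an added example (not Matomo's code and not part of the original report). The cookie names come from the issue; the function names, the in-memory cookie jar and the `mayTrack` decision logic are assumptions made for illustration.

```javascript
// Model of the cookie transitions described in the issue (not Matomo's code).
// Cookie names are from the issue; all function names are hypothetical.
const CONSENT = 'mtm_consent';
const CONSENT_REMOVED = 'mtm_consent_removed';

// Opt out: sets mtm_consent_removed, as the issue describes for optUserOut.
function optOut(jar) {
  jar.add(CONSENT_REMOVED);
}

// Behaviour reported for forgetUserOptOut: clear the marker AND set consent.
function optBackInCurrent(jar) {
  jar.delete(CONSENT_REMOVED);
  jar.add(CONSENT);
}

// Behaviour proposed in the issue: only clear the opt-out marker.
function optBackInProposed(jar) {
  jar.delete(CONSENT_REMOVED);
}

// Assumed decision logic: an opt-out marker always blocks tracking; in
// opt-out mode everyone else is tracked; in consent mode only visitors
// holding the consent cookie are tracked.
function mayTrack(jar, consentRequired) {
  if (jar.has(CONSENT_REMOVED)) return false;
  return consentRequired ? jar.has(CONSENT) : true;
}

// One visitor: opts out, opts back in through the custom opt-out form,
// then the site changes its legal basis to explicit consent.
function simulate(optBackIn) {
  const jar = new Set(); // constructed cookie jar holding cookie names only
  optOut(jar);
  const afterOptOut = mayTrack(jar, false);
  optBackIn(jar);
  const afterOptIn = mayTrack(jar, false);
  const afterSwitchToConsent = mayTrack(jar, true);
  return { afterOptOut, afterOptIn, afterSwitchToConsent, cookies: [...jar] };
}

console.log('current :', simulate(optBackInCurrent));
console.log('proposed:', simulate(optBackInProposed));
```

Both variants behave identically while the site runs in opt-out mode; they diverge only after the switch to consent mode, where the current behaviour leaves a consent cookie that the visitor never granted through a consent screen.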