@tsteur opened this Issue on September 1st 2020 Member

See the guide in https://developer.matomo.org/guides/tracking-javascript-guide#optional-creating-a-custom-opt-out-form

It suggests calling _paq.push(['optUserOut']); when a user wants to opt out. This would set the mtm_consent_removed cookie and is generally fine.

It suggests calling _paq.push(['forgetUserOptOut']); when a user wants to opt back in. What this does is remove the previously set mtm_consent_removed cookie and then set the mtm_consent cookie. This is generally OK. However, it becomes a problem as soon as someone were to actually switch from "not asking for consent and offering opt out" to a proper cookie consent. Suddenly, the people that opted back in using the custom opt out would be assumed to have given consent. However, this is not the case because they likely would have only seen a small opt out message. People don't give consent for tracking in the same way as a proper consent screen would require (specific, informed, ...).

The solution is likely quite easy. Instead of setting the cookie for consent given, it should only remove a previously set mtm_consent_removed cookie:

            this.forgetUserOptOut = function () {

This way, should you ever change the legal basis for tracking users, then you don't run into any issues and users would be properly asked for consent.

This Issue was closed on September 2nd 2020
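
The cookie behaviour described in this issue, replayed as an added example (not Matomo's code and not part of the original issue). Only the cookie names mtm_consent and mtm_consent_removed come from the page; the in-memory jar, the function names and the rule in `treatedAsConsented` are assumptions made for illustration.

```javascript
// Cookie names as given in the issue.
const CONSENT = 'mtm_consent';
const CONSENT_REMOVED = 'mtm_consent_removed';

// Hypothetical in-memory stand-in for the visitor's first-party cookies.
function makeJar() {
  return new Map();
}

// Opt out: per the issue, this sets mtm_consent_removed.
function optUserOut(jar) {
  jar.set(CONSENT_REMOVED, String(Date.now()));
}

// Behaviour the issue describes: remove the opt-out marker AND set mtm_consent.
function forgetUserOptOutCurrent(jar) {
  jar.delete(CONSENT_REMOVED);
  jar.set(CONSENT, String(Date.now()));
}

// Behaviour the issue proposes: only remove the opt-out marker.
function forgetUserOptOutProposed(jar) {
  jar.delete(CONSENT_REMOVED);
}

// Assumption: after the site switches to a real consent screen, a visitor is
// treated as having consented when mtm_consent is present and
// mtm_consent_removed is absent. The cookie alone cannot say which UI set it.
function treatedAsConsented(jar) {
  return jar.has(CONSENT) && !jar.has(CONSENT_REMOVED);
}

// Replay: opt out, opt back in through the custom opt-out form, then the site
// changes its legal basis to consent and inspects the leftover cookies.
function replay(forgetUserOptOut) {
  const jar = makeJar();
  optUserOut(jar);
  forgetUserOptOut(jar);
  const consented = treatedAsConsented(jar);
  return { cookies: [...jar.keys()].sort(), consented, mustAskForConsent: !consented };
}

console.log('current :', replay(forgetUserOptOutCurrent));
console.log('proposed:', replay(forgetUserOptOutProposed));
```

With the described behaviour the visitor who only clicked an opt-out checkbox is carried over as consented; with the proposed behaviour no consent cookie remains, so the consent screen is shown.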