Hello everyone,
In Matomo 3.13.6 or newer it should be possible to operate the Matomo analytics solution without cookies (https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-analytics-without-consent-or-cookie-banner/).
As you already mentioned in the FAQs (https://matomo.org/faq/general/faq_157/), there is an issue with cookies being created despite the use of _paq.push(['disableCookies']) in the following use cases:
Using the standard iframe opt-out method on our site, we can confirm that when users change their opt-out on our Privacy page, where the Matomo opt-out is embedded, the following cookies are being created:
This issue means that there is currently no GDPR-compliant way to operate Matomo without cookies, because the opt-out option is a "must", as visitors should be able to change their opt-in for analytics any number of times. The "_pk_id" and "_pk_sess" cookies require a cookie banner, as they are not essential for the website operation in terms of Art. 6.1(f) GDPR. The use of "MATOMO_SESSID" for security reasons and of the "mtm_consent/mtm_consent_removed" cookies to save the opt-in/opt-out state of the user's consent can be viewed as essential, if there is no way to avoid them technically.
Unfortunately we had to remove Matomo from our site, because cookie-less operation is the only option for us.
Is there a possibility that this issue will be solved, and when (especially the setting of the "_pk_id" and "_pk_sess" cookies)?
The cookie-less operation of Matomo is important for public entities and for all website owners who do not do e-commerce or other business that needs highly accurate reports. This means that the issue actually concerns a very large group of users.
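A practitioner reproducing the report above needs a way to tell the two cookie classes apart and to confirm that cookieless tracking is really in effect. The following is an added example written for this thread; it is not code from the Matomo project or from anyone posting here. It assumes that Matomo's first-party tracking cookies all share the `_pk_` prefix and carry a site-id and hash suffix, and that `disableCookies` must be queued before `trackPageView` as the cookieless FAQ linked above shows. The sample cookie strings, site id and hash are constructed, not captured from a real site.

```javascript
// Added example, not code from the Matomo project or from this thread:
// audit the cookies a page carries once cookieless tracking is supposed to
// be in effect, separating the tracking cookies the report complains about
// from the ones the report treats as essential.

// Assumption: Matomo's first-party tracking cookies (_pk_id, _pk_ses, ...)
// all share the `_pk_` prefix and carry a site id and hash suffix.
const TRACKING_PREFIX = '_pk_';

// Cookies the report treats as essential: MATOMO_SESSID protects the
// opt-out form, mtm_consent / mtm_consent_removed remember the visitor's
// choice. None of them carries a visitor identifier used for tracking.
const ESSENTIAL_COOKIES = new Set([
  'MATOMO_SESSID',
  'mtm_consent',
  'mtm_consent_removed',
]);

// Parse a document.cookie style string ("a=1; b=2") into [{ name, value }].
// Only the first '=' separates name from value, so values may contain '='.
function parseCookies(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1
        ? { name: part, value: '' }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Sort cookie names into tracking / essential / other.
function auditMatomoCookies(cookieString) {
  const result = { tracking: [], essential: [], other: [] };
  for (const { name } of parseCookies(cookieString)) {
    if (name.startsWith(TRACKING_PREFIX)) result.tracking.push(name);
    else if (ESSENTIAL_COOKIES.has(name)) result.essential.push(name);
    else result.other.push(name);
  }
  return result;
}

// Cookieless mode is really in effect only when no _pk_* cookie exists;
// MATOMO_SESSID or a consent cookie on its own does not fail the check.
function cookielessModeOk(cookieString) {
  return auditMatomoCookies(cookieString).tracking.length === 0;
}

// Sanity check on the _paq queue: disableCookies has to be pushed before
// trackPageView, otherwise the first page view is tracked with cookies
// still enabled and _pk_* cookies appear although disableCookies is present.
function disableCookiesBeforeTrackPageView(paq) {
  const disableAt = paq.findIndex((cmd) => cmd[0] === 'disableCookies');
  const trackAt = paq.findIndex((cmd) => cmd[0] === 'trackPageView');
  return disableAt !== -1 && (trackAt === -1 || disableAt < trackAt);
}

// Constructed sample cookie strings (not captured from a real site); the
// site id "1", hash "1fff" and all values are made up.
const SAMPLE_WITH_TRACKING =
  '_pk_id.1.1fff=abc123.1606000000.; _pk_ses.1.1fff=1; MATOMO_SESSID=s3ss10n; mtm_consent=1606000000';
const SAMPLE_COOKIELESS = 'MATOMO_SESSID=s3ss10n; mtm_consent_removed=1606000000';

// Queue order for cookieless tracking as described in the Matomo FAQ.
const PAQ_COOKIELESS = [['disableCookies'], ['trackPageView'], ['enableLinkTracking']];

// In a browser, run the audit against the live cookie jar of the page.
if (typeof document !== 'undefined') {
  console.log(auditMatomoCookies(document.cookie), cookielessModeOk(document.cookie));
}
```

Run `cookielessModeOk(document.cookie)` from the browser console on the page that embeds the opt-out iframe, before and after toggling the opt-out, to see exactly which class of cookie the toggle adds; `disableCookiesBeforeTrackPageView(window._paq)` catches the most common misconfiguration when `_pk_*` cookies show up despite `disableCookies` being present.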
Hi,
I don't have time right now to answer extensively, but want to add two quick notes:
https://github.com/matomo-org/matomo/issues/14402: MATOMO_SESSID is needed to avoid CSRF, which would allow other websites to opt in or opt out of the tracking without the user noticing, which I think is far worse for privacy than a cookie that doesn't do any tracking.
If you suggest that Matomo should not store any cookies at all for a visitor, then how should Matomo remember that this specific user has opted out of the tracking?
(I am genuinely interested what others think would be the privacy-wise ideal solution on handling user opt-out/opt-in and remembering it without allowing to track users this way. I personally don't see any solution that is possible at all (independent of Matomo) that would work better than what is possible right now).
Is it possible to reliably avoid the setting of "_pk_id" and "_pk_sess"-Cookies in cookie-less mode?
The use of "MATOMO_SESSID" for security reasons and of the "mtm_consent/mtm_consent_removed" cookies to save the opt-in/opt-out state of the user's consent can be viewed as essential (which means that no cookie banner is needed), if there is no way to avoid them technically. I've changed our request above. Thank you for your quick feedback!
@LfD-Nds Just FYI, we have recently released Matomo 4.0.0, which also brings some improvements towards cookieless tracking.
I've just checked that, and if `disableCookies` is called for the tracker, there should not be any `_pk_id` or `_pk_sess` cookie. The `MATOMO_SESSID` cookie is still set by the opt-out for the reasons @Findus23 mentioned.
BTW, even in the 3.14 release this might already be fixed. Regarding the opt-out, this is a duplicate of https://github.com/matomo-org/matomo/issues/16791, and it is explained in https://github.com/matomo-org/matomo/issues/16791#issuecomment-733284878 that it is an essential cookie.
@LfD-Nds any chance you can update to the latest 3.X and check if it's fixed there for you, or otherwise to the latest Matomo 4? (Matomo 4 is a staged release, so it might be a few days until it becomes available.)
Yes, we will check/update and report the results here. Thank you all for your helpful replies!
Great @LfD-Nds I will close this issue for now but we're more than happy to reopen if anything needs doing.
Couldn't there be a server-side flag to opt out every user of cookies entirely, which would render this cookie unnecessary?
I've enabled "Force Tracking Without Cookies", but I still see the `MATOMO_SESSID` cookie. Why is it needed in this case?