Matomo Analytics without consent needs opt-out improvement to become GDPR-compliant for this use case #16812
Comments
Hi, I don't have time right now to answer extensively, but want to add two quick notes: #14402: MATOMO_SESSID is needed to avoid CSRF, which would allow other websites to opt in or opt out of the tracking without the user noticing, which I think is far worse for privacy than a cookie that doesn't do any tracking. If you suggest that Matomo should not store any cookies at all for a visitor, then how should Matomo remember that this specific user has opted out of the tracking?
Is it possible to reliably avoid the setting of the "_pk_id" and "_pk_sess" cookies in cookie-less mode? The use of "MATOMO_SESSID" for security reasons and the "mtm_consent/mtm_consent_removed" cookies to save the opt-in/opt-out state of the user's consent can be viewed as essential (which means that no cookie banner is needed), if there is no way to avoid them technically. I've changed our request above. Thank you for your quick feedback!
@LfD-Nds Just FYI, we have recently released Matomo 4.0.0, which also brings some improvements towards cookieless tracking.
BTW, even in the 3.14 release this might already be fixed. Regarding the opt-out, this is a duplicate of #16791 and it is explained in #16791 (comment) that it is an essential cookie. @LfD-Nds any chance you can update to the latest 3.X and check if it's fixed there for you, or otherwise to the latest Matomo 4? (Matomo 4 is a staged release, so it might be a few days until it becomes available)
Yes, we will check/update and report the results here. Thank you all for your helpful replies!
Great @LfD-Nds, I will close this issue for now, but we're more than happy to reopen if anything needs doing.
Hello everyone,
In Matomo 3.13.6 or newer it should be possible to operate the Matomo analytics solution without cookies (https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-analytics-without-consent-or-cookie-banner/).
As you already mentioned in the FAQs (https://matomo.org/faq/general/faq_157/), there is an issue with cookies being created despite the use of _paq.push(['disableCookies']) in the following use cases:
Using the standard iframe opt-out method on our site, we can confirm that when users change their opt-out on our privacy page, where the Matomo opt-out is embedded, the following cookies are being created:
This issue means that there is currently no GDPR-compliant way to operate Matomo without cookies, because the opt-out option is a "must", as visitors should be able to change their opt-in for analytics at any time, and multiple times. The "_pk_id" and "_pk_sess" cookies require a cookie banner, as they are not essential for the website operation in terms of Art. 6.1(f) GDPR. The use of "MATOMO_SESSID" for security reasons and the "mtm_consent/mtm_consent_removed" cookies to save the opt-in/opt-out state of the user's consent can be viewed as essential, if there is no way to avoid them technically.
We unfortunately had to remove Matomo from our site, because cookie-less operation is the only option for us.
Is there a possibility that this issue will be solved, and when (especially the setting of the "_pk_id" and "_pk_sess" cookies)?
The cookie-less operation of Matomo is important for public entities and all website owners who do not do e-commerce or other business with a need for highly accurate reports. This means that the issue actually concerns a very large group of users.
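The report above hinges on two things a site operator can check for themselves: that `disableCookies` is queued before `trackPageView` in the tracking snippet (the tracker decides whether to write its cookies when it builds the first request, so the order matters), and which cookies actually end up in the browser after the opt-out iframe is toggled. The following is an added example, not code from the Matomo project or from this issue thread. It assumes the cookie names as discussed in the thread (anything prefixed `_pk_` is a tracking cookie; `MATOMO_SESSID`, `mtm_consent` and `mtm_consent_removed` are the ones treated as essential), and `TRACKER_URL`, `SITE_ID`, the sample cookie string and all function names are placeholders or constructed for the example. The `_paq` commands themselves (`disableCookies`, `trackPageView`, `enableLinkTracking`, `setTrackerUrl`, `setSiteId`) are the standard Matomo tracker API.

```javascript
// Added example (not Matomo project code). TRACKER_URL and SITE_ID are placeholders.
const TRACKER_URL = 'https://analytics.example.org/';
const SITE_ID = '1';

// Build the _paq command queue for cookieless tracking. 'disableCookies' is
// queued before 'trackPageView' on purpose: the tracker reads the flag when it
// assembles the first tracking request, so the reverse order still sets _pk_* cookies.
function buildCookielessQueue(trackerUrl = TRACKER_URL, siteId = SITE_ID) {
  const _paq = [];
  _paq.push(['disableCookies']);
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  _paq.push(['setTrackerUrl', trackerUrl + 'matomo.php']);
  _paq.push(['setSiteId', siteId]);
  return _paq;
}

// Check a queue (e.g. one copied from a site's snippet): true only when
// 'disableCookies' is present and precedes 'trackPageView'.
function queueIsCookieless(queue) {
  const indexOf = (name) => queue.findIndex((cmd) => cmd[0] === name);
  const disable = indexOf('disableCookies');
  const track = indexOf('trackPageView');
  return disable !== -1 && (track === -1 || disable < track);
}

// Parse a document.cookie-style string ("a=1; b=2") into { name: value }.
// Only the first '=' separates name from value; values may contain '='.
function parseCookieHeader(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf('=');
    const name = eq === -1 ? item : item.slice(0, eq);
    const value = eq === -1 ? '' : item.slice(eq + 1);
    cookies[name] = value;
  }
  return cookies;
}

// Cookies the thread treats as essential (security / consent state), as opposed
// to the _pk_* tracking cookies that cookieless mode must never create.
const ESSENTIAL_COOKIES = new Set(['MATOMO_SESSID', 'mtm_consent', 'mtm_consent_removed']);

// Classify the cookies present; compliant === true means no tracking cookie was set.
function auditMatomoCookies(cookieString) {
  const result = { tracking: [], essential: [], other: [], compliant: true };
  for (const name of Object.keys(parseCookieHeader(cookieString))) {
    if (name.startsWith('_pk_')) {
      result.tracking.push(name);
    } else if (ESSENTIAL_COOKIES.has(name)) {
      result.essential.push(name);
    } else {
      result.other.push(name);
    }
  }
  result.compliant = result.tracking.length === 0;
  return result;
}

// Constructed sample input: what the reporter describes after toggling the
// opt-out iframe (tracking cookies appear next to the essential ones).
const SAMPLE_AFTER_OPTOUT =
  'MATOMO_SESSID=constructedsessionid; mtm_consent_removed=1606000000000; ' +
  '_pk_id.1.1234=constructedvisitorid.1606000000.; _pk_ses.1.1234=1';

// Usage: run both checks against the snippet queue and the observed cookies.
console.log('queue cookieless:', queueIsCookieless(buildCookielessQueue()));
console.log('cookie audit:', auditMatomoCookies(SAMPLE_AFTER_OPTOUT));
```

In a browser the audit would be run as `auditMatomoCookies(document.cookie)` on the privacy page after changing the opt-out; a non-empty `tracking` array reproduces the behaviour reported above, while a queue for which `queueIsCookieless` is false points to a snippet problem rather than the opt-out iframe.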