Anonymous userIds tracking and merging/changing userId

Hi, I’m trying to find out if it’s somehow possible to update userIds. We are thinking of a setup where we generate the userId sent to matomo based on a combination of the userId and a hashed version of the password (different from what’s stored in the database, so it’s only known in the frontend). This ID would be generated on each login and kept in the frontend.

The idea is that this way we can have a stable ID for the user without having any way to de-anonymize the ID ourselves, making it a truly anonymous ID rather than a pseudonymous ID (the latter is still considered personal data under GDPR).

One obvious drawback of this approach is that the ID changes every time the user changes their password. This may be acceptable, as it’s likely fairly rare and also gives users a way to reset their tracking identifier, but I was wondering if it is somehow possible to change or merge the userId at the time of the password reset (we would have both passwords, so we can generate both IDs and send a request to matomo requesting the change, similar to when a user logs in and their visit becomes associated with the user).

Aside from that, feel free to share any thoughts on the approach if there are any obvious problems or a better way of doing that.

Thanks in advance for any advice!
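The derivation described in the question, as an added worked example (it is not the poster's code and not part of Matomo): the tracking ID is an HMAC over the account ID keyed with a frontend-only password hash, so it is stable across logins, changes when the password changes, and both the old and the new ID are computable only at reset time when both passwords are in hand. All function names, the `"matomo-tracking-id:"` label and the choice of SHA-256 are assumptions made for the example.

```python
import hashlib
import hmac

# Added example with hypothetical helper names; not the poster's or Matomo's code.
# Assumption: the "client password hash" is computed in the browser and never stored
# server-side, as the question describes.


def client_password_hash(password: str) -> str:
    """Stand-in for the frontend-only password hash (assumed: SHA-256 of the password)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def derive_tracking_id(user_id: str, pw_hash: str) -> str:
    """Derive the ID sent to the analytics backend from the account id and the
    frontend password hash. HMAC keyed with the password hash gives domain separation
    so the value cannot be confused with (or rebuilt from) other hashes of the same inputs."""
    key = pw_hash.encode("utf-8")
    msg = ("matomo-tracking-id:" + user_id).encode("utf-8")  # label is an assumption
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def tracking_ids_for_password_change(user_id: str, old_password: str, new_password: str):
    """At password-reset time both passwords are available, so both IDs can be computed
    and a merge request (old -> new) can be issued; afterwards only the new one is derivable."""
    old_id = derive_tracking_id(user_id, client_password_hash(old_password))
    new_id = derive_tracking_id(user_id, client_password_hash(new_password))
    return old_id, new_id


if __name__ == "__main__":
    # Constructed sample account; login twice with the same password, then reset it.
    first_login = derive_tracking_id("alice", client_password_hash("correct horse"))
    second_login = derive_tracking_id("alice", client_password_hash("correct horse"))
    print("stable across logins:", first_login == second_login)
    old_id, new_id = tracking_ids_for_password_change("alice", "correct horse", "battery staple")
    print("changes on password reset:", old_id != new_id)
```

Note what the derivation does and does not give you: the ID is stable and the server never sees the password, but anyone holding the account ID and the frontend hash can recompute the same value, which is what makes the identifier pseudonymous rather than anonymous.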


Interesting approach! We’ve so far found a model for creating an anonymous User ID which can’t be connected to a user, but can be used if the user wants to be forgotten or wants to know which data we’ve collected.

The question is if we, in the case that a user wants to be forgotten, can rename the User ID to a non-unique text string (e.g. “Forgotten User”), or if we have to delete all the data for this user?

Not really.
Indeed, the new user ID you store will define a user forever (except when changing the password), so it can still be considered a pseudonym… For example, if you know Bob visited your website last Monday at 9:14, you’ll be able to know, looking in the visits log, that his pseudonymized ID is for example cpc-qxe (I used a “+1” salt). Then you’ll be able to track his whole life on your website (filtering on his userID)…

Anonymization means you will never be able to identify some data. Look at what is done on the IP. When you anonymize it, you remove the last bits. Then several users will have the same one. It becomes impossible to identify the user, ever.

When Matomo uses the visitor ID in the most privacy-friendly manner (without cookies, etc.), it melts some user data (in fact browser, IP, system info) with a salt that changes every one or two days… Then if the user comes back one week later, it won’t be possible to identify him as a returning user.
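The two mechanisms this reply contrasts, as an added example that is not Matomo's code: IP anonymization drops the trailing octets so several users collapse onto one value, and a cookieless visitor ID mixes browser, IP and OS with a salt that is rotated, so the same inputs stop matching once the salt has changed. The helper names, the fingerprint inputs and the way the salt is derived from the day are assumptions made for the example; Matomo's actual salt handling is not reproduced here.

```python
import hashlib
from datetime import date, timedelta

# Added example with hypothetical helper names; not Matomo's implementation.


def anonymize_ip(ip: str, masked_octets: int = 1) -> str:
    """Replace the last `masked_octets` bytes of an IPv4 address with 0.
    Many distinct addresses map to the same value, so the result no longer
    identifies one user."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 <= masked_octets <= 4:
        raise ValueError("expected a dotted IPv4 address and 0..4 masked octets")
    return ".".join(octets[: 4 - masked_octets] + ["0"] * masked_octets)


def rotating_salt(day: date, rotation_days: int = 1) -> str:
    """Salt that changes every `rotation_days` days.
    Assumption for the example: derived from the day number so the demo is
    reproducible; a real deployment would use a random secret that is rotated
    and then discarded."""
    window = day.toordinal() // rotation_days
    return hashlib.sha256(f"salt-window-{window}".encode("utf-8")).hexdigest()


def cookieless_visitor_id(user_agent: str, ip: str, os_name: str,
                          day: date, rotation_days: int = 1) -> str:
    """Short-lived visitor id: fingerprint inputs mixed with the rotating salt.
    Same inputs within one salt window give the same id; after the salt rotates
    the same visitor is indistinguishable from a new one."""
    material = "|".join([user_agent, anonymize_ip(ip), os_name,
                         rotating_salt(day, rotation_days)])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


if __name__ == "__main__":
    # Constructed sample visitor (documentation addresses from 203.0.113.0/24).
    ua, os_name = "Mozilla/5.0 (example)", "Linux"
    monday = date(2024, 1, 1)
    same_day = cookieless_visitor_id(ua, "203.0.113.42", os_name, monday)
    again = cookieless_visitor_id(ua, "203.0.113.42", os_name, monday)
    next_week = cookieless_visitor_id(ua, "203.0.113.42", os_name, monday + timedelta(days=7))
    print("recognised within the salt window:", same_day == again)
    print("recognised one week later:", same_day == next_week)
    print("two users share an anonymized IP:",
          anonymize_ip("203.0.113.42") == anonymize_ip("203.0.113.7"))
```

The contrast with a password-derived user ID is the salt: a deterministic ID without a rotating secret can always be recomputed from its inputs, while an ID whose salt has been rotated away cannot be linked back even by the site operator.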