Cookieless Tracking compatibility with EU "cookie directive" 5(3)

Hi! We have been planning on using Matomo’s “cookieless tracking” feature to avoid all non-essential cookies and instead use anonymous user config_id’s to let Matomo collect anonymous statistics. This config_id is generated by Matomo through a set of information: anonymous IP-address, device type, OS, web browser, and screen resolution.

Matomo argues that no consent banner is needed with this setting, as long as an opt-out option is provided somewhere on the web page. This seems to be true in accordance with GDPR, since none of this information is personal data.

However, we have stumbled on the so-called EU “cookie directive” (https://edps.europa.eu/sites/default/files/publication/dir_2009_136_en.pdf), which says:

“[…] the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing” 5(3)

We are left in doubt about whether the information captured to generate the user config_id falls under the definition marked in bold above. Because if so, doesn’t that mean that we cannot merely rely on the opt-out option, but in fact need to ask for consent in the first place?

Has anyone any experience with this puzzle? Or can anyone help us out with some clarification?

Thanks in advance!

Hello,

In my opinion, as you don’t access any information already stored, in the terminal equipment of a subscriber or user (eg. cookie), then you don’t need ask for user consent…

1 Like

You can disable “BrowserFeatureDetection” (https://matomo.org/faq/how-to/how-do-i-disable-browser-feature-detection-completely/) to not read any data that is stored on the device.

2 Likes

Thank you for this quick and helpful reply!