GDPR - Do I collect personal data?

(Milos Sramek) #1

We do not collect names or emails - our visitors cannot even log in to the page. But still, it is not clear to me whether we collect personal data or not.

According to the article The new GDPR data protection… IP addresses, cookies and UserID are personal data.

This is our situation:

IP addresses: We anonymize IP addresses, but we still want to estimate user location with decent precision by setting the option "Also use the Anonymized IP addresses when enriching visits" to "No". As I understand this option, the full IP will be used for geolocation. Do we then collect personal data from the point of view of GDPR in this case? Is this full IP address then stored in the database? If stored, then we probably collect personal data from the point of view of GDPR.

Cookies: We want to track visitors so that we know what they read and how much time they spend with us. Some cookies are used in this case. Should these be regarded as personal data? We do not use any other cookies.

UserID: I understand UserID as an identifier of a user registered on the web page. So in our case this should not be relevant.

Do you think that in this case it would be OK not to ask visitors for consent?
Thank you for your opinion!

(Lukas Winkler) #2


GDPR is a really important topic and I hope we can get a larger discussion about it here on the forum.

First things first:
Matomo is probably the closest to being GDPR out of the box of all analytics software. It is therefore even used on the websites of multiple European National Privacy Agencies (and even the website containing the official legal text of GDPR).

@ChardonneauR has spent a lot of time researching in the last weeks, so he can help more than me.

My opinions:

You can configure this inside of Matomo.

Not if Anonymized IP is enabled.

In my opinion if you are using UserID, you are really likely to store personal data.

I have asked exactly this question (and more) to the Austrian Data Protection Authority, who are using Matomo on their website without asking for consent (and not even mentioning it somewhere on their website or providing an opt-out), without much success. (They aren’t allowed to answer any questions.)

So if you have a little time to spend, write to or call the Data Protection Authority in your country, maybe they are more helpful than the Austrian.

(Milos Sramek) #3

Dear Thomas,
thank you for your answer. The reference to the Austrian Data Protection Authority was very useful for me, since I had the possibility to check the list of cookies they use and compare it with our list. They use the same ones as we do (_pk_id and _pk_ses) plus a few more. So I think that we also need not ask for explicit consent.

I was probably not precise enough when mentioning the UserID - I in fact wanted to ask about the identifier which is stored in the _pk_id cookie. It is clear to me now.

Inspired by your suggestion, I’ve also checked the web pages of the Slovak and Czech data protection authorities. The Slovak one does not seem to track anything, while the Czech one uses a few cookies with “GA” inside. But still they do not ask for consent, so some cookies are obviously allowed without consent :smile:
Thanks again