Question from Data Protection Officer

Hi there,

We would like to use Matomo and are in the testing phase in the cookie-less mode and ideally with no prior consent. We experienced issues with the CMP so that the data observed is way too small.

But here comes the question:
a) Which data exactly does the cookie-less tracking store and process?
b) For how long are these data stored?

I understood some bits and bobs, but couldn't find a comprehensive view on this. I also discovered that the screen resolution might be an issue in terms of GDPR and can be turned off. Based on this an additional question:
How does turning off screen resolution impact on data quality and accuracy? Any suggestions would be much appreciated.

Regards,
Marc

The ones you decide to track. Using Matomo you can decide if you track userID (that is non-compliant with GDPR with no consent), page views (compliant), etc.
You can decide to keep the full user IPs (non-compliant), or just anonymized IPs (compliant).
Check on:

The time you decide. You can manage this in the Matomo console…

It might… depending on the country. France is OK for collect, Germany is not. It can be turned off.

It depends on what you want to track… Just for user journey, you don’t need this. But if you want to check that the design of your site is the best for most users, then not having this value can be a problem.

@RonanChardonneau, do you see anything else?

Hi, well I think the sentence you used is explaining it all, France is ok for collect not Germany. So it is France focused, you have to stay within the scope defined by CNIL where screen resolution is ok.
To me cookie less is about losing those data: https://matomo.org/faq/general/faq_156/
Dealing with b): you decide; according to the law, they indicate a threshold of 25 months for France https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies-solutions-pour-les-outils-de-mesure-daudience

Ok, thanks. This information is very useful.
If I do the setup as pointed out in the PDF, then Matomo does not process any personal information, right?

But which information is Matomo processing to obtain the hash? Or is it proprietary information?

✔ Right.

Client side, Matomo will create a visitor ID by hashing personal information (IP, screen resolution, browser, etc.) and some salt that changes every 1 or 2 days (and that we can’t access). Then it becomes non-personal information, because it is impossible to identify any user from this visitor ID.

@cs_matomo
What is considered “personal information” depends on the country you operate in. The browser signature (resolution, plugins) is considered personal data in Germany, so you have to switch that off if you don’t have consent. It is also a very dynamic field, and new laws and court decisions on how to interpret these laws come at incredible speed. You have to adapt to that.
Daniel

My goodness. This topic is highly complex, technically and in regulatory terms. While I have now a guide to follow CNIL, I would now need a guide to follow German laws. How do I turn off all personal data according to German law?

And also one thing that I do not get. Let’s say the screen resolution is personal data. But aren't they deleted straight after a hash has been calculated? And isn't that hash non-personal?

I'm sorry to ask so many questions, but I'm not getting my head around it.

@cs_matomo,
You can have a look at this looooonnng post (feature request):

Phew, that’s complicated but equally comprehensive. Let me get one thing straight, to see if I understand properly.

This is how cookie-less tracking works:

1. Matomo recognises
a) IP
b) screen resolution
c) browser
d) browser settings etc
e) etc…

2. Matomo processes the information to obtain an anonymous hash

3. Matomo deletes data
a) IP
b) screen resolution
c) browser
d) browser settings etc
e) etc…

Is this about right? And if yes, when are the IP, resolution, etc. deleted? Is it immediately or after a few days?

I think this would help to come to a decision! 🙂

Cheers,
Marc

PS: This support is ace.

The 3rd step is not right.
For visitor ID generation, it is not really destroyed, as the information is not sent to the Matomo server; it stays only client-side (pure JavaScript calculation).
The IP is gathered, potentially used (e.g. for geolocation), then truncated before being stored in the database, following the privacy configuration.
For other parameters, if you choose to track them, Matomo will do so; if you choose not to track them, Matomo won’t.

I'm sorry, but I don't quite get it. The JavaScript stores the IP and other data on the server but nobody has access to it?

As JavaScript is a client-side technology (for Matomo), it doesn’t store anything… It just sends some information to the Matomo server. The visitor ID is calculated client-side (in the browser: Firefox, Chrome, etc.).
Also, for the whole IP (not truncated), even if PHP uses it for some calculations (e.g. geolocation), it is never stored anywhere (except if you configure Matomo to do so).
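The two mechanisms discussed in this thread (a visitor ID derived from a salted hash that rotates, and an IP that is truncated before storage) can be illustrated with the sketch below. It is an added example, not Matomo's code and not from any poster: the HMAC-SHA-256 construction, the field list, the two-byte IP mask, and the salt and function names are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed salts standing in for a secret that is replaced every rotation period.
SALT_PERIOD_1 = b"constructed-salt-period-1"
SALT_PERIOD_2 = b"constructed-salt-period-2"


def anonymize_ip(ip: str, masked_bytes: int = 2) -> str:
    """Zero the last `masked_bytes` bytes of an IPv4 address before it is stored."""
    mask = (0xFFFFFFFF << (8 * masked_bytes)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))


def visitor_id(salt: bytes, ip: str, user_agent: str, resolution: Optional[str]) -> str:
    """Keyed hash over the visit attributes; only this digest is kept."""
    parts = [anonymize_ip(ip), user_agent]
    if resolution is not None:  # None models "screen resolution tracking turned off"
        parts.append(resolution)
    message = "\x1f".join(parts).encode("utf-8")
    return hmac.new(salt, message, hashlib.sha256).hexdigest()[:16]


def demo() -> dict:
    # Constructed visitors: same network and browser, different screens.
    ua = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
    a = ("192.0.2.10", ua, "1920x1080")
    b = ("192.0.2.77", ua, "1366x768")
    return {
        "stable_within_period": visitor_id(SALT_PERIOD_1, *a) == visitor_id(SALT_PERIOD_1, *a),
        "linkable_after_rotation": visitor_id(SALT_PERIOD_1, *a) == visitor_id(SALT_PERIOD_2, *a),
        "distinct_with_resolution": visitor_id(SALT_PERIOD_1, *a) != visitor_id(SALT_PERIOD_1, *b),
        "distinct_without_resolution":
            visitor_id(SALT_PERIOD_1, a[0], ua, None) != visitor_id(SALT_PERIOD_1, b[0], ua, None),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last check shows the data-quality cost of dropping screen resolution in this model: two visitors behind the same truncated IP with the same browser collapse into one ID, so unique-visitor counts are understated.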

OK, I rectify:

1. Matomo runs a script on the client side

2. Script collects
a) IP
b) screen resolution
c) browser
d) browser settings etc
e) etc…

3. Script calculates from that an anonymous hash called visitor ID

4. Script returns visitor ID to Matomo

5. Script stores visitor ID at the client side (Firefox, Chrome, other)

Right?