Question from Data Protection Officer

Hi there,

We would like to use Matomo and are in the testing phase, in cookie-less mode and ideally with no prior consent. We experienced issues with the CMP, so the data observed is way too small.

But here comes the question:
a) Which data exactly does the cookie-less tracking store and process?
b) For how long are these data stored?

I understood some bits and bobs, but couldn't find a comprehensive view on this. I also discovered that the screen resolution might be an issue in terms of GDPR and can be turned off. Based on this, an additional question:
How does turning off screen resolution impact data quality and accuracy? Any suggestions would be much appreciated.

Regards,
Marc

The ones you decide to track. Using Matomo you can decide whether you track the user ID (which is non-compliant with GDPR without consent), page views (compliant), etc.
You can decide to keep the full user IPs (non-compliant) or just anonymized IPs (compliant).
Check on:

The time you decide. You can manage this in the Matomo console…

It might… depending on the country. France is OK for collection, Germany is not. It can be turned off.

It depends on what you want to track… Just for the user journey, you don't need this. But if you want to check that the design of your site is the best for most users, then not having this value can be a problem.

@RonanChardonneau, do you see anything else?


Hi, well I think the sentence you used explains it all: France is OK for collection, Germany is not. So it is France-focused; you have to stay within the scope defined by CNIL, where screen resolution is OK.
To me cookie-less is about losing those data: https://matomo.org/faq/general/faq_156/
Dealing with b): you decide; according to the law, they indicate a threshold of 25 months for France https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies-solutions-pour-les-outils-de-mesure-daudience

Ok, thanks. This information is very useful.
If I do the setup as pointed out in the PDF, then Matomo does not process any personal information, right?

But which information is Matomo processing to obtain the hash? Or is that proprietary information?

✓ Right.

Client-side, Matomo will create a visitor ID by hashing personal information (IP, screen resolution, browser, etc.) and some salt that changes every 1 or 2 days (and that we can't access). Then it becomes non-personal information, because it is impossible to identify any user from this visitor ID.

@cs_matomo
What is considered “personal information” depends on the country you operate in. The browser signature (resolution, plugins) is considered personal data in Germany, so you have to switch that off if you don’t have consent. It is also a very dynamic field, and new laws and court decisions on how to interpret these laws come at incredible speed. You have to adapt to that.
Daniel

My goodness. This topic is highly complex, technically and regulatorily. While I now have a guide to follow CNIL, I would now need a guide to follow German laws. How do I turn off all personal data according to German law?

And also one thing that I do not get. Let's say the screen resolution is personal data. But aren't they deleted straight after a hash has been calculated? And isn't that hash non-personal?

I'm sorry to ask so many questions, but I'm not getting my head around it.

@cs_matomo,
You can have a look at this looooonnng post (feature request):

Phew, that’s complicated but equally comprehensive. Let me get one thing straight, to see, if I understand properly.

This is how cookie-less tracking works:

1. matomo recognises
a) IP
b) screen resolution
c) browser
d) browser settings etc
e) etc…

2. matomo processes the information to obtain an anonymous hash

3. matomo deletes data
a) IP
b) screen resolution
c) browser
d) browser settings etc
e) etc…

Is this about right? And if yes, when are the IP, resolution, etc. deleted? Is it immediately or after a few days?

I think this would help to come to a decision! :)

Cheers,
Marc

PS: This support is ace.

The 3rd step is not right.
For visitor ID generation, it is not really destroyed, as the information is not sent to the Matomo server; it stays client-side only (pure JavaScript calculation).
The IP is gathered, potentially used (e.g. for geolocation), then truncated before being stored in the database, following the privacy configuration.
For the other parameters, if you choose to track them, Matomo will; if you choose not to track them, Matomo won't.

I'm sorry, but I don't quite get it. The JavaScript stores the IP and other data on the server but nobody has access to it?

As JavaScript is a client-side technology (for Matomo), it doesn't store anything… It just sends some information to the Matomo server. The visitor ID is calculated client-side (in the browser: Firefox, Chrome, etc.).
Also, for the whole IP (not truncated), even if PHP uses it for some calculations (e.g. geolocation), it is never stored anywhere (except if you configure Matomo to do so).

OK, I rectify:

1. matomo runs a script on the client side

2. Script collects
a) IP
b) screen resolution
c) browser
d) browser settings etc
e) etc…

3. Script calculates from that an anonymous hash called visitor ID

4. script returns visitor ID to matomo

5. script stores visitor ID at the client-side (Firefox, Chrome, other)

Right?

Disagree on point 5.
In my understanding, the Matomo script will keep the visitor ID for all events on the same page, but will calculate the visitor ID on each page refresh. As the salt used by Matomo (to hash the visitor ID) changes every 1 or 2 days, the user is anonymized. And nothing is stored in the browser (in order to be GDPR compliant).

OK, I rectify:

1. matomo runs a script on the client side

2. Script collects
a) IP
b) screen resolution
c) browser
d) browser settings etc
e) etc…
every time a page is loaded or other events

3. Script calculates from that an anonymous hash called visitor ID
every time a page is loaded or other events

4. script returns visitor ID to matomo
every time a page is loaded or other events

5. matomo stores visitor ID for 48 hours

That means:

  • nothing is stored at the client-side
  • visitor ID as a hash stored for 48hrs only on matomo
  • it is debatable whether the visitor ID is actually personal data, as we cannot go from Matomo to the identification of a specific person

That’s not totally true:
Matomo will store this until you decide to delete it (through Privacy administration).
The 48 hours is the life time of the salt used by the JavaScript to generate the visitor ID.

The rest seems OK

OK, the salt stays with the client. How does that work without a cookie?

I imagine the salt is sent by the server, then forgotten after 48 hours… :thinking: But after some little analysis on my side, I think I am wrong…
@innocraft do you confirm?
@innocraft do yo confirm?

OK, I rectify II:

1. matomo runs a script on the client side

2. Script collects
a) IP
b) screen resolution
c) browser
d) browser settings etc
e) etc…
f) salt
every time a page is loaded or other events

3. Script calculates from that an anonymous hash called visitor ID
every time a page is loaded or other events

4. script returns visitor ID to matomo
every time a page is loaded or other events

5. matomo stores visitor ID in line with privacy settings
Found at "Regularly delete old raw data - Delete logs older than (days)"

  • in my case currently set to 1000 days; maybe I can get it down to 90 days without harming data quality.

6. Salt at client-side changes after 48hrs - tbc

That means:

  • nothing is stored at the client-side, besides the salt for 48hrs
  • visitor ID as a hash stored in matomo as long as the privacy settings allow
  • it is debatable whether the visitor ID is actually personal data, as we cannot go from Matomo to the identification of a specific person
  • The visitor ID becomes completely useless for back-tracking after the period set by Matomo, as the hash will be deleted.
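To make the two time scales the thread keeps mixing up (salt lifetime vs. raw-data retention) concrete, here is an added toy model in Python. It is not Matomo's code and does not claim to reproduce Matomo's real implementation; it models the mechanism as the replies above describe it: a hash over IP, screen resolution and browser with a salt that rotates every day or two, the IP truncated before storage, and stored rows purged by a "delete logs older than" setting. The 48-hour salt lifetime, the 90-day retention, the server-side secret and all function names are assumptions chosen for illustration; the IP and user agent are constructed sample values.

```python
"""Salted cookie-less visitor IDs and IP truncation: a toy model.

Added example; this is not Matomo's code.  It models the mechanism the
thread describes (a hash of IP, screen resolution and browser with a salt
that rotates every day or two, truncated IPs, raw-data retention) so the
retention questions can be checked concretely.  Constants and names below
are assumptions chosen for illustration.
"""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

SALT_LIFETIME = timedelta(hours=48)          # assumption: the "48 hours" from the thread
SERVER_SECRET = b"example-secret-never-sent-to-browser"  # constructed placeholder
RETENTION_DAYS = 90                          # the value Marc considers above


def anonymize_ip(ip: str, mask_bytes: int = 2) -> str:
    """Zero the last `mask_bytes` bytes of the address before storage.

    Two bytes is the usual IPv4 default (203.0.113.42 -> 203.0.0.0); applying
    the same byte count to IPv6 is a simplification for this example.
    """
    addr = ipaddress.ip_address(ip)
    keep_bits = addr.max_prefixlen - 8 * mask_bytes
    net = ipaddress.ip_network(f"{addr}/{keep_bits}", strict=False)
    return str(net.network_address)


def current_salt(now: datetime) -> str:
    """Derive the salt for the SALT_LIFETIME period containing `now`.

    Deriving it from a server-side secret means nothing has to be stored in
    the browser; once the period ends, new hashes cannot be matched to old ones.
    """
    period = int(now.timestamp() // SALT_LIFETIME.total_seconds())
    return hmac.new(SERVER_SECRET, str(period).encode(), hashlib.sha256).hexdigest()


def visitor_id(ip: str, resolution: str, user_agent: str, salt: str) -> str:
    """Hash the fingerprint fields together with the salt; only the digest is kept."""
    material = "|".join([salt, ip, resolution, user_agent]).encode()
    return hashlib.sha256(material).hexdigest()[:16]


def record_visit(ip, resolution, user_agent, url, now, collect_resolution=True):
    """Build the row that would be stored: truncated IP, visitor hash, URL, time."""
    res = resolution if collect_resolution else ""
    vid = visitor_id(ip, res, user_agent, current_salt(now))
    return {"visitor_id": vid, "ip": anonymize_ip(ip), "url": url, "ts": now}


def purge_old(rows, now, retention_days=RETENTION_DAYS):
    """Drop rows older than the retention window (the 'delete logs older than' setting)."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in rows if r["ts"] >= cutoff]


def demo() -> dict:
    """Constructed visits showing linkability inside and across a salt period."""
    t0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
    ip = "203.0.113.42"   # constructed, from the TEST-NET-3 documentation range

    v1 = record_visit(ip, "1920x1080", ua, "/", t0)
    v2 = record_visit(ip, "1920x1080", ua, "/pricing", t0 + timedelta(hours=1))
    v3 = record_visit(ip, "1920x1080", ua, "/", t0 + timedelta(hours=49))
    # A second device behind the same IP and browser, differing only in resolution.
    other = record_visit(ip, "1366x768", ua, "/", t0)
    other_no_res = record_visit(ip, "1366x768", ua, "/", t0, collect_resolution=False)
    v1_no_res = record_visit(ip, "1920x1080", ua, "/", t0, collect_resolution=False)

    kept = purge_old([v1, v2, v3], t0 + timedelta(days=92))
    return {
        "same_period_linkable": v1["visitor_id"] == v2["visitor_id"],
        "after_rotation_linkable": v1["visitor_id"] == v3["visitor_id"],
        "resolution_separates_devices": v1["visitor_id"] != other["visitor_id"],
        "merged_without_resolution": v1_no_res["visitor_id"] == other_no_res["visitor_id"],
        "stored_ip": v1["ip"],
        "rows_after_purge": len(kept),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the model makes visible. First, the salt lifetime and the retention period are independent: after the salt rotates, the old hash is still in the database until the purge runs, it just can no longer be joined to new visits. Second, the salt only provides that unlinkability if it is never written to the client and old salts are really discarded; a salt persisted in the browser would be the cookie the design is trying to avoid. The last two flags also show the data-quality cost Marc asked about: with resolution dropped, two devices sharing an IP and browser collapse into one visitor ID.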