Usage of cookies, Opt-out feature, GDPR-compliance

I have some questions regarding usage of cookies, the opt-out feature, and GDPR compliance.
I would be grateful if you could help me understand how Matomo can be GDPR-compliant.

To find out how the opt-out feature works, I opted out on matomo.org. Also, on matomo-dot-org (sorry, the form software prevents me from writing more than 2 “links”), there is no cookie banner shown, so I guess it should not store cookies for the purpose of user tracking. (Or am I wrong on this?)

What I observed was the following: page visits still cause a POST request to “demo-web-dot-matomo-dot-org”, including the cookies “MATOMO_SESSID” and “piwik_ignore”. I guess the latter is to tell Matomo on the server that it should not track this request. But how can the user trust what Matomo is doing on the server? The website has already sent a lot of “tracking data” to the tracking server, identifying the user with a session ID…
I read a lot of documentation on Matomo. It mostly tells about the features, e.g. how a user can opt out. But I could not find any technical information on how this works. With the observed behavior, I doubt that it is really GDPR-compliant.

So my questions are:

  • Is there some documentation that shows how these features (mainly the opt-out process, and the cookie-consent options described here: developer.matomo.org/guides/tracking-consent) work technically? What cookies are set if the user opts out or does not opt out, and if he gives or denies consent to use cookies (when using the ‘requireCookieConsent’ feature), and for what purpose?
  • Especially: What is the MATOMO_SESSID used for, does its usage need consent from a user via cookie banner, and if so, how can it be disabled in case the user denies consent?
  • Was there any review by a lawyer who confirmed that the processes suggested to make Matomo GDPR-compliant are sufficient?

Thanks in advance

Hi,

matomo.org doesn’t use cookies for tracking (similar to when you would add _paq.push(['disableCookies']); to the tracking code), so there should be no cookies apart from the ones you mention.

The opt-out iFrame simply sets a piwik_ignore cookie on the domain of the Matomo server (not the domain of the tracked website).

This means all sites tracked by that instance are ignored, but it also means that the tracking code on your website can’t read the piwik_ignore cookie and therefore sends the tracking request anyway (containing the ignore cookie).
The Matomo server drops all requests that contain the ignore cookie and doesn’t store any data of them (you can check the source code[1]).

Now to the question of “What is MATOMO_SESSID?”. This cookie has nothing to do with tracking, but is used e.g. for storing the login in Matomo. Now you might be arguing that it should not be set if a user only visits the opt-out iframe, but that would open them up to Cross-Site Request Forgery attacks (allowing other websites to modify the opt-out status without the user noticing). Therefore it should not matter related to GDPR.

Now if you are not really satisfied with that situation, there is an alternative:

You can use the _paq.push(['optUserOut']); function to create an opt-out form as explained here:

https://developer.matomo.org/guides/tracking-javascript-guide#optional-creating-a-custom-opt-out-form

As this JS runs on your website, it will create an opt-out cookie on your site (so it only opts out for this one site), but this also means that you don’t use cookies from other domains and it should not send any tracking data if the cookie is found.

Not directly, but the only lawyer that can say this for sure is one specialized in privacy law and hired to directly look at a specific website. That said, there are some hints that the process used by Matomo might be right. Most importantly, Matomo is used by the websites of a lot of data privacy commissions of European countries. Some of them even explicitly recommend the usage of Matomo (the blog post is pre-GDPR, but still linked in some places). Also NGOs like noyb.eu that work hard on GDPR enforcement are using Matomo.


[1] Now the question is: How can you trust the server that it actually runs this software and hasn’t modified it? And the answer is: You can’t! There is no way to know what a server does with the data (not only with Matomo, but every software). That’s why privacy laws are important as they force website owners to follow privacy practices.
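The first-party opt-out described in the answer above (optUserOut / forgetUserOptOut / isUserOptedOut driven through the _paq queue), as an added example that is not code from the Matomo project or from either poster. The tracker object, the _paq stand-in and the cookie name `optout_flag` are constructed so the example runs offline; the real tracker persists the flag in a first-party cookie of its own name.

```javascript
// Constructed stand-in for the Matomo JS tracker. The opt-out flag lives in a cookie jar
// scoped to the site's own host, so the tracker can read it before sending anything
// (unlike the iframe opt-out, whose cookie sits on the Matomo server's domain).
function makeFakeTracker(cookieJar) {
  return {
    isUserOptedOut: function () { return cookieJar.optout_flag === "1"; },
    optUserOut: function () { cookieJar.optout_flag = "1"; },
    forgetUserOptOut: function () { delete cookieJar.optout_flag; },
    // Returns the request that would be sent, or null when the user has opted out.
    trackPageView: function () {
      return this.isUserOptedOut() ? null : { endpoint: "matomo.php", action: "pageview" };
    },
  };
}

// Constructed stand-in for _paq: method-name arrays call the tracker, and a pushed
// function runs with `this` bound to the tracker, mirroring the documented queue semantics.
function makePaq(tracker) {
  return {
    push: function (entry) {
      if (typeof entry[0] === "function") { return entry[0].call(tracker); }
      return tracker[entry[0]].apply(tracker, entry.slice(1));
    },
  };
}

// Label shown next to the opt-out checkbox; checked means "currently opted in".
function optOutLabel(_paq) {
  var text = "";
  _paq.push([function () {
    text = this.isUserOptedOut()
      ? "You are currently opted out. Click here to opt in."
      : "You are currently opted in. Click here to opt out.";
  }]);
  return text;
}

// Click handler logic for the checkbox: ticking it opts the user back in, unticking opts out.
function toggleOptOut(_paq, checkboxChecked) {
  _paq.push([checkboxChecked ? "forgetUserOptOut" : "optUserOut"]);
  return optOutLabel(_paq);
}

// Shows the practical difference: after a first-party opt-out the tracker itself emits
// no request, instead of sending one and relying on the server to drop it.
function demo() {
  var _paq = makePaq(makeFakeTracker({}));
  var before = _paq.push(["trackPageView"]) !== null;
  toggleOptOut(_paq, false);
  var after = _paq.push(["trackPageView"]) !== null;
  return { sentBefore: before, sentAfter: after, label: optOutLabel(_paq) };
}
```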