I have some questions regarding usage of cookies, the opt-out feature, and GDPR compliance.
I would be grateful if you could help me understand how Matomo can be GDPR-compliant.
To find out how the opt-out feature works, I opted out on matomo.org. Also, on matomo-dot-org (sorry, the form software prevents me from writing more than 2 “links”), there is no cookie banner shown, so I guess it should not store cookies for the purpose of user tracking. (Or am I wrong on this?)
What I observed was the following: page visits still cause a POST request to “demo-web-dot-matomo-dot-org”, including the cookies “MATOMO_SESSID” and “piwig_ignore”. I guess the latter is to tell Matomo on the server that it should not track this request. But how can the user trust what Matomo is doing on the server? The website has already sent a lot of “tracking data” to the tracking server, identifying the user with a session ID…
I read a lot of documentation on Matomo. It mostly tells about the features, i.e. how a user can opt out. But I could not find any technical information on how this works. With the observed behavior, I doubt that it is really GDPR-compliant.
So my questions are:
- Especially: What is the MATOMO_SESSID used for, does its usage need consent from a user via a cookie banner, and if so, how can it be disabled in case the user denies consent?
- Was there any review by a lawyer who confirmed that the processes suggested to make Matomo GDPR-compliant are sufficient?
Thanks in advance