Will Opt-Out delete persistent cookies?

nicolai_parlog · 2014-06-07 07:01:36 UTC

Hi!

I’m struggling with Piwik’s Opt-Out feature and the cookies it is placing. I was under the impression that when piwik_ignore is set, tracking stops so _pk_id… and _pk_ses… become useless and are deleted. Is this correct?
Because it is not what I observe. Not only are the two tracking cookies not deleted - they are actually recreated when I delete them manually and refresh the page even though the ignore-cookie exists.

Since I’m new to Piwik I assume, I’m doing something wrong. My guess is, it has to do with the domains. The tracked site is hosted under blog.example.org, and Piwik under piwik.example.org. Accordingly the tracking cookies are placed under the former, the ignmore cokkie unde the latter subdomain. If this is the problem, how can I fix it?

Thanks in advance and Kudos for creating such an awesome tool!
Nicolai

matthieu · 2014-06-09 00:13:07 UTC

If you have the piwik_ignore cookie, the request will still be sent over to Piwik, but it will be ignored.

(because the Piwik ignore cookie is a third party cookie. It can only be read by the piwik server)

Piwik also creates first party cookies in the javascript tracker, the cookie list is: What are the cookies created by Piwik JavaScript Tracking client? - Analytics Platform - Matomo
These cookies are still created when the piwik_ignore cookie is there, but they won’t be used.

If you want to disable all cookies, see: How do I disable all cookies for a visitor? - Analytics Platform - Matomo - See also: When cookies are disabled by a visitor, how does it impact Piwik reports accuracy? - Analytics Platform - Matomo

nicolai_parlog · 2014-06-12 13:25:14 UTC

Hi Matt,

I’m not too internet-savy so I’ll try to repeat what you said in my own words to make sure I understood.

The JS tracker code runs inside my site’s code, so it can only access cookies from that (sub)domain. It can hence not check the existence of the ingore cookie (which is placed in the Piwik server’s (sub)domain). Because of that it can not decide whether someone opted out and has to place the tracking cookies.
These cookies are then sent over to the Piwik server which also accesses the cookies filed under its own (sub)domain and has thus access to all cookies and can make the correct decision.

This sounds like it must be like this for technical reasons. But I’m sure you can see, why it is a little problematic when it comes to privacy. First, you still have all the information you need for tracking. It would probably be very easy to manipulate my local Piwik instance to forgoe the check and track someone even though she opted out.
Second, it is hard to explain to users. And if you don’t, they might stumble upon those tracking cookies and think you’re inoring that they opted out.

Can you see any way to remedy this situation? Maybe just for the case that the tracked site and the piwik server are under the same (sub)domain? If so, I would happily create a ticket.

Thanks again
Nicolai

matthieu · 2014-06-13 03:49:23 UTC

Yes you are correct. I also think this is bad practise and would like better solution. Unfortunately I cannot think of any way, to create a cookie that excludes you from ALL websites in the Piwik at once. If you or anyone has some thoughts then Im very interested