Remove completely our cookie banner

What is the need / problem ?

Thanks to Matomo, this is actually possible!!

There is a lot of confusion saying GDPR is about cookie banners, and our current implementation of the cookie banner is actually a bit based on this misconception.

So: what does the law say? Here is a translation of this page:

The management of a website or application almost always requires the use of statistics on traffic and/or performance.
Some audience measurement tracers (this includes Matomo!) may be exempted from consent.

The condition for being able to use audience measurement tracers without consent is to ensure that they are strictly necessary for the provision of an online communication service at the express request of the user, in accordance with article 82 of the French Data Protection Act.

In order to limit itself to what is strictly necessary for the provision of the service, the CNIL stresses that these tracers must:

- have a purpose strictly limited to the sole measurement of the audience of the site or application (performance measurement, detection of navigation problems, optimisation of technical performance or ergonomics, estimation of the power of the necessary servers, analysis of the content consulted), for the exclusive account of the publisher;
- not to allow the global monitoring of the navigation of the person using different applications or browsing on different websites;
- serve only to produce anonymous statistical data;
- not to lead to a cross-checking of the data with other processing operations or to the data being passed on to third parties.

However the law requires:

- users be informed of the implementation of these tracers, for example via the privacy policy of the site or the mobile application;
- the lifetime of the trackers should be limited to a period that allows a relevant comparison of audiences over time, as is the case for a 13-month period, and that it should not be automatically extended for new visits. This bit is the only one Matomo is not doing by default, but we can manually change this 13-month period.
- the information collected through these tracers should be kept for a maximum period of 25 months; all good, Matomo is keeping them for 24 months.
- the above-mentioned life and retention periods shall be periodically reviewed in order to limit them to the strict necessary.

To conclude: all our cookies currently are strictly necessary! So by default they do not require consent. As for Matomo, we just need to check the 13-month period aspect, but the rest of the criteria are already met (we don’t store IP addresses entirely). Also I’ve changed this setting:

It was disabled before, so it meant that all users asking their browser to not track them were still tracked. I hope everyone agrees that we do not wish to force anything like this on our users.

Does this mean we don’t need to be transparent about our cookies?

I don’t think so. Also our privacy policy or cookie page should still allow removing Matomo’s cookie. But these settings could enable us to design a dedicated page for this, instead of a mandatory/violent banner that forces you to accept stuff you don’t understand.

So this proposal is about removing the mandatory banner, not removing our transparency around our :cookie:

Who does it impact? What is the current impact of the problem ?

Every web surfer :slight_smile: I mean we are ALL annoyed by cookie banners. Not to mention, specifically for OFN, our cookie banner is not responsive on some old versions of Safari (we never managed to reproduce it, but we receive from time to time support requests saying they are unable to see the "accept" button). The workaround is to flip the iPad horizontally (yes, nobody thinks about it…).

It removes also the need to think about “compliance” with existing cookie extensions: [Testing] Identify which cookies extension we can support · Issue #5328 · openfoodfoundation/openfoodnetwork · GitHub

What is the benefit of focusing on this ?

Easier onboarding on the platform, better respect of personal data. Badass open source product.

2 Likes
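As an added example (not code from the original post, from OFN or from Matomo), here is the Matomo JavaScript tracker configuration the proposal above relies on: honouring the browser's Do Not Track signal and capping the visitor cookie lifetime at 13 months, with a guard that refuses any lifetime above that ceiling. `buildTrackerCommands`, `applyTo`, the 393-day figure used for "13 months" and the 30-minute session value are my assumptions; `setDoNotTrack`, `setVisitorCookieTimeout` and `setSessionCookieTimeout` are real Matomo tracker methods. It does not address the "not extended on new visits" point, which is exactly the part the post says still needs checking.

```javascript
// Added example: builds the `_paq.push` commands for a privacy-friendly Matomo
// tracker setup. Not the original post's code, nor Matomo's own.
const SECONDS_PER_DAY = 86400;
// Assumption: 13 months is taken as 393 days (33955200 seconds).
const THIRTEEN_MONTHS_DAYS = 393;
const MAX_VISITOR_COOKIE_SECONDS = THIRTEEN_MONTHS_DAYS * SECONDS_PER_DAY;
// Assumption: a 30-minute session cookie.
const SESSION_COOKIE_SECONDS = 30 * 60;

// Returns the ordered list of tracker commands. The cookie lifetime is
// validated so a misconfiguration cannot silently exceed the 13-month cap.
function buildTrackerCommands(options = {}) {
  const days = options.visitorCookieDays ?? THIRTEEN_MONTHS_DAYS;
  if (!Number.isInteger(days) || days <= 0) {
    throw new RangeError(`visitorCookieDays must be a positive integer, got ${days}`);
  }
  const visitorSeconds = days * SECONDS_PER_DAY;
  if (visitorSeconds > MAX_VISITOR_COOKIE_SECONDS) {
    throw new RangeError(`visitor cookie lifetime ${days} days exceeds the 13-month ceiling`);
  }
  return [
    // Respect users whose browser sends DNT; must come before trackPageView.
    ['setDoNotTrack', true],
    // Cap the _pk_id visitor cookie at (or below) 13 months.
    ['setVisitorCookieTimeout', visitorSeconds],
    ['setSessionCookieTimeout', SESSION_COOKIE_SECONDS],
    ['trackPageView'],
    ['enableLinkTracking'],
  ];
}

// Pushes the commands onto a `_paq`-style queue (the array Matomo's
// tracker script drains on load) and returns that queue.
function applyTo(paq, options = {}) {
  for (const command of buildTrackerCommands(options)) {
    paq.push(command);
  }
  return paq;
}

// Usage in a page: `window._paq = window._paq || []; applyTo(window._paq);`
// In this stand-alone run we use a plain array instead of window._paq.
const exampleQueue = applyTo([]);
console.log(exampleQueue);
```

`setDoNotTrack` is placed before `trackPageView` so the first page view already honours the user's DNT preference; the visitor cookie value is the one the proposal says must be reviewed periodically, so keeping it in one constant makes that review a one-line change.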

when doing user testing recently everyone (except 1 person) closed the cookie message without reading it too. Users totally get what cookies are and those that want to configure cookies tend to know how to by now.

I very much like the idea! Strongly dislike those banners…

Does this apply to France only? I saw it is a French law which you have linked in your post.

On the GDPR website regarding cookies it seems very clear that only strictly necessary cookies do not require the users’ consent:

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

  • Receive users’ consent before you use any cookies except strictly necessary cookies.

According to their definition, Matomo cookies are not strictly necessary but statistics cookies:

  • Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
  • Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
  • Statistics cookies — Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. This includes cookies from third-party analytics services as long as the cookies are for the exclusive use of the owner of the website visited.
  • Marketing cookies — These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers. These are persistent cookies and almost always of third-party provenance.

I hope I am wrong and you are right, so we can dump the banner …

@konrad it’s not French specific, it was just easier for me to access documents in French. Also what is interesting in the French version is that the high authority protecting personal data in FR (CNIL - which is the authority applying EU GDPR in FR) is giving a “how-to” on using Matomo in order to not have to display the banner :slight_smile: So it’s not my interpretation, it’s clearly explained in official documents.

So if we apply those rules, we turn our statistics cookies into strictly necessary cookies. :boom:

I’ve checked this also with the lawyer who is currently handling FR privacy policy :slight_smile:

Once this moves into inception, we can double check with other EU authorities.

2 Likes

Note: the banner can already be disabled in super admin, so the only work remaining here would be to check for the 13-month period cookie. Maybe this can be a papercut :heart_eyes:

The cookie policy link can be added manually in the footer of the platform.