What is the need / problem?
Thanks to Matomo, this is actually possible!!
There is a lot of confusion suggesting that GDPR is about cookie banners, and our current implementation of the cookie banner is actually partly based on this misconception.
So: what does the law say? Here is a translation of this page:
The management of a website or application almost always requires the use of statistics on traffic and/or performance.
Some audience measurement tracers (this includes Matomo!) may be exempted from consent.
The condition for being able to use audience measurement tracers without consent is to ensure that they are strictly necessary for the provision of an online communication service at the express request of the user, in accordance with article 82 of the French Data Protection Act.
In order to limit itself to what is strictly necessary for the provision of the service, the CNIL stresses that these tracers must:
- have a purpose strictly limited to the sole measurement of the audience of the site or application (performance measurement, detection of navigation problems, optimisation of technical performance or ergonomics, estimation of the server capacity required, analysis of the content consulted), on behalf of the publisher exclusively;
- not allow the overall tracking of a person's browsing across different applications or different websites;
- serve only to produce anonymous statistical data;
- not lead to the data being cross-referenced with other processing operations or passed on to third parties.
However, the law requires that:
- users be informed of the implementation of these tracers, for example via the privacy policy of the site or the mobile application;
- the lifetime of the trackers be limited to a period that allows a relevant comparison of audiences over time, as is the case for a 13-month period, and that it not be automatically extended on new visits. This is the only point Matomo is not doing by default, but we can manually set this 13-month period.
- the information collected through these tracers be kept for a maximum period of 25 months; all good, Matomo keeps it for 24 months.
- the above-mentioned lifetime and retention periods be periodically reviewed in order to limit them to what is strictly necessary.
To conclude: all our cookies are currently strictly necessary! So by default they do not require consent. As for Matomo, we just need to check the 13-month period aspect, but the rest of the criteria are already met (we don't store IP addresses in full). Also, I've changed this setting:
It was disabled before, which meant that all users asking their browser not to track them were still tracked. I hope everyone agrees that we do not wish to force anything like this on our users.
Does this mean we don’t need to be transparent about our cookies?
I don't think so. Also, our privacy policy or cookie page should still allow users to remove Matomo's cookie. But these settings could enable us to design a dedicated page for this, instead of a mandatory/violent banner that forces you to accept stuff you don't understand.
So this proposal is about removing the mandatory banner, not removing our transparency around our
Who does it impact? What is the current impact of the problem?
Every web surfer, I mean we are ALL annoyed by cookie banners. Not to mention that, specifically for OFN, our cookie banner is not responsive on some old versions of Safari (we never managed to reproduce it, but from time to time we receive support requests saying they are unable to see the "accept" button). The workaround is to flip the iPad horizontally (yes, nobody thinks about it…).
It also removes the need to think about "compliance" with existing cookie extensions: [Testing] Identify which cookies extension we can support · Issue #5328 · openfoodfoundation/openfoodnetwork · GitHub
What is the benefit of focusing on this?
Easier onboarding on the platform, better respect of personal data. Badass open source product.