GDPR is a new data protection regulation in Europe. GDPR stands for General Data Protection Regulation and is known in Germany as the Datenschutz-Grundverordnung (DSGVO).
The purpose of this European regulation is to strengthen and unify data protection for all individuals within the European Union. It also applies to entities outside Europe that want to do business with European citizens. GDPR is a set of processes you need to follow within your organization to protect the privacy of European citizens.
GDPR will start to apply in May 2018. It is regarded as dissuasive because of the potential penalty of up to 4% of yearly turnover in case of infringement.
Many articles have been written about GDPR, including our previous article. Few of them explain how it will affect web analytics vendors; that is what this article is about.
Am I really impacted by GDPR if I am a Matomo user?
As Matomo (Piwik) can collect personal data, the answer is yes. Matomo analytics data is impacted by the GDPR.
As GDPR is a general concept, we have used the official guidelines to work out what its potential consequences for the use of Matomo are likely to be.
There are 2 potential scenarios we can identify:
- 1 – You are collecting personal data with Matomo
- 2 – You are not collecting personal data with Matomo
1 – Personal data collection with Matomo
According to GDPR, IP addresses, cookies and User IDs are personal data.
IP addresses are personal data, so you will have to anonymize them unless you receive explicit consent from the visitor. To learn how, see the following article: How can I anonymize IP addresses in Matomo?
According to GDPR, cookies are personal data too. But not all cookies are created equal, so some may require user consent whereas others may not. Whatever the final decision, you can learn about the first-party cookies created by Matomo and how to disable all tracking cookies in Matomo.
User ID: you are impacted if the User ID you assign is specific to an individual, or if you can cross-reference the User ID with other data and trace it back to the individual's personal data.
Any extra personal data you may collect with Matomo, for example first names, family names, e-mail addresses… You are able to collect such data using custom dimensions, custom variables…
What are the rules I have to comply with?
By collecting personal data, you will have to respect EU citizens' rights, which include:
- The possibility for them to view the data you collected on them
- The possibility to rectify some data concerning them
- The possibility to delete their data when they request it
As you can imagine, for the first obligation, you will have to export all the data. So if a user requests it, you will have to export the data linked to their IP address(es). It can be easily exported as a .csv file, for example.
In order to do that, just create a segment according to the IP address of the user who requested it and then export the “Visitor log” report.
If the personal data is not linked with the IP address but with other attributes such as User ID or a custom dimension, you can provide the same data export by using the segment function and filtering on the personal data field.
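The export described above can also be scripted against Matomo's Reporting API instead of the UI. This is an added example, not code from the original article or from the Matomo project; it assumes the `Live.getLastVisitsDetails` method behind the Visitor log and the `visitIp` and `userId` segments, and the base URL, site ID, date range, IP addresses, User ID and token are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlencode


def build_segment(ips=(), user_id=None):
    """Segment matching visits from any listed IP address or the given User ID."""
    conditions = []
    for ip in ips:
        # ip_address() raises ValueError on malformed input and normalises the
        # text form, so a typo cannot silently change what gets exported.
        conditions.append(f"visitIp=={ipaddress.ip_address(ip)}")
    if user_id is not None:
        # "," (OR) and ";" (AND) are segment operators; this example refuses
        # values containing them rather than guessing at an escaping rule.
        if not user_id or any(c in user_id for c in ",;"):
            raise ValueError("unsupported User ID for a segment value")
        conditions.append(f"userId=={user_id}")
    if not conditions:
        raise ValueError("refusing to export without a subject filter")
    return ",".join(conditions)


def build_export_request(base_url, id_site, date_range, segment, token):
    """Return (url, body) for a CSV export of the Visitor log."""
    body = urlencode({
        "module": "API",
        "method": "Live.getLastVisitsDetails",
        "idSite": id_site,
        "period": "range",
        "date": date_range,      # "YYYY-MM-DD,YYYY-MM-DD"
        "format": "csv",
        "filter_limit": -1,      # no row limit
        "segment": segment,
        # Sent in the POST body so the token stays out of URLs and access logs.
        "token_auth": token,
    })
    return base_url.rstrip("/") + "/index.php", body.encode("ascii")


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, placeholder token).
    seg = build_segment(["203.0.113.7", "2001:0db8::1"], user_id="u-1842")
    url, body = build_export_request(
        "https://matomo.example.org", 1, "2018-01-01,2018-05-01",
        seg, "TOKEN_PLACEHOLDER")
    print(url, body.decode(), sep="\n")
```

POST the returned body to the returned URL with any HTTP client, and store the resulting file as you would any other document containing personal data.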
The data edit and deletion process in Matomo is a bit trickier, as it currently requires system administration skills. We are planning to develop a new plugin for GDPR compliance (which will be available for free on the Marketplace). This plugin will let you edit and easily delete the data of a particular user. Currently you can delete a specific user’s data by accessing the Matomo database and directly deleting the different records for this specific user.
2 – You are not collecting personal data with Matomo
Unfortunately, not collecting personal data does not mean that you will be unaffected by GDPR.
The details of GDPR are not confirmed yet, and in the future, together with ePrivacy, they could involve the DoNotTrack setting being enabled by default in all browsers.
Yes, you read that correctly: by default, unless the internet user unchecks this option, Matomo, which respects DoNotTrack, would not be able to track any user. If you need to collect data anyway, Matomo Log Analytics and server-side tracking can be considered.
If you need help regarding how to set up your Matomo installation in order to be GDPR compliant:
Do you have a Matomo experience you would like to share with the community? Please share it with us by contacting the Matomo core team.