How to exercise user rights in Matomo
To be compliant with GDPR, a data subject can exercise the different rights below:
- Right to be informed
- Right of access
- Right to erasure
- Right to rectification
- Right to data portability
- Right to object
- Right to withdraw consent
1 – Right to be informed
If you are processing personal data, you need to inform users at the point of the data collection with a clear privacy notice.
This privacy notice needs to include at a minimum:
- the reasons why you are processing the personal data
- for how long
- who the different parties you are going to share them with are
- a completed privacy policy page.
Learn more in our detailed article How to write a privacy notice for GDPR.
2 – Right of access
Check the identity of the data subject first
If a visitor asks you to get access to her or his personal data, you have the responsibility to check her/his identity.
In order to check her or his identity you could for example see if the email address from the request match the one registered by Matomo (in the case you are using the User ID feature to process email addresses). For this you can use the GDPR feature described below.
Note that if you anonymize the personal data, then you cannot search for a data subject as it is not a personal data anymore.
How to exercise the right of access in Matomo
A brand-new feature has been developed in order to fulfill such data subject access requests, you will find it within Administration → Privacy → GDPR tools:
Once there, based on the information provided by the data subject, you will be able to search all the data you are processing about this data subject in particular:
And get all the information associated with the data subject (visits, time of the visits, actions performed on the website, ecommerce orders etc.)
After you have verified each visit that belongs to the data subject you want to export the data for, click on “EXPORT SELECTED VISITS” to pull out the data.
This will download a file with all the necessary data which you can send the data subject by email. If you are using the User ID with an email address and you search the data subject by “User ID = email address”, make sure to only send any exported information to the same email address that you looked up the data for.
3 – Right to erasure
In order to delete information of a given user, you will have to follow this procedure:
- Click on administration (the wheel logo at the top right of Matomo’s backend)
- Click on “GDPR tools” under the Privacy category
- Search for a data subject:
- Once selected, click on DELETE SELECTED VISITS:
- Inform the data subject that you have properly deleted their personal data and ask for confirmation that they received your message.
4 – Right to rectification
If you are presented with a request to rectify the data of a data subject, we recommend you to use the right to erasure instead. If for a specific reason you really need to exercise this right and you self host your Matomo, the only way is to access the Matomo database. To do so, you will need to understand how the Matomo database is working.
5 – Right to data portability
A user has the right to ask to get a copy of their personal data. Please check first their identity as described in “2 – Right to access”.
In order to exercise the following right:
- Click on administration (the wheel logo at the top right of Matomo’s backend)
- Click on “GDPR tools” under the Privacy category
- Search for a data subject:
- Once found click on EXPORT SELECTED VISITS:
- Send the data to the data subject if you are sure about their identity and ask them to confirm that they received it.
6 – Right to object
This right applies only if you are processing based on legitimate interests lawful basis.
A user has to be able to object to the processing of their personal data. You can easily offer this feature by including our opt-out feature.
It consists of an iFrame that you can insert on a web page where users would expect to find it, most likely in your privacy policy page.
To access this feature:
- Click on administration (the wheel logo at the top right of Matomo’s backend)
- Click on “Users Opt-out” under the Privacy category
- Tweak the HTML code according to your website (learn more)
- Copy/Paste it on your website where users expect to see it (for example, the privacy policy page)
- Test that it is properly working
7 – Right to withdraw consent
This right applies only if you are processing personal data based on consent and using the Matomo consent feature.
Under GDPR, if a user gave you her/his consent, you have to provide them a way to withdraw it.
In order to remove her/his consent the user needs to perform a specific action, for example: clicking on a button « I do not want to be tracked anymore ».
Learn more about how to setup the Matomo consent feature. You can also click on Administration (the wheel logo at the top right of Matomo’s backend), and then click on “Asking for consent” under the Privacy section.