Privacy Implications of Custom Dimensions
While Custom Dimensions do not inherently contain personal data, it is very easy to configure dimensions that do. For this reason, you should take some time to consider the privacy implications of any dimension that you decide to track.
With the Visit scope especially, it is easy to associate personal data with actions that people take on your site. For example, you might collect someone’s job role or the company they work for in a dimension. However, if you have not given explicit warning that this personal data is being collected for analytics purposes then your usage may not be compliant with international privacy regulations.
While some information may not seem like it could identify a user at first glance, when combined with other information it could become quite revealing. For example, if you are tracking both Job Role and Company dimensions on the Visit scope and only one person holds that role in the company, it will be pretty obvious who your analytics are referencing even if you don’t have their name.
Or if you collect User Type associated with the Visit scope but you only have one customer of a specific product, again, it will be pretty clear who that user is even without a User ID.
There is nothing wrong with collecting this personal data, however, you will typically need to seek consent from the user and document the fact it is being done within your privacy policy. You can review Matomo’s privacy documentation for more information on managing your website’s data collection practices.