[nagbava]

About data protection and GDPR, a good thing with Matomo is that, if configured properly, it can be used without requiring to collect the user's consent (since Matomo doesn't use the data for its own purpose). Of course there are less information collected but at least you don't have to display a form as soon as a user enters your website.

The French data protection authority issued a piece of code (JS) which must be used to avoid collecting the user's consent. I don't know about other data protection authorities in the EU but it shouldn't be much different.

[iamacyborg]

> it can be used without requiring to collect the user's consent (since Matomo doesn't use the data for its own purpose)

This is not how the GDPR works. If you are collecting personal data, or if you are dropping analytics cookies on someone's device, you need consent. No ifs or buts.

[nagbava]

You should apply to the CNIL since you seem to know GDPR better than they do. (https://www.cnil.fr/fr/cookies-solutions-pour-les-outils-de-...)

I never said no personal data were collected but, if configure properly, the processing of data falls within the legitimate interest basis.

[iamacyborg]

I believe that page may be out of date, or they've updated their github repo prematurely.

https://github.com/LINCnil/Guide-RGPD-du-developpeur/commit/...

/edit Ignore me. I appear to have misunderstood the changes when I last read this. Sorry

[nagbava]

It is true that an opt-out system must be installed on the website (Matomo gives that piece of code) but - as noted on the github link you posted - that very is different from an opt-in system (which is the standard GDPR requirement).

[lmkg]

GDPR does not require consent. If you use consent, then it must be freely-given, but can often use a different legal basis when processing personal data.

The ePrivacy Directive requires consent for reading or writing from a terminal device. This includes anything with cookies, even if they're not personal data. While the ePD refers to GDPR for its definition of consent, it is a separate piece of legislation and many things that are true about GDPR are not true about ePD (such as being able to invoke Legitimate Interest instead of consent).

[nagbava]

Sure, but when it comes to cookies, consent is almost always required on the GDPR basis (other legal basis are rarely working).

You're right to point to e-privacy, to which consent is central. But the latest draft of its new version states that (art.8): 1.The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: [...] (d)it is necessary for audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or by a third party, or by third parties jointly,on behalf of theone or more providersof the information society service provided that conditions laid down in Article 28, or where applicable Article 26,of Regulation (EU) 2016/679 are met

So Matomo can still do without the user consent (from what I understand, the relation between GDPR and e-privacy is no easy business).

[lmkg]

> when it comes to cookies, consent is almost always required

We are in agreement. It seems I wasn't clear enough in my original post, but this is my overall point. GDPR doesn't require consent, but consent is required because of ePD.

> latest draft of its new version

> So Matomo can still do without the user consent

The new draft is not law yet. It's been 6 months away from passing for several years now. In the meantime, fines are still being issued under the existing law. Google got fined a hundred million euro last month in France, and that fine was very specifically ePD and not GDPR for a variety fo reasons.

[iamacyborg]

> So Matomo can still do without the user consent (from what I understand, the relation between GDPR and e-privacy is no easy business).

It also depends on the jurisdiction. For example the ICO has been clear that using a cookie based analytics tool requires a GDPR level of consent, without exceptions.

[arp242]

This is not how the GDPR works. It lays out several legal basis for the collection of personal information, of which consent is one. There are others as well.

I'd have to re-read it to be sure about analytics cookies, but I don't think it says a whole lot about that off-hand. This the the ePrivacy directive.