matomo
[GDPR issue / feature request] CNIL configuration guide for Matomo is not enough for consent exemption, and Matomo does not currently offer palliative options
Direct exchanges with CNIL revealed this morning that the usage of UTMs "cancels" consent exemptions. Therefore it is a very French topic. This is huge news, as customers' number one criterion for choosing a web analytics tool in France is consent exemptions. I am currently searching for a solution or asking for features that would help to submit to consent campaign parameters only (just as Piano Analytics does with a "hybrid" consent mode). Note that this point is not directly mentioned within CNIL configuration guide for Matomo (and I am very sorry that all relevant links are in French).
Summary
Workaround ideas :
- send (or don't send) utm parameters within URL (through custom URL) based on consent, cannot change after the hit is sent, add a layer of complexity to tagging, which is not welcome. Would also "pollute" organic data with paid data.
- completely disable UTM tracking, store UTMs within visit-level dimensions if consent is granted and create custom reports. The UTMs can be given after the first pageview of the visit based on another session cookie if the consent changes but exploiting data will be hard as custom reports are limited to 3 dimensions.
Feature requests :
Add require consent option for specific functionalities instead of all tracking (`_paq.push(['requireCookieConsent']);`, can also be set within tag manager configuration variable if I am not mistaken) :
- require consent for Heatmaps ;
- require consent for Session recordings ;
- require consent for Heatmaps + Session recordings ;
- require consent for UTM (UTMs need to be stored within a cookie for it to be interpreted after the first pageview if consent is given later). The exact behaviour when the user denies consent or does not give it still needs to be debated : will the visit be counted as "not set" campaign, direct traffic or something else ?
- require consent for YouTube video tracking, eventually make YouTube video impression only not based on YouTube API so the YouTube cookie will not be set if the user does not click on the video
- require consent for e-commerce tracking
Of course, consent has to be given through a simple piece of code just as `_paq.push(['setConsentGivenHeatmaps']);` for example. Whether remembering consent should stay global or be parameterizable per functionality needs its own debate.
Also, having a way to know how many visits consented to these features or not (like Piano Analytics does) would be nice.
Your Environment
- Matomo Version: Cloud, mostly.
- PHP Version:
- Server Operating System:
- Additionally installed plugins: Default plugins of the Cloud version.
Thanks @SW-Vincent for raising this topic. I guess @tsteur or @Chardonneaur might be most familiar to discuss this topic.
I tested it @sgiehl and it appears that we cannot exclude utm parameters from the Matomo UI.
Hi,
I've had another workaround idea from Matomo support.
An example of how this could work:
- A visitor arrives on your site using this campaign link: https://example.com/?utm_source=google
- The visitor has not yet granted consent, so you delay tracking the page view until they have either given or rejected consent
- If they reject consent, you could use custom JavaScript to remove mtm_* and utm_* URL parameters prior to tracking a page view in Matomo. The code might look similar to this (not thoroughly tested)...

```javascript
var currentUrl = window.location.href;
// Define the list of wildcard indicators
var wildcardIndicators = ["mtm_", "utm_"];
// Remove parameters with wildcard indicators, keeping the leading "?" or "&"
// so that any parameters that follow stay attached to the query string
wildcardIndicators.forEach(function (indicator) {
  var regex = new RegExp("([?&])" + indicator + "[^&#]*", "g");
  currentUrl = currentUrl.replace(regex, "$1");
});
// Tidy up the separators left behind: "&&" -> "&", "?&" -> "?", and a trailing "?" or "&"
currentUrl = currentUrl.replace(/&{2,}/g, "&").replace(/\?&/, "?").replace(/[?&](?=#|$)/, "");
// Use Matomo tracking code with the modified URL
_paq.push(["setCustomUrl", currentUrl]);
_paq.push(["trackPageView"]);
```
It looks like it is the best workaround so far, as it is fairly easy to set up and doesn't make data much harder to access like my second workaround idea would. It could be edited to send anonymised UTMs rather than no UTMs at all in order not to flood organic sources with paid data for visits that did not consent. There are still issues with this workaround : if consent is neither granted nor declined, the pageview is not sent. The behaviour when consent is given at second pageview or later is not optimal either.
At this point, it looks like Matomo needs new features for control over consent as mentioned in the original post. Luckily, some other tools can serve as an example, for example Piano Analytics and Google Consent Mode, that will :
- have a hybrid consent (granular consent rather than binary consent) ;
- can change the tag behaviour after the hit is sent, by sending "consent-updates"
If that may help, here are, in my opinion, a few specifications
- it is strictly necessary to avoid flooding organic data with paid data for users that did not consent. Therefore, visits with UTMs that did not consent need to be attributed to campaign source anyway.
- the first session hit can be sent before consent information is sent and therefore it is visit-level data, that will be stored or not based on the value of consent at the last action of the visit. Note that consent updates are not hits but do have to update the value of consent like a non-interactional event would
- (optional) being able to combine the existence of utm and referrer into pseudo sources like "anonymised paid search" would be a plus, but it would require a discussion with CNIL.
- Just like for Piano Analytics, it would be nice to know the proportion of users that consented. Maybe a consent-report would be a great thing.
Additionally, it is quite common for customers to want to track the consent of other platforms within Matomo, which is consent-exempted. It would be nice, if a consent report is created, to have a table for Matomo features consent and a table for external consent.
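The workaround discussed in the comment above, written as a consent-gated helper. This is an added example, not code from the thread or from Matomo: `campaignSafeUrl`, `queuePageView` and the `consent-not-given` placeholder value are hypothetical names, and whether a placeholder campaign is acceptable under the exemption is the open question the comment says would need a discussion with CNIL.

```javascript
// Added example. Only setCustomUrl and trackPageView come from the thread;
// every other name here is hypothetical.
var CAMPAIGN_PREFIXES = ["mtm_", "utm_"];
var PLACEHOLDER = "consent-not-given"; // constructed value, not a Matomo constant

// Returns the URL to report for a consent state of "granted", "denied" or "pending".
// With keepPlaceholder, a stripped campaign visit still carries one generic
// campaign parameter, so it is not counted as organic traffic.
function campaignSafeUrl(href, consent, keepPlaceholder) {
  if (consent === "granted") return href;
  var url = new URL(href);
  var hadCampaign = false;
  // Snapshot the keys first: deleting while iterating searchParams skips entries.
  Array.from(url.searchParams.keys()).forEach(function (name) {
    var lower = name.toLowerCase(); // also strip UTM_Source, Utm_medium, ...
    if (CAMPAIGN_PREFIXES.some(function (p) { return lower.indexOf(p) === 0; })) {
      url.searchParams.delete(name);
      hadCampaign = true;
    }
  });
  if (hadCampaign && keepPlaceholder) {
    url.searchParams.set("mtm_campaign", PLACEHOLDER);
  }
  return url.toString(); // other parameters and the #fragment are preserved
}

// Queues the page view on a _paq-style array. While consent is pending nothing
// is sent, which is the limitation of this workaround noted in the comment.
function queuePageView(paq, href, consent, keepPlaceholder) {
  if (consent === "pending") return false;
  paq.push(["setCustomUrl", campaignSafeUrl(href, consent, keepPlaceholder)]);
  paq.push(["trackPageView"]);
  return true;
}

// Browser usage; the consent state would come from the site's consent banner.
if (typeof window !== "undefined") {
  window._paq = window._paq || [];
  queuePageView(window._paq, window.location.href, "denied", true);
}
```
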
@caddoo @ronak-innocraft one consideration for our implementation of the feature consents:
it is strictly necessary to avoid flooding organic data with paid data for users that did not consent. Therefore, visits with UTMs that did not consent needs to be attributed to campaign source anyway.
With our phase 1 approach, I don't think we would be able to do this, as we simply discard the campaign params. Perhaps for phase 2 or 3 we could consider whether we can send/track replacement anonymised information that the visit/action was for a campaign (just not the details). Just a thought.
Since Matomo can detect parameters like GCLID, indicating when hovering visits in visit log things like "This visit came from Google with a click ID", wouldn't it be possible to do the same with "This visit came from XXX with a campaign parameter" ?
This would also be the perfect chance to consider these visits (visits with click IDs for instance are already identified within Matomo, but again if this is possible for click IDs it is possible for UTMs and other parameters) as campaign visits ?
As far as I know, it can identify that because it has the data. If we remove the campaign parameters before the tracking request is sent (when user doesn't give consent for campaign tracking), we won't have that data and can't display that information.
Yet, if I am not mistaken, visits with a gclid parameter will count as a visit with a gclid parameter without displaying the gclid parameter within page reports.
What I am certain of is that I have a few examples of Matomo accounts where the gclid parameter is explicitly set as excluded, and yet I can see sessions with a gclid parameter within visit log while the gclid parameter is ignored within page reports.
Yes, because the parameter gets to Matomo with the URL even if it's then not counted. The approach we're taking with the campaign params is that those won't even be sent to Matomo unless consent is given.
Is there a reason it won't be sent to Matomo at all ?
While campaign parameters are defined within the first pageview hit of the visit, the consent itself will likely be given afterwards (at best during the first page view but after the pageview hit, eventually on another page of the visit).
Traffic source is a visit level dimension that has the specificity of being defined based on the first page of the visit (because of either campaign parameters or referrer), but since its scope is the whole session, it has to rely on the last consent value of the session, just as any visit-level custom dimension would.
@michalkleiner @sgiehl I am not sure, any reasons why this ticket gets closed?
I guess because our internal issue was resolved. Matomo 5.1.0 will include a new tracker method to disable processing / forwarding of campaign parameters. In addition our guides / faqs will be updated afaik. @caddoo might be able to say more.
Yes that's correct @sgiehl, there will be some guides / faqs soon
@caddoo Could you post the link to the FAQ here for completeness?
Good catch, the FAQ was just updated to show we support preventing tracking of campaign parameters: https://matomo.org/faq/how-to/how-do-i-configure-matomo-without-tracking-consent-for-french-visitors-cnil-exemption/
The developer docs are here:
https://developer.matomo.org/api-reference/tracking-javascript
(search for `disableCampaignParameters`)