Cookie-less tracking sounds like an attractive way to keep a good user experience on your website while still gathering valuable usage data. Matomo offers such a feature, and from a technical point of view it is simply a matter of adding one line to the Matomo tracking script. Oddly enough, that line causes Matomo to set a cookie in order to prevent the use of cookies on your website.
Wait, what? Matomo sets cookies to prevent tracking?
Yes, it does. This is a good example that not all cookies are the same, and that by no means all cookies should be viewed as data-collecting tracking monsters. Matomo sets a cookie called _pk_testcookie whose only purpose is to record whether the browser already blocks cookies in its settings. It is also a pure session cookie that is deleted when the browser is closed.
Again: not all cookies are data-gathering tracking monsters, and cookies are not the only thing that collects data (more on that below). Since session cookies that store no further data do not pose a problem under data protection law, you can safely ignore this cookie.
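As an added illustration (not code from the original article or from Matomo itself), the cookie-less snippet is shown below as the command queue the Matomo snippet pushes into window._paq, together with a small audit helper that catches the two ways the consent-free setup is silently undone: disableCookies missing or placed after trackPageView, and User ID or e-commerce commands that link hits to customer data. The tracker commands (disableCookies, trackPageView, enableLinkTracking, setTrackerUrl, setSiteId, setUserId and the e-commerce calls) are Matomo's real JavaScript tracker API; the helper functions, the host name analytics.example.com and the site ID are assumptions for the example.

```javascript
// Added example, not Matomo's own code. The _paq commands are Matomo's real
// tracker API; the helper functions, host name and site ID are assumptions.

// Build the command queue that the Matomo snippet pushes into window._paq
// before matomo.js loads. With cookieless=true the single extra line is
// ['disableCookies'], which Matomo documents as belonging before trackPageView.
function buildMatomoQueue({ matomoUrl, siteId, cookieless }) {
  const queue = [];
  if (cookieless) {
    queue.push(['disableCookies']); // the one line this article is about
  }
  queue.push(['trackPageView']);
  queue.push(['enableLinkTracking']);
  queue.push(['setTrackerUrl', matomoUrl + '/matomo.php']);
  queue.push(['setSiteId', String(siteId)]);
  return queue;
}

// Matomo tracker commands that tie hits to customer data (User ID and
// e-commerce functions). The consent-free case discussed in the article no
// longer holds once these are used, so the audit flags them.
const PERSONAL_DATA_COMMANDS = new Set([
  'setUserId',
  'setEcommerceView',
  'addEcommerceItem',
  'trackEcommerceOrder',
  'trackEcommerceCartUpdate',
]);

// Check a queue for the mistakes that reintroduce tracking cookies or
// personal data. Returns { ok, findings }.
function auditCookielessQueue(queue) {
  const findings = [];
  const names = queue.map((cmd) => cmd[0]);
  const disableAt = names.indexOf('disableCookies');
  const pageViewAt = names.indexOf('trackPageView');

  if (disableAt === -1) {
    findings.push('disableCookies missing: Matomo will set _pk_id and _pk_ses cookies');
  } else if (pageViewAt !== -1 && disableAt > pageViewAt) {
    findings.push('disableCookies comes after trackPageView: move it before the first tracking call');
  }
  for (const name of names) {
    if (PERSONAL_DATA_COMMANDS.has(name)) {
      findings.push(name + ' links hits to customer data; cookie-less operation alone is not consent-free here');
    }
  }
  return { ok: findings.length === 0, findings };
}

// Render the queue as the snippet you would paste into the page's <head>.
function renderSnippet(queue, matomoUrl) {
  const lines = queue.map((cmd) => '  _paq.push(' + JSON.stringify(cmd) + ');');
  return [
    '<script>',
    '  var _paq = window._paq = window._paq || [];',
    ...lines,
    '  (function () {',
    '    var d = document, g = d.createElement("script"), s = d.getElementsByTagName("script")[0];',
    '    g.async = true; g.src = "' + matomoUrl + '/matomo.js"; s.parentNode.insertBefore(g, s);',
    '  })();',
    '</script>',
  ].join('\n');
}

// Usage with assumed values.
const cookielessQueue = buildMatomoQueue({ matomoUrl: '//analytics.example.com', siteId: 1, cookieless: true });
console.log(renderSnippet(cookielessQueue, '//analytics.example.com'));
console.log(auditCookielessQueue(cookielessQueue));
```

Run the audit against the queue your page actually builds, not just the template: a later setUserId pushed by a login handler is exactly the kind of addition that turns the cookie-less setup back into personal-data processing.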
Is Cookie-less tracking a good idea?
So if you run Matomo without cookies and have no other cookies on the website, you don't need a cookie banner, right? The short answer is yes: since June 2020 and Matomo version 3.13.6, you can do without it.
The legal background of a cookie-less Matomo installation
In its much-discussed judgment of October 1, 2019, the ECJ ruled that active, explicit consent must be obtained for every cookie that is not required for the operation of a website, and that this consent must be obtained BEFORE the cookie in question is set. A terse cookie banner that merely informs users that cookies are being set and treats continued use of the website as consent is not sufficient. The BGH confirmed this decision for Germany on May 28, 2020.
Most interpretations of these judgments also include tracking cookies, i.e. also the cookies set by Matomo, in this obligation to give consent.
However, whether consent is needed for tracking cookies depends on the type of cookie; above all, a distinction is made between first-party and third-party cookies.
So far, the data protection authority in Baden-Württemberg, for example, has come to the conclusion that a self-hosted (!) analytics service (Matomo is explicitly mentioned as an example), which sends no data to third parties and collects only anonymous or pseudonymized user data, does not require the user's consent. The prerequisite, however, is that Matomo is operated with "data protection-friendly default settings".
Now you could argue about how "privacy-friendly default settings" are defined, and, with recourse to the ECJ ruling, about which cookies are necessary for the operation of a website. Is it "necessary" to analyze visitor behavior on your own website in order to optimize it based on that data? In case of doubt, this question will still occupy a court or two before there is a generally accepted assessment.
Anonymizing IP addresses during tracking is basically a must. As seen above, the use of tracking cookies can also be deactivated in Matomo. And since Matomo version 3.13.6 of June 5, 2020, this setup can finally be considered particularly data protection-friendly, because Matomo has now also anonymized its fallback method, device fingerprinting, and limited it in time. As a result, the fingerprint cannot be used to track individual users across multiple websites or over time.
What is device fingerprinting?
From a data protection point of view, the EU's Article 29 Working Party (WP29), in its Opinion 9/2014 on device fingerprinting, treats fingerprinting and tracking cookies the same way:
Device fingerprinting presents serious data protection concerns for individuals. For example, a number of online services have proposed device fingerprinting as an alternative to HTTP cookies for the purpose of providing analytics or for tracking without the need for consent under Article 5(3). This demonstrates that the risks presented by device fingerprinting are not theoretical and research has shown that device fingerprinting is already being exploited. In this Opinion, the Article 29 Working Party (WP29) addresses the topic of device fingerprinting and the applicability of Article 5(3) of the ePrivacy Directive 2002/58/EC, as amended by Directive 2009/136/EC, without prejudice to the provisions of the Data Protection Directive 95/46/EC. The key message of this Opinion is that Article 5(3) of the ePrivacy Directive is applicable to device fingerprinting. This Opinion expands upon the earlier Opinion 04/2012 on Cookie Consent Exemption and indicates to third-parties who process device fingerprints which are generated through the gaining of access to or the storing of information on the user's terminal device that they may only do so with the valid consent of the user (unless an exemption applies).
However, Matomo has now configured its fingerprinting mechanisms in such a way that the data is anonymized and also changed randomly every 24 hours.
So do I need a cookie banner even without cookies?
The term "cookie banner" can be a bit misleading. If you only look at (non-functional) cookies, it is clear: no cookies, no banner. However, the topic of device fingerprinting shows that there are also technical methods apart from cookies for which consent, and thus a "cookie" banner, or rather a consent banner, may be required. According to Matomo's own assessment, that no longer applies to Matomo: with the change implemented in version 3.13.6, a consent banner is no longer necessary for cookie-free operation of Matomo.
What about Server-side tracking?
Server-side tracking is often presented as an alternative that overcomes the problems of cookie-based tracking. Keep in mind, however, that moving the tracking to the server changes nothing about the consent question: you still have to ask users for consent if you use methods like device fingerprinting without anonymizing the data in line with the GDPR.
Cookie-less Matomo from an analytics perspective
One question remains: How does cookie-less tracking affect the analytics data? What you often notice when switching to cookie-less tracking is a decrease in repeat visits. This is not surprising, because without cookies it is much more difficult for Matomo to recognize whether a user has been to the site before. As Matomo itself explains, this is still possible in some cases using the IP address or other identifiers, but the information is much less precise.
Other data tied to the recognition of recurring visits is also unavailable with cookie-less tracking, such as the days since the last visit or the number of visits before a conversion in conversion tracking.
In addition, the greatest inaccuracies appear in the attribution of traffic sources to conversion goals or sales. If you use Matomo for conversion statistics, for example to determine whether a newsletter encourages recipients to buy a product or to take another action defined as a conversion/goal, not using cookies can lead to false results. If the purchase does not happen in direct connection with clicking the newsletter link but, for example, a few hours later after manually entering the URL again, Matomo can no longer determine without cookies that the visitor had previously arrived via the newsletter, which may have been the trigger for the purchase.
Away with the banner?
Operating Matomo cookie-free after the latest privacy adjustments is therefore a very practical solution for tracking, as long as you do not rely on very precise analytics data or use Matomo's e-commerce or User ID functions, which link hits to customer data and are therefore classified as personal data. Simply deactivate cookies and get rid of the annoying cookie banner. Your users will love it. Get in touch with us and learn how to configure a cookie-less and consent-free tracking solution.