I found a previous post here [forum.piwik.org] on that subject, however it looks like it is more a hack than a standard feature.
Let me first explain the context.
It is quite clear now that the recent changes in the Telecom package at the EU level require a clear consent from the user each time we want to set a cookie which is not necessary for providing the service. Obviously everything is in how the "necessary for providing the service" is understood! And unfortunately it was understood differently by the Member States.
As said in the above mentioned post, the Data protection authority in the UK has a narrow view where cookies for statistics purpose are not allowed without the user consent. As a live example, check out the http://www.ico.gov.uk/ . It first displays a top banner asking for allowing cookies and only sets GA's cookies if you acknowledge by checking the button.
In France, the French authority is following the ICO in her recent http://www.cnil.fr/la-cnil/actu-cnil/article/article/ce-que-le-paquet-telecom-change-pour-les-cookies/ while at the same time the French law is not as restrictive!
I think that Piwik is already doing great for privacy but it's time to go ahead and address the cookie issue either by providing:
- a simple way for asking for the user consent before sending the cookies, that is to say an opt-in (like what is actually done for the opt-out or do-not-track);
- or a way to get the statistics done without sending any cookie.
Are those features already in Piwik or are they new features that we should add?
This is not available but could be built as a third party plugin.
I won't feel comfortable adding it to Core because this is not an acceptable solution. Piwik data stays on each company's server and therefore Piwik is NOT an issue privacy wise. This is not the case with other tools because users are tracked across websites to the same server (eg. google analytics).
From the EU and some data protection authorities including the ICO, CNIL, and for sure others, the "privacy paradigm" about cookies has shifted. For those organizations even primary cookies are no longer welcome on the user computer unless the user has given an explicit consent or the cookies are strictly necessary to provide the service. In the narrow view, examples of those cookies are "session cookies" for e-commerce.
In this paradigm shift the criteria of the data processed by the website owner is simply not adequate. The question now concerns the collection of those data. If data are collected about the user, and statistics are such collected data, then the user must be informed and give his/her consent otherwise in some jurisdictions we won't be compliant anymore. Please read this statement from the ICO http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf .
Hence, what's up now? For the time being and unless some technical solutions find their way in software like Piwik (and I strongly hope they will) we have the solution of staying unlawful, that is to say, staying doing statistics with cookies without the user consent or stop doing statistics at all, that is to say, stop using Piwik because from a legal point of view, in some jurisdictions, it's (too) risky!
So here comes the challenge, implementing an "opt-in" with the risk that users never give their consent which will lead to wrong statistics and the ICO clearly said that they already experience this or finding another way to make the statistics! I would love to help in this area unfortunately my knowledge of how things are done under the hood is not enough so I and obviously many others rely on you for staying compliant.
Thanks for reading, best,
Edited 1 time(s). Last edit at 11/07/2011 08:49AM by CILz.
The Future of Privacy Forum has issued a small article about the CNIL (the French data protection authority) and its recent guidance on cookies: http://www.futureofprivacy.org/2011/11/09/french-dpa-issues-guidance-for-cookie-disclosures-specific-consents-required-for-specific-cookie-functions/ .
In a statement jointly issued 3 days ago by EU-Justice Commissioner Viviane Reding and German Consumer Protection Minister Ilse Aigner about the upcoming revision of the EU Data protection directive you can read «[...] we believe that consumers must be more empowered than they are today. Users should be in control of their data. This is why in our view, EU law should require that consumers give their explicit consent before their data are used.». Find the full statement here: http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/762&format=HTML&aged=0&language=EN&guiLanguage=en .
This gives you an overview of the trends in the upcoming EU data protection regulation.
Sounds interesting, but I think piwik belongs to the case of "necessary data collection". Analytics is 100% part of the website software stack and is necessary. Especially when data is collected by the website only. This is NOT the same when google or other companies gather data about millions of people and can correlate across several websites.
Piwik web analytics is required for the website to work, if users want to opt out, the only way would be to use "No script" extension in FF for example. Of course we highly recommend all piwik users to anonymize the IP.
I understand that those trends in privacy protection are «hard» to understand from a developer point of view. However this is the reality and what I previously called a «paradigm shift»!
If you have some spare time, please read this statement found in a document issued by the ICO:
«This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website. »
The full document is here http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf
Hence, the question now is not if the statistics are done by Google or by the website owner with Piwik, it's all about the data collection about the users. You have to change your mind and take the user point of view, not only the website owner one! I know that statistics are necessary for some economic models however for the user, statistics are not necessary at all to view a page and browse a website. Hence I think you're wrong saying «Analytics is 100% part of the website software stack and is necessary». Technically speaking statistics are not required to deliver the service. If I shut off Piwik on one of my blogs, users are still able to access it, read it or comment on it! However, I, as the website owner, will be blind and if I'm using ads I won't be able to justify the price anymore! Yes I know that.
Indeed I would prefer to make a new option in piwik to fully disable all tracking cookies, enabled by the super user. Having users opt-in to analytics is wrong in many ways. It should be the webmaster choice to set cookies or not, Piwik would rely on IP + heuristics to detect unique visitors and would still work OK. Some reports however would not be set correctly, and some data will be more inaccurate (attribution to keywords used in a past visit that are saved in cookie only).
So, we could make a "Piwik no cookies option" in the settings maybe? This would require a change in the piwik.js disableCookies() for example, and it could also disable Piwik reports that won't work?
Your last proposal sounds like a very good step forward in line with what Piwik has done to be privacy friendly so far! I fully agree with that new option to give the webmaster the ability to disable all tracking cookies if he/she needs to be compliant with his/her local regulation or if he/she is a privacy advocate.
It will always remain the webmaster's decision to be compliant or not. That said, as an analytics tool with privacy in mind, Piwik must give him/her the choice as simply as possible.
And yes, we must make the webmaster aware that if he/she decides to remove all tracking cookies, some reports won't be available anymore because they won't be accurate. However having fewer accurate reports is far better than no reports at all!
From my experience with Piwik, this new option could sit well in the «Privacy» tab on top of the list. And this new option is still consistent with the opt-out, because even if there is no tracking cookie there are statistics which collect data about the user, so he/she can still want not to be followed. And yes, so far, it's fully legal to set a cookie to remember the user's privacy choice.
To my knowledge, Piwik will be the first analytics tool with as many options to protect privacy and the first one to give the webmaster the ability to be compliant with the EU cookies regulation right out of the box!
I think it's great that a ticket for a "disable cookies" option has been created (and planned for 1.8) but looking at the ticket it only talks about removing existing cookies and hiding reports that rely on cookies.
What feels as if it's missing is the implementation of non-cookie based alternative way of "tracking" visitors. Matt mentioned "IP" and "heuristics", but it would be better if Piwik had the option to make use of a browser footprint (rather than cookies or just IP address).
The Panopticlick project from the EFF is a useful example of this.
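
The choices discussed in this thread (opt-out or Do-Not-Track, opt-in consent, and a webmaster-level "no cookies" setting) can be combined into one decision made before any tracking cookie is set. The sketch below is an added example, not part of the original posts and not Piwik code; the cookie name `analytics_consent`, the policy names and the mode strings are all hypothetical, and treating "no consent yet" as cookieless measurement is an assumption the site operator can change.

```javascript
// Added example. All names here are hypothetical, not Piwik's.
const CONSENT_COOKIE = 'analytics_consent'; // stores "granted" or "refused"

// Parse a Cookie header (or a document.cookie string) into a plain object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                      // fragment without a value
    const name = part.slice(0, eq).trim();
    if (!name) continue;                       // nameless fragment
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    jar[name] = value;
  }
  return jar;
}

// Decide how this visit may be measured.
//   policy 'opt-in'     : tracking cookies only after explicit consent
//   policy 'opt-out'    : tracking cookies unless the visitor refused
//   policy 'no-cookies' : the webmaster disabled tracking cookies entirely
//   unconsented         : what to do under 'opt-in' before any choice is made
// Returns 'off' (no measurement), 'cookieless' or 'cookies'.
function trackingMode({ cookieHeader, dnt, policy, unconsented = 'cookieless' }) {
  const choice = parseCookies(cookieHeader)[CONSENT_COOKIE];
  // A refusal or a Do-Not-Track signal always wins over the site policy.
  if (dnt === '1' || choice === 'refused') return 'off';
  if (policy === 'no-cookies') return 'cookieless';
  if (policy === 'opt-in') return choice === 'granted' ? 'cookies' : unconsented;
  return 'cookies';
}

// Build the cookie that remembers the visitor's choice (not a tracking cookie).
function consentCookie(choice, maxAgeDays = 180) {
  if (choice !== 'granted' && choice !== 'refused') {
    throw new Error('choice must be "granted" or "refused"');
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAgeDays * 86400}; ` +
         'Path=/; SameSite=Lax; Secure';
}
```

The page template would load the tracker with cookies only when `trackingMode` returns `'cookies'`, and skip it entirely on `'off'`.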