Recherche avancée

Sur d’autres sites (3062)

• How should I write my privacy notice for Matomo Analytics under GDPR ?

  24 avril 2018, par InnoCraft

  Important note : this blog post has been written by digital analysts, not lawyers. The purpose of this article is to show you an example of a privacy notice for Matomo under GDPR. This work comes from our interpretation of the UK privacy commission : ICO. It cannot be considered as professional legal advice. So as GDPR, this information is subject to change. We strongly advise you to have a look at the different privacy authorities in order to have up to date information.

  A basic rule of thumb is that if you are not processing personal data, then you do not need to show any privacy notice. But if you are doing so, such as processing full IP addresses, then a privacy notice is required at the time of the data collection. Please note that personal data may also be hidden, for example, in page titles or page URLs.

  In this blog post, we will define what a privacy notice is according to GDPR and how to write it if you are using Matomo and you are processing personal data.

  What is a privacy notice under GDPR ?

  One of the most important rights that a data subject has under GDPR, is the right to be informed about the collection and use of their personal data.

  Here is what ICO is saying about the privacy notice :

  “You must provide individuals with information including : your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.”

  “When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.”

  Note that a privacy notice is different from a privacy policy.

  The privacy notice has to include :

  • the reasons why you are processing the personal data
  • for how long
  • who the different parties you are going to share them with are

  So whatever lawful basis you are using (explicit consent or legitimate interest), you need to have a privacy notice if you collect personal data.

  What does this privacy notice look like ?

  ICO is providing best practices in order to display the information :

  • a layered approach
  • dashboards
  • just-in-time notices
  • icons
  • mobile and smart device functionalities

  Once more, it really depends on the data you are processing with Matomo. If you wish to track personal data on the entire website, you will probably have an upper or footer privacy notice such as :

  

  If you wish to process specific data, you could also insert just-in-time notices such as :

  

  What is the information you need to disclose to the final user ?

  To us, there are two things to distinguish between the privacy notice and the privacy policy.

  According to ICO, the privacy notice needs to include the 3 following elements :

  • the reasons why you are processing the personal data
  • for how long
  • who are the different parties you are going to share them with

  But you also need to inform them about :

  • The name and contact details of your organisation.
  • The name and contact details of your representative (if applicable).
  • The contact details of your data protection officer (if applicable).
  • The purposes of the processing.
  • The lawful basis for the processing.
  • The legitimate interests for the processing (if applicable).
  • The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
  • The recipients or categories of recipients of the personal data.
  • The details of transfers of the personal data to any third countries or international organisations (if applicable).
  • The retention periods for the personal data.
  • The rights available to individuals in respect of the processing.
  • The right to withdraw consent (if applicable).
  • The right to lodge a complaint with a supervisory authority.
  • The source of the personal data (if the personal data is not obtained from the individual it relates to).
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
  • The details of the existence of automated decision-making, including profiling (if applicable).

  Pretty long, don’t you think ? In order to reduce it, you can either adopt a layered approach where your “pop-up” window will act as a drop down menu. Or from what we understood, page 5 of this document provided by ICO, a privacy notice can link to a more detailed document, such as a privacy policy page.

  Examples

  Let’s take the example of a website which tracks the non-anonymised full IP address, and using User ID functionality to keep track of logged-in users. Under GDPR, the owner of the website will have to choose either to process personal data based on “Legitimate interests” or on “Consent”. Here is how it will look like :

  Example of a privacy notice under GDPR Legitimate interests

  This site uses Matomo to analyze traffic and help us to improve your user experience.

  We process your email address and IP address and cookies are stored on your browser for 13 months. This data is only processed by us and our web hosting platform. Please read our Privacy Policy to learn more.

  Example of a privacy notice under GDPR Consent

  This site uses Matomo to analyze traffic and help us to improve your user experience.

  We process your email address and IP address and cookies are stored on your browser for 13 months. This data is only processed by us and our web hosting platform.

  [Accept] or [Opt-out]

  Please read our Privacy Policy to learn more.

  Once that information is provided to the user, you can then link it to your privacy policy where you will provide more details about it. Soon we will issue a blog post dealing with how to write a privacy policy page for Matomo.

  The post How should I write my privacy notice for Matomo Analytics under GDPR ? appeared first on Analytics Platform - Matomo.

• French CNIL recommends Piwik : the only analytics tool that does not require Cookie Consent

  29 octobre 2014, par Matthieu Aubry — Press Releases

  There has been recent and important changes in France regarding data privacy and the use of cookies. This blog post will introduce you to these changes and explain how you make your website compliant.

  Cookie Consent in the data freedom law

  Since the adoption of the EU Directive 2009/136/EC “Telecom Package”, Internet users must be informed and provide their prior consent to the storage of cookies on their computer. The use of cookies for advertising, analytics and social share buttons require the user’s consent :

  It is necessary to inform users of the presence, purpose and duration of the cookies placed in their browsers, and the means at their disposal to oppose it.

  What is a cookie ?

  Cookies are tracers placed on Internet users’ hard drives by the web hosts of the visited website. They allow the website to identify a single user across multiple visits with a unique identifier. Cookies may be used for various purposes : building up a shopping cart, storing a website’s language settings, or targeting advertising by monitoring the user’s web-browsing.

  Which cookies are exempt from the Cookie Consent rule ?

  France has exempted certain cookies from the cookie consent rule : for those cookies that are strictly necessary to offer the service sought after by the user you do not need to ask consent to user. Examples of such cookies are :

  • the shopping cart cookie,
  • authentication cookies,
  • short lived session cookies,
  • load balancer cookies,
  • certain first party analytics (such as Piwik cookies),
  • persistent cookies for interface personalisation.

  Asking users for consent for Analytics (tracking) Cookies

  For all cookies that are not exempted from the Cookie Consent then you will need to :

  • obtain consent from web users before placing or reading cookies and similar technologies,
  • clearly inform web users of the different purposes for which the cookies and similar technologies will be used,
  • propose a real choice to web users between accepting or refusing cookies and similar technologies.

  You don’t need Cookie Consent with Piwik

  The excellent news is that there is a way to bypass the Cookie Consent banner on your website :

  If you are using another analytics solution other than Piwik then you will need to ask users for consent. If you do not want to ask for consent then download and install Piwik or signup to Piwik Cloud to get started.

  If you are already using Piwik you need to do two simple things : (1) anonymise visitor IP addresses (at least two bytes) and (2) include the opt-out iframe solution in your website (learn more).

  Note that these recommendations currently only apply in France, but because the law is European we can expect similar findings in other European countries.

  CNIL recommends Piwik

  We are proud that the CNIL has identified Piwik as the only tool that respects all privacy requirements set by the European Telecom law.

  

  About the CNIL

  The CNIL is an independent administrative body that operates in accordance with the French data protection legislation. The CNIL has been entrusted with the general duty to inform people of the rights that the data protection legislation allows them.

  The role and responsabilities of the CNIL are :

  • to protect citizens and their data
  • to regulate and control processing of personal data
  • to inspect the security of data processing systems and applications, and impose penalties

  Piwik and Privacy

  At Piwik we love Privacy – our open analytics platform comes with built-in Privacy.

  Future of Privacy at Piwik

  Piwik is already the leader when it comes to respecting user privacy but we plan to continue improving privacy within the open analytics platform. For more information and specific ideas see Privacy enhancing issues in our issue tracker.

  References

  Learn more in these articles in French [fr] or English :

  • [fr] Sites web, cookies et autres traceurs
  • [fr] Comment me mettre en conformité avec la recommandation “Cookies” de la CNIL ?
  • [fr] Recommandation sur les cookies : obligations pour les responsables de sites ?
  • CNIL Starts Controlling Cookie Settings in October 2014
  • CNIL recommends Piwik for compliance with data protection laws

  Contact

  To learn more about Piwik, please visit piwik.org,

  Get in touch with the Piwik team : Contact information,

  For professional support contact Piwik PRO.

• French CNIL recommends Piwik : the only analytics tool that does not require Cookie Consent

  29 octobre 2014, par Matthieu Aubry — Press Releases

  There has been recent and important changes in France regarding data privacy and the use of cookies. This blog post will introduce you to these changes and explain how you make your website compliant.

  Cookie Consent in the data freedom law

  Since the adoption of the EU Directive 2009/136/EC “Telecom Package”, Internet users must be informed and provide their prior consent to the storage of cookies on their computer. The use of cookies for advertising, analytics and social share buttons require the user’s consent :

  It is necessary to inform users of the presence, purpose and duration of the cookies placed in their browsers, and the means at their disposal to oppose it.

  What is a cookie ?

  Cookies are tracers placed on Internet users’ hard drives by the web hosts of the visited website. They allow the website to identify a single user across multiple visits with a unique identifier. Cookies may be used for various purposes : building up a shopping cart, storing a website’s language settings, or targeting advertising by monitoring the user’s web-browsing.

  Which cookies are exempt from the Cookie Consent rule ?

  France has exempted certain cookies from the cookie consent rule : for those cookies that are strictly necessary to offer the service sought after by the user you do not need to ask consent to user. Examples of such cookies are :

  • the shopping cart cookie,
  • authentication cookies,
  • short lived session cookies,
  • load balancer cookies,
  • certain first party analytics (such as Piwik cookies),
  • persistent cookies for interface personalisation.

  Asking users for consent for Analytics (tracking) Cookies

  For all cookies that are not exempted from the Cookie Consent then you will need to :

  • obtain consent from web users before placing or reading cookies and similar technologies,
  • clearly inform web users of the different purposes for which the cookies and similar technologies will be used,
  • propose a real choice to web users between accepting or refusing cookies and similar technologies.

  You don’t need Cookie Consent with Piwik

  The excellent news is that there is a way to bypass the Cookie Consent banner on your website :

  If you are using another analytics solution other than Piwik then you will need to ask users for consent. If you do not want to ask for consent then download and install Piwik or signup to Piwik Cloud to get started.

  If you are already using Piwik you need to do two simple things : (1) anonymise visitor IP addresses (at least two bytes) and (2) include the opt-out iframe solution in your website (learn more).

  Note that these recommendations currently only apply in France, but because the law is European we can expect similar findings in other European countries.

  CNIL recommends Piwik

  We are proud that the CNIL has identified Piwik as the only tool that respects all privacy requirements set by the European Telecom law.

  

  About the CNIL

  The CNIL is an independent administrative body that operates in accordance with the French data protection legislation. The CNIL has been entrusted with the general duty to inform people of the rights that the data protection legislation allows them.

  The role and responsabilities of the CNIL are :

  • to protect citizens and their data
  • to regulate and control processing of personal data
  • to inspect the security of data processing systems and applications, and impose penalties

  Piwik and Privacy

  At Piwik we love Privacy – our open analytics platform comes with built-in Privacy.

  Future of Privacy at Piwik

  Piwik is already the leader when it comes to respecting user privacy but we plan to continue improving privacy within the open analytics platform. For more information and specific ideas see Privacy enhancing issues in our issue tracker.

  References

  Learn more in these articles in French [fr] or English :

  • [fr] Sites web, cookies et autres traceurs
  • [fr] Comment me mettre en conformité avec la recommandation “Cookies” de la CNIL ?
  • [fr] Recommandation sur les cookies : obligations pour les responsables de sites ?
  • CNIL Starts Controlling Cookie Settings in October 2014
  • CNIL recommends Piwik for compliance with data protection laws

  Contact

  To learn more about Piwik, please visit piwik.org,

  Get in touch with the Piwik team : Contact information,

  For professional support contact Piwik PRO.