MoritzLost, posted December 11, 2020

Cloudflare announced the general availability of their new Web Analytics solution today (even for non-Cloudflare-powered sites): https://blog.cloudflare.com/privacy-first-web-analytics/

I'm quite excited about this, as I've been looking for a solution that's privacy-friendly, free for personal sites and GDPR compliant. In particular, being able to collect visitor statistics without tracking any personal data is an attractive proposition, since it doesn't require consent even under the GDPR. I looked at various alternatives, but all have their caveats:

- Google Analytics is out for obvious reasons.
- Matomo is a solid choice since it can be configured to not set any cookies and anonymize IP addresses. However, its use of fingerprinting is somewhat dubious, so it's a grey area whether you need consent to use it.
- A couple of smaller alternatives like Netlify Analytics (for Netlify sites) or Fathom look good enough, but their pricing isn't really feasible for small personal projects.

I have added the Cloudflare tracking script to my tutorial site processwire.dev; for now I'll use it alongside Matomo. It will be interesting to see how their numbers compare to Matomo.

What do you all think? Are there better alternatives out there?

eydun, posted December 11, 2020

Thanks for the info. Plausible is also a nice alternative.

horst, posted December 11, 2020

4 hours ago, MoritzLost said: "Matomo is a solid choice since it can be configured to not set any cookies and anonymize IP addresses. However, its use of fingerprinting is somewhat dubious, so it's a grey area whether you need consent to use it."

According to the bureau of the Datenschutzbeauftragte of NRW, Germany: if you (self-)host Matomo on the same domain or subdomain with anonymized IPs, you can start to use it without opt-in, regardless of whether it is used cookie-less or with cookies. The only thing you must provide and respect is an opt-out option.

I don't know if this is different in other Bundesländer of Germany, but I have gotten a written answer with the above content from the NRW bureau.

MoritzLost (author), posted December 11, 2020

58 minutes ago, horst said: "According to the bureau of the Datenschutzbeauftragte of NRW, Germany: if you (self-)host Matomo on the same domain or subdomain with anonymized IPs, you can start to use it without opt-in, regardless of whether it is used cookie-less or with cookies. The only thing you must provide and respect is an opt-out option. I don't know if this is different in other Bundesländer of Germany, but I have gotten a written answer with the above content from the NRW bureau."

@horst Hm, that's interesting, though I'm not sure if that would be enough for me to call it a day ... I've found that in many cases the Datenschutzbeauftragte don't have a solid grasp on the technologies and what actually constitutes PII, so they basically judge compliance of a tracking mechanism based on whether it sets cookies or not, even though fingerprinting is much more pervasive and there's no real opt-out for that.

I'm also fairly certain that using Matomo with cookies requires consent under GDPR – since it allows you to identify returning visitors, you can collect pseudonymous information, which requires consent. I'm surprised the Datenschutzbeauftragte of NRW would make such a blanket statement, and I don't think it would hold up in court (not sure if the written statement would help there, I'm not a lawyer). But even without cookies, it's a gray area at best.

The reason people jump on the cookie debate while ignoring other mechanisms such as fingerprinting is probably that the legal precedents (most notably the EUGH decisions) have mostly been about cookies. So right now there's a grey area regarding fingerprinting. But I think as soon as there's a test case / precedent, fingerprinting will be shut down the same way consent-less tracking cookies were shut down.

Anyway, regardless of the current legality, I think it's a good approach to drop cookies and fingerprinting in favor of referrers to differentiate between visits and page views (as Cloudflare claims they do). Though we'll see how well it works and if it's as privacy-friendly as they claim.