The General Data Protection Regulation (EU) 2016/679, also referred to as RGPD in French, Datenschutz-Grundverordnung, DS-GVO in German, is fast-approaching. It is now less than 30 days until GDPR applies to most businesses around the world on 25th May 2018. If you haven’t heard of this new regulation yet, I recommend you check out our GDPR guide which we continue to expand regularly to get you up to speed with it.
GDPR compliance in Matomo
We are currently adding several new features to Matomo to get you GDPR ready. You will have for example the possibility to delete and export data for data subjects, delete and anonymize previously tracked data, anonymize the IP address and location, ask for consent, and more. A beta version with these features is already available. We will release more blog posts and user guides about these features soon and just recently published a post on how to avoid collecting personal information in the first place soon.
If you are still using Piwik, we highly recommend you update to a recent version of Matomo as all versions of Piwik will NOT be GDPR compliant.
GDPR compliance for premium features
InnoCraft, the company of the makers of Matomo, are offering various premium features for your self-hosted Matomo so you can be sure to make the right decisions and continuously grow your business. These features are also available on the cloud-hosted version of Matomo.
If you are now wondering how GDPR applies to these features, you will be happy to hear that none of them collect any personal information except for possibly Heatmaps & Session Recording and the WooCommerce integration. All of them also support all the new upcoming GDPR features like the possibility to export and delete data. It is important that you update your Matomo Premium Features to the latest version to use these features.
Making Heatmaps & Session Recording GDPR compliant
We have added several new features to make it easy for you to be GDPR compliant and in many cases you might not even have to do anything. Some of the changes include:
- Keystrokes (text entered into form fields) are no longer captured by default.
- You may enable the capturing of keystrokes, and all keystrokes will be anonymized by default.
- You may whitelist certain form fields to be recorded in plain text. However, fields that likely contain personal or sensitive information like passwords, phone numbers, addresses, credit card details, names, email addresses, and more will be always anonymized to protect user privacy. (this has always been the case but we have now included many more fields).
How personal information may still be recorded
Nevertheless, Heatmaps and Session Recordings may still record personal or sensitive information if you show them as part of the regular website as plain text (and not as part of a form field). The below example shows an email address for a paypal account as well as a name and VAT information as a regular content.
To anonymize such information, simply add a
data-matomo-mask attribute to your website:
You can read more about this in the developer guide “Masking content on your website”.
The WooCommerce integration may record an Order ID when a customer purchases something on your shop. As the Order ID is an identifier which could be linked with your shop to identify an individual, it may be considered as personal information. Matomo now offers an option to automatically anonymize this Order ID so it is no longer considered as personal information. To enable this feature, log in to your Matomo and go to “Administration => Anonymize Data”.
GDPR compliance for third party plugins on the Matomo Marketplace
The Matomo Marketplace currently features over 80 free plugins. Over 50 of them are compatible with the latest Matomo 3.X version and most of them should support Matomo’s new GDPR features out of the box. If you are concerned by GDPR and are not sure if a third party plugin stores any personal information, we highly recommend you ask the developer of this plugin about the compliance.
You can find a link to the plugin’s issue tracker by going to a plugin page and then clicking on “Github” on the bottom right.
If you are a plugin developer, please read our developer guide “GDPR & How do I make my Matomo plugin compliant”.