Important note: this blog post has been written by digital analysts, not lawyers. The purpose of this article is to show you an example of a privacy notice for Matomo under GDPR. This work comes from our interpretation of the UK privacy commission: ICO. It cannot be considered as professional legal advice. So as GDPR, this information is subject to change. We strongly advise you to have a look at the different privacy authorities in order to have up to date information.
A basic rule of thumb is that if you are not processing personal data, then you do not need to show any privacy notice. But if you are doing so, such as processing full IP addresses, then a privacy notice is required at the time of the data collection. Please note that personal data may also be hidden, for example, in page titles or page URLs.
In this blog post, we will define what a privacy notice is according to GDPR and how to write it if you are using Matomo and you are processing personal data.
What is a privacy notice under GDPR?
One of the most important rights that a data subject has under GDPR, is the right to be informed about the collection and use of their personal data.
Here is what ICO is saying about the privacy notice:
“You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.”
“When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.”
Note that a privacy notice is different from a privacy policy.
The privacy notice has to include:
- the reasons why you are processing the personal data
- for how long
- who the different parties you are going to share them with are
So whatever lawful basis you are using (explicit consent or legitimate interest), you need to have a privacy notice if you collect personal data.
What does this privacy notice look like?
ICO is providing best practices in order to display the information:
- a layered approach
- dashboards
- just-in-time notices
- icons
- mobile and smart device functionalities
Once more, it really depends on the data you are processing with Matomo. If you wish to track personal data on the entire website, you will probably have an upper or footer privacy notice such as:
If you wish to process specific data, you could also insert just-in-time notices such as:
What is the information you need to disclose to the final user?
To us, there are two things to distinguish between the privacy notice and the privacy policy.
According to ICO, the privacy notice needs to include the 3 following elements:
- the reasons why you are processing the personal data
- for how long
- who are the different parties you are going to share them with
But you also need to inform them about:
- The name and contact details of your organisation.
- The name and contact details of your representative (if applicable).
- The contact details of your data protection officer (if applicable).
- The purposes of the processing.
- The lawful basis for the processing.
- The legitimate interests for the processing (if applicable).
- The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
- The recipients or categories of recipients of the personal data.
- The details of transfers of the personal data to any third countries or international organisations (if applicable).
- The retention periods for the personal data.
- The rights available to individuals in respect of the processing.
- The right to withdraw consent (if applicable).
- The right to lodge a complaint with a supervisory authority.
- The source of the personal data (if the personal data is not obtained from the individual it relates to).
- The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
- The details of the existence of automated decision-making, including profiling (if applicable).
Pretty long, don’t you think? In order to reduce it, you can either adopt a layered approach where your “pop-up” window will act as a drop down menu. Or from what we understood, page 5 of this document provided by ICO, a privacy notice can link to a more detailed document, such as a privacy policy page.
Examples
Let’s take the example of a website which tracks the non-anonymised full IP address, and using User ID functionality to keep track of logged-in users. Under GDPR, the owner of the website will have to choose either to process personal data based on “Legitimate interests” or on “Consent”. Here is how it will look like:
Example of a privacy notice under GDPR Legitimate interests
This site uses Matomo to analyze traffic and help us to improve your user experience.
We process your email address and IP address and cookies are stored on your browser for 13 months. This data is only processed by us and our web hosting platform. Please read our Privacy Policy to learn more.
Example of a privacy notice under GDPR Consent
This site uses Matomo to analyze traffic and help us to improve your user experience.
We process your email address and IP address and cookies are stored on your browser for 13 months. This data is only processed by us and our web hosting platform.
[Accept] or [Opt-out]
Please read our Privacy Policy to learn more.
Once that information is provided to the user, you can then link it to your privacy policy where you will provide more details about it. Soon we will issue a blog post dealing with how to write a privacy policy page for Matomo.