Privacy considerations for personal data in analytics

One of the biggest privacy concerns for analytics data is the ability for anyone to connect the online activity with individual people. A vast industry has grown around the collection and exploitation of that personal data for profit. Matomo stands out in the field of analytics as a privacy-focused solution that provides full control over how such Personally Identifiable Information (PII) is collected, processed and stored.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) is any information that can be used to identify an individual. This could be as simple as a username or email address, or it could be something like a credit card number that can be linked to an individual. More specifically, PII is a classification of specific personal data defined in the US privacy law.

Laws in Europe are even broader than the US. All PII is considered personal data, but many things not covered by US law are also covered by privacy laws within the EU. For example, even seemingly innocent details such as an automatically generated Ecommerce order ID, or IP address are considered personal data. If they can ultimately be traced back to an individual user, then it should be considered personal data.

As a privacy concerned analytics user, your goal should be to collect and process as little PII and personal data as possible, while ensuring you have enough data to make analysis effective. Whenever you do collect PII or personal data, you want to ensure it is stored safely and securely. You can find a more comprehensive comparison of the two major privacy classifications and what they include here.

Often website users are happy to share data where it provides a clear benefit. Privacy isn’t an all or nothing matter. It is possible that users will be happy to share personal information for some reasons but not others. For example, a user might be comfortable sharing their email address as part of a support request, but not agree to their email being linked with their analytics data or uploaded to advertising networks. 

For this reason, it is generally good practice – and often a legal requirement – to gain consent from a user before collecting and processing their personal data. The type of consent required and method of implementation is likely to depend on the types of personal data you are collecting, and also how you plan on using it.

Informed consent is a process for educating and providing options to your users in relation to the tracking of their personal and analytics data. The first step towards gaining informed consent on the web is a well-documented privacy policy. A privacy policy should describe the types of data you collect and the tools you use to do so. While your website provides mechanisms for opting in or out or tracking. You can read the Matomo Privacy Policy here, and you are welcome to use it as the basis for creating your own.

Often, you will also need users to provide freely given and specific consent to the use of their personal data. While cookie consent has been one of the most common areas of focus in recent years, it is not the only tracking method. Matomo offers two forms of consent:

  • Tracking Consent: With this method, nothing is tracked by Matomo until the user has consented. This offers the highest level of privacy to users, but will likely result in missing or inaccurate tracking data for website owners.

  • Cookie Consent: This method prevents tracking cookies from being set until consent is gained. Cookies enhance collected tracking data, however, less specific data will still be collected before cookie consent has been provided.

When it comes to actually requesting consent from the user, there are many third-party consent tools available depending on your specific website requirements. Whichever solution you choose; Matomo provides built-in JavaScript functions for enabling and disabling both forms of tracking based on a user’s consent choices. You can learn how to integrate with consent tools here and in Matomo’s developer documentation.

Previous FAQ: Personal data Matomo analytics collects and why