
About data protection and GDPR, a good thing with Matomo is that, if configured properly, it can be used without requiring to collect the user's consent (since Matomo doesn't use the data for its own purpose). Of course there is less information collected but at least you don't have to display a form as soon as a user enters your website.

The French data protection authority issued a piece of code (JS) which must be used to avoid collecting the user's consent. I don't know about other data protection authorities in the EU but it shouldn't be much different.


> it can be used without requiring to collect the user's consent (since Matomo doesn't use the data for its own purpose)

This is not how the GDPR works. If you are collecting personal data, or if you are dropping analytics cookies on someone's device, you need consent. No ifs or buts.


You should apply to the CNIL since you seem to know GDPR better than they do. (https://www.cnil.fr/fr/cookies-solutions-pour-les-outils-de-...)

I never said no personal data were collected but, if configured properly, the processing of data falls within the legitimate interest basis.


I believe that page may be out of date, or they've updated their github repo prematurely.

https://github.com/LINCnil/Guide-RGPD-du-developpeur/commit/...

/edit Ignore me. I appear to have misunderstood the changes when I last read this. Sorry


It is true that an opt-out system must be installed on the website (Matomo gives that piece of code) but - as noted on the github link you posted - that is very different from an opt-in system (which is the standard GDPR requirement).


GDPR does not require consent. If you use consent, then it must be freely-given, but you can often use a different legal basis when processing personal data.

The ePrivacy Directive requires consent for reading or writing from a terminal device. This includes anything with cookies, even if they're not personal data. While the ePD refers to GDPR for its definition of consent, it is a separate piece of legislation and many things that are true about GDPR are not true about ePD (such as being able to invoke Legitimate Interest instead of consent).


Sure, but when it comes to cookies, consent is almost always required on the GDPR basis (other legal bases rarely work).

You're right to point to e-privacy, to which consent is central. But the latest draft of its new version states that (art. 8): 1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: [...] (d) it is necessary for audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or by a third party, or by third parties jointly, on behalf of the one or more providers of the information society service provided that conditions laid down in Article 28, or where applicable Article 26, of Regulation (EU) 2016/679 are met

So Matomo can still do without the user consent (from what I understand, the relation between GDPR and e-privacy is no easy business).


> when it comes to cookies, consent is almost always required

We are in agreement. It seems I wasn't clear enough in my original post, but this is my overall point. GDPR doesn't require consent, but consent is required because of ePD.

> latest draft of its new version

> So Matomo can still do without the user consent

The new draft is not law yet. It's been 6 months away from passing for several years now. In the meantime, fines are still being issued under the existing law. Google got fined a hundred million euro last month in France, and that fine was very specifically ePD and not GDPR for a variety of reasons.


> So Matomo can still do without the user consent (from what I understand, the relation between GDPR and e-privacy is no easy business).

It also depends on the jurisdiction. For example the ICO has been clear that using a cookie based analytics tool requires a GDPR level of consent, without exceptions.


This is not how the GDPR works. It lays out several legal bases for the collection of personal information, of which consent is one. There are others as well.

I'd have to re-read it to be sure about analytics cookies, but I don't think it says a whole lot about that off-hand. This is the ePrivacy directive.


Simple question about these (great) posters: what's their legal status regarding IP? Possible use for commercial purposes? Obligation to mention the source? I'd love to use them for a presentation about security.

Any link to information about that would be very welcome too.



"The U.S. government asserts that it can still hold the copyright to those works in other countries."

Going a little further I read: "the U.S. Government may obtain protection in other countries depending on the treatment of government works by the national copyright law of the particular country." (from the CENDI FAQ), which is adequate with private international law.

Anyway, thank you!


I was going to ask the same - and it seems they're essentially public domain.

I'm going to paint a few of these on ten foot high canvasses, to adorn the lair.

