I read this: Note: Piwik PRO doesn’t use device fingerprinting. Instead it uses a session ID. A session ID is a more privacy-friendly way to recognize visitor’s sessions.
But on this page:
I read this: Session ID: Our backend tracker creates a hash for each session based on the visitor’s IP address, operating system, browser name, browser version, browser language, enabled browser plugins and salt (random data that is used as an additional component). The tracker uses that hash to recognize events belonging to the same session.
So tracking visitor’s IP address, operating system, browser name, browser version, browser language, enabled browser plugins… that looks like fingerprinting to me but maybe I misunderstood? Can someone please explain why the method PiwikPro uses is not fingerprinting?
There’s no way to recognize returning individuals, but it is fingerprinting an individuals browser the start with?
If I enable Comply with CNIL guidelines I do have GDPR compliance? I can’t see Session logs anymore and no Tracker Debuger but the rest of my reports data stay the same?
Fingerprint does not contain randomized elements. If the user comes back the next day using same workstation and IP address, the hash won’t change. That’s the main difference. I’m not a lawyer, you have to decide yourself or ask lawyer for an opinion if it’s compliant.
Regarding your question - you have GDPR compliance according to French DPA. Unfortunately, other countries haven’t published similar guides yet.
If I enable Comply with CNIL guidelines the only difference in my reports data will be that I can’t see Session Logs anymore and no Tracker Debugger, but the rest of my reports data stay the same?
If I enable Don’t collect visitor’s device data my reports can be a little less accurate? IP address, operating system, browser name, browser version, browser language will still be used but screen resolutions and browser plugins are not used anymore?
More or less yes. There are also other constraints like not merging data (e.g. by using integrations that enrich the reports) and not using raw data APIs.
Yes. Device data is anything that can be gathered via JavaScript, so things like cookies, localStorage or screen resolution. IP address, user agent and browser language are always available since we’re using HTTP protocol.