Session ID and GDPR?

Hello,

On this page:

I read this:
Note: Piwik PRO doesn’t use device fingerprinting. Instead it uses a session ID. A session ID is a more privacy-friendly way to recognize visitor’s sessions.

But on this page:

I read this:
Session ID: Our backend tracker creates a hash for each session based on the visitor’s IP address, operating system, browser name, browser version, browser language, enabled browser plugins and salt (random data that is used as an additional component). The tracker uses that hash to recognize events belonging to the same session.

So tracking visitor’s IP address, operating system, browser name, browser version, browser language, enabled browser plugins… that looks like fingerprinting to me but maybe I misunderstood? Can someone please explain why the method Piwik PRO uses is not fingerprinting?

And is my website GDPR compliant when I:

  • turn ON Use a session ID
  • turn OFF Use visitor cookies
  • turn OFF Ask visitors for consent

Thanks a lot for the help :slightly_smiling_face:

Alwin

Hi. The biggest difference is a random salt that practically resets the session ID after 30 min, so there’s no way to recognize returning individuals.

As for your question, we always recommend setting up consent when the data is not anonymized.

See also this guide from the French CNIL that allows gathering aggregated data without asking for consent under certain conditions: How to make your website compliant with CNIL | Piwik PRO help center

There’s no way to recognize returning individuals, but it is fingerprinting an individual’s browser to start with?

  • If I enable Comply with CNIL guidelines I do have GDPR compliance? I can’t see Session logs anymore and no Tracker Debugger but the rest of my reports data stay the same?

Fingerprint does not contain randomized elements. If the user comes back the next day using the same workstation and IP address, the hash won’t change. That’s the main difference. I’m not a lawyer, you have to decide yourself or ask a lawyer for an opinion if it’s compliant.

Regarding your question - you have GDPR compliance according to the French DPA. Unfortunately, other countries haven’t published similar guides yet.

Thanks kuba for your fast replies :grinning:

  • If I enable Comply with CNIL guidelines the only difference in my reports data will be that I can’t see Session Logs anymore and no Tracker Debugger, but the rest of my reports data stay the same?

  • If I enable Don’t collect visitor’s device data my reports can be a little less accurate? IP address, operating system, browser name, browser version, browser language will still be used but screen resolutions and browser plugins are not used anymore?

  1. More or less yes. There are also other constraints like not merging data (e.g. by using integrations that enrich the reports) and not using raw data APIs.
  2. Yes. Device data is anything that can be gathered via JavaScript, so things like cookies, localStorage or screen resolution. IP address, user agent and browser language are always available since we’re using the HTTP protocol.
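The difference discussed in this thread between a salted session ID and a fingerprint, as an added example that is not part of the original posts and is not Piwik PRO's code. The attribute names, the HMAC-SHA-256 construction and the fixed 30-minute rotation window are assumptions made for illustration; the visitor records are constructed.

```python
import hashlib
import hmac
import secrets

# Attributes the quoted help text lists as hash inputs (field names are assumed).
ATTRS = ("ip", "os", "browser", "browser_version", "language", "plugins")

def _canonical(visitor):
    # Join with a separator that cannot occur in the values, so fields cannot blur.
    return "\x1f".join(str(visitor[k]) for k in ATTRS).encode()

def fingerprint(visitor):
    """Unsalted hash: the same device and IP give the same value indefinitely."""
    return hashlib.sha256(_canonical(visitor)).hexdigest()

class SessionHasher:
    """Salted hash whose random salt is replaced every `rotate_seconds`.

    The previous salt is discarded, so an ID from an earlier window cannot be
    recomputed or linked to a later one, even for identical attributes.
    """
    def __init__(self, rotate_seconds=30 * 60):
        self.rotate_seconds = rotate_seconds
        self._window = None
        self._salt = b""

    def session_id(self, visitor, now):
        window = int(now // self.rotate_seconds)
        if window != self._window:  # new window: new salt, old one is gone
            self._salt = secrets.token_bytes(32)
            self._window = window
        return hmac.new(self._salt, _canonical(visitor), hashlib.sha256).hexdigest()

# Constructed sample visitors (documentation IP range).
ALICE = {"ip": "203.0.113.7", "os": "Linux", "browser": "Firefox",
         "browser_version": "126.0", "language": "nl-NL", "plugins": "pdf"}
BOB = dict(ALICE, ip="203.0.113.8")

def compare(visitor, t_first, t_return):
    """Return (fingerprint_linkable, session_id_linkable) for two visits."""
    hasher = SessionHasher()
    fp_same = fingerprint(visitor) == fingerprint(visitor)
    sid_same = hasher.session_id(visitor, t_first) == hasher.session_id(visitor, t_return)
    return fp_same, sid_same

if __name__ == "__main__":
    print("10 min apart :", compare(ALICE, 0, 600))
    print("next day     :", compare(ALICE, 0, 86400))
```

Within one window the salted value still groups requests that share every attribute, so two visitors behind the same IP with identical browsers would fall into the same session under this sketch.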