Session ID and GDPR?

optipiwik · October 14, 2022, 6:35pm

Hello,

On this page:

I read this:
Note: Piwik PRO doesn’t use device fingerprinting. Instead it uses a session ID. A session ID is a more privacy-friendly way to recognize visitor’s sessions.

But on this page:

I read this:
Session ID: Our backend tracker creates a hash for each session based on the visitor’s IP address, operating system, browser name, browser version, browser language, enabled browser plugins and salt (random data that is used as an additional component). The tracker uses that hash to recognize events belonging to the same session.

So tracking visitor’s IP address, operating system, browser name, browser version, browser language, enabled browser plugins… that looks like fingerprinting to me but maybe I misunderstood? Can someone please explain why the method PiwikPro uses is not fingerprinting?

And is my website GDPR compliance when I:

turn ON Use a session ID
turn OFF Use visitor cookies
turn OFF Ask visitors for consent

Thanks a lot for the help

Alwin

kuba · October 14, 2022, 6:39pm

Hi. The biggest difference is a random salt that practically resets the session ID after 30 min, so there’s no way to recognize returning individuals.

As for your question, we always recommend setting up consent when the data is not anonymized.

See also this guide from the French CNIL that allows gathering aggregated data without asking for consent under certain conditions: How to make your website compliant with CNIL | Piwik PRO help center

optipiwik · October 14, 2022, 6:50pm

There’s no way to recognize returning individuals, but it is fingerprinting an individuals browser the start with?

If I enable Comply with CNIL guidelines I do have GDPR compliance? I can’t see Session logs anymore and no Tracker Debuger but the rest of my reports data stay the same?

kuba · October 14, 2022, 7:02pm

Fingerprint does not contain randomized elements. If the user comes back the next day using same workstation and IP address, the hash won’t change. That’s the main difference. I’m not a lawyer, you have to decide yourself or ask lawyer for an opinion if it’s compliant.

Regarding your question - you have GDPR compliance according to French DPA. Unfortunately, other countries haven’t published similar guides yet.

optipiwik · October 14, 2022, 7:09pm

Thanks kuba for your fast replies

If I enable Comply with CNIL guidelines the only difference in my reports data will be that I can’t see Session Logs anymore and no Tracker Debugger, but the rest of my reports data stay the same?
If I enable Don’t collect visitor’s device data my reports can be a little less accurate? IP address, operating system, browser name, browser version, browser language will still be used but screen resolutions and browser plugins are not used anymore?

kuba · October 14, 2022, 7:23pm

More or less yes. There are also other constraints like not merging data (e.g. by using integrations that enrich the reports) and not using raw data APIs.
Yes. Device data is anything that can be gathered via JavaScript, so things like cookies, localStorage or screen resolution. IP address, user agent and browser language are always available since we’re using HTTP protocol.

Topic		Replies	Views
"No cookies" option & visitor ID Privacy	1	445	January 27, 2022
How can I deactivate Fingerprinting? Privacy	4	302	July 3, 2023
How the data is collected in anonymous mode? Data collection and tags	5	270	January 31, 2023
New/returning report with GDPR setup Reports and working with data	5	191	January 3, 2024
ID cookies and unique ID visitor Reports and working with data	2	21	March 19, 2025

Session ID and GDPR?

Related topics