Turn on or off the consent form on your site

Consent Manager

Needed permissions: owner

After installing the Piwik PRO container on your site, the consent form will automatically appear on it with its default settings. However, you can change some of the form settings or turn it off completely if you wish.

In this article, we’ll show you how to turn your consent form on or off and adjust its settings.

To turn on or off the consent form on your site, follow these steps:

  1. Log in to Piwik PRO.
  2. Go to Menu > Administration.
  3. Navigate to Sites & apps.
  4. On the left, pick the site or app you want to work with.
  5. Navigate to Privacy.
  6. Turn on or off Ask visitors for consent. This setting controls whether your consent form is displayed or not.
    Ask visitor for consent in Piwik PRO

    Note: You can edit your consent form by going to Consent Manager > Consent forms.

  7. (Optional) Click View to customize the consent setting:
    • Collect anonymous data from non-consenting visitors: You can collect anonymous data from visitors who haven’t given their consent. Their IP addresses will be completely masked. You will not recognize new and returning visitors. And you will only know their country. It’s up to you to decide whether to use a session hash and visitor cookies for these visitors or not.
    • Use a session hash: If you use a session hash, it’ll be created for each session based on the visitor’s IP address, operating system, browser name, browser version, browser language, enabled browser plugins and site/app ID. This hash will help us recognize events that belong to the same session. Note: This setting only applies to non-consenting visitors.
    • Use visitor cookies: If you use visitor cookies (_pk_id and _pk_ses), we’ll use them to recognize events that belong to the same session. They will expire 30 minutes after the last event. Note: This setting only applies to non-consenting visitors.

    Note: Some triggers in Tag Manager create cookies to function correctly. If you use one of the following conditions in triggers, we’ll set a cookie:

    • Event condition > Traffic source
    • Event condition > Returning visitor
    • Event condition > Campaign
    • Event condition > External referrer 
    • Multiplicity > Fire tag once per session
    • Multiplicity > Fire tag multiple times per session, excluding first

    Make sure that tags with those triggers are set with the right consent type. 

    We also set essential cookies that store visitor’s consent decision. More about cookies

    • Ask for consent in countries under the GDPR and UK GDPR: If turned on, we’ll show the form only to visitors from countries under the GDPR and UK GDPR. We’ll use visitors’ IP addresses to recognize countries. 
    • Consent is valid for: The cookie storing consent preferences will expire after this time, and your form will ask a visitor for consent again.
    • Share consent between subdomains: You can add subdomains to share consent between them. Enter a domain, subdomain or a wildcard like *.example.com.

    Note: If you enter a few values, each will create a bucket of shared consent. Let’s look at an example.

    We have the following domains:

    • example.com
    • blog.example.com
    • help.example.com

    We only want to share consent between the first two: example.com and blog.example.com. So we need to type in: *.example and help.example.com.

    This will create two buckets of shared consents:

    • One bucket for: example.com and blog.example.com.
    • And another bucket for: help.example.com.
    • Use a custom consent form: This consent form overrides those from Consent Manager. You can add it via the JavaScript API. Read more
  8. When you’re done, click Save.
  9. Done! Your consent form is now visible on your site. Just remember to set the appropriate consent type for each tag in Tag Manager.
    Consent types in Piwik PRO

Comparison of options

Here’s a comparison table to help you choose the right option. Each setting uses different mechanisms for collecting data and for recognizing visitors and their sessions. Settings also affect what data you collect.

Consenting visitors Non-consenting visitors
Cookies & session hash (1) Visitor cookies & session hash Visitor cookies only Session hash only No visitor cookies & session hash Don’t collect data
Mechanisms used to collect data
First-party cookies (2) (2) (3) (3)
Local storage
Session hash (4) (4)
Collected data
Visitor’s IP address Yes / No (5)
Visitor ID
Capture all traffic
New vs. returning visitors
Visitor’s session (6)
Visitor’s location Latitude, Longitude, Organization, Provider, City, Region, Country, Continent Country, Continent Country, Continent Country, Continent Country, Continent
Events
Traffic sources
Channel attribution Last-click, position-based, first-click, last-non-direct-click, time-decay, linear and custom models Last-click Last-click Last-click
Consent stats (7)
Privacy laws
Compliant with LGPD, PDPA, GDPR, UK GDPR/ PECR (8), TTDSG (9), HIPAA (10) LGPD, PDPA, GDPR (8), HIPAA (9) LGPD, PDPA, GDPR (8), HIPAA (9) LGPD, PDPA, GDPR (8), UK GDPR/PECR (8), TTDSG (9), HIPAA (10) LGPD, PDPA, GDPR (8), UK GDPR/PECR (8), TTDSG (9), HIPAA (10) LGPD, PDPA, GDPR, UK GDPR/PECR, CCPA, HIPAA (10)
  1. It’s possible to turn off visitor cookies and session hashes for consenting visitors, but this is rare because you’re getting their consent to collect and use data.
  2. You’ll use a 30-minute cookie to collect session data.
  3. We’ll set essential cookies that store each visitor’s consent decision. In addition, some triggers in Tag Manager will set cookies in order to funcion correctly. Make sure that tags with these triggers are set with the right consent type.
  4. We create a session hash to recognize the visitor’s session. We only use it for 30 minutes since the last event.
  5. You can mask visitors’ IP addresses under Administration > Sites & apps > Privacy > Mask IP addresses. An IP address gives you a visitor’s location. Masking it removes the selected number of bytes from the address before saving it to the database. Nobody will ever see the full address. Masking an address can enhance visitor privacy, as you won’t be able to see their precise location.
  6. Each event is a new session.
  7. You won’t collect any consent stats about people who don’t consent to analytics.  
  8. Check the cookie policy in your local guidelines; different countries can have their own policy.
  9. Assuming the product is set up to avoid storing additional device-level information, such as screen resolution or browser plugins. You can set it in Administration > Sites & apps > Privacy > Don’t collect visitor’s device data (on).
  10. If you have the Enterprise plan and have signed a BAA with us.

Consent Manager is connected to Tag Manager and fires tags only when visitors give their consent, assuming tags require it. It also controls how the tracking tag works. Depending on the settings you choose and the visitor’s consent, the Piwik PRO tag, containing the tracking code, will activate in consent mode, anonymous mode, or not activate at all.

The graph below illustrates how the tracking tag fires and what happens to tags that require analytics consent.

Consent management in Piwik PRO

Note:

  • The Piwik PRO tag that contains the tracking code requires analytics consent by default. This can be changed. However, if you’re collecting anonymous data, don’t set it to “No consent is required” as this will cause errors.
  • Anonymous data collection only works for the Piwik PRO tag.
  • The mechanism sets three values for the consent parameter: 0, 1 or -1. -1 is set when visitors ignore the form and informs Piwik PRO that these visitors can be asked for consent again.
  • If third-party consent forms are not integrated and don’t communicate with Piwik PRO via API, all visitors are treated as if they ignored the form, and the analytics parameter is set to -1.

Was this article helpful?

Technical support

If you still have any questions, visit our community.
There’s always someone happy to help!

Back to help center