Collect data in a privacy-friendly way

In Piwik PRO, you can collect data while respecting visitors’ privacy and staying compliant with various privacy laws. In this article, we’ll show you a few privacy-focused ways to set up your data collection. But before you decide on one, consult your legal team because they can have their own interpretations of applicable laws.

Privacy option: Ask visitors for consent (on)

First you need to decide if you’re going to use a consent form on your site. If you do, then you’ll collect all data from visitors who consent. And for visitors who don’t consent, you’ll be able to pick one option:

  • Collect data using a 30-minute cookie: You’ll use a 30-minute cookie to collect session data. You won’t recognize new and returning visitors. You’ll see data about visitor’s country. Visitors’ IP addresses will be fully masked.

    This setting is recommended for sites that need to follow privacy laws but want to capture some non-sensitive data from visitors who don’t consent.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (on) > Collect data using a 30-minute cookie (on)

  • Collect data without using cookies: You won’t create or store any cookies on visitors’ browsers. Nothing will be stored on visitors` devices. You won’t recognize new and returning visitors. You’ll see data about visitor’s country. Visitors’ IP addresses will be fully masked.

    This setting is recommended for sites that need to follow privacy and strict cookie laws but want to collect some non-sensitive data from visitors who don’t consent.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (on) > Collect data without using cookies (on)

    Extra layer of privacy: Use IP masking to offer visitors more privacy.

    Note: Some triggers in Tag Manager create cookies to work correctly. If you use one of the following conditions in triggers, we’ll set a cookie:

    • Event condition > Traffic source
    • Event condition > Returning visitor
    • Event condition > Campaign
    • Event condition > External referrer 
    • Multiplicity > Fire tag once per session
    • Multiplicity > Fire tag multiple times per session, excluding first
    • Multiplicity > Fire tag once per page view

    Make sure that tags with those triggers are set with the right consent type.

    We also set essential cookies that store visitor’s consent decision. More about cookies

  • Don’t collect data: The tracking code won’t be fired for visitors.

    With this setting, you’ll collect data in an ultra-privacy-friendly way, but the downside is that you’ll lose about 25 to 75 percent of traffic data. That is all visitors that won’t consent to data collection and usage. This method is recommended for sites that need to strictly comply with privacy laws and are ready to collect fewer data.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (on) > Don’t collect data (on)

    Extra layer of privacy: Use IP masking to offer visitors more privacy.

Here is a comparison that can help you decide which option to choose. Each setting uses different mechanisms for collecting data, recognizing visitors and their sessions. It also affects what data you will collect.

When visitors agree When visitors don’t agree
Cookies & session ID 30-minute cookie No cookies Don’t collect data
Mechanisms used to collect data
First-party cookies (1) (2)
Local storage
Session ID (3)
Visitor’s IP address Yes / No (4)
Visitor ID
Collected data
Capture all traffic
New vs. returning visitors
Visitor’s session
Visitor’s location Latitude, Longitude, Organization, Provider, City, Region, Country, Continent Country, Continent Country, Continent
Events
Traffic sources
Channel attribution Last-click, position-based, first-click, last-non-direct-click, time-decay, linear and custom models Last-click Last-click
Consent stats (5)
Privacy laws
Compliant with LGPD, PDPA, GDPR, UK GDPR/ PECR LGPD, PDPA, GDPR (6) LGPD, PDPA, GDPR (6) LGPD, PDPA, GDPR, UK GDPR/PECR, CCPA
  1. You’ll use a 30-minute cookie to collect session data.
  2. We’ll set essential cookies that store visitor’s consent decision. Also some triggers in Tag Manager set cookies to work correctly. Make sure that tags with those triggers are set with the right consent type.  
  3. We create a session ID to recognize the visitor’s session. We use it only for 30 minutes.
  4. You can mask IP addresses for visitors under Administration > Sites & apps > Privacy > Mask IP addresses. The IP address informs about visitor’s location. Masking it can enhance visitors privacy because you won’t recognize their full location.
  5. You won’t collect any consent stats about people who don’t consent to analytics.  
  6. Check the cookie policy in your local guidelines. Each country can have their own policy.
Privacy option: Ask visitors for consent (off)

You can also decide not to use a consent form on your site. Then you have a few options to choose from:

  • Collect data using a session ID and visitor cookies : This lets you collect the most precise data. It’s recommended for sites that operate in regions that don’t have privacy guidelines or the privacy guidelines don’t require consent for collecting visitors’ data.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (off) + Use a session ID (on) + Use visitor cookies (on)

    Extra layer of privacy:

    • Use an opt-out form to offer visitors opting out from data collection.
    • Use IP masking to offer visitors more privacy.
  • Collect data without using cookies: This lets you collect data without asking a visitor for cookie consent, but collected data is less accurate. This method is recommended for sites that want simple statistics and don’t want to worry about consent forms.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (off) + Use a session ID (on) + Use visitor cookies (off)

    Extra layer of privacy: Use IP masking to offer visitors more privacy.

    Note: Some triggers in Tag Manager create cookies to work correctly. If you use one of the following conditions in triggers, we’ll set a cookie:

    • Event condition > Traffic source
    • Event condition > Returning visitor
    • Event condition > Campaign
    • Event condition > External referrer 
    • Multiplicity > Fire tag once per session
    • Multiplicity > Fire tag multiple times per session, excluding first
    • Multiplicity > Fire tag once per page view

    If you don’t want to use these cookies, don’t set these conditions in the trigger. More about cookies

  • Collect data without using a session ID: This lets you turn off a session ID that is used to recognize visitor’s sessions.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (off) + Use a session ID (off) + Use visitor cookies (on)

  • Collect data without using a session ID and visitor cookies: This lets you forget about cookie consents and data collection consents altogether. Your data will be least accurate out of all described ways. You won’t recognize visitors and their sessions. Each session will be treated as a new event.

    This method is recommended for sites that need to stick with some rigid privacy rules and don’t want to use consent forms.

    Setting: Administration > Sites & apps > Privacy > Ask visitors for consent (off) + Use a session ID (off) + Use visitor cookies (off)

    Note: Some triggers in Tag Manager create cookies to work correctly. If you use one of the following conditions in triggers, we’ll set a cookie:

    • Event condition > Traffic source
    • Event condition > Returning visitor
    • Event condition > Campaign
    • Event condition > External referrer 
    • Multiplicity > Fire tag once per session
    • Multiplicity > Fire tag multiple times per session, excluding first
    • Multiplicity > Fire tag once per page view

    If you don’t want to use these cookies, don’t set these conditions in the trigger. More about cookies

Here is a comparison that can help you decide which option to choose. Each setting uses different mechanisms for collecting data, recognizing visitors and their sessions. It also affects what data you will collect.

Cookies & session ID No cookies No session ID No cookies & session ID
Mechanisms used to collect data
First-party cookies (1) (1)
Local storage
Session ID (2)
Visitor’s IP address Yes / No (3) Yes / No (3)
Visitor ID
Collected data
Capture all traffic
New vs. returning visitors
Visitor’s session (4)
Visitor’s location Latitude, Longitude, Organization, Provider, City, Region, Country, Continent Latitude, Longitude, Organization, Provider, City, Region, Country, Continent Latitude, Longitude, Organization, Provider, City, Region, Country, Continent Latitude, Longitude, Organization, Provider, City, Region, Country, Continent
Events
Traffic sources
Channel attribution Last-click, position-based, first-click, last-non-direct-click, time-decay, linear and custom models Last-click Last-click, position-based, first-click, last-non-direct-click, time-decay, linear and custom models
Privacy laws
Compliant with Countries without privacy laws,
CCPA (5)
Cookie laws Cookie laws GDPR, UK GDPR/PECR
  1. Some triggers in Tag Manager set cookies to work correctly.
  2. We create a session ID to recognize the visitor’s session. We use it only for 30 minutes.
  3. You can mask IP addresses for visitors under Administration > Sites & apps > Privacy > Mask IP addresses. The IP address informs about visitor’s location. Masking it can enhance visitors privacy because you won’t recognize their full location.
  4. Each event is a new session.
  5. You need to add an opt-out form (“do not sell my personal data”).

Was this article helpful?

Technical support

If you still have some questions, visit our community.
There’s always someone ready to help!

Back to help center