Can I collect any data from visitors who don’t consent?

Consent Manager

Needed permissions: owner

When you use Consent Manager and ask visitors for consent to collect and use their personal data, some of them won’t agree. So can you collect any other data from these visitors? This depends on privacy laws and how your legal team interprets them.

In Piwik PRO, you can choose whether you want to collect anonymous data from these visitors or not. If you decide on the first option, you should inform them about this practice.

To set up data collection for visitors who don’t consent, follow these steps:

  1. Go to Menu > Administration.
  2. Navigate to Sites & apps.
  3. On the left, pick the site or app you want to work with.
  4. Navigate to Privacy.
  5. Ask visitors for consent needs to be turned on because only then you’re showing a consent form on your site.
    Ask visitor for consent in Piwik PRO
  6. Click View to customize the consent setting:
    • Collect anonymous data from non-consenting visitors: You can collect anonymous data from visitors who haven’t given their consent. Their IP addresses will be completely masked. You will not recognize new and returning visitors. And you will only know their country. It’s up to you to decide whether to use a session hash and visitor cookies for these visitors or not.
    • Use a session hash: If you use a session hash, it’ll be created for each session based on the visitor’s IP address, operating system, browser name, browser version, browser language, enabled browser plugins and site/app ID. This hash will help us recognize events that belong to the same session. Note: This setting only applies to non-consenting visitors.
    • Use visitor cookies: If you use visitor cookies (_pk_id and _pk_ses), we’ll use them to recognize events that belong to the same session. They will expire 30 minutes after the last event. Note: This setting only applies to non-consenting visitors.

    Note: Some triggers in Tag Manager create cookies to function correctly. If you use one of the following conditions in triggers, we’ll set a cookie:

    • Event condition > Traffic source
    • Event condition > Returning visitor
    • Event condition > Campaign
    • Event condition > External referrer 
    • Multiplicity > Fire tag once per session
    • Multiplicity > Fire tag multiple times per session, excluding first
    • Multiplicity > Fire tag once per page view

    Make sure that tags with those triggers are set with the right consent type.

    We also set essential cookies that store visitor’s consent decision. More about cookies

  7. Done!

Comparison of options

Here’s a comparison table to help you choose the right option. Each setting uses different mechanisms for collecting data and for recognizing visitors and their sessions. Settings also affect what data you collect.

Consenting visitors Non-consenting visitors
Cookies & session hash (1) Visitor cookies & session hash Visitor cookies only Session hash only No visitor cookies & session hash Don’t collect data
Mechanisms used to collect data
First-party cookies (2) (2) (3) (3)
Local storage
Session hash (4) (4)
Collected data
Visitor’s IP address Yes / No (5)
Visitor ID
Capture all traffic
New vs. returning visitors
Visitor’s session (6)
Visitor’s location Latitude, Longitude, Organization, Provider, City, Region, Country, Continent Country, Continent Country, Continent Country, Continent Country, Continent
Traffic sources
Channel attribution Last-click, position-based, first-click, last-non-direct-click, time-decay, linear and custom models Last-click Last-click Last-click
Consent stats (7)
Privacy laws
  1. It’s possible to turn off visitor cookies and session hashes for consenting visitors, but this is rare because you’re getting their consent to collect and use data.
  2. You’ll use a 30-minute cookie to collect session data.
  3. We’ll set essential cookies that store each visitor’s consent decision. In addition, some triggers in Tag Manager will set cookies in order to funcion correctly. Make sure that tags with these triggers are set with the right consent type.
  4. We create a session hash to recognize the visitor’s session. We only use it for 30 minutes since the last event.
  5. You can mask visitors’ IP addresses under Administration > Sites & apps > Privacy > Mask IP addresses. An IP address gives you a visitor’s location. Masking it removes the selected number of bytes from the address before saving it to the database. Nobody will ever see the full address. Masking an address can enhance visitor privacy, as you won’t be able to see their precise location.
  6. Each event is a new session.
  7. You won’t collect any consent stats about people who don’t consent to analytics.  
  8. Check the cookie policy in your local guidelines; different countries can have their own policy.
  9. Assuming the product is set up to avoid storing additional device-level information, such as screen resolution or browser plugins. You can set it in Administration > Sites & apps > Privacy > Don’t collect visitor’s device data (on).
  10. If you have the Enterprise plan and have signed a BAA with us

For developers: For more information about anonymous data collection, see our developer guides.

Was this article helpful?

Technical support

If you still have any questions, visit our community.
There’s always someone happy to help!

Back to help center