Closed
Labels: c: Security (for issues that make Matomo more secure; please report issues through HackerOne and not in GitHub), not-in-changelog (for issues or pull requests that should not be included in the release changelog on matomo.org)
Description
When using the form to opt-out of tracking (tested on https://matomo.org/privacy-policy/):
Expected behaviour
The PIWIK_SESSID cookie is removed from my browser.
Actual behaviour
The PIWIK_SESSID cookie remains with its previous value.
Discussion
We have tested this on our own install and the opt out mechanism works, in the fact that this user's sessions do not appear in the dashboard. However, there are two primary concerns:
- If the cookie remains, there is no guarantee tracking will not continue - one must trust that the server side is honoring the piwik_ignore cookie. The Privacy by Design approach would be to unset the session cookie, then every user can be sure that the identifier is no longer present.
- From a compliance perspective (considering upcoming GDPR and ePrivacy regulations), if a user has explicitly opted-out of tracking, yet the identifier is still being sent by the client, I must be able to be 100% sure that this identifier is not being stored somewhere. On our installation I could see that a session ID for a user who was opted out from the start is still stored in the database. How can I verify that there are no other traces of this user in the database which could lead this to violate GDPR? Similarly any logs upstream on the webserver may need to be purged of this identifier.

Therefore, it would be preferable if the server would remove/reset the PIWIK_SESSID cookie on opt-out, and enforce that this cookie does not persist. This would meet the goal on both sides: that the user can trust the opt-out mechanism, and that the administrator can prove compliance with user consent.
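The check the reporter is asking for, written as an added example that is not part of the issue or of Matomo's code: given the Set-Cookie headers returned by an opt-out request, decide whether the opt-out marker was set and whether the session cookie was actually expired, left alone (the behaviour reported above), or re-issued with a live value. The cookie names PIWIK_SESSID and piwik_ignore are taken from the issue; the sample response headers are constructed, not captured from matomo.org.

```python
"""Audit whether an opt-out HTTP response really clears the session cookie.

Added example, not Matomo code. It inspects the Set-Cookie headers of the
response to an opt-out request and reports three facts a user or auditor
would want: was the opt-out marker (piwik_ignore) set, was the session
cookie (PIWIK_SESSID) expired, or was it re-issued with a live value.
Cookie names come from the issue text; the sample headers are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SESSION_COOKIE = "PIWIK_SESSID"  # session identifier named in the issue
OPTOUT_COOKIE = "piwik_ignore"   # opt-out marker cookie named in the issue


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to an empty string. Splitting on ';' keeps the comma inside an
    Expires date intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_cleared(attrs, now):
    """True when the attributes tell the browser to discard the cookie.

    Max-Age takes precedence over Expires, as in RFC 6265. An unparsable
    date is treated as "not cleared" so the audit fails closed.
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expiry = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError, IndexError):
            return False
        if expiry.tzinfo is None:  # treat a naive date as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        return expiry <= now
    return False


def audit_optout_response(set_cookie_headers, now=None):
    """Return findings about the opt-out response's cookie handling."""
    now = now or datetime.now(timezone.utc)
    cookies = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        cookies[name] = (value, attrs)

    findings = {
        "optout_marker_set": False,
        "session_cookie_cleared": False,
        "session_cookie_reissued": False,
    }
    if OPTOUT_COOKIE in cookies:
        _, attrs = cookies[OPTOUT_COOKIE]
        findings["optout_marker_set"] = not is_cleared(attrs, now)
    if SESSION_COOKIE in cookies:
        value, attrs = cookies[SESSION_COOKIE]
        if is_cleared(attrs, now) or value == "":
            findings["session_cookie_cleared"] = True
        else:
            findings["session_cookie_reissued"] = True
    # No Set-Cookie for the session cookie at all means the browser keeps
    # its old value: exactly the behaviour the issue reports.
    return findings


# Constructed sample responses (not captured from matomo.org).
REPORTED_BEHAVIOUR = [
    "piwik_ignore=ignore; expires=Sat, 01 Jan 2050 00:00:00 GMT; path=/; secure; HttpOnly",
]
REQUESTED_BEHAVIOUR = [
    "piwik_ignore=ignore; expires=Sat, 01 Jan 2050 00:00:00 GMT; path=/; secure; HttpOnly",
    "PIWIK_SESSID=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; path=/; secure; HttpOnly",
]
REISSUED_BEHAVIOUR = [
    "piwik_ignore=ignore; expires=Sat, 01 Jan 2050 00:00:00 GMT; path=/",
    "PIWIK_SESSID=0123456789abcdef; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in [("reported", REPORTED_BEHAVIOUR),
                           ("requested", REQUESTED_BEHAVIOUR),
                           ("reissued", REISSUED_BEHAVIOUR)]:
        print(label, audit_optout_response(headers))
```

Run against a real opt-out response by collecting every Set-Cookie header from the HTTP reply and passing the list to audit_optout_response; the "reported" sample reproduces the finding in this issue (marker set, session cookie untouched), while a response that both sets the marker and expires the session cookie is the behaviour the reporter asks for.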