GDPR Cookie Consent Notification Recipe for Google Tag Manager

Updated: July 19th, 2018. This recipe installs a Cookie Consent Notification provided by OneTrust (you’ll need to paste your own code there, though) and sets up triggers which respect visitor’s consent and cookie preferences.

It is highly recommended that you read this guide which explains how to create a OneTrust Cookie Banner, set it up and successfully integrate into your current Google Tag Manager stack.

This recipe is for the cookie banner, triggers, and variables only. It does not send data to Google Analytics. Also, it does not automatically adapt to your current GTM setup. After you import everything, you’ll still need to manually update your current tags. Follow the instructions given on this page.

Changelog

If you’re just starting with this GTM recipe, ignore the changelog and skip to the Instructions section of this page (because the recipe here is up-to-date).

June 14th, 2018 – Fixed a bug for iOS browsers (at least Safari and Chrome). Due to this issue, a consent cookie wasn’t stored properly on Apple mobile devices (the scope is unclear). How to update:

• Two assets were updated in this Recipe:
  • Variable: Cookie – Actual Cookie Consent. Enabled checkbox URI-decode cookie)
  • Tag: cHTML – Set Cookie – Actual Cookie Consent Active Groups. Changed the 4th line of the script to this one:
    
    JavaScript

     var cookieValue = encodeURIComponent({{dlv - Active Consent Groups}});

    1	var cookieValue = encodeURIComponent({{dlv - Active Consent Groups}});

• If you haven’t modified the aforementioned tag and variable before, download this patch and import (by choosing the option Merge and then Overwrite conflicting tags, triggers, and variables).

July 19th, 2018. Added a built-in functionality which records the proof of consent and sends this data to Google Analytics.

INSTRUCTIONS

1. Create a free OneTrust account. It might take up to 48 hours to get it, so register as soon as possible. Here’s a form that you need to submit and after a while, you’ll get an email with the confirmation link.
2. Download Container File
   Download the container JSON file (right-click on the link and click “Save Link As” or “Save Target As” to save the JSON file to your computer).
3. Import JSON File into GTM
   Log into your own Google Tag Manager container and head to the Admin section of the site. Under Container options, select Import Container. Read this blog post for more details about importing a container file.
4. Set up cookie consent notification, publish changes.
   Read the first half of this guide for step-by-step instructions.
5. Update all your tracking tags (which deal with personal data) in Google Tag Manager by adding one of 3 blocking triggers to them as an exception.
   This needs to be done with every single tracking tag (which deals with personal information), including Google Analytics Pageview, Google Adwords Conversion Tag, etc.If a tag is related to analytics (e.g. Google Analytics Event tag) then assign Blocking – Analytics Tracking is Not Allowed trigger as an exception. In case of Adwords tag, use Blocking – Marketing Cookies are Not Allowed trigger. You get the idea, right? Here’s how an updated tag triggering could look like of a Universal Analytics tag:
6. Additionally, update all those tags which fire upon Pageview, DOM ready, or Window Loaded Events.
   The important part of this new cookie consent is to hold tracking tags until a visitor gives a consent to be tracked. Therefore, GA, FB pixel, and other pageview-based tags must be “on hold” as well. Consequently, standard All Pages trigger becomes irrelevant here. Firstly, you need to remove all Pageview, DOM Ready, and Window Loaded triggers from your current tags as they do not respect visitor’s consent. Instead, you need to fire Pageview-based tags immediately after the consent was given. That’s why assign Custom – Optanon Consent Updated trigger to all of them. The expected result: Universal Analytics pageview, Facebook Pixel main code, and others which fire upon page load must not fire until a visitor gives the consent (by clicking Accept Cookies button, closing the banner, or scrolling down).But what happens to pageview tags if a visitor has already given the consent and then refreshes the page? That’s why you also need to complete the step #5.
7. Add pageview-based triggers which respect the consent settings.
   This recipe contains 9 pageview-related triggers which are based on separate cookie consent groups:
   • Pageview – All Pages – Analytics Tracking Allowed
   • Pageview – All Pages – Functional Cookies Allowed
   • Pageview – All Pages – Marketing Cookies Allowed
   • Pageview – DOM Ready – Analytics Tracking Allowed
   • Pageview – DOM Ready – Functional Cookies Allowed
   • Pageview – DOM Ready – Marketing Cookies Allowed
   • Pageview – Window Loaded – Analytics Tracking Allowed
   • Pageview – Window Loaded – Functional Cookies Allowed
   • Pageview – Window Loaded – Marketing Cookies Allowed

   Choose one of them for each tag and assign. For example, Universal Analytics Pageview Tag should get a Pageview – All Pages – Analytics Tracking Allowed trigger while Facebook Pixel should get a Pageview – All Pages – Marketing Cookies Allowed trigger, etc.

8. Open GA Event – Cookie Consent Data For The Record tag and set the GA Tracking ID (or GA Settings Variable).
9. Need more information?
   Read this extensive guide how to install and configure OneTrust’s Cookie Consent Notification.

View all 30+ Google Tag Manager Recipes