How To Implement GDPR Cookie Consent Notification with Google Tag Manager

Hi Julius, Great post as always. Since this only applies to people in the EU, have you come across any solutions that only trigger the cookie consent popup based on location of the visitor? Cheers.

Thanks so much for posting this article. I have had a mixed impression of OneTrust - the product looks excellent but the sales guy kept forgetting to call/asked who I was/sent emails with the wrong name/couldn't remember where we were at and most importantly couldn't actually tell me how their cookie consent solution actually worked on a technical level (he was supposed to find out and let me know, he didn't then called a week later to say he found me in his emails and was confused). I was looking for the missing information as in what do you need to do after you've installed the OneTrust script to actually block cookies or stop third party services from loading. I've not looked in detail at the GTM profile yet, but it sounds like the combination of blocking triggers etc is what is required to actually make the thing work. I'm assuming it's the same principal for Civic and Cookie Control?

Excellent article Julius. It gives a practical solution for consent which you don't find easily anywhere else.
I have one question: What about Adsense ads? Does the OneTrust solution covers also consents for Adsense cookies as well? How do you allow/deny these ad cookies via GTM?

Wow amazing job!
I was plan to do it for some clients without evaluate all the steps you did.
I'll try soon.
Anyway, thanks for sharing

Great job putting it together. That said, none of these resulting outputs will really be ePrivacy+GDPR compliant. A soft opt-in (and a not-so-soft one) will miss key components of consent after May 25th. Most importantly, it must be unbundled, granular, informed, and unambiguous (see 5.3 ePrivacy Directive as affected by 4.11 GDPR and EDPB Guidelines on Consent 2018). The latter requires a clear affirmative act when presented with an equal opportunity to say "no", and granularity demands a split of purposes on the very first layer (you can split cookies and destinations further down as shown). In short, this would have worked with the "cookie law" prior to May 25th.

Alternatively, instead of guessing and implementing potentially overly complicated and intrusive solutions, wait until the ePrivacy directive is actually fully defined and comes in to force. Which according to Wikipedia is now some time in 2019. Here's hoping the shift is towards the browser software where this should be controlled and managed centrally, across all websites, in a unified interface, once and for all.

Hi Julius,

Thanks for this article. I'm glad not to be the only one finding OneTrust hard to use and I'm just starting with Google Ad Manager (at least the blocking of the tracking is done).

You might have noticed that yesterday OneTrust (I also tested all the others, OneTrust is the least painful I think, certainly for folks like you) announced an update. It's again free, for IAPP members (which I am) but that's a marketing trick, sales is never really aware of what comms launches.

Anyway, in that new version (awaiting response for activiation):

Consent audit trail is foreseen
I noticed support for Do Not Track
There is an integration with IAB Consent Management tool (but not sure AdSense will really play in it).

If you look at the real challenges for bloggers like me and many of us, I think that the essence revolves around:

Getting AdSense right. Do note that some use ad serving plug-ins to show AdSense and own ads, I use one which is great but no clue how to embed the .php code it uses in GTM, developer is asking for help himself.

It really is a shame there is no native support for Google AdSense and YouTube in....Google's Tag Manager. Found this but also only works when no ad management plug-in used: https://kbyte.snowpenguin.org/portal/en/2016/05/04/banner-adsense-google-tag-manager/

Embeds!!!! SlideShare is major pain. Of course it's built to be social but it drops cookies like....wow. Official reply SlideShare: LinkedIn is compliant and will launch things. Right, nothing yet. No clue where to start with that in GTM, OneTrust support said using helper function. Still Chinese to me ;)

YouTube has that private sharing mode but you need to warn people in your policy that when they play a video they do install cookies. Vimeo: found no solution, kicked off my site as did Google Fonts, Google Trends and loads more. List.ly awaiting a solution but fear they won't be there, asking since a long time: https://community.list.ly/t/cookies-and-gdpr-compliance-received-complaint/2346/7

Social plug-ins: GTM only supports ShareAholic natively but that is a pretty cookie-heavy one and AddThis just updated its policy, of course also self-protecting.

Hoping to see some last-minute blogger code examples here as you can imagine. Yet, thanks again.

PS: cookies and IP addresses and so forth are covered in GDPR, they are part of the broadened definition of personal data and identifiers. ePrivacy Regulation will just be a lot worse with thanks to the EU policy makers forgetting the little guys and having rushed it all, the major brands (yes, also Google) being of no help really (except protecting themselves) and of course to the excuse of the moment, Facebook.

Love privacy, love my business too. Sharing what I can, thanks for doing so here!

PS: agree with what you say on all consent tools, bloody hard, yet indeed will be must. Data protection authorities will set examples but don't forget data subjects can lodge a complaint which needs to be followed up though...

PS2: if you have bandwidth to lend a hand (of course paying) would be swell. If not: will try to follow your advice!

Hi again. What is coming is an ePrivacy Regulation (huge difference: directly applicable). Also: the draft is widely available and it includes an exception for analytics cookies -check article 8.1-, but it goes along the same lines already discussed when marrying the current ePrivacy Directive (first and last with that name) and GDPR. Hopefully more clear in a guide I just put together and here's a direct link to avoid filling out forms https://www.sweetspot.com/en/download/9658/ (temporary, I will add a final one later if I do not forget). Best of lucks with all of it and I look forward to a post where we can combine these great expertise of yours with the actual requirements in the law.

Or Google will force an implementation with this: https://www.google.com/about/company/consentstaging.html

Still really unclear on exactly what we are supposed to be recording that still complied with GDPR.

Honestly, I'm so fed up with the whole thing. Guess what - apple.co.uk no cookie popup, eBay "we use cookies" --- like so many other big sites.

It is annoying indeed, but it makes sense that Apple avoids the notice altogether, as the conditions for a waiver seem to be met. Again, all here:

https://www.linkedin.com/pulse/digital-analytics-gdpr-compliance-sergio-maldonado/ -

and now the final link to the referred doc: https://www.sweetspot.com/en/ideas/knowledge/analytics-gdpr-survival/

Bottom line (easier to grasp): You can go deep for a small sample or shallow and wide. Another good example (of the way it should be if you aim for depth) is Trustarc's use of their own Consent Management tool.

Best, Sergio

Superb article. I was racking my brain trying to figure out, or at least confirm, the default group IDs in OneTrust. 200+ page documentation, but nobody could tell me this information. Thanks Julius. Back to work now....

Hi Julius,
Thank you for your blog. This is a great resource about GTM!

I tried several cookie consent tool and oneTrust seems to be one of the best even if confusing. I must admit it takes time to set and install. The documentation is sparse and the support is more console/product oriented than technical oriented.
As I understand GDPR (from Switzerland where I live), Privacy Policy and Cookie Policy are core elements to be available on websites to describe how your company process data. As I'm not a lawyer I use iubenda services to generate the policies.

I'm a bit perplex about cookie consent tools, especially complex tools with granular setting like oneTrust. It takes about 2 days of work for the configuration and implementation with GTM. I'm wondering if that level of setting detail is really required today? Shouldn't we wait and see what browsers companies will suggest? GDPR does not handle cookies per se, so waiting for the ePrivacy Directive (end 2018 / 2019) would be wise.

Some big companies handle this really simply, so why bother:
https://www.gov.uk/, https://tfl.gov.uk/, https://www.theguardian.com, https://www.loreal.com, https://www.airfrance.fr, https://www.lemonde.fr/

Some companies use oneTrust but not at its best. It is very surprising but both website are tracking before consent: https://mailchimp.com/ (with an active opt-in and no efficient results if you op-out, cookies are always there!!), https://www.loreal-paris.co.uk/ (with an active opt-in!)

By the way OneTrust is launching a new solo product https://www.cookiepro.com that is... not free. So it adds up to the confusion, as https://free.onetrust.com/ suite is free for one website.

To sum up and what I will do:
- Privacy Policy (legal text, about data processing and user rights)
- Cookie Policy (legal text, that explains what cookies are used and provides means on how to opt-out)
- Cookie consent (less is more: blocking all tags at first, tracking on consent only). Can be done with iubenda as well.

Thank you Julius, that was a helpful guide.

One question--I'm getting reports of multiple users on my website (getcheddar.com) that can't get the cookie consent banner to go away, but it's not consistent (I haven't been able to replicate the issue, but my team members say some of them have been asked multiple times, others haven't, sometimes it's on and off...)

Have you run into similar issues? If not, would you suggest adding blocking triggers or re-prioritizing some tags? I used Production CDN too while I was changing cookie settings, I'm testing to see if I switch back to Production Single Location fixes that.

Thank you!

Wes

Hello,

First of all, thanks for this helpful post!

I am stuck at the first part. I submitted the form a week ago and I have not got an email with the confirmation link yet. I emailed them and they have not answered yet. Is this something that usually happens? What should I do in this situation?

Best,

Inés

Hi,
This recipe is a total life saver, but I found a problem. The "cHTML - Push To Data Layer - Consent Updated" is configured to fire "once per page" which is not good if you put also a button to re-consent, since then the changes does not get reflected. I changed it to 'unlimited' and it seems to function ok without side effects, but maybe it's better if you check this and eventually fix it the proper way.

Hi Julius,

First Thank you for this helpful article! I am totally new to GTM and GA and was following your article to set everything up and running for my cookies consents.

I tried to find a way to store the consents in GA following the article you recommended. Of course i had to adapt the triggers to the OneTrust cookie tool as it is the one I use. Everything triggers well and I can see the event displaying in GA. Unfortunately the label of the event is 'not set'.

I used the GTM preview and debug tool and when i accept the cookies I can see that the label is set to the right data (timestamp, clientId and userAgent) but for a reason this information doesn't make it to GA. Category and Action are ok.

Do you have any idea where it could come from?

Thanks a lot for your time,

Kil

Hi, me again. Two things.
First, to report a broken link. The section title is "Create An Account". The link you provided for the free user guide now reports 404 page not found. Here is the link from your site: https://www.onetrust.com/documentation/iapp/user_guide_free.pdf

Second. I cannot get my customized version of the cookie banner to appear on my site. Only the default cookie banner displays. And this happens for both the "live preview" option from the OneTrust site as well as after I update "cHTML - Cookie Consent" and use the preview mode of Google Tag Manager. Did I miss something? I also added the ?v=1.0 to the src url. Or does this just take a long time to update? According to their sales pages the free version does provide for customized cookie banner. It should be working.

Hi,
I'm trying to trigger accepting the cookies when a logged-in user agrees our GDPR policy on the site. I sorted out what calls has to be done through the Optanon javascript, but I hit the following issue - the code has to trigger AFTER the OneTrust javascritpt is loaded, since the Optanon object does not exist before that, of course. I see that in the code of OneTrust there is a push of an OptanonLoaded event to the datalayer, but it actually never fires, because it is conditional. Do you have any idea how can I detect the load of OneTrust script in GTM ? Any kind of help on that would be appreciated.

Hello again,

As I mentioned a few days ago, I finally got the email with the confirmation link. Now I am trying to set up everything. However, I have almost zero knowledge of Google Tag Manager. In reality, I am pretty new with everything. So, I have a few questions, and they may be very basic.

First, the only thing I have in GTM is Google Analytics and your recipe. So, how can I allow/deny the rest of cookies via GTM including the third party cookies, such as facebook or PayPal?

Also, I followed the instructions you gave to somebody else about adding Google Adsense in GTM, I created the tag that you mentioned. However, I read somewhere else that I need to created a new variable. How do I do that?

Additionally, you say:" #3. Additionally, update all those tags which fire upon Pageview, DOM ready, or Window Loaded Events. Firstly, you need to remove all Pageview, DOM Ready, and Window Loaded triggers from your current tags...That’s why assign Custom – Optanon Consent Updated trigger to all of them." What am I supposed to do with the tag called cHTML - Cookie Consent that came with your recipe?

Best

Quote: "So, how can I allow/deny the rest of cookies via GTM including the third party cookies, such as facebook or PayPal?"

Indeed. I have this question too. In fact after getting the GTM recipe imported and adjusting the Google Analytics tag, I could not figure out the rest so I gave up. I am blocking all GDPR countries until there is a solution that deals with the entire scope.

Hey, Looks like I'll need to cover this part in greater detail since there are at least several readers who got confused. This GTM Recipe lets you control only tags and cookies which are in the GTM container (like GA, Adwords, etc.). But only if they are in the container.

If Facebook or Paypal are outside of the container, you need to work together with a developer. Here's the action plan in that case:
- This cookie consent, after a consent is given (or denied), stores a cookie in the browser called "actualOptanonConsent".
- That cookie contains the consent data (which cookie groups are accepted or rejected).
- So if you want to affect cookies and scripts outside GTM, you need to ask a developer to to that.
- A developer needs to take that cookie, decode it (he'll know that means) and check what values are in there. If the cookie contains ",2," (without quotation marks), a visitor has accepted Analytics cookies. If ",3," - functional cookies, If ",4," - marketing/targeting cookies.
- Cookies should be checked every time a page loads.
- Also, developer should listen to the dataLayer. It's a global JavaScript variable. If event "optanonConsentUpdated" is pushed, a developer should also check the cookie.
- So based on these cookie preferences, a developer needs to edit all the scripts coded directly on a website and fire them accordingly to the cookie settings or the dataLayer.
- Yes, that's a lot of work to do and that's why many businesses have spent a lot of money on this. So the more you have tracking codes implemented via GTM, the better/easier.

Hi Julius,

Really a great article. We have implemented One Trust soft optin solution for one of our client.

Since as part of GDPR compliance we are not allowing tracking to begin when user lands on the website and begins the tracking only when user provides explicit consent or continue browsing on the website without interactin with banner.

Problem we are facing is for all the new user attribution report has messed up. Since now all the new user are getting attributed to Direct channel which is not correct for all those new users who are coming from various other channel.

Could you please thow some light on this and how we can get our channel report correct keeping in line with GDPR compliance.

Thanks in advance!!

Looking forward to your valuable suggestion

Hi Julius,

I have a question... my team are building a cookie consent mechanism entirely within GTM - we are not using OneTrust.

Here's a brief description of how it works: If a user doesn't have a cookie, the notification appears when they arrive on the site. If they say yes, we give them a 'cookie permission' cookie with content 'yes', and the page reloads. This reload page view and 'yes' cookie are used to trigger our Google Analytics tags and ensures users are not tracked unless they have said yes.

But there is a problem... because the page reloads and THEN we start tracking, we actually lose any source/medium data of the user. So all New Users would come under the 'Direct' channel in GA.

Is there any way of keeping hold of this information? The page reload seems to be the issue, but I am not clear on a workaround. (by the way I am not a developer)

Thanks

Patrick

Hello, I have been reading your blog for a month now and I think your articles are very well written and really helpful for everyone who wants to get familiar to GTM. I have been trying to migrate from native Analytics code to GTM and implement your recipe for Onetrust cookie consent. However, I have some questions and I would very much appreciate your help:
1. In GTM I created tags for Analytics Page View, Adwords Conversion Tracking, events such as clicks on outbound links, clicks on phone number and email address, pdf file download, scroll depth, embedded Youtube Videos + customHTLM tags for integrating Zopim Livechat and for social interactions (based on your post https://www.analyticsmania.com/post/track-addthis-google-tag-manager/).
My question is: for which tags should I apply steps # 3 and #4 #3 ( Additionally, update all those tags which fire upon Pageview, DOM ready, or Window Loaded Events.
#4. Add pageview-based triggers which respect the consent settings)?

2. as regards Addthis interactions, should I change them from Social to Events? (you did not include social cookies in your recipe)

3. when migrating to GTM, what should I do with this script provided by Addthis
? Should I leave it hardcoded in my website source?

Thank you in advance for your time and patience.

Is there a way to read out if consent was given / updated etc outside of the GTM world? in my own little javascript library that runs on my page.

e.g. is there any API endpoints and events _outside_ of GTM? for example: if people do not give consent, well, one could just add an image "sorry no youtube if you do not accept"
or "sorry you cannot share if you don't accept" if they decide to accept, one could add the missing pieces.

Thanks for the great post - really useful information in here!

Unfortunately it looks like OneTrust isn't offering the free edition anymore. I filled out their form about 2 weeks ago and only just heard from them now. I mentioned I wanted the cookie consent and their advisor pushed me onto their new (non-free) offering on cookiepro instead.

Hi Julius,
Have you set up a way to sort out the visits with activation or deactivation of cookies. Ideally visits with Analytics cookies enabled or not, targeting cookies enabled or not, etc. ?

Thanks again for this good post

Hi
Finally made it through the steps - they were very good.
Now that I've done all this setup in GTM I'm wondering if maybe its a bit wasted since most adblockers block GA and GTM right off and I think FF blocks GTM by default through their privacy settings so cookie consent never even gets a chance to activate.

I'm wondering if you have any thoughts on the OneTrust instructions for GTM
https://support.onetrust.com/hc/en-us/articles/360000070778-Cookie-Consent-Integration-with-Google-Tag-Manager
Looking over them it looks to my untrained eye that they achieve mostly the same result with only a handfult of regex based triggers. Is there an obvious downside to this that I've missed?

Sorry, one more question, have you looked at sub-group opt-out?
I think ultimately GDPR requires that each cookie be opt-in/out -able at any time rather than at the group level.

Do you know how these sub-groups work?
I tried to decode my cookie but I don't know where these numbers come from

groups=105:1,0_37017:1,1:1,104:1,2:1,103:1,0_37083:1,102:1,0_37018:0,0_37033:1,0_37032:1,8:1,101:1

Thanks!

I'm so glad I found your post as I'm really struggling to get this thing on my site. I have no knowledge about coding stuff and find it very challenging. Your post really helped me...so much! Thank you for writing this article!!! I managed to follow your instructions and oh my, the GTM was really challenging I hope I get it right. My only problem is I don't know how to implement or to put the codes that the OneTrust generated on the script integration to put in my site. I'm in Production CDN and I managed to put the first code in GTM but I don't know how to put the two next codes for my site: The Cookie Setting Button and the Cookie Policy codes. I hope you could help me how to set them up on my site. Thank you in advance for your time and patience.

Thank you for getting back to me. I will try to do the same -- just one code---cookie settings button.

Hi Julius,

Thanks for writing these blog articles. Helped me a lot. Total noob at GTM and have been forced by company to adopt OneTrust. I still have certainly have not digested everything, and I am not a web developer :) I have used your OneTrust+GTM recepie.
If we get consent I let HubSpot run its tracking code on our WordPress site. This approach means that we lose data about where the visitor comes from.

Another perhaps better approach is to let GTM set a cookie in the visitor web browser called __hs_do_not_track. This should disable the website Java Script from sending any tracking data to the HubSpot cloud.

This is probably what we want to achieve instead. This approach would hopefully also work better across all our sub-domains since one issue is that me as admin cannot turn off/control tracking on HubSpot hosted landing pages and blog without using their Cookie banner. And we want to use OneTrust Cookie Banner across all sub-domains.

Using your recipe I assumed that the trigger "Blocking - Marketing Cookies are Not Allowed" would be used to trigger a tag to run which sets the "__hs_do_no_track" cookie.

When I debug this in GTM I can see that the tag seem to run many times: 1 Page View, 2 DOM Ready, 5 Window Loaded, 6 gtm.click, 7 gtm.click...

Is my understanding incorrect - should I use another trigger condition?
I also read your other GTM article on setting/deleting cookies. Now I am also thinking I want to delete (back-date expiration time) for the __do_not_track cookie if someone later enables "tracking cookies" in the OneTrust dialog. Is there a trigger point I can use to execute a "Delete __hs_do_not_track cookie" tag?

Again - thanks for your articles!

Greetings!

First of all, thank you so much for doing this. It is much appreciated, as I am currently working for a client which needed this in a hurry.

I am, however, having some issues.

1. The cookie did not seem to be set in Chrome. But after removing the leading dot on domain, it seems to work. Have you encountered this issue before?

2. The popup keeps popping. When testing on localhost I am repeatedly getting the cookie consent popup. When inspecting the dataLayer and cookie information, it seems to be all there. Is there something obvious I'm missing?

Cheers again, this has helped me immensely - especially since I have no prior experience with GTM ;-)

Hi
I've got 3.5 issues, I wonder if you have experienced any of this before:

1. The cookie consent box doesn't seem to come up on a new first visit in IE or FF but works fine in Chrome. Often it will load on a second page in FF. I'm using the onetrust CDN version.

2a. When enabling cookies and disabling cookies on the same visit - no page reload - one cookie keeps coming back even though the other two are disabled. This happens if I manually delete the cookie in the browser too, is this some sort of magic cookie or is something triggering I can't see?

2b. Same situation as above, cookies enabled and then disabled. When I reload the page I can see the cookies enabled - triggers are run - even though the preferences box still shows inactive.

I've used mostly your recipe out of the box except that I modified the custom js cookies script to delete the cookies (if they exist) on a "false" to "show" that something is really happening when onetrust preferences are toggled.

Thanks a lot for your recipe, it's driving me crazy but its saved me a ton of time too

Hi, Thanks for a really great tutorial! I've been following it as it really explains how I shall go about, but despite I've added the script (Production CDN) before the closing tag, it does not seem to work!

I've tried several devices but the banner is not coming up! When looking at the source code it seems there is something wrong with the javascript output; Uncaught TypeError: Cannot read property 'fn' of undefined
at e (cff579cd-9c26-48c0-8061-73261baf1969.js:32)
at Object.Init (cff579cd-9c26-48c0-8061-73261baf1969.js:120)
at cff579cd-9c26-48c0-8061-73261baf1969.js:129

Is this the reason why the banner is not showing up? Or have I done anything else wrong by putting it in?

NB! Added via functions.php in Genesis framework

Hope you can help me

Hi Julius

Many thanks for your recipes, its a life saver. I am using one trust and have managed to install it and get it working. The only step I am stuck at is recording the cookie consent. I read the article you suggested but need some tips on how to apply it to OneTrust cookie tool as I am not that familiar with GTAG. For example the article mentions creating a variable for the button they are using but I don't know how to apply this to the one trust cookie tool.

Many thanks for your help in advance.

Bhav

Hi Julius,

I really love this, thank you so much for this. I have two questions:

1. Although I found this difficult to do I tried to as much of it as I could but I am unsure if I did it right. How can I test it in Google Analytics to know I set it up right?

2. I followed the link you suggest for recording consent and I did follow that too but I am unsure how I can view the consent recorded in GA? How do you view your stored cookie consent?

Thanks for your help,

Aneesa

I am of the understanding that the cookie notifications are the result of a European Union law?

Whilst I didn't vote in favour of Brexit, I presume that once we leave these notifications will cease?

I hope so, I am bored of being told something repeatedly, day in, day out and having to respond by clicking

UPDATE: I've added a built-in solution in this GTM recipe which will now record the proof of consent and send this data to Google Analytics. All you need to do is to set the GA Tracking ID or GA Settings Variable.

Hi Julius

I'm revisiting your post for some inspiration, thank you again for writing it. I know that you have purposely not gone in to the specifics around why you chose one method over the other when creating your GTM container, but I'm curious about two points.

Is there a benefit to using blocking exceptions for page view tags instead of having the tag fire on either a page view with consent or an update event where the consent is set to allowed? It seems you trigger the tag on any update of the permissions, but use the exception to block if the update wasn't to allow that specific type. Is that more scalable in some way or did I misunderstand?

Secondly, why does the consent information need to be present in the dataLayer as well as the cookie? It seems this has created extra work in the custom JS variables as both are checked. Is this for convenience, or does the OneTrust solution not keep the cookie values updated properly? I thought I had read the latter in your article, but can't seem to find it now.

Thanks again!
Jamie

Julius, I wanted to ask two last question to you. Hope you will answer me.

1. Lets say, I do not implement any tool like oneTrust but simply show one popup banner with accept and reject button. upon user reaction, if he choose to accept then i will set cookie and show the page but if he choose reject then simply I want to redirect to 404 or an specific page where i will show that, "we are unable to server you without cookies". is it okay for now? is it enough way to put off GDPR headAche ?

2. what if i block all traffic from EU region? is it best solution for those who has very less (like 1%) traffic from EU.

Hi Julius,

Thank you for the recording of consent to GTM but I am bit confused, I am assuming I would have to create this GA Event? If so, Would I choose UA as tag type? And what about the track type?

Thanks,

Aneesa

Hi, all
After the integration of these GTM Recipe have you noticed a decrease in the bounce rates of your site?
And a decrease in the traffic recorded by Google Analytics?

Thanks Julius for the info.
I'm not surprised by the decrease in the traffic
For the bounce rate, could it be a "bad" integration of the recipe ?

Hi Julius,
Thanks a lot for the detailed guide. I am having trouble with the GA tag. It is firing properly by the GTM (I can see it in the Tag assistant) but I am not getting any recordings in the Google Analytics itself. I tried different browsers and still can't figure out why it is not firing.
I can see my FB pixel in the Helper working properly.
I assume I have not set up the GA code correctly.
I used Universal Analytics, Event, {{GA Tracking ID variable}}. As triggers, I used the Custom - Optanon Consent Updated and Pageview - All pages - Analytics allowed. Exceptions is Blocking - Analytics not allowed.
Any idea what am I doing wrong? Cheers!

www.emigratetoaustralia.info
Thanks!

a question: Will googlebot see a cookie consent message created in this way? I'm asking because I feel uneasy about such possibility (what if my website gets penalized (with lower search rankings) for a pop-up window or whatever is the correct name for that type of notification window).

I know for sure that cookie notice by cookie/GDPR plugins for Wordpress that I've tested IS visible to googlebot (I used "Fetch and render" option in Google Webmaster Tools, the screenshot that's on the left shows what the googlebot sees).

If you don't know for sure the answer to my question, could you please do "Fetch and render" thing for your site to check? (it's in Crawl -> Fetch as Google -> Fetch and render button) Thank you!!

Hi Julias,

If I only use Google Analytics do I need one of those pop up window things? I have done the anonymize ip setting. I turned off name/email for comments. My site also uses Amazon affiliate links and has an opt in box (which should be clear they're giving consent...right?) If I have this in my privacy policy is this sufficient?

Sorry if this has been covered but it's like an information overload and I can't handle it. lol

Hey Julius, firstly thank you for this excellent guide it's very useful and has saved me a lot of time getting up and running.

I'm currently testing this out in TagManager's preview mode but I'm having a couple of issues which I'm having trouble debugging.

1) The documentation refers to a soft opt-in model on page 146/7 but on page 182 it doesn't mention it.

The banner on Analytics Mania hides after a short time after using the site - mine won't! I have the consent preferences set as indicated in your guide... I'm wondering if it's preview mode?!

2) When previewing the site in TagManager preview mode I can see 'Custom JS - Marketing Cookies Allowed' etc all get set to true, the OptanonConsent Cookie also seems to contain the string for these being true too.

However - the Tags aren't being fired if I begin to navigate around the site (I'd expect it to behave like yours!).
If I interact with the banner and accept cookies, the tags will fire and I get the additional actualOptanonConsent cookie...

No need for a hack this time for me - in my case consent counts if a user navigates to a page beyond their landing page.

If they do so, the relevant DLV's are set to true, I just needed TagManager to recognise this. Changing the trigger for the tags to 'Window Loaded' rather than using the 'Page view' type solved it.

This is a great article, although OneTrust is very buggy - I originally had an issue where the banner wouldn't load, which support sorted out for me with custom code they provided.

The GTM recipe has been really useful as well as the standard Regex matching triggers and blocking triggers suggested by OneTrust just don't work, so I've relied on yours.

However, while you've set everything to 'inactive landing page', I'd like to have just our anonymous Google Analytics as 'active' on the landing page with the option to opt out (the ICO actually do this and don't even provide an opt-out mechanism themselves, so why not?!).

I thought that setting an 'all pages' trigger and then adding your blocking trigger for performance cookies should work, but it just doesn't want to fire on landing and only on page reload - meaning we lose all our source data.

Can you think of a reason for this and suggest a fix?

PS - just realised this publishes client's site in my name link, if you could remove that would be great!

Thanks for the detailed post. I have successfully installed OneTrust on my website and it initially worked. I don't know what happened to make it stop working. I went through the cycle of deleting caches and browser history, clearing my site's caches, ect... but I'm yest to see that working now.

I don't know why but I have recently removed the www from my site's address. Can this be the issue? What do you think I should do to get it back to work?

P.S. I contacted OneTrust support but they didn't come back to me.

Hi Julius,

Thanks for the article it's very helpful. I have got some of this working in a dev environment. Rookie question but how do I handle a pageview trigger on a marketing tag that is set only to fire on 1 specific page? Should I copy the Pageview - All Pages - Marketing Cookies Allowed and add a second condition when url path = ... then apply this new trigger to the tag?

Thanks,
Brendan

It appears that OneTrust has done away with the soft opt-in. No longer is there an option for scroll accepts cookies and closes banners, rather the option is Scroll saves settings and closes banner, resulting in opt-out behavior. Took me a while to figure this out, just thought I would pass it on. Thanks for the great guide.

Hi Julius, I have a question about step #3. You said that we should use the "Custom - Optanon Consent Updated" trigger for tags that record personal info. But doesn't this trigger occur if someone declines some tracking cookies and saves their consent settings?

Hi Julius!!

One quick question: your GTM recipe that build the Triggers, Variables and Tags for OneTrust, still works with CookiePRO cookie consent?

Cookie Pro is owned by One Trust, and it have very same internal dashboard to manage cookie banner and consents.

Thanks!

Hi Julius,

Thanks for the recipe and instructions!

I've followed this, however I cannot get the "Custom - Cookie Notification Closed" trigger to fire. I can see in my browser console that OneTrust popup is sending the event "trackOptanonEvent" with a optanonAction of "Banner Accept Cookies", but that doesn't seem to trigger anything in GTM!

Any ideas?

Thanks!

Hi Julius,

Thank you very much for this article! I seemingly succeeded on implementing using the formula in GTM with the cookie consent banner from OneTrust and then moved to CookiePro from OneTrust. On preview mode I get all the cookies to pass in the US (with EU look up implementing the API from OneTrust), and they all pass when accepting them through the banner using a vpn. Yet I have been noticing that the amount of users decreased exponentially in Analitycs (almost 50%), and it is not only from the EU, also decreased from the US which should've stayed consistent, whereas pageviews have duplicated.

Did you encounter something similar? Do you think the triggers have anything to do with it?

Hello from Spain Julius!

Thanks for this great guided lesson.

Please tell me how did you do to configure the percentage of scrolling to accept the cookies, you explained that you set a ~25% in your site. But I can't find where to change this.

Thanks!

I have signup for one trust but since 3 days I have not seen a message for them.what should I do

Ouch... Now I see I'm being ignored... However, I feel thankful for the information that you shared with the world. It help me.

I guess that for a response of you I need to buy something.

Peace.