How To Implement GDPR Cookie Consent Notification with Google Tag Manager
In less than a week, on May 25th, General Data Protection Regulation (GDPR) will come in effect, meaning that online businesses which get visitors from the European Union, must track visitor/user behavior and collect data more carefully, responsibly, and with consent.
I will not go into details what GDPR is (there are other great blog posts out there like this one, this one or this one). Long story short, a standard This website uses cookies blah blah blah cookie consent becomes irrelevant. From now on, cookies which contain personal data must be activated only when a person gives a consent, in other words, a visit is not a consent a consent by default.
So before you get the actual consent, all the tracking should be put on hold. In this guide, I’ll show you what solution did I choose and how I implemented GDPR cookie consent notification on analyticsmania.com + you’ll get a GTM Recipe.
First things first, GDPR is NO cookie legislation
Before we continue with the GDPR cookie consent notification, I’d like to point out a common misconception. The General Data Protection Regulation only involves personal data. It does not talk about cookies in any way. If a cookie contains personal data, then it GDPR applies to it (because of data), in all other cases, a “cookie law” should be applied.
In fact, the European ComisCommission is currently working on a new ePrivacy Legislation (expected end of 2018) which will be built upon the ePrivacy directive and the GDPR. This legislation is expected to bring more clarity on how companies should handle tracking and advertising online. And that’s good because most of us are still confused and everyone is interpreting GDPR in their own way.
GDPR Cookie Consent Notification: Action plan
OK, now let’s go back to our main topic, cookie notification. I’ve checked several solutions and the one that I’ve chosen is offered by OneTrust. In fact, you’ve probably already seen it here, on Analytics Mania just a couple of minutes ago. If you are a returning visitor, then open analyticsmania.com in Incognito window to check it out.
Here’s the flow:
- A new visitor lands on a page and sees the cookie notification banner at the bottom of the screen.
- Banner offers to accept cookies or decline them by going into cookie settings. Until this moment no tracking tags are fired yet. In other words, a visitor still has the opportunity to act before cookies are stored in his/her browser.
- If a visitor clicks Accept Cookies button, this is a consent.
- If a visitor continues browsing a website, this is considered as a soft opt-in and all the cookies are also stored in the browser.
- If a visitor clicks on Cookie settings he/she can change preferences and opt-out of particular groups of cookies.
Onetrust Cookie Consent Notification: Pros and Cons
I have to admit, I struggled a lot when I was trying to implement OneTrust’s consent for the first time. For the second one, I already had a GTM recipe which made things much faster and easier.
If you’re not sure whether this tool is right for you, here are the advantages and disadvantages:
Pros:
- Free for one website (not limited by pageviews/number of pages, etc.)
- The design is pretty good and clear
- A Preference Center and the ability to opt-out/in to separate categories of tracking cookies
- Pushes consent data and events to the Data Layer
- Scans the website for cookies, automatically assigns them to different cookie categories in the preference center.
- Offers various opt-in/opt-out settings, is pretty customizable.
Cons:
- On workdays, the cookie scan takes pretty long time (if not carefully configured, even several hours). But I’ll show you a workaround.
- Several bugs
- Not all data layer pushes are usable, some require hacking
- Does not store consent data (in the database). At least in a free version. I’ve found a workaround for this as well.
- Requires a lot of configuration on GTM side (but this step is required by pretty much all cookie consent tools, as far as I know).
- Setup flow was annoying sometimes, especially for new users who don’t know all ins and outs, yet.
- Sometimes script caching is too persistent. Once again, I’ll show you a workaround.
I have to admit, it took me way too much time during the first implementation (a day or two) because I had problems almost in every step (and the support was pretty meh with their help).
But when I did succeed, all the other attempts took me about 1-2 hours. Once I knew all the possible obstacles, I avoided them immediately, therefore saved a lot of time.
In this guide, I’ll also give you tips how to avoid possible blunders in order to implement the GDRP cookie consent notification asap.
Create an account
This is a very important part. It’s not that simple to create a OneTrust account. You will need to fill in this form, submit and wait for up to 48 hours because someone will manually create an account for you and then send an email with the confirmation link.
So if there is a slight chance that you will want to try OneTrust, immediately go to this page and submit the form. Go, do it now. I’ll wait.
I had different experiences waiting for the email with a link. Once it took maybe 2-4 hours of waiting, while the other time it indeed took me around 48 hours (2 work days).
After you get an email with a link, finish registration and come back to this blog post and we’ll continue.
OneTrust has published a long but informative and useful guide, you can find it here. Cookie-consent-related stuff starts at page 148.
Scan the website
After you get an email with a signup link and finish the registration, you should be redirected to this page.
Click Cookie Consent & Website Scanning. On the next page, click Scan Website.
Then click Add Website (in the top right corner of the screen) and enter website’s information. Free OneTrust plan allows you to have one domain.
Important! DO NOT ENTER a subdomain (e.g. www.analyticsmania.com). ALWAYS enter just the main domain, e.g. analyticsmania.com. By entering just the main domain you enable this GDPR cookie notification consent to work on all subdomains.
If I entered just www.analyticsmania.com, then consent cookie settings will be saved only on www.analyticsmania.com. If I also had support.analyticsmania.com, that subdomain wouldn’t be able to access cookie settings stored on www.
It is crucial to enter only the main domain on the first step because you won’t be able to edit it later and OneTrust’s support will also be useless here. The only way to change it is to delete all the content and settings in OneTrust and start from scratch (which is annoying and time-consuming).
Important #2! When you enter your website’s information, click Advanced Settings and set the Scan Limit to 50 or 100 pages. The default is 1000 pages which is A LOT. If you leave it as it is, your initial scan will take way too long. I did this mistake once and my page was being scanned for about 4 hours. Make the scanning process faster by reducing its scope. Without scanning, you won’t be able to proceed, therefore this step is required.
Once you create a website’s profile, its status will be Scan pending. It might take a while for it to start, sometimes 60+ minutes. It depends on how much OneTrust platform is currently loaded with other tasks and traffic.
Another tip. If your scan’s status changes to Error, this means that your website’s protection is too strict against bots (or there is a redirect).
In my case, I’m using Cloudflare and it did not let OneTrust’s scanning bots through. A solution? Temporary disable Cloudflare’s firewall or make its settings a bit lighter. Consult a developer/sysadmin, you has set Cloudflare in the first place. But this is not a common case. Usually, OneTrust’s bots manage to go through just fine and complete the scan.
It’s a good practice to go and drink some coffee while the website is being scanned. People say that time flies faster then 🙂
After the scan is complete, you should see some cookie numbers in this report:
If you see only zeros even though the scanning is complete, once again, that’st the issue that might be caused by your website’s firewall as it’s blocking OneTrust’s scanning bots. Temporarily disable it or make a bit less strict for a while and then re-scan.
Cookie Banner Setup
The next step, a banner which informs the visitor that a website is using cookies and it requires a consent. To set the banner, go to Cookie Banner page.
You will be able to change its layout, colors, content, and behavior. I won’t go into details of all options, just want to mention several:
- Layout and colors for GDPR don’t matter. Choose whatever is beautiful for you.
- In Content, I’ve enabled both Accept Cookies button and Cookie Settings link.
- In Banner Behavior, there are many options that you can play with. Personally, I chose that closing a message and scrolling down should be considered as a consent. Scrolling will be treated as a consent if a person has scrolled for ~25%. So an accidental scroll will NOT be taken for a consent (which is good!).
Yes, I know that this is not an explicit consent, but in this case, I am giving the visitor an opportunity to act before being tracked and doing a soft opt-in. I’ve seen other large companies implementing this similar tactic.
Yes, I know that’s not a good practice because that does not make you fully compliant. But for now, I’m choosing to spectate how the market acts and how GDPR is implemented on a larger scale. I chose this way as a small business owner. This is not a legal advice in any way. If you’re super concerned with GDPR, you should get a legal advice from an attorney.
I really doubt that after May 25th a bloody hunt will start, especially knowing that EU regulators themselves are not GDPR ready! So I chose to be partially compliant regarding the consent (at least, for now) and see what will happen on the market with larger businesses who have implemented the consent mechanism in the same way.
Nevertheless, OneTrust GDPR cookie consent notification banner has many options so you can decide how well compliant to you want to be.
The consent banner can be always viewed in a live preview (there’s no need to have OneTrust’s JavaScript added to your website).
After you’re satisfied with settings and appearance, hit Publish changes.
COnfiguring a Banner For a True Opt-in
One of the other possible banner configurations goes like this:
- A person lands on a page
- The entire content gets hidden behind the overlay
- This way, a user is forced to interact with the banner: give consent to be tracked or opt-out.
Here’s how this looks in action:
In order to enable such banner configuration, go to your OneTrust account > Cookie Consent > Cookie Banner > Behavior and enable Require Banner Interaction.
Cookie Policy Setup
If the scan was completed successfully, OneTrust will automatically assign the cookies to dedicated cookie categories. By default, there are 5 cookie categories:
- Strictly necessary cookies
- Performance cookies (a.k.a. for Analytics)
- Functional cookies (e.g. for A/B tests, for support chat widgets, etc.)
- Targeting cookies (for marketing)
- Sometimes a 5th category appears, Social Media Cookies.
Later in this blog post, I’ll share a GTM recipe for this cookie consent (which contains triggers, variables, etc.). It will work ONLY if you use the first 4 cookies groups as they are in their default state. #1 always must be Strictly necessary cookies, #2 must be Performance cookies, #3 must be Functional cookies, #4 – Targeting (Marketing) cookies.
Now go to Cookie Policy section (of OneTrust interface) and set cookie groups to the following statuses:
- Strictly Necessary Cookies – Always Active
- Performance cookies – Inactive LandingPage (consent will not be active just on landing)
- Functional Cookies – Inactive LandingPage.
- Target Cookies – Inactive LandingPage.
Inactive LandingPage consent model means that a cookie group toggle will be set to ON but it will come into effect only if a visitor gives consent to be tracked. A visitor will be able to change his/her preferences in the Cookie Preference Center. You can read more about OneTrust consent models here, at page 181.
As you can see in the screenshot above, each cookie groups has its ID. Make sure that they are identical to yours. If you do not change any default settings, they will be just like that.
If you don’t see any or some of these groups, do not fear, that means that a group still does not have any cookies automatically assigned to it.
We’ll be able to do that manually really soon. Go to Cookie Policy > Assign Cookies. You will see a more detailed list of those 4 cookie groups containing actual cookies, like _ga, etc.
OneTrust does a pretty decent job automatically assigning cookies, however, it won’t do the job at 100% precision. You should manually drag all unassigned cookies to the most appropriate cookie groups. Just click (and hold) a cookie block and drag it to, say, a group of Functional Cookies. Repeat the same action with all other unassigned cookies as well.
Keep in mind that a cookie group will be visible to visitors in the Cookie Preference Center only if it contains at least one cookie.
After you’re done, publish all changes.
COOKIE Preference Center Setup
Preference center is a popup with more settings, detailed explanation, and relevant links. It is displayed after a visitor clicks Cookie Settings link.
In Cookie Preference Center section, enter all the information you feel is necessary. Personally, I entered a link to the Privacy Policy, edited some texts. All other settings remain default. I chose not to display the detailed list of cookies in the Cookie Preference Center as my plan is to display the list in the Privacy Policy page on analyticsmania.com (but due to lack of time I still did not manage to do that).
In Preference Center Styling section, you’ll be able to change main color scheme and upload your own logo (also included in their free plan).
Script Integration
The next step is to get familiar with OneTrust GDPR cookie consent notification’s script. There are two options you should be aware of. Since my blog is without a staging environment, I used two scripts out of 4 options:
- Production Single Location. It is especially useful if you want to see your cookie banner/preference center changes almost immediately on your website (settings cache is not that persistent). However, cookie banner will load with some delay. I use this option when I’m configuring the consent solution and testing/debugging.
- Product CDN. This option uses multiple servers scattered across the globe. It uses a stronger cache, therefore it might take even several hours for your changes to go live for all visitors. On the other hand, the cookie banner loads faster. I switch to this solution after everything is configured correctly.
We’ll get back to these scripts really soon. But first, let’s prepare the GTM configuration.
GDPR Cookie Consent Notification: GTM Recipe
Configuring OneTrust’s cookie consent solution is just the half of the task. Your tracking scripts (like Google Analytics, Google Adwords, etc.) will still continue working as they always did unless you import my GTM recipe and then reconfigure all of your tracking tags. Yup, there’s a lot of manual work waiting ahead.
Important: After you follow my instructions and configure everything properly, OneTrust’s Cookie Consent will affect only those tracking codes which are implemented via GTM. So if you have Google Analytics hardcoded directly in website’s code, it’s right about time to migrate to GA + GTM.
I will not go into details how everything is set up in the recipe and why did I choose one solution over another but here’s a brief recap of what useful settings will you get. After you import the container, it will automatically create a dedicated Folder called GDPR Cookie Consent Notification containing 24 assets. Here are the most important ones:
Tags
- cHTML – Cookie Consent. This is the tag where you should paste your OneTrust consent script. Without it, GDPR cookie consent notification will not work.
- cHTML – Push To Data Layer – Consent Updated. Pushes an event to the Data Layer when consent settings are updated (a new consent is given or the current consent is updated).
- cHTML – Set Cookie – Actual Cookie Consent Active Groups. Stores consent settings in the cookie that expires in 12 months.
- cHTML – Push To Data Layer – Consent Data For The Record. Pushes full consent information (including user agent) to the Data Layer. That data will be later used to store the consent information (as a proof) in Google Analytics.
- GA Event – Cookie Consent Data For The Record. If a user gives a consent to at least one group of tracking cookies (excl. necessary ones), this event tag will send the consent data to Google Analytics.
Triggers
There are many triggers but the most important are those which control the permissions of tag firing:
- 4 blocking triggers:
- Blocking – Analytics Tracking is Not Allowed
- Blocking – Functional Cookies are Not Allowed
- Blocking – Marketing Cookies are Not Allowed
- Blocking – Total Opt-Out (if a visitor opts out of all cookies (except for necessary)
- 9 Pageview-related tags which fire only if a visitor has agreed to a particular group of tracking cookies.
- Pageview – All Pages – Analytics Tracking Allowed
- Pageview – All Pages – Functional Cookies Allowed
- Pageview – All Pages – Marketing Cookies Allowed
- Pageview – DOM Ready – Analytics Tracking Allowed
- Pageview – DOM Ready – Functional Cookies Allowed
- Pageview – DOM Ready – Marketing Cookies Allowed
- Pageview – Window Loaded – Analytics Tracking Allowed
- Pageview – Window Loaded – Functional Cookies Allowed
- Pageview – Window Loaded – Marketing Cookies Allowed
Variables
- dlv – consentData for the record. This variable will be used to record the consent and send the data to Google Analytics. In other words, you’ll have a proof of consent which will be stored in GA.
- Cookie – Actual Cookie Consent and dlv – Active Consent Groups. Two variables which store the consent information (a list of groups that a visitor agreed to). Both store the same information but in different places, one is Data-Layer-based, while the other one is cookie-based. Here’s a sample what its value could look like (in your case, some might look different, that’s perfectly fine):
- If its value contains ,1, then a visitor gave consent to Strictly Necessary Cookies. This is a default that cannot be turned off.
- If the value contains ,2, then a visitor agreed to Performance (analytics) cookies.
- ,3, means Functional cookies are allowed.
- ,4, means Targeting (marketing) cookies are allowed.
- For your convenience, I’ve prepared 3 variables which return true if a particular cookie group is allowed by the visitor.
- Custom JS – Functional Cookies Allowed
- Custom JS – Marketing Cookies Allowed
- Custom JS – Performance and Analytics Tracking Allowed
- Personally, for me, Social Media cookies were not needed therefore I did not include them in the recipe. If you need it, let me know and I’ll try to find spare time and update the recipe.
Other triggers and variables (which were not mentioned) are also important but not THAT much I should mention and explain them.
Import The GTM Recipe
After you download the GDPR cookie consent notification GTM recipe, follow this guide how to import it. Just make sure you choose Merge as an Import Option, NOT Overwrite.
Update Your Current Tags with New Triggers
There are several things you need to do (in this exact order!):
#1. Go to cHTML – Cookie Consent tag and replace its code with the script that OneTrust provides you at Cookie Consent > Script Integration. Use Production Single Location while you’re developing and testing. After everything’s done, replace the script with Production CDN option.
If for some reason you stop seeing latest changes with Production Single Location script, do a hack. Add “?v=1.0” to the end of script’s URL. Just like I did in the image below:
Save the tag and refresh the Preview and Debug mode. Updated URL will force the browser to download the latest version of the script. If you face the issue once again, change the v=1.0 to v=1.1, and so on. Everytime an issue reoccurs, change the URL parameter.
#2. Update all your tracking tags (which deal with personal data) in Google Tag Manager by adding one of 3 blocking triggers to them as an exception. This needs to be done with every single tracking tag (which deals with personal information), including Google Analytics Pageview, Google Adwords Conversion Tag, etc. Simo Ahava has another solution but it’s available only for GA360 (premium) users.
If a tag is related to analytics (e.g. Google Analytics Event tag) then assign Blocking – Analytics Tracking is Not Allowed trigger as an exception. In case of Adwords tag, use Blocking – Marketing Cookies are Not Allowed trigger. You get the idea, right?
Here’s how an updated tag triggering could look like of a Universal Analytics tag:
#3. Additionally, update all those tags which fire upon Pageview, DOM ready, or Window Loaded Events. The important part of this new cookie consent is to hold tracking tags until a visitor gives a consent to be tracked. Therefore, GA, FB pixel, and other pageview-based tags must be “on hold” as well. Consequently, standard All Pages trigger becomes irrelevant here.
Firstly, you need to remove all Pageview, DOM Ready, and Window Loaded triggers from your current tags as they do not respect visitor’s consent. Instead, you need to fire Pageview-based tags immediately after the consent was given.
That’s why assign Custom – Optanon Consent Updated trigger to all of them.
The expected result: Universal Analytics pageview, Facebook Pixel main code, and others which fire upon page load must not fire until a visitor gives the consent (by clicking Accept Cookies button, closing the banner, or scrolling down).
But what happens to pageview tags if a visitor has already given the consent and then refreshes the page? That’s why you also need to complete the step #4.
#4. Add pageview-based triggers which respect the consent settings. In the aforementioned GTM recipe, I’ve prepared 9 pageview-related triggers which are based on separate cookie consent groups:
- Pageview – All Pages – Analytics Tracking Allowed
- Pageview – All Pages – Functional Cookies Allowed
- Pageview – All Pages – Marketing Cookies Allowed
- Pageview – DOM Ready – Analytics Tracking Allowed
- Pageview – DOM Ready – Functional Cookies Allowed
- Pageview – DOM Ready – Marketing Cookies Allowed
- Pageview – Window Loaded – Analytics Tracking Allowed
- Pageview – Window Loaded – Functional Cookies Allowed
- Pageview – Window Loaded – Marketing Cookies Allowed
Choose one of them for each tag and assign. For example, Universal Analytics Pageview Tag should get a Pageview – All Pages – Analytics Tracking Allowed trigger while Facebook Pixel should get a Pageview – All Pages – Marketing Cookies Allowed trigger, etc.
Record a proof of consent in Google Analytics
In order to have a proof of the consent, there is a tag called GA Event – Cookie Consent Data For The Record which will send the consent data to Google Analytics (as an event). Its data includes:
- Consent groups (to which groups did a visitor agree)
- Timestamp
- Google Analytics client ID (if the permission was given to analytics/performance cookies).
- User Agent (information about the browser: version, etc.)
If a consent was not given to analytics/performance cookies, then GA Client ID’s value will not be passed. If a visitor does not opt-in to all cookie groups, then no event will be sent to Google Analytics at all.
In order to make this feature work, you need to open GA Event – Cookie Consent Data For The Record and:
- Set GA tracking ID
- Or, preferably, set the Google Analytics Settings Variable:
To sum up
- Go to cHTML – Cookie Consent tag and replace its content with the script that OneTrust provides you at Cookie Consent > Script Integration.
- Every tag (regardless of whether they are event-based or pageview-based) should get a blocking trigger of a particular consent group. If a tag is for analytics, assign a Blocking – Analytics Tracking is Not Allowed trigger, etc.
- Remove Pageview, DOM Ready, and Window Loaded triggers from your current tags. Instead, choose a trigger which states that a Consent was updated. You must not fire tracking tags before the consent is given. So choose Custom – Optanon Consent Updated trigger. Do that to all tags that used to fire on pageload.
- Additionally, for every pageview-based tag choose one of 9 new pageview-based triggers. For example, in the case of Universal Analytics Pageview tag, choose Pageview – All Pages – Analytics Tracking Allowed trigger.
- Set the GA Settings variable in the GA Event tag which will record the proof of consent in Google Analytics.
In total:
- All event-based tags will get a new blocking trigger.
- All pageview-based tags will get a new blocking trigger, two new triggers and will get the old Pageview (or DOM Ready, or Window Loaded) triggers removed.
But wait, there’s more
Even though you’ve just installed and configured GDPR cookie consent notification with Google Tag Manager, there are other things to do if you’re a user of Google Analytics. I will not go into details and will only give a brief list.
- Anonymize IP. In Google Analytics tags or GA Settings variable go to More Settings > Fields to set and enter the following settings:
- Disable Display Advertising features or configure it to respect consent settings with allowAdFeatures.
Useful Resources
In addition to all of this, here’s a list of other useful resources related to cookie consent and GDPR in general:
- [VIDEO] GDPR and Google Analytics – What do you need to change? by MeasureSchool
- OneTrust documentation (really useful in order to learn more about their GDPR Cookie Notification Consent tool)
- The Definitive GDPR guide for ecommerce by my colleagues at Omnisend
- Configure Google Analytics to be GDPR compliant by Humix
- Did not like OneTrust as a cookie consent solution? Not a problem! Here are other GDPR cookie consent notification solutions:
GDPR Cookie Consent Notification: Final Words
In a nutshell: According to GDPR, firing all tracking codes right after a visitor landed on your page is not permitted anymore (since May 25th, 2018). You should first ask for a permission to track and only then fire your marketing tags.
In this blog post, I’ve explained how to implement a GDRP cookie notification consent with Google Tag Manager and how to update your current marketing tags accordingly.
Cookie consent notification is just a tool for getting a consent, it’s not capable of managing your tracking tags because every website and every GTM container is unique, therefore there is no universal solution. As a result, you will have to manually update all your tracking tags with additional firing rules.
OneTrust GDPR cookie consent notification solution was a tool of my choice (you saw it on this blog, already) and in this guide, I’ve explained how to configure it.
It has its pros and cons but with some experience, you can do pretty flexible implementations. Obviously, new users will have no previous knowledge, that’s why my guide should be useful to them as I share my blunders and ways to avoid them. Plus, my GDPR Cookie Consent GTM Recipe should save you lots of time.
Hi Julius, Great post as always. Since this only applies to people in the EU, have you come across any solutions that only trigger the cookie consent popup based on location of the visitor? Cheers.
Hey Clayton,
OneTrust cookie notification that I’ve used in this blog post has this setting, “Show only in the EU”. I haven’t tried it so you should check it on your own.
While IP-address-based option greatly decreases the issue with GDPR, EU citizens might be using VPN services (which are pretty popular here) and imitate being logged in from outside the EU.
Such visitors will avoid the cookie consent and will be tracked. The problem is that they are still eligible to GDPR protection. So I’m not sure whether this solution is ok, but after all, I’m not sure about many things GDPR 🙂
Thanks Julius. Good point. Keep up the good work!
I don’t think. if a person using proxy from USA then targeted hit will be considered from USA. that’s a USA user for as of now. proxy still stand for “to do for someone else” so i don’t think it will eligible .
Thanks so much for posting this article. I have had a mixed impression of OneTrust – the product looks excellent but the sales guy kept forgetting to call/asked who I was/sent emails with the wrong name/couldn’t remember where we were at and most importantly couldn’t actually tell me how their cookie consent solution actually worked on a technical level (he was supposed to find out and let me know, he didn’t then called a week later to say he found me in his emails and was confused). I was looking for the missing information as in what do you need to do after you’ve installed the OneTrust script to actually block cookies or stop third party services from loading. I’ve not looked in detail at the GTM profile yet, but it sounds like the combination of blocking triggers etc is what is required to actually make the thing work. I’m assuming it’s the same principal for Civic and Cookie Control?
Hey, yes, I guess Civic and Cookie Control should work in a similar manner (although I have not experience with those solutions).
Excellent article Julius. It gives a practical solution for consent which you don’t find easily anywhere else.
I have one question: What about Adsense ads? Does the OneTrust solution covers also consents for Adsense cookies as well? How do you allow/deny these ad cookies via GTM?
Hey, In fact, I have connected my adsense ads to OneTrust cookie notification as well 🙂
I just created a custom html tag in GTM where I placed the main Adsense script (). This tag fires only if a person agrees to Targeting cookies.
You can give it a shot on my blog:
– Open analyticsmania.com with incognito
– Decline marketing cookies and save preferences.
– Scroll down until you see a strange white rectangle (empty) in the sidebar). That’s my ad block which is not loaded yet because there was no consent
– Close all incognito windows you have
– Open my blog again and agree to all cookies.
– Scroll down and you’ll see an ad loaded/being loaded.
Hi Julius,
I’ve been trying to setup Adsense with two levels as I don’t want people to completely opt out of advertising.
1> Personalised adverts to those who explicitly consent to opt in
2> Non personalised adverts to users who don’t opt in to personalised adverts
Interesting point about 2 is that as there’s no personal data you don’t need explicit consent and that implicit consent is ok. See https://www.cookiechoices.org/
I’ve been trying to get this to work as follows:
This script loads as default:
(adsbygoogle=window.adsbygoogle||[]).pauseAdRequests=1;
(adsbygoogle = window.adsbygoogle || []).push({
google_ad_client: “ca-pub-XXXX”,
enable_page_level_ads: true
});
On Accepting
(adsbygoogle = window.adsbygoogle || []).pauseAdRequests = 0;
Rejecting
(adsbygoogle=window.adsbygoogle||[]).requestNonPersonalizedAds=1;
However it doesn’t seem to be working, have you a working example this way?
Thanks
Sorry, I haven’t found enough time to play with Adsense. Due to lack of time, I just disabled Personalized ads in Adsense.
Julius, thanks so very much for taking the time to document and post this. After a solid week of trying to find a GDPR solution to AdSense I feel I am almost ready to get this done and move on with my business.
I have a question about AdSense. In your reply above you stated: “created a custom html tag in GTM where I placed the main Adsense script ()”
Can you provide more details? What on earth is “the main AdSense script”? Is this the code we paste into our blogs that create the adds? How would applying this code to a custom HTML tag in GTM make the required connection to adds placed in our blogs? I am just barely beginning to grasp how all these pieces fit together. So this may seem like a very basic question to those that are very skilled in this environment.
Thanks again for your time and efforts!
Hey, here’s a sample Adsense banner code example:
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><ins class="adsbygoogle"style="display:inline-block;width:728px;height:90px"data-ad-client="ca-pub-1234567890123456"data-ad-slot="1234567890"></ins><script>(adsbygoogle = window.adsbygoogle || []).push({});</script>
So I took the first line (script) and added it as a Custom HTML tag in GTM.
This script is needed for Adsense banners to load.
Respectively, I’ve removed this line of code from all embedded banner locations within the website’s code.
The final result:
– A Custom HTML tag in GTM with this line of code
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
– All hardcoded banner position codes are now without that first line, like this:
<ins class="adsbygoogle"style="display:inline-block;width:728px;height:90px"data-ad-client="ca-pub-1234567890123456"data-ad-slot="1234567890"></ins><script>(adsbygoogle = window.adsbygoogle || []).push({});</script>
But those banner codes are still hardcoded on a site. If the Adsense script is not loaded, that banner location will be invisible.
Fantastic, thanks for explaining those details. Problem is your script did not display in your reply. So other viewers are going to miss some details. However most of it came through in the email notification of your reply, so I can fill in the blanks.
Thanks for letting me know. Fixed!
its still opening your ads even decline all cookies.
Which browser are you using? Just tried it on Chrome and Adsense ads are not displayed after cookies are declined in the cookie consent banner. My sidebar banners (offering to download something) are not affected by the GDPR because they do not process personal data.
I am using chrome (latest one). also i am not talking about sidebar banners for download something.. it was adsense image and i even close that ads.
How to reproduce – if i block all cookie then ads doesn’t show but if i disable only marketing cookie then still ads will be loaded.
check this snapshot – http://tinypic.com/view.php?pic=24gn7yd&s=9
Now, this is an expected behavior. I’ve recently updated my Adsense implementation to be “Smarter”. If a visitor declines marketing cookies, I still display Adsense (but all the ads are non-personalized).
Non-personalized ads don’t process PII but they still store some cookies for frequency capping, etc. Such cookies are assigned to the “functional cookies” groups. To sum up:
– If you accept all cookies, you get personalized ads
– If you decline marketing cookies, you get non-personalized ads.
– If you decline functional cookies, you don’t get any ads.
Here’s the guide how I implemented it.
Wow amazing job!
I was plan to do it for some clients without evaluate all the steps you did.
I’ll try soon.
Anyway, thanks for sharing
Great job putting it together. That said, none of these resulting outputs will really be ePrivacy+GDPR compliant. A soft opt-in (and a not-so-soft one) will miss key components of consent after May 25th. Most importantly, it must be unbundled, granular, informed, and unambiguous (see 5.3 ePrivacy Directive as affected by 4.11 GDPR and EDPB Guidelines on Consent 2018). The latter requires a clear affirmative act when presented with an equal opportunity to say “no”, and granularity demands a split of purposes on the very first layer (you can split cookies and destinations further down as shown). In short, this would have worked with the “cookie law” prior to May 25th.
Alternatively, instead of guessing and implementing potentially overly complicated and intrusive solutions, wait until the ePrivacy directive is actually fully defined and comes in to force. Which according to Wikipedia is now some time in 2019. Here’s hoping the shift is towards the browser software where this should be controlled and managed centrally, across all websites, in a unified interface, once and for all.
Agree.
I look at my current implementation (described in this blog post) as a temporary solution to wait till the new ePrivacy directive is launched. It is promised to bring more clarity into this whole data protection context.
In the meantime, I’ll just wait and spectate what’s happening around.
True! Do Not Track, now supported by OneTrust (at last) is one.
Hi Julius,
Thanks for this article. I’m glad not to be the only one finding OneTrust hard to use and I’m just starting with Google Ad Manager (at least the blocking of the tracking is done).
You might have noticed that yesterday OneTrust (I also tested all the others, OneTrust is the least painful I think, certainly for folks like you) announced an update. It’s again free, for IAPP members (which I am) but that’s a marketing trick, sales is never really aware of what comms launches.
Anyway, in that new version (awaiting response for activiation):
Consent audit trail is foreseen
I noticed support for Do Not Track
There is an integration with IAB Consent Management tool (but not sure AdSense will really play in it).
If you look at the real challenges for bloggers like me and many of us, I think that the essence revolves around:
Getting AdSense right. Do note that some use ad serving plug-ins to show AdSense and own ads, I use one which is great but no clue how to embed the .php code it uses in GTM, developer is asking for help himself.
It really is a shame there is no native support for Google AdSense and YouTube in….Google’s Tag Manager. Found this but also only works when no ad management plug-in used: https://kbyte.snowpenguin.org/portal/en/2016/05/04/banner-adsense-google-tag-manager/
Embeds!!!! SlideShare is major pain. Of course it’s built to be social but it drops cookies like….wow. Official reply SlideShare: LinkedIn is compliant and will launch things. Right, nothing yet. No clue where to start with that in GTM, OneTrust support said using helper function. Still Chinese to me 😉
YouTube has that private sharing mode but you need to warn people in your policy that when they play a video they do install cookies. Vimeo: found no solution, kicked off my site as did Google Fonts, Google Trends and loads more. List.ly awaiting a solution but fear they won’t be there, asking since a long time: https://community.list.ly/t/cookies-and-gdpr-compliance-received-complaint/2346/7
Social plug-ins: GTM only supports ShareAholic natively but that is a pretty cookie-heavy one and AddThis just updated its policy, of course also self-protecting.
Hoping to see some last-minute blogger code examples here as you can imagine. Yet, thanks again.
PS: cookies and IP addresses and so forth are covered in GDPR, they are part of the broadened definition of personal data and identifiers. ePrivacy Regulation will just be a lot worse with thanks to the EU policy makers forgetting the little guys and having rushed it all, the major brands (yes, also Google) being of no help really (except protecting themselves) and of course to the excuse of the moment, Facebook.
Love privacy, love my business too. Sharing what I can, thanks for doing so here!
PS: agree with what you say on all consent tools, bloody hard, yet indeed will be must. Data protection authorities will set examples but don’t forget data subjects can lodge a complaint which needs to be followed up though…
PS2: if you have bandwidth to lend a hand (of course paying) would be swell. If not: will try to follow your advice!
Correction: Do Not Track was already in. Also got confirmation about the IAB tool integration and granular compliance reporting explained here: https://www.prnewswire.com/news-releases/onetrust-updates-cookie-solution-to-simplify-consent-management-ahead-of-gdpr-deadline-300652343.html
So, even a reason more and making some changes unnecessary. OneTrust is swamped, like all of us 😉
Hi again. What is coming is an ePrivacy Regulation (huge difference: directly applicable). Also: the draft is widely available and it includes an exception for analytics cookies -check article 8.1-, but it goes along the same lines already discussed when marrying the current ePrivacy Directive (first and last with that name) and GDPR. Hopefully more clear in a guide I just put together and here’s a direct link to avoid filling out forms https://www.sweetspot.com/en/download/9658/ (temporary, I will add a final one later if I do not forget). Best of lucks with all of it and I look forward to a post where we can combine these great expertise of yours with the actual requirements in the law.
Thanks, Sergio, for your input. I’ve updated a blog post with an additional chapter “Configuring a banner for a true opt-in” showing other possibilities of a OneTrust solution.
Or Google will force an implementation with this: https://www.google.com/about/company/consentstaging.html
Still really unclear on exactly what we are supposed to be recording that still complied with GDPR.
Honestly, I’m so fed up with the whole thing. Guess what – apple.co.uk no cookie popup, eBay “we use cookies” — like so many other big sites.
It is annoying indeed, but it makes sense that Apple avoids the notice altogether, as the conditions for a waiver seem to be met. Again, all here:
https://www.linkedin.com/pulse/digital-analytics-gdpr-compliance-sergio-maldonado/ –
and now the final link to the referred doc: https://www.sweetspot.com/en/ideas/knowledge/analytics-gdpr-survival/
Bottom line (easier to grasp): You can go deep for a small sample or shallow and wide. Another good example (of the way it should be if you aim for depth) is Trustarc’s use of their own Consent Management tool.
Best, Sergio
Superb article. I was racking my brain trying to figure out, or at least confirm, the default group IDs in OneTrust. 200+ page documentation, but nobody could tell me this information. Thanks Julius. Back to work now….
Hi Julius,
Thank you for your blog. This is a great resource about GTM!
I tried several cookie consent tool and oneTrust seems to be one of the best even if confusing. I must admit it takes time to set and install. The documentation is sparse and the support is more console/product oriented than technical oriented.
As I understand GDPR (from Switzerland where I live), Privacy Policy and Cookie Policy are core elements to be available on websites to describe how your company process data. As I’m not a lawyer I use iubenda services to generate the policies.
I’m a bit perplex about cookie consent tools, especially complex tools with granular setting like oneTrust. It takes about 2 days of work for the configuration and implementation with GTM. I’m wondering if that level of setting detail is really required today? Shouldn’t we wait and see what browsers companies will suggest? GDPR does not handle cookies per se, so waiting for the ePrivacy Directive (end 2018 / 2019) would be wise.
Some big companies handle this really simply, so why bother:
https://www.gov.uk/, https://tfl.gov.uk/, https://www.theguardian.com, https://www.loreal.com, https://www.airfrance.fr, https://www.lemonde.fr/
Some companies use oneTrust but not at its best. It is very surprising but both website are tracking before consent: https://mailchimp.com/ (with an active opt-in and no efficient results if you op-out, cookies are always there!!), https://www.loreal-paris.co.uk/ (with an active opt-in!)
By the way OneTrust is launching a new solo product https://www.cookiepro.com that is… not free. So it adds up to the confusion, as https://free.onetrust.com/ suite is free for one website.
To sum up and what I will do:
– Privacy Policy (legal text, about data processing and user rights)
– Cookie Policy (legal text, that explains what cookies are used and provides means on how to opt-out)
– Cookie consent (less is more: blocking all tags at first, tracking on consent only). Can be done with iubenda as well.
Thank you Julius, that was a helpful guide.
One question–I’m getting reports of multiple users on my website (getcheddar.com) that can’t get the cookie consent banner to go away, but it’s not consistent (I haven’t been able to replicate the issue, but my team members say some of them have been asked multiple times, others haven’t, sometimes it’s on and off…)
Have you run into similar issues? If not, would you suggest adding blocking triggers or re-prioritizing some tags? I used Production CDN too while I was changing cookie settings, I’m testing to see if I switch back to Production Single Location fixes that.
Thank you!
Wes
That’s odd. I haven’t seen similar issues. Do your teammates have the same problem while browsing my blog? The fact that consent was closed is handled by the OneTrust script, not by my recipe or GTM.
It’s a good idea to try switching to the Production Single Location. Chances are that something was not cached correctly.
Thank you for the response.
I’m the only analytics person on my team, so I’ve been the only one browsing your blog, but so far I haven’t had any issues.
I’m attacking this right now. I’ll post an update when it’s complete.
Wes
It’s been a few days and I haven’t heard of any more errors. It was probably the caching error. Thanks!
Hello,
First of all, thanks for this helpful post!
I am stuck at the first part. I submitted the form a week ago and I have not got an email with the confirmation link yet. I emailed them and they have not answered yet. Is this something that usually happens? What should I do in this situation?
Best,
Inés
This happened to me maybe once. In that case, I submitted the form with another email address (just make sure that you don’t use personal emails, like @gmail.com, etc.). They accept only business accounts, like [email protected].
If that does not help, let me know. We’ll try to think of something else.
I just got the email.
Thank you for your suggestion anayway!
Hi,
This recipe is a total life saver, but I found a problem. The “cHTML – Push To Data Layer – Consent Updated” is configured to fire “once per page” which is not good if you put also a button to re-consent, since then the changes does not get reflected. I changed it to ‘unlimited’ and it seems to function ok without side effects, but maybe it’s better if you check this and eventually fix it the proper way.
Thanks for noticing. I’ll mark a reminder to update the recipe.
I remembered why I set it to fire once per page. If you open a Consent’s Preference Center, disable just one group of cookies and hit save, two Consent Updated events will fire therefore you might have two Google Analytics Pageview hits after the consent is given (on that page only).
“Once per page” solves this problem. However, your comment regarding the “re-consent” button is valid. Therefore I’ll need to think of a solution which solves both your and my issues.
Hi Julius,
First Thank you for this helpful article! I am totally new to GTM and GA and was following your article to set everything up and running for my cookies consents.
I tried to find a way to store the consents in GA following the article you recommended. Of course i had to adapt the triggers to the OneTrust cookie tool as it is the one I use. Everything triggers well and I can see the event displaying in GA. Unfortunately the label of the event is ‘not set’.
I used the GTM preview and debug tool and when i accept the cookies I can see that the label is set to the right data (timestamp, clientId and userAgent) but for a reason this information doesn’t make it to GA. Category and Action are ok.
Do you have any idea where it could come from?
Thanks a lot for your time,
Kil
Hey, where do you see that the label is set correctly?
Hey,
Thanks for your time.
I created a “GA Event – Cookie Consent” Tag and when I accept the cookie, i see in the preview and debug mode that this event Tag has been triggered. When I click on it, I see the details like, the event action, the event category, ans label and the label returns what is intended (timestamp, ClientId and userAgent).
However when i go to GA, I see the event appearing but the label appears as “not set”. Any Idea?
Hey, contact me via email, it would be faster to debug. julius [@] analyticsmania.com.
Send me screenshots of what you see.
Ok I’ll do that.
Thank You!
Sorry to bother you again :/
It seems there is a problem with the email address as gmail is unable to deliver my email to this address.
Everything’s working fine. I’ve just sent an email from another gmail account and it works fine. Please check for mistypes. It’s [email protected].
Hi there, did you solve that point ?
I encountered the same “not set”
Hi, me again. Two things.
First, to report a broken link. The section title is “Create An Account”. The link you provided for the free user guide now reports 404 page not found. Here is the link from your site: https://www.onetrust.com/documentation/iapp/user_guide_free.pdf
Second. I cannot get my customized version of the cookie banner to appear on my site. Only the default cookie banner displays. And this happens for both the “live preview” option from the OneTrust site as well as after I update “cHTML – Cookie Consent” and use the preview mode of Google Tag Manager. Did I miss something? I also added the ?v=1.0 to the src url. Or does this just take a long time to update? According to their sales pages the free version does provide for customized cookie banner. It should be working.
Hey, Pete, thank for noticing the broken link. For some reason, OneTrust broke it (because it’s also not working in their interface). I’ll contact them via support.
As for the second question, did you press Save button in Onetrust’s interface? If it did not help, try clicking Publish as well. This should update at least the preview version.
Update: the link to documentation has been updated. I’ve uploaded it myself and shared the link. OneTrust team isn’t very fast when it comes to bugfixing 🙂
Hate to be a bother. But I refreshed the page and went back to the link for the user guide and it’s the same link as it was yesterday. Still 404 page not found.
As to the cookie banner. Yes I clicked save and publish repeatedly to ensure that was not the issue. I reported it to OneTrust support. I checked it this morning and it’s working fine now.
Sorry, apparently, not all links were updated. Now all are fixed. I’ll also paste the link here https://drive.google.com/file/d/1LMRd2qT8GcNR9yVan7GZgHigRJJjJYve/view?usp=sharing
Cheers
Hi,
I’m trying to trigger accepting the cookies when a logged-in user agrees our GDPR policy on the site. I sorted out what calls has to be done through the Optanon javascript, but I hit the following issue – the code has to trigger AFTER the OneTrust javascritpt is loaded, since the Optanon object does not exist before that, of course. I see that in the code of OneTrust there is a push of an OptanonLoaded event to the datalayer, but it actually never fires, because it is conditional. Do you have any idea how can I detect the load of OneTrust script in GTM ? Any kind of help on that would be appreciated.
Nope, sorry 😐 I haven’t digged that deep into the optanon.
Ok, no problem. I have a solution – by using javascript to load the script instead of just putting a in the gtm tag. I was just wondering a simpler way to be done. Thanks anyway.
Hello again,
As I mentioned a few days ago, I finally got the email with the confirmation link. Now I am trying to set up everything. However, I have almost zero knowledge of Google Tag Manager. In reality, I am pretty new with everything. So, I have a few questions, and they may be very basic.
First, the only thing I have in GTM is Google Analytics and your recipe. So, how can I allow/deny the rest of cookies via GTM including the third party cookies, such as facebook or PayPal?
Also, I followed the instructions you gave to somebody else about adding Google Adsense in GTM, I created the tag that you mentioned. However, I read somewhere else that I need to created a new variable. How do I do that?
Additionally, you say:” #3. Additionally, update all those tags which fire upon Pageview, DOM ready, or Window Loaded Events. Firstly, you need to remove all Pageview, DOM Ready, and Window Loaded triggers from your current tags…That’s why assign Custom – Optanon Consent Updated trigger to all of them.” What am I supposed to do with the tag called cHTML – Cookie Consent that came with your recipe?
Best
Quote: “So, how can I allow/deny the rest of cookies via GTM including the third party cookies, such as facebook or PayPal?”
Indeed. I have this question too. In fact after getting the GTM recipe imported and adjusting the Google Analytics tag, I could not figure out the rest so I gave up. I am blocking all GDPR countries until there is a solution that deals with the entire scope.
Hey, Looks like I’ll need to cover this part in greater detail since there are at least several readers who got confused. This GTM Recipe lets you control only tags and cookies which are in the GTM container (like GA, Adwords, etc.). But only if they are in the container.
If Facebook or Paypal are outside of the container, you need to work together with a developer. Here’s the action plan in that case:
– This cookie consent, after a consent is given (or denied), stores a cookie in the browser called “actualOptanonConsent”.
– That cookie contains the consent data (which cookie groups are accepted or rejected).
– So if you want to affect cookies and scripts outside GTM, you need to ask a developer to to that.
– A developer needs to take that cookie, decode it (he’ll know that means) and check what values are in there. If the cookie contains “,2,” (without quotation marks), a visitor has accepted Analytics cookies. If “,3,” – functional cookies, If “,4,” – marketing/targeting cookies.
– Cookies should be checked every time a page loads.
– Also, developer should listen to the dataLayer. It’s a global JavaScript variable. If event “optanonConsentUpdated” is pushed, a developer should also check the cookie.
– So based on these cookie preferences, a developer needs to edit all the scripts coded directly on a website and fire them accordingly to the cookie settings or the dataLayer.
– Yes, that’s a lot of work to do and that’s why many businesses have spent a lot of money on this. So the more you have tracking codes implemented via GTM, the better/easier.
Thanks for explaining all this Julius. This clearly demonstrates the dilemma of all WordPress users. Even if we take the time to hack various plugins and core files. The very first update will undo our modifications. WordPress users need a framework within which all plugin developers are required to ensure their tools will not place cookies until user consent has been determined. At the same time, all “cookie consent” providers must ensure their tools are able to integrate with said framework. Until this happens, WordPress users really have no sure solution.
Hello,
Thanks for the answer! However, finally I decided to use a plugin to implement a GDPR cookie consent.
Now, I am trying to delete the OneTrust cookie consent banner from my website, but I am having some problems. I deleted everything that was related to GDPR cookie consent GTM recipe from my GTM however, it is still showing in my website. Is there anything else I should do in order to delete the banner from my site?
Also, do you know how I can delete my OneTrust account?
Best.
Roll back to the previous version of the container and you’ll be fine. Also, do not forget to refresh the preview mode.
Hi Julius,
Really a great article. We have implemented One Trust soft optin solution for one of our client.
Since as part of GDPR compliance we are not allowing tracking to begin when user lands on the website and begins the tracking only when user provides explicit consent or continue browsing on the website without interactin with banner.
Problem we are facing is for all the new user attribution report has messed up. Since now all the new user are getting attributed to Direct channel which is not correct for all those new users who are coming from various other channel.
Could you please thow some light on this and how we can get our channel report correct keeping in line with GDPR compliance.
Thanks in advance!!
Looking forward to your valuable suggestion
Hey, looks like people click some top link in your website before giving a consent. This loses the traffic source data.
Currently, the cookie consent recipe is not updated according to that, but basically you should update the implementation that a link click or button click would be also considered as a consent (as it was mentioned before, this is not very GDPR compliant, but this should follow the consistence of this OneTrust cookie consent mechanism).
Hi Julius,
I have a question… my team are building a cookie consent mechanism entirely within GTM – we are not using OneTrust.
Here’s a brief description of how it works: If a user doesn’t have a cookie, the notification appears when they arrive on the site. If they say yes, we give them a ‘cookie permission’ cookie with content ‘yes’, and the page reloads. This reload page view and ‘yes’ cookie are used to trigger our Google Analytics tags and ensures users are not tracked unless they have said yes.
But there is a problem… because the page reloads and THEN we start tracking, we actually lose any source/medium data of the user. So all New Users would come under the ‘Direct’ channel in GA.
Is there any way of keeping hold of this information? The page reload seems to be the issue, but I am not clear on a workaround. (by the way I am not a developer)
Thanks
Patrick
Yup, not to reload a page or utilize the utmz cookie imitator (google that solution, it’s created by the lunametrics. However, I would not reload the page after the consent is given. This solution is more robust.
Hello, I have been reading your blog for a month now and I think your articles are very well written and really helpful for everyone who wants to get familiar to GTM. I have been trying to migrate from native Analytics code to GTM and implement your recipe for Onetrust cookie consent. However, I have some questions and I would very much appreciate your help:
1. In GTM I created tags for Analytics Page View, Adwords Conversion Tracking, events such as clicks on outbound links, clicks on phone number and email address, pdf file download, scroll depth, embedded Youtube Videos + customHTLM tags for integrating Zopim Livechat and for social interactions (based on your post https://www.analyticsmania.com/post/track-addthis-google-tag-manager/).
My question is: for which tags should I apply steps # 3 and #4 #3 ( Additionally, update all those tags which fire upon Pageview, DOM ready, or Window Loaded Events.
#4. Add pageview-based triggers which respect the consent settings)?
2. as regards Addthis interactions, should I change them from Social to Events? (you did not include social cookies in your recipe)
3. when migrating to GTM, what should I do with this script provided by Addthis
? Should I leave it hardcoded in my website source?
Thank you in advance for your time and patience.
Hey,
1. Apply those changes to all tags which are processing visitor’s personal data, e.g. GA, Adwords, Facebook Pixel, etc.
2. Yes, you can change to events.
3. I guess that AddThis script also processes personal data, therefore you should probably remove the hardcoded code and implement it via GTM (if possible). I’d assign AddThis script to Functional cookies.
Thanks a lot. One more question: the Adwords tag that I placed only on my thank you page (reached by users after they complete a submission form) is a page based tag or an event based tag?
If you are using Adwords Conversion Tag template, it does not matter whether you should use event or page based tags. Because all you need to enter in the tag settings are Conversion Label and Conversion ID.
what about shareThis and discuss comment system plugin. they also track some short of data. so will these also cover?
If you move their scripts to GTM, then you can control their behavior (to fire or not to fire). Maybe they have even more options but you need to find out that by yourself.
Is there a way to read out if consent was given / updated etc outside of the GTM world? in my own little javascript library that runs on my page.
e.g. is there any API endpoints and events _outside_ of GTM? for example: if people do not give consent, well, one could just add an image “sorry no youtube if you do not accept”
or “sorry you cannot share if you don’t accept” if they decide to accept, one could add the missing pieces.
Sorry, I’m not sure about that. Sounds like with every plugin/solution you’ll need to keep looking for an individual solution.
Thanks for the great post – really useful information in here!
Unfortunately it looks like OneTrust isn’t offering the free edition anymore. I filled out their form about 2 weeks ago and only just heard from them now. I mentioned I wanted the cookie consent and their advisor pushed me onto their new (non-free) offering on cookiepro instead.
That’s a shame. I hope that this was just a bad luck. If anyone else complains regarding the same issue, looks like I’ll have to rewrite the guide and offer another solution.
Turns out it was just bad luck after all. The OneTrust advisor forwarded on my details I have finally gotten setup with a free account.
Now to continue with these steps! 🙂
Hi Julius,
Have you set up a way to sort out the visits with activation or deactivation of cookies. Ideally visits with Analytics cookies enabled or not, targeting cookies enabled or not, etc. ?
Thanks again for this good post
Hi
Finally made it through the steps – they were very good.
Now that I’ve done all this setup in GTM I’m wondering if maybe its a bit wasted since most adblockers block GA and GTM right off and I think FF blocks GTM by default through their privacy settings so cookie consent never even gets a chance to activate.
I’m wondering if you have any thoughts on the OneTrust instructions for GTM
https://support.onetrust.com/hc/en-us/articles/360000070778-Cookie-Consent-Integration-with-Google-Tag-Manager
Looking over them it looks to my untrained eye that they achieve mostly the same result with only a handfult of regex based triggers. Is there an obvious downside to this that I’ve missed?
Sorry, one more question, have you looked at sub-group opt-out?
I think ultimately GDPR requires that each cookie be opt-in/out -able at any time rather than at the group level.
Do you know how these sub-groups work?
I tried to decode my cookie but I don’t know where these numbers come from
groups=105:1,0_37017:1,1:1,104:1,2:1,103:1,0_37083:1,102:1,0_37018:0,0_37033:1,0_37032:1,8:1,101:1
Thanks!
Hey, unfortunately, I haven’t implemented subgroup optout, there I’m not sure what each subgroup means.
Turns out you can drill down the cookie ID to see the sub-group IDs on the Cookie Policy screen – so actually quite easy to decipher now.
I’m so glad I found your post as I’m really struggling to get this thing on my site. I have no knowledge about coding stuff and find it very challenging. Your post really helped me…so much! Thank you for writing this article!!! I managed to follow your instructions and oh my, the GTM was really challenging I hope I get it right. My only problem is I don’t know how to implement or to put the codes that the OneTrust generated on the script integration to put in my site. I’m in Production CDN and I managed to put the first code in GTM but I don’t know how to put the two next codes for my site: The Cookie Setting Button and the Cookie Policy codes. I hope you could help me how to set them up on my site. Thank you in advance for your time and patience.
Hey, those two codes should be added directly in the website’s code, not via GTM. People usually place them in the privacy policy page. Most often they just add a single code – cookie settings button.
Hi Julius!
Great article. But regarding the Cookie Setting Button I have some problems.
I put it in my privacy policie page, but sometimes it is not became active. To be able to make it work it is necessary to run first the main Ontrust script before. And I think the problem is here. My main script is included in GTM -as you wrote in your paper- and it looks like that sometimes this included script is not running, even it is included in each site header.
When I included the main Ontrust script additionally on my site directly before calling Cookie Setting Button, on some browser I have 3 overlaped button, on some it works 1 times, but after reloading overlaping too. Without additional explicit including the main script directly before call of Button, on Chrome working fine on other, FF, Safari and mobile browser the button is not activated.
Thats why I think that the script in GTM is not always running the necessary part for Cookie Settings Button.
Do you have any idea how to solve the problem?
Thanks in advance!
Hey, this is a known issue. The recipe blocks the OneTrust consent script from firing on a page with URL /privacy-policy. Because if it fired, then just by simply navigating the Privacy policy, an automatic consent would be given (and that is not what should be done). That’s why I implemented by “Manage cookie settings” on all the pages of my website (in the footer). An alternative solution could be to store that Cookie button on another page where URL does not contain “privacy-policy”.
Thanks for quick answer. But I do not think that this is the problem. My site is hungarian and there is no privacy-policy text in the naming of site where the Cookie setting Button is located.
I have made a test today. I have removed the GTM script from headers of my sites and put instead the main Ontrust script. In this case on each type of browser everithing is working fine. (exept the cookie handling ). So it is sure now that there is some kind of block in GTM for main Ontrust script.
Which browser are you using?
For my “manage cookie settings” link, I used the following code:
<a class="optanon-toggle-display" href="#" rel="nofollow">Manage Cookie Settings</a>
When the OneTrust JS code is fired on the page, that link works all the times for me. Maybe it will help you too?
Thank you for getting back to me. I will try to do the same — just one code—cookie settings button.
Hi Julius,
Thanks for writing these blog articles. Helped me a lot. Total noob at GTM and have been forced by company to adopt OneTrust. I still have certainly have not digested everything, and I am not a web developer 🙂 I have used your OneTrust+GTM recepie.
If we get consent I let HubSpot run its tracking code on our WordPress site. This approach means that we lose data about where the visitor comes from.
Another perhaps better approach is to let GTM set a cookie in the visitor web browser called __hs_do_not_track. This should disable the website Java Script from sending any tracking data to the HubSpot cloud.
This is probably what we want to achieve instead. This approach would hopefully also work better across all our sub-domains since one issue is that me as admin cannot turn off/control tracking on HubSpot hosted landing pages and blog without using their Cookie banner. And we want to use OneTrust Cookie Banner across all sub-domains.
Using your recipe I assumed that the trigger “Blocking – Marketing Cookies are Not Allowed” would be used to trigger a tag to run which sets the “__hs_do_no_track” cookie.
When I debug this in GTM I can see that the tag seem to run many times: 1 Page View, 2 DOM Ready, 5 Window Loaded, 6 gtm.click, 7 gtm.click…
Is my understanding incorrect – should I use another trigger condition?
I also read your other GTM article on setting/deleting cookies. Now I am also thinking I want to delete (back-date expiration time) for the __do_not_track cookie if someone later enables “tracking cookies” in the OneTrust dialog. Is there a trigger point I can use to execute a “Delete __hs_do_not_track cookie” tag?
Again – thanks for your articles!
Hey, my Blocking triggers work on all events, Pageview, DOM ready, etc.
As for the __hs_do_no_track, I don’t quite follow the logic. Does Hubspot respect this cookie? If yes, then yeah, you can additionally set it to block Hubspot tracking on their landing pages. But after all, I’m still not sure I understood your idea correctly.
Greetings!
First of all, thank you so much for doing this. It is much appreciated, as I am currently working for a client which needed this in a hurry.
I am, however, having some issues.
1. The cookie did not seem to be set in Chrome. But after removing the leading dot on domain, it seems to work. Have you encountered this issue before?
2. The popup keeps popping. When testing on localhost I am repeatedly getting the cookie consent popup. When inspecting the dataLayer and cookie information, it seems to be all there. Is there something obvious I’m missing?
Cheers again, this has helped me immensely – especially since I have no prior experience with GTM 😉
A thing to note, is that if I make changes to which type of cookie I want to allow (e.g. Functional cookies), and press save, then reload the page and go to settings again, it is not saved.
As long as you keep working on a localhost, you won’t be able to save cookie settings in the Onetrust Free cookie consent solution.
Hey,
1. No, I haven’t encountered such issues.
2. Such behavior is expected. The cookie consent banner will work only on the main domain that is configured in OneTrust’s settings. Of the domain is different, cookie consent banner will continue to pop up, because the cookie which saves the fact “that a consent banner is closed” is still stored on the originaldomain.com, not the localhost.
Hi
I’ve got 3.5 issues, I wonder if you have experienced any of this before:
1. The cookie consent box doesn’t seem to come up on a new first visit in IE or FF but works fine in Chrome. Often it will load on a second page in FF. I’m using the onetrust CDN version.
2a. When enabling cookies and disabling cookies on the same visit – no page reload – one cookie keeps coming back even though the other two are disabled. This happens if I manually delete the cookie in the browser too, is this some sort of magic cookie or is something triggering I can’t see?
2b. Same situation as above, cookies enabled and then disabled. When I reload the page I can see the cookies enabled – triggers are run – even though the preferences box still shows inactive.
I’ve used mostly your recipe out of the box except that I modified the custom js cookies script to delete the cookies (if they exist) on a “false” to “show” that something is really happening when onetrust preferences are toggled.
Thanks a lot for your recipe, it’s driving me crazy but its saved me a ton of time too
Hey,
1. I’d contact Onetrust support regarding this issue.
2a-b. Which cookie is coming back?
I don’t know how exactly you modified your cookie so it’s hard to support. I can stand just behind my own unmodified recipe.
Hi, Thanks for a really great tutorial! I’ve been following it as it really explains how I shall go about, but despite I’ve added the script (Production CDN) before the closing tag, it does not seem to work!
I’ve tried several devices but the banner is not coming up! When looking at the source code it seems there is something wrong with the javascript output; Uncaught TypeError: Cannot read property ‘fn’ of undefined
at e (cff579cd-9c26-48c0-8061-73261baf1969.js:32)
at Object.Init (cff579cd-9c26-48c0-8061-73261baf1969.js:120)
at cff579cd-9c26-48c0-8061-73261baf1969.js:129
Is this the reason why the banner is not showing up? Or have I done anything else wrong by putting it in?
NB! Added via functions.php in Genesis framework
Hope you can help me
Sorry, I haven’t seen this error before. You should contact OneTrust support team.
Hi Julius
Many thanks for your recipes, its a life saver. I am using one trust and have managed to install it and get it working. The only step I am stuck at is recording the cookie consent. I read the article you suggested but need some tips on how to apply it to OneTrust cookie tool as I am not that familiar with GTAG. For example the article mentions creating a variable for the button they are using but I don’t know how to apply this to the one trust cookie tool.
Many thanks for your help in advance.
Bhav
Hi Julius,
I really love this, thank you so much for this. I have two questions:
1. Although I found this difficult to do I tried to as much of it as I could but I am unsure if I did it right. How can I test it in Google Analytics to know I set it up right?
2. I followed the link you suggest for recording consent and I did follow that too but I am unsure how I can view the consent recorded in GA? How do you view your stored cookie consent?
Thanks for your help,
Aneesa
Hey,
1. First, you add all the triggers to Google Analytics tags (like blocking statistics triggers and when the consent to statistics is given). Then you refresh the GTM Preview and debug mode and you’ll see the Onetrust cookie notification. Your GA Pageview tag must fire only after you give a consent to be tracked. And if you track clicks, their tags must fire only after the consent is given. If you click links before the consent, no related tags must fire.
2. Those consents are stored as events in GA reports. Behavior > Events
Hey,
Thank you so much for the reply. So I can’t seem to see those consents does that mean I have done something wrong? I can’ figure out what I am doing wrong!
Thanks,
I am of the understanding that the cookie notifications are the result of a European Union law?
Whilst I didn’t vote in favour of Brexit, I presume that once we leave these notifications will cease?
I hope so, I am bored of being told something repeatedly, day in, day out and having to respond by clicking
No, these notifications will remain as usually business will continue to display them regardless of your location.
UPDATE: I’ve added a built-in solution in this GTM recipe which will now record the proof of consent and send this data to Google Analytics. All you need to do is to set the GA Tracking ID or GA Settings Variable.
Thank you, great work.
In GA I have Undefined value for consent groups :
Consent groups: undefined; Fri Aug 10 2018 11:01:08 …
Can you help me ?
Solved !
“cHTML – Push To Data Layer – Consent Data For The Record” was fired before “cHTML – Set Cookie – Actual Cookie Consent Active Groups”
Hi Julius
I’m revisiting your post for some inspiration, thank you again for writing it. I know that you have purposely not gone in to the specifics around why you chose one method over the other when creating your GTM container, but I’m curious about two points.
Is there a benefit to using blocking exceptions for page view tags instead of having the tag fire on either a page view with consent or an update event where the consent is set to allowed? It seems you trigger the tag on any update of the permissions, but use the exception to block if the update wasn’t to allow that specific type. Is that more scalable in some way or did I misunderstand?
Secondly, why does the consent information need to be present in the dataLayer as well as the cookie? It seems this has created extra work in the custom JS variables as both are checked. Is this for convenience, or does the OneTrust solution not keep the cookie values updated properly? I thought I had read the latter in your article, but can’t seem to find it now.
Thanks again!
Jamie
Hey, thanks for taking time and digging deeper into the solution. I like how Onestrust’s Preference center looks like on my site but from the dataLayer perspective, there are some serious issues which forced to apply multiple hacks.
Both your questions are related to those hacks 🙂
1. The problem with OneTrust is that it pushes the consent data to the dataLayer without the “event” parameter, therefore I could not use them as a trigger and had to listen to all the permission updates and then filter which ones are that I need. Anyway, to answer your question, using a blocking trigger seems more convenient to me than to update every trigger with the condition. If (for some reason) the must be done a change in the blocking trigger, I’d need to update only one place. In your solution, I’d have to update every single trigger.
But now you got me thinking/confused regarding another issue: “Why did I have to create separate pageview triggers for every permission level?”. Thinking right now, I’d rather just use a regular Pageview tag and if the permission is not given, the blocking trigger would be activated. That way I’d remove the 9 triggers in that GTM recipe. I’ll have to think harder to remember what is the reason. Although, at that time I was pretty in a hurry so it must be a result of “rapid development” rather than “thinking carefully”.
2. When the page loads, the consent is still not ready in the Data Layer. Therefore I would not be able to fire tags on Pageview events (and sometimes even on DOM Ready). That’s why I realized that I need to check the cookie. However, the dataLayer is the place where the latest consent data is stored. In other words, there might be quick moments, when the consent in the Data Layer has changed but the consent in the cookie still hasn’t been updated. That’s why I’m checking both of them. This solution is more of a safeguard.
Thanks Julius. It’s funny, because I’ve just been reading about blocking triggers and how they help keep things DRY and now I’m too wondering why it’s necessary to create all of the different allow based triggers :/
If you remember, I’m interested to know!
Julius, I wanted to ask two last question to you. Hope you will answer me.
1. Lets say, I do not implement any tool like oneTrust but simply show one popup banner with accept and reject button. upon user reaction, if he choose to accept then i will set cookie and show the page but if he choose reject then simply I want to redirect to 404 or an specific page where i will show that, “we are unable to server you without cookies”. is it okay for now? is it enough way to put off GDPR headAche ?
2. what if i block all traffic from EU region? is it best solution for those who has very less (like 1%) traffic from EU.
Hey, I’m not the right person to ask legal GDPR-related questions. I’ve seen many businesses doing that (both solutions that you’ve mentioned) but I cannot tell you how much compliance is there 🙂
Hi Julius,
Thank you for the recording of consent to GTM but I am bit confused, I am assuming I would have to create this GA Event? If so, Would I choose UA as tag type? And what about the track type?
Thanks,
Aneesa
Yes, choose Universal Tag Type
And track type should be event.
Hi, all
After the integration of these GTM Recipe have you noticed a decrease in the bounce rates of your site?
And a decrease in the traffic recorded by Google Analytics?
Bounce rate shouldn’t be affected a lot but the decrease in traffic is very much expected. Various websites which have implemented Cookie consent mechanism (any, not only OneTrust) noticed a 20-30% decrease in the traffic. This means that either people decline to be tracked or just open a page, do nothing and close it.
Thanks Julius for the info.
I’m not surprised by the decrease in the traffic
For the bounce rate, could it be a “bad” integration of the recipe ?
Everything is possible. But I did not notice that on my blog (I’m using that very same recipe).
Hi Julius,
Thanks a lot for the detailed guide. I am having trouble with the GA tag. It is firing properly by the GTM (I can see it in the Tag assistant) but I am not getting any recordings in the Google Analytics itself. I tried different browsers and still can’t figure out why it is not firing.
I can see my FB pixel in the Helper working properly.
I assume I have not set up the GA code correctly.
I used Universal Analytics, Event, {{GA Tracking ID variable}}. As triggers, I used the Custom – Optanon Consent Updated and Pageview – All pages – Analytics allowed. Exceptions is Blocking – Analytics not allowed.
Any idea what am I doing wrong? Cheers!
I figured it out. I had set a filter not to track traffic from my IP address. Nothing to do with the setup.
I have another question though. The script doesn’t work when I access the website from my Android mobile device. Is this a limitation?
Hey. Did you publish the GTM container?
Yes, it is working fine on desktop now, but it doesn’t show on mobile.
Can you share a link to that website?
http://www.emigratetoaustralia.info
Thanks!
There are two versions of your website: desktop and mobile (when the url contains “?m=1”). There is no GTM in the mobile version, therefore nothing in GTM works in mobile. You need to add GTM container to that mobile version as well. Ask a developer to do that (or maybe you Content Management System can do that).
Thanks a lot! I will have a look tomorrow.