cookie tracking in banner with GA

rick_d · ‎May 21, 2019

Hi there, posting this on behalf of a customer:

We have a problem: while the cookie banner is displayed, it will not block all the site's advanced scripts that potentially collect user data. Only when the user has given his consent(s) through an active action, such as setting check marks in the banner clicking on a button, the data processing requiring consent may actually take place (ensured by technical measures).

They are looking for a customized way to use all these scripts at once, while being GDPR compliant, so that declining the initial cookie banner would make sure that no scripts are loaded against user will.
Suggested solution was something as described by the end of this former post: https://integrate.hubspot.com/t/issues-in-hubspot-customized-tracking-code/10850/6

IsaacTakushi · ‎May 22, 2019

Hi, @cbaumert.

With @rick_d's help, I believe I better understand your question.

If you wish to only fire external scripts like Google Tag Manager, Google Analytics, etc. after a visitor has granted consent, you can leverage the addPrivacyConsentListener method Derek cites in this post.

I just tested this script and it worked for me. My GTM script was not loaded until after I consented to cookie tracking:

var _hsq = window._hsq = window._hsq || [];
_hsq.push(['addPrivacyConsentListener', function(consent) {
console.log("Consent has been granted.");
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-MY-GTM-ID');
console.log("GTM-MY-GTM-ID was triggered.");
}]);

Isaac Takushi

Associate Certification Manager

View solution in original post

cbaumert · ‎May 21, 2019

We are not looking for an individual solution but for a basic solution. to act dsgvo compliant may not be tracking until the cookie banner is approved. Hubspot therefore urgently needs to find a solution to prevent tracking.

IsaacTakushi · ‎May 21, 2019

Hi, @cbaumert.

To clarify, is your primary concern that HubSpot fires some of its own scripts before visitors approve cookie tracking? Do you believe this to be non-GDPR compliant?

I cannot offer legal advice, however the HubSpot Legal team approved this GDPR Playbook, which states that "Personal data [under GDPR] is anything identifiable." The document asserts anonymized analytics do not constitute personal data and can be retained even after a GDPR-compliant delete.

The scripts which trigger before the banner collect these anonymized analytics. This data will not be associated with a contact record unless the visitor explicitly approves cookie tracking. The HubSpot Legal team believes this type of behavior complies with the GDPR legislature.

I will share your feedback internally, but there are no immediate plans to overhaul the behavior of the cookie consent banner.

Isaac Takushi

Associate Certification Manager

IsaacTakushi · ‎May 22, 2019

Hi, @cbaumert.

With @rick_d's help, I believe I better understand your question.

If you wish to only fire external scripts like Google Tag Manager, Google Analytics, etc. after a visitor has granted consent, you can leverage the addPrivacyConsentListener method Derek cites in this post.

I just tested this script and it worked for me. My GTM script was not loaded until after I consented to cookie tracking:

var _hsq = window._hsq = window._hsq || [];
_hsq.push(['addPrivacyConsentListener', function(consent) {
console.log("Consent has been granted.");
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-MY-GTM-ID');
console.log("GTM-MY-GTM-ID was triggered.");
}]);

Isaac Takushi

Associate Certification Manager

tgr3gory · ‎Dec 30, 2019

Hello Isaac,

This is exactly the solution I'm looking for... I'm not a developer, so where would this script go to make it work? Would it be implemented in the header above the GTM header code on all pages? (I see where the GTM ID goes in your script, I've got that, it's just where this piece of script needs to go where I'm a little out of my element)

Thank you!

IsaacTakushi · ‎Dec 31, 2019

Hey, @tgr3gory.

Happy to help.

You'd actually move your GTM and GA codes inside the privacy consent listener so that they only fire when consent is granted. If your scripts exist outside the code below, they'll fire even if consent isn't granted

var _hsq = window._hsq = window._hsq || [];
_hsq.push(['addPrivacyConsentListener', function (consent) {
	// All of your codes go in here. You can place this wherever you want on your site, but the header is a common placement.
}]);

Isaac Takushi

Associate Certification Manager

theboi · ‎Feb 24, 2020

Would this be the case for all tracking scripts?

RStein · ‎Jan 21, 2020

Hey @IsaacTakushi ,

thank you very much for your support. From what I read in the documentation I believe one does have to check whether the consent was actually granted, right?

Like this:

var _hsq = window._hsq = window._hsq || [];
_hsq.push(['addPrivacyConsentListener', function (consent) {
   if (consent.allowed) {
	// All of your codes go in here. You can place this wherever you want on your site, but the header is a common placement.
   }
}]);

IsaacTakushi · ‎Jan 21, 2020

Yes, you're absolutely right, @RStein! I neglected to mention that in my response. Thanks for pointing that out.

Isaac Takushi

Associate Certification Manager

ziadi · ‎Feb 12, 2020

Hi, this is all very helpful thank you! From my understanding (and I may be wrong) the cookie consent should be only applied in the EU, is there a way to trigger this only if it's outside of the US based by IP GEOLOCATION?

Also, I tried inserting the code into the header section and received this error code: "invalid HTML or HubL in the Head HTML"

Here's the code I used, but I replaced with my GTM ID:

var _hsq = window._hsq = window._hsq || [];
_hsq.push(['addPrivacyConsentListener', function (consent) {
if (consent.allowed) {
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-MY-GTM-ID');
console.log("GTM-MY-GTM-ID was triggered.");
}
}]);

What is the issue?

ziadi · ‎Feb 12, 2020

the &l characters are invalid and I am unsure why?

APIs & Integrations