If you've been trying to figure out GDPR compliance for your organization, then you have probably heard the term “cookie consent.” Unfortunately, cookie consent is not some new fad diet that will be going away a few months into the new year. Unless, maybe, you consider slimming down your Google Analytics tracking a type of diet?
In a nutshell
- In this video and post, we are going to look at how to obtain Google Analytics cookie consent from your website visitors.
- We'll examine some of the more common tracking consent tools that are in use.
- And, we'll also look at the on-page events that signal permission to track your visitors' data.
In the video, I explain everything you need to know about Google Analytics cookie consent.
Cookie consent refers to getting permission from your website visitors to collect personal data. Under GDPR, you are not allowed to collect personal data from your EEA users without their consent.
So the bottom line is:
No consent, no fancy tracking cookies!
But you can collect this data from your visitors if they permit you.
Google Analytics, Personal Data, and Cookie Consent
Before we start looking at cookie consent banners or pop-ups, let's review when you need permission to track user data.
Advanced Google Analytics installations
Here are some of the advanced features in Google Analytics that rely on personal and third-party data.
- Display features
- Demographics
- User IDs
- Replicating Client IDs across devices
- Custom dimensions and metrics
- Remarketing features
These features bring personal data on your users into Google Analytics. This data is usually displayed in aggregate in your Google Analytics reports, but a few of these advanced features allow you to see the specific activity for individual users.
Basic Google Analytics installations
Basic Google Analytics installations don't use display features or advanced tracking. In this case, you can avoid tracking personal data by anonymizing user IP addresses. In the EU, GA4 anonymises IP addresses by default. If you don't collect personal data, then you don't need to ask for permission to track your visitors anonymously. The key word here is anonymous. If the data you’re collecting is anonymous and not user-specific, you don't need consent.
What type of consent do you need to collect personal data using Google Analytics?
If you want to use advanced Google Analytics collection and tracking features, you need to obtain consent to use cookies that collect personal data from your EEA website visitors. Hence the term cookie consent.
Before I share my understanding of how your website visitors can provide tracking consent, I have to offer this warning:
I am not an attorney. So, this post is not providing you with legal advice about cookie consent. I can only share my simple, caveman-like understanding of this process. You should consult your attorney before implementing any of these ideas.
Here's my interpretation of how consent requirements work under GDPR.
Advanced Google Analytics collection and tracking under GDPR
Many of us want to continue collecting user data. This data helps enhance our analytics. As we've discussed in previous posts, the collection of user data enables features like segmentation, table filters, and more.
If you use advanced Google Analytics tracking features, or you collect third-party data, you most likely need a cookie consent banner, at least for your EEA users.
Cookie consent notifications have conquered the internet. Here's an example of a consent notification on a website using a tool called Cookiebot.
As you can see in this example, the notification lets you know they use cookies. It also lets you know why they collect user data.
If you click to see the cookie declaration, it shows where they embed their cookies.
The actual text you have to put on your cookie banner for Google Analytics 4 depends on whether you are using a basic or advanced installation.
On the banner itself, a generic text can do.
Your cookie banner can, for example, use the following text:
This website uses cookies
We use cookies to improve the user experience and analyze its performance. You can choose the cookies by clicking on “Select cookies” or click “I accept” to accept all cookies. Read more about our Cookie Policy in our Privacy policy
Or here is another example of a text for a cookie banner:
Cookie settings on this website
This site uses cookies, as described in our cookie policy. Click “accept all cookies” to agree to the use of cookies. You can set your individual cookie settings here at any time.
Apply these tips too:
- Make sure you use exactly the same text as on your cookie consent buttons. Don’t say click “OK”, if your consent button mentions “I agree”.
- Link in the banner to your privacy policy page, or cookie page. And make sure that you don’t put cookies there without consent.
- Make sure users can opt out of cookies that aren’t essential for the website to work. Google Analytics cookies, for instance, are not essential.
Depending on the available space you have in your consent banner, you can also give a more specific explanation about all the service providers that place cookies on your site.
For Google Analytics 4, your consent text may classify its cookies as performance or analytics cookies. It’s important that you mention the purpose. For example:
Performance (or analytics) cookies are used to see how users interact with our website, such as the pages they view.
Don’t forget to list all the cookie names, duration and description of what they are actually doing. To figure this out, you can use online cookie scanners or one of the tools I mention further on.
But first, let’s find out what a GDPR compliant cookie consent banner is supposed to do.
How does Cookiebot work?
The Cookiebot consent notification tool is transparent, simple, and effective.
Let's take a look at how this tool works. We can use the Google Chrome developer tools to see Cookiebot in action.
If I visit the Cookiebot site, I can see the scripts they are running in my developer window under the network tab.
This session is the first time I visited this site, and I haven't clicked their tracking consent opt-in yet. I also haven't scrolled the page yet.
Tracking scripts and Cookiebot
Usually, when you visit a site that's using Google Analytics, the analytics.js, or the new gtag.js beacon gets pushed when your browser loads the page.
But on cookiebot.com, you can see their tracking scripts haven't run yet. The only things running on page load are some basic JavaScript and images.
There are a couple of different ways Cookiebot tracks consent. This tool will record tracking consent when I check “OK” on their cookie notice.
These tracking scripts would typically fire right away on page load. But in this case, they are delayed until I click on their tracking notice.
First, they log my consent to be tracked. Then Cookiebot starts setting cookies and collecting my data. If you look at the scripts that were triggered by my scroll action, you see Hotjar, Facebook, Google Analytics, as well as others being initiated.
There are some differences in how various types of cookie consent software display their tracking notices. But these tools all operate on the same basic premise. They delay your scripts, such as the Google Analytics tracking code, until consent has been obtained from your website visitor.
In the past, they also recorded that I had consented to these cookies when I scrolled past the notification on the page. That’s no longer the case, which makes you wonder …
Is page scrolling enough for user consent?
Now you might be wondering whether this implied consent process is compliant with GDPR. Do you need users to click the “OK” button to track their data? Or is page scrolling enough?
Let's take a look at some additional resources.
Facebook GDPR documentation
Now I'll admit, it's rare for me to trust a vendor when it comes to regulatory issues.
But Facebook has some very clear explanations of who needs to ask for cookie consent, and how it works.
Here are some of the types of websites Facebook previously identified as needing consent.
These websites include:
- Retailers that use cookies to collect information
- Blogs that use an analytics provider to collect aggregate demographic data about users
- News media websites using cookies to display ads
- Anyone using the Facebook tracking pixel
Well, that list calls out pretty much everybody on the internet!
Which on-page actions indicate user consent?
Facebook also shares the acceptable way to get cookie consent.
You can obtain cookie consent when a visitor takes an affirmative action. E.g.:
- Clicking your “I agree” button in a banner or splash screen that includes specific information.
There is no mention of whether visitors who scroll give consent for non-essential cookies, such as Google Analytics.
Keep in mind that this is Facebook's position on cookie consent and GDPR compliance. You should discuss your own tracking consent solution with your attorney.
In this post, we are merely sharing examples of the most common approaches to cookie consent. I am certainly not recommending a specific strategy.
That said, the documentation Facebook's providing is consistent with current cookie consent trends I am seeing implemented by other websites.
Deleting user data
Facebook also provides some guidance on allowing users to opt out of tracking and on deleting their data.
Now that we have some reference points, let's get back to looking at how to implement a cookie consent notification.
Cookie Consent notification software
I know a lot of you are fretting about implementing a consent notification pop-up. But I don't think we need to be intimidated by this problem. There are a lot of options for displaying cookie notices. And there are many free tools that we can use to get our tracking notices set up on our websites.
Here's a rundown of some of the more common consent notification systems being used.
Cookiebot
We already looked at how Cookiebot works and discussed its popularity.
I'll also mention that I was tagged in this tweet from Andy Crestodina. He cautioned that one of his clients saw a significant drop off in traffic after installing Cookiebot.
The analyst in me is skeptical that this decrease in traffic is a direct result of Cookiebot. You can see that this site's USA traffic is also down. So, there could be many reasons for this dip in traffic.
But I appreciate the heads up from Andy. We need to be aware that cookie pop-ups could affect our traffic data in Google Analytics. And really, anytime you implement a change in your tracking you want to consider the potential ramifications to your analytics.
Iubenda
This tool was recommended to me by Falk (Thanks!).
Iubenda offers a free version of their software for websites that get less than 25K pageviews a month.
Google Tag Manager (GTM)
My friend Julius at Analytics Mania created a tracking consent solution using GTM.
As Julius mentions in his article, if you haven't already migrated to GTM, this is as good a time as any. It's generally easier to adjust your tracking scripts with GTM than it is to fix scripts that are hardcoded on your site.
Portent
The team at Portent also introduced a GTM cookie consent form. This solution includes a geofence based on your users' IP address. The geofence attempts to limit your cookie banner to only users from EEA countries.
Personally, I am still undecided on using a geofence. There are pros and cons to geofences that depend on your approach to this strategy.
Jetpack for WordPress
Jetpack offers its users a free cookie banner. If you're using WordPress, the setup for this cookie banner is as simple as adding a widget to your website.
Keep in mind some of these solutions only include display banners. They don't affect how and when you fire your tracking scripts. Under GDPR your tracking shouldn't deploy until after your EEA users have provided consent. So, a cookie consent banner is only half of the solution you need for GDPR compliance.
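Here is a sketch of that other half, added as an example and not taken from any of the tools above: the gtag.js script is injected only after a click on the accept button or when an earlier explicit consent is found in storage, and scrolling never triggers it. The measurement ID, the storage key, and the button IDs are placeholders.

```javascript
// Added example: consent-gated loading of gtag.js (not from the original post).
const GA_ID = 'G-XXXXXXXXXX';            // placeholder measurement ID
const CONSENT_KEY = 'analytics_consent'; // hypothetical storage key

// doc, storage and win are injected so the gate can be exercised without a browser.
function createConsentGate(doc, storage, win, measurementId = GA_ID) {
  let loaded = false;

  function loadAnalytics() {
    if (loaded) return false; // never inject the tag twice
    win.dataLayer = win.dataLayer || [];
    function gtag() { win.dataLayer.push(arguments); }
    gtag('js', new Date());
    gtag('config', measurementId);
    const script = doc.createElement('script');
    script.async = true;
    script.src = 'https://www.googletagmanager.com/gtag/js?id=' +
      encodeURIComponent(measurementId);
    doc.head.appendChild(script);
    loaded = true;
    return true;
  }

  return {
    // On page load: only a stored, explicit "granted" loads the tag.
    init() {
      return storage.getItem(CONSENT_KEY) === 'granted' ? loadAnalytics() : false;
    },
    // Affirmative action: the visitor clicked the accept button.
    accept() {
      storage.setItem(CONSENT_KEY, 'granted');
      return loadAnalytics();
    },
    // Opt-out: record the refusal; the tag is not loaded on later page views.
    decline() {
      storage.setItem(CONSENT_KEY, 'denied');
      return false;
    },
  };
}

// Browser wiring (skipped outside a browser). Element IDs are hypothetical.
// No scroll listener is registered: scrolling never loads the tag.
if (typeof document !== 'undefined') {
  const gate = createConsentGate(document, localStorage, window);
  gate.init();
  document.getElementById('cookie-accept').addEventListener('click', () => gate.accept());
  document.getElementById('cookie-decline').addEventListener('click', () => gate.decline());
}
```

A decline recorded after the tag has already loaded takes effect from the next page view, because an injected script cannot be unloaded.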
Final thoughts
If you’re targeting EEA users with your website, make sure you only place Google Analytics cookies after the user has given explicit consent.
Alas, the matter is more complicated than that.
The GDPR is an EU directive, but each member can interpret it differently. And this can change at any time, as it did, for example, in Austria, where Google Analytics is completely banned.
The best you can do is consult your legal department or a lawyer. While you are having the talk, don’t forget that the GDPR rules are not restricted to Google Analytics. You may also have to configure your cookie consent banner for other plugins and platforms.