29th April 2019

Programming proper GDPR cookie consent

Are you including 3rd-party services, like Google Analytics, Facebook’s tracking pixel, embedded videos, and other integrations? Be mindful about GDPR compliance and cookie consent.

This article focuses specifically on how to adjust your integrations so that users can opt out of personalised remarketing. Remarketing is one of the main concerns that makes cookie consent necessary.

1. Google Analytics

This is a very common integration allowing you to study site traffic and user behaviour. Google Analytics is free, and for a very good reason: Google uses the data you provide to inform its advertising network. But you can opt out of this in code and only opt in once your users have accepted cookies. So how do we do this?

// Disable ad features by default (cookie policy)
ga('set', 'allowAdFeatures', false);

This turns off ad features by default. Ad features need to be turned on in Google Analytics itself for this setting to have any real impact. Once a user has opted in to your cookies and cookie policy, you can set this value to true. Google Analytics will then begin collecting data for display and search remarketing, and for advertising reporting.

You should also take the extra step of anonymising the user's IP address. The user has not yet opted in to sharing their precise location. You probably don't need to switch this off again unless you particularly want their exact location. Even then, IP addresses are not a reliable means of identifying a location.

// Disable precise IP tracking
ga('set', 'anonymizeIp', true);

Note that you should disable these features before sending a page view, so set these variables as early as you can.

2. Facebook pixel

If you have integrated the Facebook pixel, tie it into your cookie consent feature so that Facebook only tracks your users' behaviour after consent is given.

// Immediately revoke consent on page load
fbq('consent', 'revoke');

// Once user has opted-in to your cookies, grant consent
fbq('consent', 'grant');

This simple switch stops Facebook from reporting data until consent is explicitly granted by your cookie consent feature.

3. Other 3rd parties not offering explicit consent?

You may want to integrate another service like LinkedIn which does not appear to offer a programmatic means of consent. You will need to stop loading the script altogether until consent is granted. This seems to be the safest way to prevent your users being tracked without their explicit consent. It’s not apparent what LinkedIn’s script is tracking at this point.

The same can be said for other services that have not documented a method of opting out from marketing tracking.

// Pseudo example: only inject LinkedIn's Insight Tag once consent is granted
onCookiesAccepted(function linkedInInitGDPR(){
    _linkedin_partner_id = "PARTNER_ID";
    window._linkedin_data_partner_ids = window._linkedin_data_partner_ids || [];
    // Register the partner id; without this the script has nothing to report to
    window._linkedin_data_partner_ids.push(_linkedin_partner_id);
    // Inject the vendor script next to the first script tag on the page
    (function(){var s = document.getElementsByTagName("script")[0];
    var b = document.createElement("script");
    b.type = "text/javascript";b.async = true;
    b.src = "https://snap.licdn.com/li.lms-analytics/insight.min.js";
    s.parentNode.insertBefore(b, s);})();
});
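The onCookiesAccepted() hook used above is not defined on this page. The following is an added example (not the article's own code) of a small consent gate that implements it: it applies the default-deny settings from sections 1 and 2 before any page view, queues loaders until the user opts in, remembers the decision across page loads, and flips the Google Analytics and Facebook switches on acceptance. The storage key name is an assumption.

```javascript
// Consent gate behind the onCookiesAccepted() hook (added example, not the
// article's code). The storage key is an assumption; ga()/fbq() are only called
// when the vendor scripts are actually present on the page.
const CONSENT_KEY = 'cookie_consent'; // assumed storage key

function createConsentGate(storage) {
  const pending = []; // loaders waiting for opt-in
  let accepted = storage.getItem(CONSENT_KEY) === 'accepted';

  function applyDefaults() {
    // Default-deny, to run before the first page view is sent.
    if (typeof ga === 'function') {
      ga('set', 'allowAdFeatures', false);
      ga('set', 'anonymizeIp', true);
    }
    if (typeof fbq === 'function') fbq('consent', 'revoke');
  }
  function grant() {
    if (typeof ga === 'function') ga('set', 'allowAdFeatures', true);
    if (typeof fbq === 'function') fbq('consent', 'grant');
  }

  const gate = {
    isAccepted: () => accepted,
    // Run fn after opt-in: immediately if consent is already stored from an
    // earlier visit, otherwise once the user clicks "Accept Cookies".
    onCookiesAccepted(fn) {
      if (accepted) fn(); else pending.push(fn);
    },
    accept() {
      if (accepted) return; // idempotent: loaders must not run twice
      accepted = true;
      storage.setItem(CONSENT_KEY, 'accepted');
      grant();
      while (pending.length) pending.shift()();
    },
    // Withdrawal flips the vendor switches back, but scripts that were
    // already injected stay loaded until the next page load.
    revoke() {
      accepted = false;
      storage.removeItem(CONSENT_KEY);
      applyDefaults();
    },
  };
  if (accepted) grant(); else applyDefaults();
  return gate;
}

// In the browser: const consent = createConsentGate(window.localStorage);
// then wire consent.accept() to the "Accept Cookies" button.
```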

4. Third-party embeds

Where possible you should use a nocookie version of an embed. With YouTube this is possible using the nocookie domain:

// Embed a cookie-less version of the video

This will prevent tracking from taking place and influencing the videos a user may see on YouTube.

For Vimeo embeds add the parameter dnt=1 to the video URL:

// Embed a Vimeo video without tracking

(Image: sea of people) Don't let your users get lost in a sea of data mining


It may not be possible to disable tracking on an embed. In that case you may want to force the user to opt in before loading it. Do this by displaying a warning message and a poster; the user has to click an "Accept Cookies" button on the poster. When clicked, the embed loads along with any third-party cookies it uses. With this approach you are doing your best to protect the user, and it is ultimately up to them whether to consent and load the video.
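As an added example (not the article's code) of the two approaches in this section: a helper that rewrites YouTube embed URLs to the www.youtube-nocookie.com domain and adds dnt=1 to Vimeo player URLs, and a click-to-load mounter that, for hosts with no known tracking switch, only creates the iframe after the user accepts on the poster. The function names and the poster wording are assumptions.

```javascript
// Added example, not the article's code. privacyEmbedUrl() is pure and can be
// unit-tested; mountEmbed() needs a DOM and is only meant for the browser.
function privacyEmbedUrl(src) {
  const u = new URL(src);
  const host = u.hostname.replace(/^www\./, '');
  if ((host === 'youtube.com' || host === 'youtube-nocookie.com') &&
      u.pathname.startsWith('/embed/')) {
    // Same player, served from the cookie-less domain.
    u.hostname = 'www.youtube-nocookie.com';
    return { src: u.toString(), tracking: 'reduced' };
  }
  if (host === 'player.vimeo.com') {
    // Force dnt=1 even if the pasted URL already carried dnt=0.
    u.searchParams.set('dnt', '1');
    return { src: u.toString(), tracking: 'reduced' };
  }
  // Unknown host: no documented opt-out, so the caller must gate it behind
  // explicit consent instead of loading it straight away.
  return { src, tracking: 'unknown' };
}

// Click-to-load: embeds with a tracking switch load immediately in their
// reduced form; anything else is replaced by a poster button and the iframe
// is only created after the user clicks it.
function mountEmbed(container, src, posterText) {
  const target = privacyEmbedUrl(src);
  const load = () => {
    const frame = document.createElement('iframe');
    frame.src = target.src;
    frame.setAttribute('allowfullscreen', '');
    container.replaceChildren(frame);
  };
  if (target.tracking === 'reduced') return load();
  const poster = document.createElement('button');
  poster.textContent = posterText || 'Accept cookies and load this embed';
  poster.addEventListener('click', load, { once: true });
  container.replaceChildren(poster);
}
```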

Why is it important to approach third-party integrations carefully?

There has been a tendency to just include third-party services without thinking about the impact on the user. A user should be able to browse a website without this affecting what they may see on other websites (remarketing).

This means a user must explicitly consent to cookies that track their behaviour for the explicit reason of remarketing.

This may frustrate your salespeople, but you will be much closer to GDPR compliance. You will demonstrate that you care about your users and are not being negligent about their privacy.

Get on the right side of the law

Compliance within GDPR is a complex issue, and is somewhat open to interpretation, like anything in law. If you have a genuine concern for your users and you’re taking the necessary steps to be compliant, then you should be in the clear, but it’s wise if you are holding a lot of personal data to take the advice of a privacy lawyer.

Remember that developers and agencies are not lawyers, and they can only follow documented methods of compliance (and sometimes budget constraints don’t allow them to do so). It’s up to the owner of an organisation to ensure their web products are compliant, so their users are protected.

Programming proper GDPR cookie consent https://lab19.dev/programming-proper-gdpr-cookie-consent/...