GTM/GA and anonymizing (or not) via checking a GDPR cookie - javascript

I am trying to implement a GDPR-compliant site which implements Google Analytics via Google Tag Manager. GDPR status is determined via a cookie, which I do not have control over and is the only method I may use. My understanding is that I need to set the anonymizeIp value in Google Analytics to true based on the value of this GDPR cookie. I'm not quite sure how best to do this. I can make changes in GA or GTM directly or I can conditionally load different GTM snippets on the site. What I cannot do is use a different strategy to determine GDPR status. What is my likely best choice?
As far as I know I can't just drop the standard ga('set', 'anonymizeIp', true); when using GTM. (Though I'm not an expert on this.) Configuring the value via "Fields to Set" in the GA variable inside GTM is also not allowed unless I reset it when the GDPR cookie notes that un-anonymized tracking is allowed.

GA & GTM are extremely difficult to make GDPR compliant. You should not even load the scripts before getting consent. EU courts have already ruled that analytics does not constitute a "required" service, and thus does require consent, with all the baggage that goes with that.
GA's IP anonymization setting is a cosmetic fob - the act of loading the script has already revealed the user's full IP (and other fingerprintable data) to a corporation outside the EU, and it will also have fully identified them if they happened to have a google cookie set (which is very likely). The anonymization setting may mean that full IPs are not sent to analytics as part of analytics data capture, but by then the damage has already been done. Also, IP anonymization alone is insufficient to deidentify visitors.
GTM very often means that people without technical awareness load third-party extensions that add extra tracking without appropriate consent or control, that you (as the data controller) are liable for.
If you need proper compliance (in the spirit, not just the letter) of GDPR, I recommend self-hosted analytics and tag manager systems such as Matomo or Open Web Analytics.
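The "do not load before consent" approach from the answer above, as an added example that is not part of the original post. The cookie name `gdpr_consent`, its value `granted`, and the container ID `GTM-XXXX` are assumptions; the document and window objects are passed in so the logic can be exercised outside a browser.

```javascript
// Added example. Cookie name and value are hypothetical; use the ones your
// consent platform actually sets.
const CONSENT_COOKIE = 'gdpr_consent';
const CONSENT_GRANTED = 'granted';

// Parse a document.cookie-style string into a prototype-free map.
function parseCookies(cookieString) {
  const jar = Object.create(null);
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (!(name in jar)) jar[name] = value; // first occurrence wins
  }
  return jar;
}

// Fail closed: a missing, malformed or unexpected value means "no consent".
function hasAnalyticsConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === CONSENT_GRANTED;
}

// Inject the GTM loader only after consent, so no request reaches the
// third party before the visitor has agreed. Returns true if it was loaded.
function loadGtmIfConsented(doc, win, containerId) {
  if (!hasAnalyticsConsent(doc.cookie)) return false;
  if (!/^GTM-[A-Z0-9]+$/.test(containerId)) return false;
  win.dataLayer = win.dataLayer || [];
  win.dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' });
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtm.js?id=' +
    encodeURIComponent(containerId);
  doc.head.appendChild(script);
  return true;
}
```

In a page this is called as `loadGtmIfConsented(document, window, 'GTM-XXXX')` in place of the static GTM snippet.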

Related

Unknown googletagmanager in chunk vendors

My ads blocker just blocked an unknown google tag manager request initiated from my vendor's chunk.
Is it a common practice to have tracking in dependencies, and what kind of data it is possible to extract from my website using google tag manager?
Should I even bother?
Having some sort of tracking in libraries isn't common practice but it isn't unheard of. I've seen it less after GDPR and similar laws were introduced however. But that kind of tracking is usually very specific, maybe some usage stats are sent towards an endpoint or maybe Google Analytics is embedded or something.
Google Tag Manager on the other hand can be used to inject almost anything into your site. They could inject a crypto miner, they could take all information from the current (possibly logged in) page and send it to wherever, they could take actions on behalf of the user, redirect users to another page etc. Basically this is a backdoor into your site that might look harmless now but might do something completely different tomorrow so I really wouldn't trust it.
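One way to find which dependency brings the loader in, as an added example that is not part of the original answer: scan the built chunk's text for tag-manager and analytics hosts and print the surrounding code. The host list and the sample chunk are constructed for illustration.

```javascript
// Added example; extend the host list to whatever your blocker reported.
const TRACKER_HOSTS = ['googletagmanager.com', 'google-analytics.com'];

// Return every reference to a listed host in a bundle's source text, with
// some surrounding context so the owning module can be identified.
function findTrackerReferences(source, hosts = TRACKER_HOSTS) {
  const hits = [];
  const haystack = source.toLowerCase();
  for (const host of hosts) {
    let from = 0;
    for (;;) {
      const at = haystack.indexOf(host, from);
      if (at < 0) break;
      hits.push({
        host,
        offset: at,
        context: source.slice(Math.max(0, at - 40), at + host.length + 40),
      });
      from = at + host.length;
    }
  }
  return hits.sort((a, b) => a.offset - b.offset);
}

// Constructed sample standing in for a minified vendors chunk.
const SAMPLE_CHUNK =
  '(self.webpackChunk=self.webpackChunk||[]).push([[216],{7:function(e,t){' +
  'var s=document.createElement("script");' +
  's.src="https://www.googletagmanager.com/gtm.js?id="+t.id;' +
  'document.head.appendChild(s)}}]);';
```

Run it over the real file with `findTrackerReferences(require('fs').readFileSync(path, 'utf8'))`; a source map for the chunk then maps each offset back to the package that contains it.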

Opt Out of Google Analytics with gtag consent mode

I am trying to use the gtag.js consent mode of Google Analytics to design a GDPR compliant cookie banner for my website. I have followed the Google implementation guidelines (https://developers.google.com/gtagjs/devguide/consent), but I am stuck trying to create an opt-out functionality for my users.
I have created the following code that I think should work:
    function optOut() {
      gtag('consent', 'update', {
        'analytics_storage': 'denied'
      });
    }
Which is triggered when the user clicks on the Opt-Out link.
<a onclick="optOut();">Opt-Out</a>
But I cannot see that the GA cookies change in any way. As I understand it, with previous solutions GA would set an opt-out cookie (for example as in this answer https://stackoverflow.com/a/10721214/7927271). I would have at least expected that the cookie properties are somehow updated. Does anyone know if the code above does indeed enable the user to opt-out of GA or whether I am doing something wrong?
Consent Mode does not remove the user from tracking, it just means that there will be no unique identifier created and stored in a cookie. It will not do anything to already existing cookies (but will not use them, either), and it will not set opt-out cookies. You can check this by looking for the consent mode parameter in the GA request (there should be "gcs=G100" in the query parameters).
In Consent Mode, GA collects anonymous data to use them with a machine learning algorithm that promises to deliver results (e.g. in ad targeting) comparable to conventional analytics.
If you want to stop even anonymized data, you cannot use consent mode, but need to implement some other blocking mechanism for your GA tags.
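The `gcs` check described in the answer above, automated over request URLs copied from the browser's network panel (an added example, not part of the original answer). It goes beyond the single `G100` value on the page and assumes the commonly documented layout `G1<ad_storage><analytics_storage>`, with `1` meaning granted and `0` denied; the sample URLs are constructed.

```javascript
// Added example. Decode the consent-mode "gcs" parameter of one GA request.
function consentStateFromRequest(requestUrl) {
  const gcs = new URL(requestUrl).searchParams.get('gcs');
  if (gcs === null) return { present: false, valid: false };
  const m = /^G1([01])([01])$/.exec(gcs);
  if (!m) return { present: true, valid: false, raw: gcs };
  const state = (bit) => (bit === '1' ? 'granted' : 'denied');
  return {
    present: true,
    valid: true,
    raw: gcs,
    adStorage: state(m[1]),          // assumed digit order, see lead-in
    analyticsStorage: state(m[2]),
  };
}

// After the visitor opts out, every GA hit should carry a gcs value with
// analytics_storage denied. Return the hits that do not.
function requestsIgnoringOptOut(urls) {
  return urls.filter((u) => {
    const s = consentStateFromRequest(u);
    return !(s.valid && s.analyticsStorage === 'denied');
  });
}

// Constructed sample hits; UA-XXXXXXXX-Y is a placeholder property ID.
const SAMPLE_REQUESTS = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-XXXXXXXX-Y&t=pageview&gcs=G100',
  'https://www.google-analytics.com/collect?v=1&tid=UA-XXXXXXXX-Y&t=pageview&gcs=G111',
  'https://www.google-analytics.com/collect?v=1&tid=UA-XXXXXXXX-Y&t=pageview',
];
```

A hit that passes this check is still sent to Google, which is the answer's point: consent mode changes what the hit carries, not whether it is sent.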

Disabling third party cookies as per GDPR compliance

I am currently working on developing a solution for clients to comply with incoming GDPR regulations. Part of this task involves allowing users to explicitly opt-in and opt-out of cookies. I am using Cookie Consent for the general framework of displaying notices and allowing users to opt in/out but when it comes to actually developing code to implement that, I am stuck.
Google Analytics explicitly provides an opt-out function in the form of:
    window['ga-disable-UA-XXXXXXXX-Y'] = true;
However I have not been able to find ways to do this for other third-party cookies, such as Twitter and LinkedIn despite much googling. Twitter, for example, doesn't seem to offer anything similar to Google Analytics in the form of opt-out code; it seems like users need to log into their Twitter account and change settings through that, but on the sites I am working on Twitter is setting cookies because Twitter embeds are used on the site regardless of whether a visitor has an account or not.
The closest I have come to a solution is a suggestion to delete cookies by setting their expiry date in the past. However, AFAIK this won't stop cookies being set again. Also how then do I explicitly re-allow these cookies if the user decides to opt-in to allowing cookies in the future?

Organic vs Paid traffic in Javascript

Is there a way to (in Javascript+jQuery), extract the data of whether a visitor is Paid vs. Organic traffic (or other such metrics)?
For the scope of the question, you can assume that Universal Analytics is running on the landing page, but I'm limited to console-level Javascript only.
Little background: For a test we want to run, we're looking to target different visitors in different ways in a sort of tag manager-tool. The tool limits us to only using Javascript, so we can not directly use the information from Analytics.
I've seen this question. However, that question appears to be outdated, because (as is written in the comments of the answer), the answer does not work with UA.
This information is available in Analytics, so you'd think they'd be able to retrieve it from somewhere. My question is, could I find this information through Javascript?
You can identify the traffic on the landing page, since with UA paid traffic either needs to have a gclid (a Google click id from Google Adwords) or campaign parameters ("utm parameters", most notably utm_campaign) that identify if this is a paid channel. Then you'd have to store the information via a cookie or localstorage.
Other than that the Universal Analytics tracking code will not reveal anything about the visitor except the client id, which says nothing about paid vs. organic.
For completeness' sake: In theory you could store client ids as a custom dimension in GA and use the API to create a service that lets you retrieve information about a given client id via an ajax call, but that would have a certain lag (since GA needs a few hours before it has processed data for a visit), would probably not be very efficient and might have privacy implications that might put you at odds with the Google TOS and national laws.

How does Google Analytics tag users in Custom Variables?

We have a page that is shown inside a software tool we have. It's a sort of "starterpage" that shows up when you start it. Our software is available as Free, Pro, and Trial.
I have set up my tracking so that people who visit this page are tagged as a "Free user" or a "Pro user" using custom variables.
I then segment my visitors in GA to show only, for example, "Free users" to see how many of these later go on and purchase the Pro-version (using a regular Goal).
The software leverages a specific browser, called the JXBrowser, and the purchase is done through the regular webpage visited through another browser (like Firefox or Chrome). I want to know how Analytics saves the tag of the user. Does it tag the IP address visiting the software starterpage or does it save it in some sort of cookie?
I'm asking because I want to know how accurate the data I'm seeing is. I am seeing that the tagging is working and that the goal completion for that usergroup is working as well. The goal completions are somewhat low though, which is why I want to make sure that isn't because of some technical difficulty.
TL;DR; Is Custom Variables tagging users IP as certain visitor-groups or are they saving the data in a cookie? How does Custom Variables work in cross-browser situations?
Custom variables available in Google Analytics ga.js library have a scope that defines whether they are attached to a pageview, visit or visitor. From your question, I would assume that you are using a visitor-level scope.
    _gaq.push(['_setCustomVar',
      1,                   // This custom var is set to slot #1. Required parameter.
      'Software Version',  // The name acts as a kind of category for the user activity. Required parameter.
      'Free',              // The value of the custom variable. Required parameter.
      3                    // Sets the scope to visitor-level. Optional parameter.
    ]);
Visitor-level custom variables do indeed use a cookie to persist the value (the cookie name is __utmv).
On a side-note, GA also uses cookies for measuring unique visitors and many other things like session start / end, number of visits. This means that a user using multiple browsers will not be seen as one user, but as many users as there are different browsers (based on cookie sets).
It's worth pointing out that Google Analytics offers another collection library designed to make tracking across browsers and devices easier, the analytics.js library. In your case, if all users are registered or have a unique 'install id' you might be better off disabling cookie storage and using your own id for the cookie - a feature available in the analytics.js library.
