Google Tag Manager (GTM) should have a built-in method to manage firing tags based on user consent, but it doesn’t. While looking for a good way to set this up, I was bewildered by the insanely complex methods people were coming up with.. Thankfully, there’s an easier way that doesn’t involve editing site code!
Note: The below may help make your site more GDPR or CCPA compliant, but it’s not everything you need to do. Go talk to a lawyer and get some proper advice!
Google Tag Manager basics
First, set up Google Tag Manager on your website and use it to fire something like a Google Analytics tag. Doing so is fairly straight forward, and there are heaps of guides online to show you how it’s done. For WordPress sites, I can recommend the Google Tag Manager for WordPress plugin. You’ll need to have GTM firing at least one tag so you can see the difference between having and not having user consent.
Osano Cookie Consent basics
Next – go to Cookie Consent by Osano. Osano offer two versions of their consent tool: a paid version and an open source free version. Unless you feel like paying (and it’s not a bad service from all reports), you want the open source version.
The download page has a table comparing the two versions – at the bottom, click the Start Coding button. In the Configure section, go through steps 1-6 to set up how you want your consent prompt to appear.
Here’s where we start ignoring most of their instructions 😉
All Consent Types
Irrespective of which consent compliance option you selected, you need to load the Osano code as a tag. In Google Tag Manager, create a new Custom HTML tag:
- Give it a name: “Cookie Consent by Osano”
- Copy both blocks of code from the Osano site (Copy HTML followed by Copy Code) into the HTML box in GTM
- Configure a firing trigger so this tag loads on All Pages as a Page View
Save and publish in GTM. What you do next depends on what type of consent you need..
- Just let the user know we’re using cookies
- Give the user the ability to opt out of cookies
- Require the user to opt in to cookies before using them
Consent Type 1: Inform User
If you selected the compliance option “Just tell users that we use cookies” – there’s nothing more you need to do! The consent prompt should now load on each page until the user dismisses it. 🙂
Consent Type 2: Opt Out
If you selected the compliance option “Let users opt out of cookies (Advanced)” – there’s a little more to do, but it’s easy. Ignore the warning about needing to modify your site. 😉
The Cookie Consent script stores the user choice in a cookie, so we need to tell GTM to read it and use it:
Read Cookie
In GTM, create a new Variable:
- Call it “Cookie Consent Status” or similar
- Select ‘1st-Party Cookie’ as the variable type
- For Cookie Name, enter
cookieconsent_status
Use Consent Status
Still in GTM, create a new Trigger:
- Call it “Cookie Consent equals deny”
- Select ‘Page View’ as the trigger type
- Choose ‘Some Page Views’
- Select ‘Cookie Consent Status’ (or whatever you called the variable) in the first drop down
- Choose ‘equals’ in the second drop down
- Enter
denyas the text
The line should now read “Cookie Consent Status equals deny”.
To make use of this trigger, go into each of the tags that are configured to fire using a trigger (except the Cookie Consent tag, obviously). Add an “exception” trigger, then choose the ‘Cookie Consent equals deny’ trigger you created above.
Finally, save and publish in GTM – tags should now be suppressed if your users choose to deny cookies. It’s important to note that tags will fire even if the consent prompt is ignored, so if you need to stop serving up delicious cookies until someone allows them..
Consent Type 3: Opt In
Aka – the GDPR option. This one sucks because you won’t get analytics data unless someone clicks ‘Allow cookies’, but if it’s what you need to do..
First, read through Consent Type 2 above. You need to create the same Variable in the Read Cookie section, but then things are a bit different:
Are Cookies Definitely Allowed?
In Google Tag Manager, create a new Trigger:
- Call it “Cookie Consent does not equal allow”
- Select ‘Page View’ as the trigger type
- Choose ‘Some Page Views’
- Select ‘Cookie Consent Status’ (or whatever you called the variable) in the first drop down
- Choose ‘does not equal’ in the second drop down
- Enter
allowas the text
The line should now read “Cookie Consent Status does not equal allow”. This is a little confusing, but this is different to the previous trigger in that it will also block tags if the user hasn’t made a choice. Logic is fun!
As with Consent Type 2, go into each of the tags that are configured to fire using a trigger (except the Cookie Consent tag). Add an “exception” trigger, then choose the ‘Cookie Consent does not equal allow’ trigger you just created.
One last thing – and this is optional – but when someone accepts cookies, you probably want to reload the page to fire all the tags that were being suppressed until now. To do so, you need to create another trigger and a tag:
Listen for the Allow Cookies click
We need to make sure GTM is paying attention to CSS classes on elements users click:
- In GTM, go to ‘Variables’
- Click ‘Configure’ in the ‘Built-In Variables’ section
- Scroll through the list and ensure the ‘Click Classes’ option is checked.
Now, create a trigger:
- Call it something like “Allow cookies button click”
- Choose ‘Click – All Elements’ as the trigger type
- Select ‘Some Clicks’
- Choose ‘Click Classes’ in the first drop down
- Select ‘contains’ in the second drop down
- Enter
cc-allowas the text
The line should now read “Click Classes contains cc-allow”.
Reload page when the user accepts
When the user clicks on the Allow cookies button, we need to do something with it..
Still in GTM, create another Custom HTML tag:
- Call it “Reload Page”
- In the HTML box, enter the following:
<script>window.location.reload();</script> - Select ‘Allow cookies button click’ as the trigger
At long last – save and publish in GTM. This configuration prevents tags from firing unless they’re allowed and reloads the page when the user allows them so you don’t lose the pageview.