Question about GA4 and GDPR

[ioweb-gr]

Summary (*)

I have noticed the addition for GA4 but I'm questioning the usability in EU domain due to GDPR and also other similar privacy protection laws. Currently the way I see it the solution is based on the assumption that everything is read server-side and rendered however if we were to implement a cookie consent solution that's not relying on GTM (for gtag implementations for example) then any FPC solution would basically break these blocks in the sense that you can't really read the consent choice of the user as the page is rendered.

You can't really read cookies for consent on php side and expect things to function with FPC on because your code won't be really executed.

Shouldn't this be more integrated with a frontend solution that can actually read dynamic values from the cookie consent frameworks instead of just rendering the scripts directly on html ?

Examples (*)

Proposed solution

[fballiano]

the way cookiebot works is that you have a <script type="text/plain" data-cookieconsent="statistics" so that the script is run only when cookiebot actually confirm that the user wants that type of scripts. It's a pretty easy implementation and works for all of my european customers that use cookiebot.

FPC shouldn't be an issue too unless unless some javascript code modify the page in such a way that the pre-rendered scripts are then wrong, but I've never encountered any situation like this.

also, the way it works now is the same way it was working before, with ga3 etc.

[pquerner]

This is exactly the reason I had to backport this feature on our shop.

We have a cookie banner, which the customer must answer if not set. Theres options for marketing cookies etc. Only when marketing cookies are wanted, a js function is executed and that GA4 stuff can execute.

The server doesnt decide, the frontend does. The backend still can send details about the GA4 stuff to the frontend, but it will not execute when marketing cookies arent allowed.

The issue now for OM is, that iirc no cookie banner solution exists in the core, so it will excute no matter what the customer chosen in a 3rd party cookie banner etc.
In such situations you have to either

a) overwrite the ga.phtml file and come up with your own solution on when to execute the GA related code (ie. behind a cookiebanner)
b) backport the feature and fully adjust how you want it.

[ioweb-gr]

I see this looks pretty clear now. I have a question about further customizing this solution but I'll open a new discussion :)

Thanks for the input guys

[Flyingmana]

so I might not be fully up2date and reliable, but there are 3 main parts I think.

you need a privacy policy on your website explaining which data you collect and for what.

not sure how it is currently, but in the past for germany there was for germany an "annonymize" parameter, which cut of a part of the IP, which lead to less reliable numbers, but made it conform with avoiding identification.

cookie consent is relevant for anything which sets a cookie, or even just does a request to the outside which might set a cookie.
For GA in the previous edition the cookie was set when loading the JS file, so the solution was, to have all the tracking code not break the page, when GA is not loaded.
I did not check the current implementation, but alone because of ad blockers, the tracking blocks should not break when GA is not loaded. They can still be loaded into the page, they will just not do anything.
So the point is, the only difference will be the loading of the GA JS, which might need a small modification in how its loaded then, usually by having an additional if(), or some cookie consent specific solution.

[fballiano]

super quick answer from the holidays, ga4 doesn't have an anonymize because it's already anonymized by design ;-)