I’ve been publishing various articles on GDPR and cookie usage, among other things.
Recently, I’ve gained the opportunity to observe and take notes on both personal and corporate processes related to regulations that impose significant obligations on ecosystems. For this purpose, I’ve examined numerous tools and have tried to engage with developers. In the rest of this article, I’ll summarize the notes I’ve gathered throughout the process.
Cookie Consent
Google Analytics, with its consent mode (consent/permission mode) feature, allows you to determine how a website or app behaves based on the user’s consent status regarding Google services (currently Google Ads, Floodlight, and Google Analytics1). Users can grant permission for specific purposes (such as advertising, retargeting, analytics, performance, session, etc.) to use cookies.
To briefly recap on cookie consent: this process involves obtaining an explicit consent or permission from users regarding the cookies (small text files) installed on their computers by websites, applications, or directly by advertising and tracking tools that operate through these websites or applications. These websites, services, and related tools provide cookies for specific categories such as advertising, performance, necessity, and session. Users can either approve or deny all or some of these cookies or categories, and at any time, they can update their consent.
I previously shared my notes on Cookie, User, and Event Tracking in a special article based on advertising platforms. In addition to this article, I’ll explore what can be done during the tracking (monitoring) process and which tools can be used for this purpose.
This article is intended to provide a general overview of how consent mode works and does not constitute a recommendation. During implementation, you must evaluate the user consent policies of your organization and of the relevant website and/or app in accordance with your organization’s regulations and legal obligations. Official statements issued by Google and other organizations are explicitly listed in the references section.
Google Analytics (UA and GA4)
With consent mode (beta), you can configure how Google tags behave based on user consent settings2. Google tags respond dynamically to the user’s consent for specific purposes (for example, advertising, analytics, login, etc.), which indicates whether consent has been granted or denied for Analytics and Ads cookies3.
As I demonstrated in the article titled Cookie, User, and Event Tracking, the consent mode code setup is fundamentally expressed as follows.
window.dataLayer = window.dataLayer || [];
function gtag() { window.dataLayer.push(arguments); }
gtag('consent', '<consent_command>', {
<consent_type_settings>
});
The <consent_command> value can be either default or update. The update command notifies Google Analytics that the user’s consent has been updated, and that data should be processed accordingly.
Each consent type listed in <consent_type_settings> takes the value denied or granted; denied indicates that the permission has not been granted, while granted indicates that the permission has been granted. The effect of each value is described below.
When the denied value is assigned for ad_storage3:
- No new ad cookies will be created.
- Existing ad cookies in the system will not be read.
- Third-party cookies will be used solely for spam and fraud detection purposes.
- Google Analytics will neither read, create, nor use ad cookies, nor will it use Google Signals.
- IP addresses will be used exclusively for geographic location (geo-location) determination. I previously mentioned the masking feature. If desired, you can also enable Google Analytics to mask these IP addresses4.
Additionally, if you wish to have greater control over your ad data after assigning the denied value for ad_storage, you may set the ads_data_redaction parameter to true as an optional setting.
gtag('set', 'ads_data_redaction', true);
As a result, ad click identifiers included in network requests sent by Google Ads and Floodlight will be removed, and the network requests will be processed without cookies. If the value is set to granted, the ads_data_redaction setting will have no effect3.
When the denied setting is applied for analytics_storage:
- Google Analytics will neither read nor write first-party cookies.
- Page-level hit payloads are processed based on the page context. That is, Google Analytics will not be able to read or write the _ga content, so when a user views a page, data will be sent under a user identity. When the user navigates to a different page, page-specific data will be sent with the gcs parameter containing the permission status and a new user identity.
The denied value for analytics_storage does not prevent hit counting; it only limits the content based on cookie usage.
Managing Permissions
window.dataLayer = window.dataLayer || [];
function gtag() { window.dataLayer.push(arguments); }
gtag('consent', 'default', {
'ad_storage': 'denied',
'analytics_storage': 'denied'
});
The above code sets both the ad_storage and analytics_storage permissions to denied by default. As written, this default applies under all conditions, but we can restrict it. For example, we can configure permissions based on country.
window.dataLayer = window.dataLayer || [];
function gtag() { window.dataLayer.push(arguments); }
gtag('consent', 'default', {
'ad_storage': 'denied',
'region': ['ES', 'US-AK']
});
gtag('consent', 'default', {
'analytics_storage': 'denied',
'region': ['GB']
});
The region parameter can only be used in association with default5.
Let’s now examine all the above information in the context of a sample usage.
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
// Default consent settings
gtag('consent', 'default', {
'ad_storage': 'denied'
});
// Optional. Enables passing query parameters from page to page.
// e.g., gclid, dclid, gclsrc, _gl, etc.
gtag('set', 'url_passthrough', true);
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'GA_MEASUREMENT_ID');
gtag('config', 'AW-CONVERSION_ID');
</script>
<script>
// After this point, if the user has modified the consent settings, we will resend the updated values.
// For example, assume the user has granted permission for `ad_storage`. In this case, we can send the 'granted' value.
// If no changes have been made, there's no need to resend the 'update' command.
// However, for safety's sake, sending the 'update' command again will not cause any issues.
gtag('consent', 'update', {
'ad_storage': 'granted'
});
</script>
Let’s now build the same example for the case where the consent tool loads asynchronously and reports the user’s permissions.
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments)};
// Load default settings.
// For example, deny `ad_storage` by default, and grant `analytics_storage`.
gtag('consent', 'default', {
'ad_storage': 'denied',
'analytics_storage': 'granted',
'wait_for_update': 500 // Async section 'wait_for_update'
});
// Receive the permissions sent by the consent tool.
ConsentTool.on('consent-tool-initialized', function(consentObject) {
gtag('consent', 'update', {
'ad_storage': consentObject.ADVERTISING == 'ACCEPT' ? 'granted' : 'denied',
'analytics_storage': consentObject.ANALYTICS == 'ACCEPT' ? 'granted' : 'denied',
});
});
// Receive the user-defined permissions sent via the consent tool.
ConsentTool.on('consent-saved', function(consentObject) {
gtag('consent', 'update', {
'ad_storage': consentObject.ADVERTISING == 'ACCEPT' ? 'granted' : 'denied',
'analytics_storage': consentObject.ANALYTICS == 'ACCEPT' ? 'granted' : 'denied'
});
});
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID"></script>
<script>
gtag('config', 'GA_MEASUREMENT_ID');
gtag('config', 'AW-CONVERSION_ID');
</script>
Consent mode defines how Google tags should behave, but it is not a consent tool that manages user permissions6. In the example above, a direct or indirect consent (permission) mechanism must be used for managing user permissions. Several such tools are covered in the Consent Tools section below.
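The ordering rules described above (defaults set before the tags are configured, region used only with default, update overriding the default) can be checked mechanically. The following is an added example, not code from this article's sources or from Google: it replays a recorded sequence of gtag() commands and reports the consent state each config command sees. The function names, the visitorRegion parameter and the rule that the most specific matching region wins are assumptions of this example.

```javascript
// Added example: replays recorded gtag() commands and reports the consent
// state that each 'config' command would see. Simplified model, not Google's code.
// Input must be gtag-style argument lists, e.g. ['consent', 'default', {...}].
const CONSENT_TYPES = ['ad_storage', 'analytics_storage'];
const VALID_VALUES = ['granted', 'denied'];

// How specifically does a 'default' command target the visitor?
// -1: other region, 0: no region given, 1: country match, 2: subdivision match.
// Assumption of this example: the most specific matching default wins.
function regionSpecificity(regions, visitorRegion) {
  if (!Array.isArray(regions)) return 0;
  if (visitorRegion.includes('-') && regions.includes(visitorRegion)) return 2;
  if (regions.includes(visitorRegion.split('-')[0])) return 1;
  return -1;
}

function auditConsent(commands, visitorRegion) {
  const state = {};      // effective value per consent type
  const rank = {};       // specificity of the command that set each value
  const snapshots = [];  // consent state seen by each 'config'
  const findings = [];   // ordering and value problems
  let configSeen = false;

  for (const [name, arg, settings = {}] of commands) {
    if (name === 'config') {
      configSeen = true;
      const consent = {};
      for (const type of CONSENT_TYPES) {
        consent[type] = state[type] || 'unset';
        if (!state[type]) findings.push(`${arg}: ${type} has no default before config`);
      }
      snapshots.push({ id: arg, consent });
      continue;
    }
    if (name !== 'consent') continue;   // 'js', 'set', ... do not change consent

    for (const type of CONSENT_TYPES) {
      if (type in settings && !VALID_VALUES.includes(settings[type])) {
        findings.push(`${type}: invalid value '${settings[type]}'`);
      }
    }
    if (arg === 'default') {
      if (configSeen) findings.push('consent default pushed after a config command');
      const spec = regionSpecificity(settings.region, visitorRegion);
      if (spec < 0) continue;           // default targets another region
      for (const type of CONSENT_TYPES) {
        if (type in settings && spec >= (rank[type] ?? -1)) {
          state[type] = settings[type];
          rank[type] = spec;
        }
      }
    } else if (arg === 'update') {
      if ('region' in settings) findings.push('region is only valid with default');
      for (const type of CONSENT_TYPES) {
        if (type in settings) {
          state[type] = settings[type];
          rank[type] = Infinity;        // a later default must not undo a user choice
        }
      }
    }
  }
  return { snapshots, finalState: { ...state }, findings };
}

// Constructed sample: commands modelled on the article's snippets, recorded as arrays.
function sampleCommands() {
  const log = [];
  const gtag = (...args) => log.push(args);
  gtag('consent', 'default', { ad_storage: 'denied', analytics_storage: 'granted' });
  gtag('consent', 'default', { analytics_storage: 'denied', region: ['GB'] });
  gtag('js', new Date());
  gtag('config', 'GA_MEASUREMENT_ID');
  gtag('consent', 'update', { ad_storage: 'granted' });
  gtag('config', 'AW-CONVERSION_ID');
  return log;
}

for (const region of ['GB', 'US-AK']) {
  console.log(region, JSON.stringify(auditConsent(sampleCommands(), region), null, 1));
}
```

A non-empty findings array points at the kind of misordering that lets a tag run before any consent default exists.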
Google Tag Manager (GTM)
For now, relevant operations for Google Tag Manager can be handled through templates and the Custom HTML tag. By configuring the code mentioned above to run before the Google Analytics tag, you can specify exactly which data should be sent to Google servers and how.
Via Google Tag Manager, you can restrict Google Ads Conversion Tracking and Google Ads Remarketing tags using Enable Restricted Data Processing.
Templates
Google Tag Manager can perform consent mode operations through templates7. To do so, simply click on Google Tag Manager > Tags > New > Tag Configuration > Template Gallery or the Templates header in the sidebar. Then, you can configure an appropriate template created for various consent tools. Additionally, you can use the Consent Mode (Google tags) template, which is one of the available templates, to implement the consent tag published by Simo Ahava8.
Facebook
Facebook enables cookie management based on user definitions, similar to Google Analytics. For this process, the revoke and grant parameters are used9.
fbq('consent', 'revoke');
fbq('init', '<your pixel ID>');
fbq('track', 'PageView');
Of course, this process must be implemented on all pages using the pixel.
Unfortunately, Facebook’s documentation is quite limited and includes broken links9.
HubSpot
HubSpot or similar CRM systems require certain behavioral data to perform operations directly or indirectly related to users/customers. For example, if you’re using any of the HubSpot Pages products or have loaded a tracking code on an external page, HubSpot creates a series of tracking cookies that contain behavioral data about the user who viewed the page.
Some CRM systems may provide settings that allow them to manage user permissions based on their own tracking methods. However, these tracking and permission processes will generally work effectively when the pages being viewed are hosted within the CRM environment.
Required Cookies
The __hs_opt_out cookie is set when visitors are given the option to disable cookies, and is used to remind users of their decision to not allow cookie usage. This cookie is stored for 13 months and only contains the yes or no values.
The __hs_do_not_track cookie is set to ensure that the tracking code does not send any identifying data to HubSpot, except for anonymized data. This cookie is stored for 13 months and only contains the yes value.
The __hs_initial_opt_in cookie is used to ensure the banner does not display continuously. This cookie is stored for 7 days and only contains the yes or no value.
The __hs_cookie_cat_pref cookie is used to remember the categories of cookies that the visitor has allowed. This cookie stores category information for up to 13 months.
The hs_ab_test cookie is used to prevent the same page from being displayed to a user if an A/B test is being conducted. It contains the identity of the selected variation for the A/B test page and the visitor. It is stored until the user session ends.
The <id>_key cookie is set to prevent the system from asking the user to re-enter their password when viewing a password-protected page. Each such cookie has a unique name for each protected page and contains the user’s password in an encrypted form. The validity period of this cookie is 14 days.
The cookies listed above, along with other cookies such as hs-messages-is-open, hs-messages-hide-welcome-message, and __hsmem, are essential cookie definitions required for the system to function properly. In addition, HubSpot also utilizes analytics and function-specific cookies such as __hstc, hubspotutk, __hssc, and __hssrc, as well as the messagesUtk cookie.
As noted, we may need to use either cookies or similar data storage methods for managing consent. However, these created cookies do not contain user data and are not used by third-party services.
You can manage HubSpot cookie settings by following the Settings > Cookies instructions. Additionally, you can also add the cookie deletion code found on this page to your website.
<!-- Start of HubSpot code snippet -->
<button type="button" id="hs_remove_cookie_button"
style="background-color: #425b76; border: 1px solid #425b76;
border-radius: 3px; padding: 10px 16px; text-decoration: none; color: #fff;
font-family: inherit; font-size: inherit; font-weight: normal; line-height: inherit;
text-align: left; text-shadow: none;"
onClick="(function(){
var _hsp = window._hsp = window._hsp || [];
_hsp.push(['revokeCookieConsent']);
})()">
Remove cookies
</button>
<!-- End of HubSpot code snippet -->
Cookie tools also provide the ability to manage these processes through their own platforms (either via cookie-related or tag-based features).
Hotjar
Hotjar uses various cookies such as _hjShownFeedbackMessage, _hjDonePolls, _hjid, _hjRecordingLastActivity, _hjptid, _hjOptOut, and segment_id to analyze user interactions and is associated with sessions and integrations10. In addition to cookie usage, it is possible for form inputs to be recorded during the process of capturing user interactions. For more information, see the article “Defining CF7 Form Elements as Hotjar Whitelisted Inputs”.
Hotjar does not currently provide an active parameter definition for its consent management. However, it is recommended to trigger the recording process based on user activity.
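A practical check on all of the above is to confirm that a visitor who has denied consent really ends up without tracking cookies. The following is an added example, not code from this article's sources or from any vendor: it parses a cookie string and reports which of the cookie names mentioned in the Google Analytics, HubSpot and Hotjar sections are present without matching consent. The category assigned to each cookie name, the function names and the sample header are assumptions of this example.

```javascript
// Added example, not code from the article or from any vendor.
// Cookie names are the ones listed in the sections above; the category given
// to each is this example's assumption and should be checked per vendor.
const COOKIE_RULES = [
  { vendor: 'HubSpot', category: 'necessary', names: [
    '__hs_opt_out', '__hs_do_not_track', '__hs_initial_opt_in',
    '__hs_cookie_cat_pref', 'hs_ab_test', '__hsmem',
    'hs-messages-is-open', 'hs-messages-hide-welcome-message'] },
  { vendor: 'HubSpot', category: 'analytics', names: [
    '__hstc', 'hubspotutk', '__hssc', '__hssrc'] },
  { vendor: 'Google Analytics', category: 'analytics', names: ['_ga'] },
  { vendor: 'Hotjar', category: 'analytics', names: [
    '_hjid', '_hjptid', '_hjRecordingLastActivity'] },
];

// Parse a Cookie header / document.cookie string into a name -> value Map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                    // no '=': not a name=value pair
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());  // value may contain '='
  }
  return jar;
}

// consent is keyed by category, e.g. { analytics: false }.
function auditCookies(header, consent) {
  const report = { allowed: [], violations: [], unclassified: [] };
  for (const name of parseCookieHeader(header).keys()) {
    const rule = COOKIE_RULES.find((r) => r.names.includes(name));
    if (!rule) {
      report.unclassified.push(name);        // needs manual classification
    } else if (rule.category === 'necessary' || consent[rule.category] === true) {
      report.allowed.push(name);
    } else {
      report.violations.push({ name, vendor: rule.vendor, category: rule.category });
    }
  }
  return report;
}

// Constructed sample header (all values are made up).
const SAMPLE_COOKIE_HEADER =
  '__hs_opt_out=no; _ga=GA1.2.1111.2222; __hstc=aaa.bbb; hubspotutk=ccc; ' +
  '_hjid=ddd; sessionid=k=v; malformed; __hs_cookie_cat_pref=1:false';

console.log(auditCookies(SAMPLE_COOKIE_HEADER, { analytics: false }));
console.log(auditCookies(SAMPLE_COOKIE_HEADER, { analytics: true }));
```

In a browser, pass document.cookie as the header; HttpOnly cookies are not visible there, so for full coverage use the Cookie request header shown in the network panel.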
Consent Tools (Consent / Opt-In Tools)
Above, I attempted to summarize how the cookie consent process is handled in several service contexts. End users can now, through modern web browsers and/or extensions, go beyond these consent management systems and establish a central policy (to allow or block) for all of them. However, it is currently difficult to state a clear approach for publishers.
For example, you can directly intervene in the installation code of your tracking and advertising tools—ideally by utilizing functions and/or parameters specifically provided by the relevant tool—enabling you to carry out operations11. In this case, you must list cookies via the browser’s interface, based on the site/page, clearly stating in your notification page which purposes the cookies are used for and for how long, and provide users with the ability to manage cookie permissions via a banner, allowing them to update these settings at their discretion12.
On the other hand, new solutions have emerged to facilitate the implementation of these technical solutions. For instance, cookie management related to this site is currently being carried out via Cookiebot. These tools are priced based on criteria such as the targeted page, domain name count, number of pages displayed, and similar factors. In addition to pricing, features such as banner and code customization, automatic notification generation, code implementation format, tag management, and language support vary depending on the specific tool.
The tools mentioned below are listed alphabetically.
CookieBot
Cookiebot is available free of charge for up to 100 pages under one domain name, while its premium package, Premium Small, has a limit of 500 pages. On the other hand, features such as banner customization, consent editing, multi-language support, email reporting, data transfer, geolocation detection, bulk operations, statistics, and field definition for development environments can be used either on a paid or free plan. Additionally, Cookiebot unfortunately also treats domain names (excluding non-www and www variants) as separate domain definitions13.
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="<cookiebot-id>" data-blockingmode="auto" type="text/javascript"></script>
Now, we can organize our code based on consent settings14.
<script type="text/javascript">
window.addEventListener('CookiebotOnAccept', function (e) {
if (Cookiebot.consent.marketing) {
// Code related to marketing operations can be placed here.
}
}, false);
</script>
Domain definitions can be set during the onboarding process, followed by the first scan. Cookies are listed based on the pages being scanned. For each cookie displayed in relation to a page, a category definition can be created14 15. Moreover, additional explanations to be included in the consent message related to cookies can also be added. The absence of search capabilities for cookies by page or cookie name is a deficiency. Additional customizations can also be made outside of the listed cookies.
After logging the actions related to cookies, consent messages can be dynamically displayed in the specified language(s) via JavaScript from the desired page, allowing users to manage their cookie consent preferences through that page.
<script id="CookieDeclaration" src="https://consent.cookiebot.com/<cookiebot-id>/cd.js" type="text/javascript" async></script>
In summary, one of the options we found to be successful in cookie scanning and tag management is Cookiebot.
CookieFirst
Compared to Cookiebot, CookieFirst lets you perform operations with a more modern UI. However, when comparing the features available in free accounts, it can be argued that CookieFirst is not a very reasonable option16. On the other hand, when the Basic plan is considered, CookieFirst becomes more advantageous than Cookiebot by offering additional features such as adding subdomains and enabling scanning without page limits.
Meanwhile, CookieFirst enables code/tag management through its platform. The downside is that tags added via the platform are placed inside a div element within the body element. Since many tracking and advertising tools do not recognize this practice, it may result in errors.
However, of course, this is not a requirement. Once the CookieFirst JavaScript file is added to your website or application, the data layer variables and settings such as cf_functional_enabled, cf_necessary_enabled, cf_advertising_enabled, and cf_performance_enabled become available17. Thus, tag management can also be handled using Google Tag Manager and/or EventListener18.
<iframe
width="640"
height="360"
frameborder="0"
allowfullscreen="allowfullscreen"
data-src="https://www.youtube.com/embed/..."
data-cookiefirst-category="advertising"></iframe>
<div class="cookiefirst-disabled-resource">
Please <button onclick="CookieFirst.acceptCategory('advertising')">Accept marketing cookies</button> to watch this video.
</div>
CookieFirst features a robust scanning capability. However, it does not list cookies in relation to pages, so when you are required to specify or classify a cookie, you will have to investigate on your own the reason for its creation and the related service. On the other hand, CookieFirst also enables limitations for iframe usage19.
The platform offers great features such as dynamic notification creation, language support, and a broad range of cookie category options. After account registration, the scanning process must be initiated using the domain names defined for cookie operations. Once the scanning process is completed, the Cookies tab becomes active. Defining directly through a step-by-step process is not possible before the scan begins.
CookieHub
CookieHub has a page limit for the pages to be scanned, similar to Cookiebot, including both paid and free plans. In addition, there is a limit on the number of pages viewed per month. Even if the pricing appears more reasonable compared to Cookiebot and CookieFirst, you may encounter issues if you have a small number of pages and high traffic. When the monthly page view limit is exceeded, your subscription plan will automatically upgrade to the next month’s package based on the required page view limit.
Apart from this, features such as cookie consent, Facebook and Google consent mode support, GTM integration, domain addition, and multilingual support are available within the paid packages20 21 22.
<script type="text/javascript">
var cpm = {
onAllow: function(category) {
if (category == 'marketing') fbq('consent', 'grant');
},
onRevoke: function(category){
if (category == 'marketing') fbq('consent', 'revoke');
}
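}; // the semicolon is required: without it the object literal is parsed as a call of the function expression below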
(function(h,u,b){
var d=h.getElementsByTagName("script")[0],e=h.createElement("script");
e.async=true;e.src='https://cookiehub.net/c2/xxxxxxxx.js';
e.onload=function(){u.cookiehub.load(b);}
d.parentNode.insertBefore(e,d);
})(document,window,cpm);
</script>
I do not believe CookieHub’s scanning feature is particularly effective. Generally, scans are limited to a few pages, and as a result, only a limited number of cookies are listed. On the other hand, I should note that the UI and feature management, especially customizations for banner / popup elements, are quite practical. Notifications regarding cookie usage are still delivered to users via these banner / popup elements.
CookiePro
CookiePro is a product from OneTrust. While there are page view and scan limits for free usage, there are no restrictions in the paid packages regarding domain addition23.
Unlike other services, CookiePro enables compatibility with a wide range of frameworks and provides feedback based on such compatibility. Additionally, numerous solutions within the platform can be accessed with additional charges. Once basic operations (such as geolocation, etc.) are completed, the website addition process can proceed.
Post-scan monitoring methods (cookies, HTML storage), cookie limits, tags (script, iframe), forms, and other reporting criteria are in place. However, I can state that the number of cookies returned after scanning is significantly lower compared to other solutions. On the other hand, cookie listing based on page is highly effective. Additionally, session-related cookies can be identified and scanned in session-based mode.
Unlike other cookie solutions, additional features such as configuration for scanning and page access via sitemap are available. All features, starting with scanning, are evaluated within the framework of geolocation-based rules specified and are reported accordingly.
<!-- CookiePro Cookies Consent Notice start for ceaksan.com -->
<script
src="https://cookie-cdn.cookiepro.com/scripttemplates/otSDKStub.js"
type="text/javascript" charset="UTF-8"
data-domain-script="<cookiepro-id>-test" ></script>
<script type="text/javascript">
function OptanonWrapper() {
//...
}
</script>
<!-- CookiePro Cookies Consent Notice end for ceaksan.com -->
Other (test and launch) operations related to automatic cookie blocking, language control, and integrations can also be managed and implemented separately24.
CookieScript
While unlimited domain name definitions are possible, having a page scan limit of 10 pages per domain name is obviously very reasonable. On the other hand, unlimited page viewing is available for all pricing plans, both free and paid. However, when comparing features, I can state that the most reasonable package is Plus. This package, which allows for two domain name definitions, provides access to scanning up to 3,000 pages, along with all features. Considering all these factors, I can confidently say that the pricing is very reasonable25.
Settings related to plugins and other integrations are quite extensive26. The platform does not currently support the Turkish language. However, text and notification documents can be customized thanks to the new language addition feature.
The platform features a powerful scanning capability and can report cookies by type after scanning.
<script
type="text/javascript"
charset="UTF-8"
src="//cdn.cookie-script.com/s/<cookie-script-id>.js"></script>
Customization of the Banner is available only within paid packages. In addition, other behavioral features (such as scroll confirmation, etc.) can be managed, as well as in relation to GDPR.
CookieYes
CookieYes is a cookie management solution featuring one of the most effective management dashboards. The platform does not currently support the Turkish language, and new language definitions cannot be added. However, existing texts can be edited. There are no customizable options available for Banner behaviors. Cookie notifications are delivered dynamically to users via popup.
<!-- Start cookieyes banner -->
<script
id="cookieyes"
type="text/javascript"
src="https://cdn-cookieyes.com/client_data/9480f5c189b375b91ea50bff.js"></script>
<!-- End cookieyes banner -->
The banner code must be added to and verified on the website.
After scanning, you can modify definitions and classifications for the identified cookies, as well as define new cookies. The scanning feature does not perform highly detailed operations.
Efilli
Efilli is a local initiative. I had the opportunity to get acquainted with them during our recent interactions and was informed about the new features that will be added. Although the platform appears to be more youthful compared to other alternatives, the features it offers can be comparable to global alternatives at a certain level. Unfortunately, there is no trial feature available alongside membership. Trial processes require a request to be sent for membership and billing information27.
The features are being observed through the domain name registration and the defined domain name. As a result, a comparison regarding browsing success could not be made.
<script
src="https://cdn.efilli.com/efl.js"
data-key="<efilli-key>"></script>
Pricing is implemented based on the domain name and language. Different subdomains can be defined under a domain name. Packages are also limited by the number of pages viewed per month.
Customizations such as banner / popup and JavaScript personalizations can be implemented within the context of language and subdomain. The platform provides information such as device type, cookie class, page load times, geographic location statistics, and browser details regarding cookies.
Other Tools
Below, I briefly mention other tools that I found equivalent, although with limited evaluation opportunities.
iubenda
iubenda can be considered a platform that provides standard privacy and cookie usage notices, as well as integration solutions, and also enables the creation of documentation such as cookie consent management and terms/conditions.
However, due to the pricing being offered with all these options, it sits at a notably high point compared to other alternatives. Additionally, there is a page view limitation within the packages, making it difficult to claim that it is a reasonable option28.
Termly
Termly offers two package options: Basic and Pro. The Basic package allows only one policy notification per domain name. The Pro package enables unlimited notifications per domain. While the Basic package has a monthly limit of 100 page views, the Pro package has no such restrictions. However, for both packages, cookie frequency settings cannot be changed29.
Termly is one of the solutions that returns the lowest number of cookies after scanning and offers limited language options.
Complianz
Complianz, one of the tools with the highest pricing for cookie management, offers solutions specifically for WordPress. As no free trial access was available, the panel and scan performance could not be compared30.
Osano
For all operations except membership and domain registration, one of the package options must be evaluated. Features include cookie management, script and iframe control, and crawling via sitemap, among others31. On the other hand, Osano also provides an open-source cookie management solution32.
If you could share any other alternative solutions outside of the ones mentioned above, I would be grateful to include them in the discussion.
Footnotes
1. Comparison of Google Analytics 4 data with Universal Analytics. Analytics Help
2. Privacy controls in Google Analytics. Analytics Help
3. Consent mode (beta). Analytics Help
4. Chris Shuptrine. (2019). The 2020 Guide to Google Analytics and GDPR Compliance
5. GDPR Cookie Consent Cheatsheet. iubenda
6. Google Analytics Cookie Usage on Websites. Google Analytics
7. Custom Templates Guide for Google Tag Manager. Simo Ahava’s blog
8. Consent Mode for Google Tags. Simo Ahava’s blog
9. General Data Protection Regulation. Facebook for Developers
10. Hotjar Cookie Information. Hotjar Documentation
11. Helge Klein. (2020). Google Analytics: Cookieless Tracking Without GDPR Consent
12. Google Analytics.js Cookie Opt-in Consent Checker. GitHub
13. GDPR, ePrivacy and CCPA compliant cookies. Cookiebot
14. Setting Up Cookiebot
15. Google Tag Manager deployment. Cookiebot
16. Cookie Consent Management Platform. CookieFirst
17. Google Tag Manager cookie banner configuration. CookieFirst
18. Conversion tracking and Google Tag Manager.
19. Iframe (e.g. Video players), only load when consent is given. CookieFirst
20. Google Tag Manager implementation. CookieHub
21. Methods / Functions. CookieHub
22. Events. CookieHub
23. Plan Comparison. CookiePro
24. Cookie Compliance Integration with Google Tag Manager. CookiePro
25. Cookie Script membership plans. Cookie-Script
26. Integration. Cookie-Script
27. Web Site Consent Management Platform. efilli
28. Pricing. iubenda
29. GDPR Compliance Software for Websites & Online Businesses. Termly
30. The Privacy Suite for WordPress
31. The most popular solution to cookie laws. Osano
32. Download Cookie Consent. Osano