[2.x?] How to block cookies until the user accepts, for example Google Analytics cookies?

Sorry to say that the module doesn't implement that feature yet. However you should comply with EU regulation as long as you inform the user that your site is using cookies, which is what this module does.

Two old 6.x issues have patches that look promising.
We should look into adding this functionality into 7.x and 8.x.
I don't think it makes much sense at this point to add more features to the 6.x branch.

https://www.drupal.org/project/eu_cookie_compliance/issues/1744852
https://www.drupal.org/project/eu_cookie_compliance/issues/1779878

There's also a patch here for Google Analytics in #2827860: Prevent Google Analytics from adding cookies until the user accept cookies:

I created a new issue for Drupal 8, but the patch is in https://www.drupal.org/node/1648286#comment-11769242

If it's not right to add this logic into the module, it could easily be a separate submodule.

For Piwik (now named Matamo), you probably do not need a cookie alert: https://matomo.org/blog/2014/10/cnil-recommends-piwik-analytics-tool-no-...

Here's an updated patch.

Thanks for the patch.

Great to see that you read the UA id from the Google Analytics module settings so there's no duplication of config.

We need to handle the case where the administrator has installed GA module, but not configured it.
If $ga_config->get('account') returns an empty string, we should skip adding the extra javascript and drupalSetting.

I would like to make this an option to the administrator, since I can see some users of the module may want to leave this option off, even though it may be best practice to block Google Analytics till the policy has been accepted.

When we make the config option for this, can we also place the setting inside a new fieldset called "Blocked cookies"?

Hello,

I've just posted this feature request about the "Disagree" button, after finding out that it actually doesn't disagree at all, which is subject to the individual implementation by the developer as stated on the project page too.

To be honest, personally I would absolutely expect this module to take control of the cookie part and was somewhat "disappointed" that it wasn't the case.

Now with the coming EU-DSGVO, that will apply from 28. May 2018, this topic became very important again. According to many sources, which aren't "official" maybe, but still seem to interpret the officialy published part in the same way, it will most likely be not enough to just inform the visitors about using cookies on a website. In this document http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011... §66 states the following:

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive in formation when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as userfriendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/E C, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

After some research I landed in this issue and I'm glad to see, that this topic is being worked on and that the module does a step away of the stance of not disagreeing with any cookies (if I understand you guys correctly) - many thanks to all contributors nevertheless!

For non-drupal sites I've found this solution: https://cookieconsent.insites.com/download/ which works quite well (unless you use NoScript extension).

Even with the compliance type 1 ("Just tell users that we use cookies") it prevents cookies until you click at the accept/agree/ok button.

Our Drupal site with the current version of this module, though, sets a cookie straight after a page was loaded and while the cookie banner from this module is still visible and no interaction happened with it. The cookie's name is "has_js". Nothing major surely, but still it's set already, unlike with the above solution. It's a different website, but it also has JS...

Aside from this the solution also offers two other compliance types:
- Let users opt out of cookies (Advanced)
- Ask users to opt into cookies (Advanced)

This requires some customization of the code and I didn't test it yet, but accordings to some comments on their GitHub project it works.

These opt-in / opt-out options *might* be required through that EU-DSGVO as well, so that maybe that non-drupal solution can provide some ideas for this module as well for more cookie control regardless of whether it's GA or something else?

Yes, complying with EU-DSGVO is also a topic for us. We still don't know exactly what we will have to do, but it's in our to-do-list. Actually, answering to what the module should do to comply with the new rules would need some help from a legal adviser, which I'm not.

For the UX part though, I'm wondering if it's a good idea to block ANY cookie until agreement is received. Some cookies (like has_js) are not tracking cookies. And some cookies are required for the website to be usable (like the session cookie for some). If we add a cookie-blocker, it might be good to have a white-list feature.

And on a technical part, I don't know if we actually CAN block any cookie. There is no Drupal way to add a cookie, modules just have to use built-in PHP functions. So we cannot intercept the action to prevent it. For PHP, we might add some code at the very end of the code execution to reset the $_COOKIE variable to an empty array. For javascript-added cookies, I don't really know. It might be possible to add some code that regularly check for cookies and remove them if they exist?

First of all, I'm not a legal advisor, so anything I write here should not be taken as legal advise with regards to cookies.

I have the impression that the new EU-DSGVO regulation does not apply to a cookie that has the value "1" for "has_js", since there are no privacy issues related to that cookie; The Drupal site is not tracking the IP address of the user to see which percentage of users are using Javascript, and it doesn't infringe on anybody's privacy to set that cookie.

What the law does apply to are cookies like Google AdWords etc which are used to track the user across different sites and build a profile of their browsing habits which again are sold to advertisers. Any usage of cookies for analytics solutions would also need to comply.

There seems to be a lot of confusion around EU-DSGVO, and I feel that I need to read up a bit on it too. What I know is that each EU member country (as well as EEA) will implement their own variation of the law, which further complicates the issue.

I agree this is an important issue, which is why I gathered all the contributed patches here. I'm not sure though whether the current patches are the way to go. I think a broader solution will be the way to go, where the module takes care of which cookies to block, and offers a more flexible option where decisions are not delegated to submodules.

For javascript-added cookies, I don't really know. It might be possible to add some code that regularly check for cookies and remove them if they exist?

I think that will be the way to move forward on the issue, where we provide a white-listing admin page, and then check repeatedly in JS whether any cookies get set and then delete them.

Thanks guys, good to know that there are others as well looking to work out a good solution. I'm not a legal advisor / expert either, btw.

I agree, that purely functional cookies like "has_js" etc. aren't a problem as they don't store any personal data. Just mentioned it to point out, that the non-drupal solution has a way to deal with them as well, apparently, in case it becomes needed here too maybe.

Most of those "sources" seem to address Google Analytics in the first place and come up with the same "solution" so far: adding this code just before the GA tracking code on each page:

<script type="text/javascript">// <![CDATA[
// Set to the same value as the web property used on the site
var gaProperty = 'UA-XXXX-Y';

// Disable tracking if the opt-out cookie exists.
var disableStr = 'ga-disable-' + gaProperty;
if (document.cookie.indexOf(disableStr + '=true') > -1) {
  window[disableStr] = true;
}

// Opt-out function
function gaOptout() {
  document.cookie = disableStr + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
  window[disableStr] = true;
}
</script>

Plus the ability to actually disable GA usage by something like this within the privacy declaration

<a onclick="alert('Google Analytics has been disabled');" 
href="javascript:gaOptout()">Disable Google Analytics</a>

I thought maybe the cookie banner could also be a good place for it.

Not sure if it could provide some help / ideas...

The patch in #2954007: Add an opt-out and opt-in experience offers features to block scripts (such as Google Analytics) and also delete cookies when the user hasn't given consent. Can somebody take it for a spin and let me know what you think? The patch has been added to the -dev branches.

I opted for a more generic way of addressing this, rather than creating a ton of submodules for the various services that we want to block.

If you choose "Opt-in" as the implementation, you will be able to block scripts and have cookies deleted until the user gives consent. If you choose "Opt-out", it will allow all scripts to run, and cookies can be set, unless the user chooses the Decline option.

Hi,

with the latest 7.x-dev i have tried to disable the Google analytics js, but without any result.

The 3 (_gat, _ga, _gid) cookie appears always, no mater what the user does, or what the setting is.

The setting is at Disable JavaScripts:

• sites/all/modules/google_analytics/googleanalytics.js
• https://www.google-analytics.com/analytics.js

What am i doing wrong? :)

Thanks for the feedback.

Unfortunately the script "https://www.google-analytics.com/analytics.js" is not loaded through Drupal but through inline javascript (view source to confirm this). You should be able to block features such as sharethis and addtoany. I didn't test Google Analytics specifically, although I see my comment seems to imply that.

I'll add a note to the interface to clarify how the feature works, and I'll also see if it's possible to add the patch from this issue to prevent Google Analytics from running until the user has given consent.

(Another option would be to anonymize the visitor's IP address from the Google Analytics configuration page, in which case you can no longer identify the user and there's no need to ask for consent.)

I just rerolled the patch #9 against 1.x-dev#2c144ff1, in case someone else wants to experiment with it also. However, as noted before, it doesn't prevent GA from placing those 3 cookies.

And IANAL either but I'm afraid that anonymizing the IP (or the last octet thereof, as GA does it) is not enough to avoid the need of asking consent: if google is able to combine the information from this and other sites even for non-logged-in-user, we might have to treat this information as personally identifiable information (PII) and ask for the consent. I'd be happy to be proven wrong in this, though.

Thanks for the help, jhuhta. The patch needs work.

We definitely need an option on the admin page to toggle the GA blocking on/off and the patch needs to be ported to 7.x.

Just tried the patch in #19 and from what I can tell, the GA cookies aren't placed until you consent by clicking the button - as you'd expect :) (contrary to the notes in #19).

+1 for a GUI option for this functionality though. It does make a sensible default but either way, it's nice to have visual confirmation that the module is configured to behave this way.

Thanks for the review @danbohea . I will add this patch (with a GUI) this week.

I just did the same patch for the latest commit of the dev branch.

I haven't tested yet the behaviour but by looking at the patch, I'm not sure it works everytime. The added library can possibly passes after the one from googleanalytics and if it's the case, it will set cookies. I think that depends on your module weight, so on some drupal installation, it might work or not. For me, it could be the explanation of what @jhuhta saw.

Again, this issue needs work before the feature can be committed.

We definitely need a GUI option on the admin page to toggle the GA blocking on/off and the patch needs to be ported to 7.x.

And we need to manage the weight of the module it seems, so that it loads either before or after (probably before) Google Analytics if the feature is on.

I have set the module weight to -10 which should make it run first.

Typo in the libraries.yml prevented the google_analytics.js from being loaded

From my testing this still sets the GA cookies before you comply. ga-disable-xxxx only disables tracking not setting of the cookie

According to https://www.datenschutz.org/google-analytics-datenschutz/ (german) and https://www.amazeemetrics.com/en/blog/google-analytics-gdpr-compliant, having google analytics enabled by default is still OK if you anonymize the data. But I guess well only know for sure after someone successfully (or not) sues someone ;)

However, what those sites describe is that you need an easy one-click opt-out possibility, e.g. on the privacy policy page or possibly directly integrated with the cookie message.

Also worth pointing out that many sites use google tag manager, in which case the google analytics key is not available through the settings, maybe it could be read from the ga object or so? Or alternatively an option in this module to set the key if google_analytics.module is *not* installed?

My understanding is that you can use Google Analytics without asking for consent if you anonymize the data.

I disagree with arbitrarily setting the module weight to -10. Instead we should check the value of the other modules and adapt to that. What would happen if another module comes along and set its weight to -20? :)

We also have another issue where the module weight should be set to a positive integer in order for blacklisting of scripts to work, so we would indeed need to set the weight of this module first (higher than all others), and then set Google Analytics to one higher than EU Cookie Compliance.

With regards to "However, what those sites describe is that you need an easy one-click opt-out possibility, e.g. on the privacy policy page or possibly directly integrated with the cookie message." please follow this issue #2954011: Offer a way for people to opt-out of tracking even if they opted in. We already offer opt-out as an option if you get the dev version of the module (or wait for me to tag another version, which will likely happen on Sunday).

What I mean is that the opt-out logic should/could integrate with google analytics and automatically set that disable cookie when you click on opt-out. So kind of what the patch is doing, but instead of trying to do it for the opt-in case automatically (which I don't think can work with those initial cookies, module weight is not relevant as the google analytics integration itself doesn't use module weights and couldn't care less about when the behavior exactly runs.

I assume a full opt-in solution would need to work similar to the loading of javascript files, just specifically tailored to google analytics (possibly implemented in the google analytics/tags module and not here), so that the whole thing is only triggerd when the user clicks on opt-in.. if a site wants that.

Changing module weight should‘t be required. E comes before G, so that this module already has a lower weight than google_analytics. If you need two weights in one module, this is a problem. But a hidden helper module can solve this...

Thanks hass. I will take a closer look later this weekend. We still need a UI for the feature though.

Just a question about coordination.

Should I add the GA ID to the Drupal settings array in GA module? I think this would safe you a lot of code to read and verify if the id is set and for me it is just one line that could be useful for other code, too.

I'm still asking me if I need to add code to GA module for better integration with EU Cookie Compliance module or all should be added here. Code wise and code separation wise it makes more sense to add the ga-disable in EU Cookie Compliance module as this module provides all other stuff like the consent and so on.

Moving to feature as it is a module and not support.

We can add it all here. That should be okay.

Hi, the module IT cookie compliance, which I maintain, already implements the cookie preemtive blocking, which was already required in Italy: the approach is to allow the user remove the javascripts which set cookies (GA is not alone), but also selected fields and blocks until the user accepts.
There is no port to Drupal 8 until now (See also Port to D8?) but maybe we don't need to have both modules now that the GDPR requires the preemptive block for all Europe.
Is there any plan to implement a similar functionality in EUcc?

@filippo.ledda - #2954007: Add an opt-out and opt-in experience attempts to implement cookie and script blocking. #2962641: Check for disabled scripts in page html_head further improves the blocking, but still needs work. My testing has been quite positive (especially modules like AddToAny and ShareThis - by no means have I tested every single module that adds tracking scripts and cookies), though I welcome any input you have based on your experience with the Italian module.

Hi, from my experience there are many ways that modules can use to add cookies. Apart from head js there are some cases in which they are added and live in some blocks or fields: think of google maps for example, or Facebook comments. In that case I preferred to give the user the possibility to control what to show when cookies are not accepted.
Feel free to reuse anything from my module which may help!

The approach this module now has taken is to provide a way for the admin to whitelist cookies. Any cookie not whitelisted is removed in a JavaScript loop that runs once every 5 seconds, unless the user consents.

Curious to learn more about how you gave the user the possibility to control what to show. Do you mean the admin, or the end user?

I meant the admin user: the strategy is to give the admin to set three black lists- js blocks and fields- which are not loaded on page server side until consent. The page is fully reloaded on consent to show the page with the restricted content included.
The idea to eliminate this page reload is cool, though seems difficult to implement in a general framework.

Oh, EUCC will not do any reloads when the user consents; instead the additional scripts are injected into the page, which seems to work quite well. I also offer a white list rather than a black list for cookies, so that the admin will have less to maintain. But will definitely take a look at your module to see if there's anything to learn, once all the other GDPR-features are taken care off.

@svenryen:

The approach this module now has taken is to provide a way for the admin to whitelist cookies. Any cookie not whitelisted is removed in a JavaScript loop that runs once every 5 seconds, unless the user consents.

You seem to try something impossible. You cannot remove cookies set by Google. Browsers do not allow this. This is cross domain protection as I know.

You're quite right. I remove all cookies set on the domain (which some modules do indeed set), and prevent black listed scripts from running. If the script is black listed, the script won't run and no tracking is done.

Yes, but the script-blacklisting then again doesn't work for google analytics/google tag manager because it is not a single script but an inline snippet, so the whole block then needs to be excluded and dynamically added (not sure if that's easily possible, so it might need the page-refresh approach for that?)

That's why we have this thread/issue. I'm going to add a special fix for GA, as addressed in these patches. I just haven't gotten around to it yet. I work on this module in my spare time, have a full time job and no sponsorship.

I'm just trying to help, not expecting anything :)

@svenryen & @Berdir thanks for your work on this. I'm just trying to group these issues together a bit better.

Why is an enabled ga-disable still creating cookies...? I have not verified yet, but it sounds wrong.

I just read an article in german CT magazine. They wrote that ga can still run if anonymize ip is enabled and you have the data contract signed with google. Cookies are allowed in this context. At least if adsense and Demographics and Interests support (formerly known as DoubleClick remarketing support) is not used. This is a short summary, but it is what has been written.

Sounds like 95% of users can relax.

Here's an improved patch that adds a UI option, sets a default setting and includes the script only if the option is enabled.

Patch for D7 will follow.

Ignore #52. The setting wasn't saved to the database. Here's a better patch.

Port to 7.x

I‘m sorry, but this code has many bugs. Please never change weight of ga. I cannot know this and have no idea how to support. Additionally I believe your code may runs after ga code. That means blocking ga will fail. At least there is no guaranty it runs in correct order if you use external js files that are added after my ga code. You need to use inline js and need to prepend to ga code.

D8 review:

1. +++ b/eu_cookie_compliance.module
   @@ -267,6 +267,18 @@ function eu_cookie_compliance_page_attachments(&$attachments) {
   +    if (\Drupal::moduleHandler()->moduleExists('google_analytics')) {
   

   I suggest do check this module exist only once.

2. +++ b/eu_cookie_compliance.module
   @@ -267,6 +267,18 @@ function eu_cookie_compliance_page_attachments(&$attachments) {
   +      if ($ga_config = \Drupal::config('google_analytics.settings')) {
   ...
   +        }
   

   preg_match('/^UA-\d+-\d+$/', $id) is how it is checked in GA module. Current logic does not know if the string is empty.

3. +++ b/eu_cookie_compliance.module
   @@ -267,6 +267,18 @@ function eu_cookie_compliance_page_attachments(&$attachments) {
   +          $ga_id_is_set = TRUE;
   

   Not needed, if preg_match('/^UA-\d+-\d+$/', $id) returns TRUE it is correct.

4. +++ b/eu_cookie_compliance.module
   @@ -274,6 +286,10 @@ function eu_cookie_compliance_page_attachments(&$attachments) {
   +    if (\Drupal::moduleHandler()->moduleExists('google_analytics') && $ga_id_is_set && $config->get('disable_google_analytics') && $config->get('method') != 'default') {
   

   Module exists should be done once only.

5. +++ b/js/google_analytics.js
   @@ -0,0 +1,5 @@
   +(function ($, Drupal, drupalSettings) {
   +  if (drupalSettings.eu_cookie_compliance.GA_id && !Drupal.eu_cookie_compliance.hasAgreed()) {
   +    window['ga-disable-' + drupalSettings.eu_cookie_compliance.GA_id] = true;
   +  }
   +})(jQuery, Drupal, drupalSettings);
   

   External JS file runs after GA inline code. Only safe way should be altering 'google_analytics_tracking_script' attachment.

D7 review:

1. +++ b/eu_cookie_compliance.install
   @@ -262,18 +262,32 @@ function eu_cookie_compliance_update_7006(&$sandbox) {
    function eu_cookie_compliance_update_7007(&$sandbox) {
   

   There is no sandbox run.

2. +++ b/eu_cookie_compliance.install
   @@ -262,18 +262,32 @@ function eu_cookie_compliance_update_7006(&$sandbox) {
   +function eu_cookie_compliance_update_7008(&$sandbox) {
   

   There is no sandbox run.

3. +++ b/eu_cookie_compliance.module
   @@ -314,6 +314,16 @@ function eu_cookie_compliance_page_build(&$page) {
   +      if ($id = variable_get('googleanalytics_account')) {
   +        $ga_id_is_set = TRUE;
   +        $data['variables']['GA_id'] = $id;
   +      }
   

   preg_match('/^UA-\d+-\d+$/', $id)

4. +++ b/eu_cookie_compliance.module
   @@ -323,6 +333,11 @@ function eu_cookie_compliance_page_build(&$page) {
   +      drupal_add_js(drupal_get_path('module', 'eu_cookie_compliance') . '/js/google_analytics.js', array('type' => 'file', 'scope' => $script_scope, 'group' => JS_THEME, 'weight' => 100));
   

   Code runs too late.

5. +++ b/eu_cookie_compliance.module
   @@ -620,3 +635,40 @@ function eu_cookie_compliance_store_consent($type) {
   +  // Set weight of Google Analytics to this module + 1.
   +  db_update('system')
   +    ->fields(array('weight' => $weight + 1))
   +    ->condition('name', 'googleanalytics', '=')
   +    ->execute();
   

   Do not change my modules weight, please. There is no comment why this is needed, too. This can have negative / breaking effects on other modules that depends on GA.

6. +++ b/js/google_analytics.js
   @@ -0,0 +1,5 @@
   +(function ($, Drupal, drupalSettings) {
   +  if (drupalSettings.eu_cookie_compliance.GA_id && !Drupal.eu_cookie_compliance.hasAgreed()) {
   +    window['ga-disable-' + drupalSettings.eu_cookie_compliance.GA_id] = true;
   +  }
   +})(jQuery, Drupal, Drupal.settings);
   

   External JS runs after inline JS.

Hello,

is there a way to block Google Adsense Ads as long as the user has not accepted?

When I enter Google Adsense's Javascript (http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js) in the "Disable Javascript" field of EU Cookie Compliance, the ads still show...

Or is there perhaps a way to hide some blocks (with ads) as long as the user has not accepted?

".install" file bugs with $sandbox will be fixed in #2974223: Install file code review / Update 7006 may break module together with many others.

This is a first try to cleanup code. Fully untested and incomplete. FIXME comment added.

Hi everybody,

This solution works really good. It adds support for eu_cookie_compliance to google analytics module.
https://www.drupal.org/project/google_analytics/issues/2971644

Hi @hass! Thanks for your input. Can you agree that we just revert this commit and get back to it later? There seems to be a patch for the GA module that can be applied by anybody that wants to block GA right now. (Thanks @lexsoft for the link.)

@svenryen The patch mentioned in #64 is for D7 only.

@danbohea - if you would like to see some movement for this issue, please help drum up some manpower to assist writing patches. We can't use my patch due to the objections from hass and I'm currently a bit busy with other GDPR tasks that are overdue.

Righto. I was just trying to highlight an important detail that appeared to me to have been missed but yeah, I get it...

It's very stupid that the comments are mixed up for D7 and D8. For D7 I can recommend #64 as it works like a charm! Great! It's not a patch for the "EU Cookie Compliance" module but for "Google Analytics" module itself.

Nice to see this issue progressing, thanks to all of you! :)

It looks like this feature has been reverted but still appear in the settings ("Disable JavaScripts" field).

By the way, it should be said in the settings that the "opt-in" method is currently not fully-handled by the module and needs custom development to actually block tracking cookies. Because this method shows a disagree button ("no thanks") which has no sense if tracking cookies are still set.

And what about a default value for the disabled javascripts? (might be a separate issue?) Like these:
https://www.google.com/recaptcha/api.js
https://www.google-analytics.com/analytics_debug.js
https://www.google-analytics.com/analytics.js
https://www.googletagmanager.com/gtm.js
Or even handle wildcards?

The disable Javascripts field is something entirely different than the patch that was reverted.

As we don't know in advance what modules the admin has installed on their site, we obviously can't provide a default list of disabled javascripts, as these javascripts would then all run when the user consents (possibly running code that the admin never intended).

@svenryen All right, now I understand why default values would have no sense. And yes, I just had a look at the revert commit which is only about Google Analytics. Sorry for the confusion. I'll make sure there is a bug with the disabled js feature (also mentioned here by swms), and if so I'll submit a separate bug issue.

I have the same problem with Matomo, which sets cookies regardless the EU Cookie compliace module settings.

Should there be a seperate issue or will this be solved within this thread?

What settings are you using to prevent matomo from running and setting its cookies?

This need to be solved in a generic way that works for every module.

There should be an issue summary, because it is unclear what the problem is precisely and what the proposed solution.

First of all the eu module should only provide an API. In ga and matomo we use the api than an integrate with eu module. The eu module should not try to change ga module.

There's a proposal in this issue #2985619: [2.0.x][PP-1] Support firing different events on accept and decline on events the module could fire. Would that be useful, hass?

For Matomo we are currently preventing the tracking the same way as for the google analytics module.

Inside the code before field we enter

if (!Drupal.eu_cookie_compliance.hasAgreed()){
  _paq.push(['requireConsent']);
  _paq.push(['disableCookies']);
}
if (Drupal.eu_cookie_compliance.hasAgreed()){
  _paq.push(['setConsentGiven']);
}

Would be nice though, if this step could be solved directly if eucc and ga/matomo are installed.

I do not know. Maybe with behaviors? The very best would be if core provides the api like wordpress.

@ABeier: Do you mean the custom javascript code in the matomo module settings?

Inside the code before field we enter

@demonde: Exactly. The first field for custom javascript code that will be injected before the push.

@ABaier: Ok, thanks.

But this makes it neccesary to use the Reload page after user clicks the "Agree" button. option of the EU cookie compliance module because otherwise the first page of the visit will not be tracked.

Also the EU cookie compliance JS must be in the head while the Matomo JS must be in the foot in order to make it work in my case.

You are right, in both cases – but that's at least a way which works for now.

Hello;

After many tries I'm uninstalling google_analytics module and inserting the code myself as the only solution. There are many issues and proposed solutions, buit for me (using latest versions of everything: core 8.5.5, ga 3.x and eucc 1.x-dev) none of them work and I always get the worng loading order of javascript and therefore can't evaluate Drupal.eu_cookie_compliance.hasAgreed().

Can anybody please point at the current state of this issue for Drupal 8? Solutions and proposals for 7.x and 8.x are scattered an mixed together and, in the end, I don't know if there is a working solution I didn't managed to find.

Many thanks!

@idiaz.roncero. We have tried including a patch that would load EU Cookie Compliance before Google Analytics, but the maintainer of the GA module objected (as can be seen in #58), so currently there's no sight of a straight forward solution. The patch was later reverted.

My working solution (without some patching) is
adding the following Code to the 'Code before' field of google_analytics:

var gaCode = 'UA-12345-122';
window['ga-disable-' + gaCode] = true;
if(document.cookie.valueOf('cookie-agreed') === "cookie-agreed=1") {
  window['ga-disable-' + gaCode] = false;
}
// just for testing:
console.log("tracking disabled?", window['ga-disable-' + gaCode]);

If you activate the google_analytics debug mode, you can see if it works as expected.

In case someone is interested, the patch mentioned in #64 for D7 as been ported to D8: https://www.drupal.org/project/google_analytics/issues/2917905

@Jehu #90 thank you, enabling Google analytics with your solution works for me. Although I needed to change the cookie-agreed value to 2 here
if(document.cookie.valueOf('cookie-agreed') === "cookie-agreed=1")
if(document.cookie.valueOf('cookie-agreed') === "cookie-agreed=2")

Just an idea. But how about providing a jQuery event whenever the user gives consent, or the consent was already given. This way all the tracking JS only need to modified to do their tracking when they receive this event. There would be no need to whitelist/blacklist JavaScripts then.

tortoil, that's a great idea. I would like to recommend that we branch out that request in a new issue, since there's currently no resolution to this issue, unfortunately.

@Torotil: this was exactly what i suggested earlier. Drupal behaviors may do the trick.

I’ve started #3022638: Use JS event to load tracking scripts once opt-in is given. and put all the code I currently use in there.

i was having same problem. GA script are loaded before eu compliance.

line 374 of googleanalytics.module:

++drupal_add_js($script, array('scope' => 'header', 'type' => 'inline', 'group' => JS_THEME, 'weight' => 101));
--drupal_add_js($script, array('scope' => 'header', 'type' => 'inline', 'requires_jquery' => FALSE));

@ABaier i've tried the solution you've proposed but it seems that the script(matomo) is being loaded before eu_cookie_compliance.js.
I get the following error:

Drupal is not defined

I have not read every comment but checked attached patches. I 've made a patch with a different approach (sounds more simple to me) (I've seen the idea in a particular issue but can't retrieve which one). Here is the patch (against 1.5 version):

diff --git a/js/eu_cookie_compliance.js b/js/eu_cookie_compliance.js
index 38e8f0e..9a60a54 100644
--- a/js/eu_cookie_compliance.js
+++ b/js/eu_cookie_compliance.js
@@ -250,6 +250,7 @@
 
     if (!euCookieComplianceHasLoadedScripts) {
       euCookieComplianceLoadScripts();
+      Drupal.eu_cookie_compliance.triggerScripts();
     }
 
     if (typeof euCookieComplianceBlockCookies !== 'undefined') {
@@ -397,6 +398,12 @@
     return (cookieEnabled);
   };
 
+  Drupal.eu_cookie_compliance.triggerScripts = function () {
+    var event = document.createEvent('Event');
+    event.initEvent('tracking-allowed', true, true);
+    document.dispatchEvent(event);
+  };
+
   // Load blocked scripts if the user has agreed to being tracked.
   var euCookieComplianceHasLoadedScripts = false;
   $(function () {
@@ -404,6 +411,7 @@
         || (Drupal.eu_cookie_compliance.getCurrentStatus() === null && drupalSettings.eu_cookie_compliance.method !== 'opt_in')
     ) {
       euCookieComplianceLoadScripts();
+      Drupal.eu_cookie_compliance.triggerScripts();
       euCookieComplianceHasLoadedScripts = true;
     }
   });

Then a "tracking-allowed" event can be added in a custom module as soon as the contrib module has proper hooks.

For the "google tag" module it is done as follow for instance:

function <module>_google_tag_snippets_alter(&$snippets) {
  $snippets['noscript'] = '';
  $snippets['script'] = "document.addEventListener('tracking-allowed',function(){{$snippets['script']}});";
}

What do you think of this approach?

(EDIT: fix event.initEvent with default values for ie11)

Issue with patch on google_analytics module : https://www.drupal.org/project/google_analytics/issues/2917905

Hi all,

as I've just read, "Cookiebot" now adds a JavaScript (must be first in head) to block all Cookies automatically without any adjustments to the site itself.
See
https://www.cookiebot.com/en/automatic-cookie-control/
https://www.cookiebot.com/en/help/

If that can be truely done in a paid solution, it should also be possible in an open source solution, shouldn't it?

I did a quick research and found: https://github.com/brainsum/cookieconsent /Demo: https://brainsum.github.io/cookieconsent/
which seems to implement a solution like that?

This personalized (try it now!) GDPR and ePrivacy Directive (aka. ePR) compliant script can block even 3rd party cookies without needing to refactor your website / web app.

Should we proceed in a separate issue? What does the EU Cookie Compliance maintainer think? :)

maybe make this a submodule?

#90 works fine, although it evolves up to GA not tracking the very first page visit until the consent is given and a page refresh / redirect has been executed.

(Because the script only tries to initiate the cookie once per pageload)

Currently, on 8.x the cookies are deleted after they are loaded, What is the plan for this issue on Drupal 8 to prevent it from being loaded before accept?

I'm using #90, in 8.x-3.0, and only the first visit after consent is tracked in GA. In console "tracking disabled? false" for the first visit (after consent) but subsequent visits "tracking disabled? true".

The GA cookies have an expiry date in the past but are not getting refreshed for each page visit. Do we need to be using 8.x-3.x-dev for this to work?

update: cookie-agreed=2 exists for these subsequent visits, but tracking is disabled.

As a fix for @alangallery (comment #106), you need to change the if-clause in the code in #90 to:

if(document.cookie.valueOf('cookie-agreed').indexOf("cookie-agreed=2") != -1) {

The original code does not work because valueOf('cookie-agreed') returns "cookie-agreed-version=1.0.0; cookie-agreed=2"

For guys here using categories with one dedicated to Google Analytics (let’s name it gastats in this example) you can use the following code:

window['ga-disable-UA-1234-1'] = !document.cookie.valueOf('cookie-agreed-categories').includes('gastats');

This works because EU Cookie Compliance stores each agreed / ticked categorie machine name in the cookie-agreed-categories cookie value.

Mind the ! and remember to change your GA id and the categorie machine name by your own values.

For a fairly simple solution that does not require handling any logic, here's what I've come up with:

1) To prevent loading of Google Analytics script (via the google_analytics module), I've added the following in the "Disable javascripts" textarea:

https://www.googletagmanager.com/gtag/js
modules/contrib/google_analytics/js/google_analytics.js

2) For any other javascript such as Facebook Pixel, I found the simplest way was to create a seperate javascript file in my Drupal theme folder (in my case named facebook-pixel.js) to house the third-party script. I then pasted the Facebook script (without the script and no script tags) since we're not adding it to HTML now. This method allows for easily disabling the script by adding it in the "Disable javascripts" textarea as well. I do not import my facebook-pixel.js file in any of my templates and let the EU Cookie Compliance module handle the import. Here is the relevant line I've added to "Disable javascripts" for reference:

themes/custom/my_custom_theme/js/facebook-pixel.js

#110 works but only with Google Analytics version 8.x-3.1, not with 8.x-2.5, so be sure to use the v3 series of this module.

#110 works well, however there is an issue. If you want authenticated users to have agreed to cookies by default, but hide the banner for them, the scripts won't load.

Hi, Should I use 2.dev of this module, and google analytics 4.dev to get this working together for Drupal 10?
And what is the content of FB: facebook-pixel.js please from #110?
Thanks for your reply in advance, greetings,

The comment in #110 works perfectly (I only use the GA portion).

Thanks!

This is tagged into version 2 of the module, most likely this will never happen, so i am closing this issue.

I wish to thank everyone who contributed for their work in the process.