grrr-amsterdam / cookie-consent

Cookie consent with accessible dialog, agnostic tag triggers and conditional content, script and embed hooks.
MIT License

Trigger required cookies at all times #3

Closed schoenkaft closed 4 years ago

schoenkaft commented 4 years ago

Just thought of this. Specifying required cookies of course means that they're 'required'. So these should fire/trigger regardless of consent (its value can only be undefined or true).

In theory one could also avoid adding these cookie types to a consent trigger in GTM (or alternative), circumventing this way of triggering cookies. But I'd say our module should always let required cookies 'pass' and therefore fire the event for these cookie types, because loading them the same way as optional cookies seems like a sane/consistent workflow.

This solution is quite basic, but it works. Does it make sense?

Fixes #2.

schoenkaft commented 4 years ago

> But am I reading this correctly: if required cookies are specified, you immediately fire the update event, even though the user did not submit the cookie consent dialog? Is that legal? I get that they're required and so the user doesn't have a choice but to accept them, but shouldn't they at least confirm they've seen the dialog by submitting the thing? You know, like an "I've read the terms and conditions" checkbox?

Hmm. I get what you're saying. There are two ways of 'looking at it'. And I think 'legal' is kind of a 'wassen neus' in this area anyway. I'd assume we're also checking all checkboxes by default, which is also a bit 'grey' (but only loading those optionals after submit). Else 95% of people will never enable 'marketing cookies' anyway, which kind of defeats the purpose of using any marketing for our clients. Most of the 'big guys' in the industry aren't even asking for any consent. I know this might give us mixed feelings, but in reality clients will probably be quite unhappy when nobody is being 'guided' to enable marketing cookies...

Anyway, back on topic: I was actually thinking of making this a configurable option, and there are of course ways to load the required cookies/trackers without those cookie type GTM triggers. Or fire them from code outside of the module. So we could also make this less dogmatic.

The reasoning: if I were 'the client', I'd assume that my anonymised Google Analytics would be loaded at all times. I'd say functional will never be loaded via GTM anyway, since it's usually not part of a marketing/tagging system. And the only other legally 'could-be-required' cookie type I could think of is anonymised analytics. As a client I would like to have insight into ALL visitors. Also bouncing ones who don't do anything with the cookie dialog.

So in the end cookies that are set to required should only be cookies that are legally allowed to be set without consent.

But we can discuss this internally. This at least removes some extra boilerplating in all projects incorporating this module.

martijngastkemper commented 4 years ago

Sending an update without user interaction is fine by me in this case. The main problem is: should this module be responsible for initializing scripts with required cookies? I think it shouldn't, because it creates a dependency. When you remove the cookie-consent module, the website should still work. The required scripts should be loaded separately, and the required setting in cookie-consent is just a visual thing for the user. Changing required from true to false adds some extra work, but I think that's acceptable.
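
The behaviour debated in this thread, as an added sketch (not code from the pull request or from the cookie-consent module): required types are reported as accepted in an `update` event at page load, while optional types stay `undefined` until the dialog is submitted. `createConsentGate`, `collectFiredTags`, the event payload and the sample type ids are hypothetical names chosen for illustration.

```javascript
// Hypothetical consent gate: names and event shape are assumptions,
// not the API of grrr-amsterdam/cookie-consent.
function createConsentGate(types, stored = {}) {
  const listeners = [];
  const state = {};
  for (const t of types) {
    // A required type is always true; an optional one is undefined until decided.
    state[t.id] = t.required ? true : stored[t.id];
  }
  const snapshot = () =>
    types.map((t) => ({ id: t.id, required: !!t.required, accepted: state[t.id] }));
  const emit = () => listeners.forEach((fn) => fn(snapshot()));
  return {
    on(event, fn) {
      if (event === 'update') listeners.push(fn);
    },
    // Page load: fire 'update' without any dialog submit, but only when
    // something is already decided (required types or stored choices).
    init() {
      if (Object.values(state).some((v) => v !== undefined)) emit();
    },
    // Dialog submitted: a required type cannot be switched off.
    submit(choices) {
      for (const t of types) {
        state[t.id] = t.required ? true : choices[t.id] === true;
      }
      emit();
    },
  };
}

// Stand-in for a consent-based tag trigger: a tag runs once per type,
// and only when that type is explicitly accepted (undefined never fires).
function collectFiredTags(gate) {
  const fired = [];
  gate.on('update', (cookies) => {
    for (const c of cookies) {
      if (c.accepted === true && !fired.includes(c.id)) fired.push(c.id);
    }
  });
  return fired;
}

// Constructed sample configuration.
const sampleTypes = [
  { id: 'analytics-anonymised', required: true },
  { id: 'marketing', required: false },
];
```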