One of my clients has a cross domain analytics set up. Everything works well, but there are different behaviors when user gives full cookie consent and when he allows only strictly necessary cookies.
- Behavior in case of full cookie consent: GA stores data into cookies i.e. _ga cookie _ga_ID can be found in console cookie tab.
- Behavior in case of only strictly necessary cookie consent:Â GA stores some data in URL, for example:
https://www.example-page.com/?_gl=1*XXXXXXX*_up*MQ..*_ga*ZZZZZZZ.*_ga_YYYYYYY*YYYYYYY..
According to google documentation the second case is default behavior. And cross domain measurement is working when _gl param is added to url.
What I do not understand is why are URL params not added everytime and only when some cookies are not accepted, so I would like to get better understanding of this.
There is also a possible issue which I do not understand and that is: GA params are added to url also when user is just switching between subsites in the same domain i.e. from http://www.example-page.com/home-page to http://www.example-page.com/about-page. If I understand correctly this should not happen as I am staying within domain.
The questions I am most interested in are:
- How is GA determining if it should store its data as cookies or push it to url?
- Where are these parameters stored before user redirect first time? Is it part of datalayer / google_tag_manager global variables?
- Is there way to store the params somewhere else than in url when full cookie consent is not granted?
- Is adding of GA params to url even when staying withing same domain a correct behavior?
Project details: Site is running on WordPress and use OneTrust for cookie management.
EDIT: Issue with URL resolved. In my case this issue was caused by update of consent mode template (gtm-templates-simo-ahava). Reverting to previous version fixed the problem. Possible cause of the problem can be maybe connected to this pull request in template repository
Pushing the data to url is the mechanism of cross-domain tracking. You set a list of domains that cross-domain tracking should work for. This is likely your problem here. You’re not supposed to set subdomains, only TLDs in vast majority of cases.
This data is stored in cookies before the user goes to a different domain. If cookies are deleted, then it’s stored in the JS scope of the GA library. This implies that they would be erased and regenerated on JS context loss. Loss on a page unload, regeneration on a page load.
Well. Yes. But very tricky and expensive. And the immediate question is why would you do that. This would defeat the purpose of blocking the cookie. Natively, GA doesn’t support other methods of passing the value, but if you’re into tinkering, you can either store the value on your backend and then retrieve it, using some “primary functionality” cookie. Another option is using third party server’s cookies, but that would defeat the purpose even more.
No, it’s most likely a mistake.
Now, you really asked all the right questions, so I don’t have much to add, except that disabling your primary anonymized behavioral tracking is usually a lazy “safe” choice. And lazy here implies wrong.
Normally, larger corps don’t block primary tracking. They only block third party marketing-related tracking. Basically, pixels. They consider their main analytics part of the primary functionality, which is a strong case given that main analytics data is often used in debugging, performance measurement and even for app security audits.
Finally, using onetrust or a similar solution to completely manage your tracking is sub optimal. They basically just destroy all “offending” cookies all the time. This will mess up your behavioral data very significantly.
The proper way to use consent management systems is declaring user consent choice in your tag management system and then in it, block rules/tags from firing in case the consent is not given. You normally just carefully block marketing tags there based on consent. Remember, consent management systems are only deleting cookies. Because that’s trivial. They don’t block network requests. Absence of cookies may not prevent the data from being sent, often even uniquely identifying the client, using the primary cookie’s user id, allowing to match the activity to the backend database.