GDPR cookie consent script (open source)

There’s no need to reiterate much about the GDPR law and everything that came with it. At first nobody cared about it, as if it were just another obscure and annoying EU law. Then, a few weeks before the actual enforcement date, most companies started to put some kind of implementation in place.

The major issue was the consent requirement for advertising profiling cookies. Even the biggest advertising agencies, like Google’s AdSense, waited until the last minute to roll out useful code and tips regarding profiling and cookies, not to mention that almost all other advertising companies are even worse. It seems that everyone is waiting to see some reaction from EU enforcement bodies and, in the meantime, pushing their tech in the same fashion.

So what are your choices regarding GDPR law?

There are a few:

  • You can ignore it
  • You can partially comply with it
  • You can fully comply with it

There are quite a lot of webmasters who say: “I don’t have EU visitors so I don’t care”. This is a bold statement, hardly true for an open public website, but if there is no enforcement, those people might turn out to be the smartest.

The gray zone of partially compliant websites is the largest, and compliance varies from those who only show a cookie notification without any possibility to deny consent, to those who categorize cookies into “mandatory” and “non-mandatory” ones. The options are even pre-checked. Even big G is doing that all over the place.

The GDPR law is clear: no mandatory cookies and no pre-checked options. So obviously that is far from full compliance.

The third option is … well … non-existent in the wild. Even if you are running a website on your own code and have made sure no cookies are set, you might have ad or analytics partners whose code you can’t control. Maybe you can if you remove their code, but that’s not the point.

Fortunately, there is a solution, good enough to consider yourself fully in compliance with GDPR, at least when it comes to third-party JavaScript code running on your website.

It’s JavaScript code in two parts. The first part should be placed before any other JS code on your pages. It’s basically a cookie proxy which intercepts all cookie-setting requests made by various third-party scripts and actually sets those cookies only after it gets the user’s consent. The second part is just a DOM overlay, which can’t be created so early in the page rendering sequence. The code would be much simpler if it weren’t for Safari, which requires additional handling since it does not allow the cookie proxy technique. There’s also a configuration option to limit the script to EU timezones only (and a DST setting which helps to filter a bit more precisely). It’s not perfect, but if you are going to filter visitors based on country, it’s as fast as you can get, and believe me, that’s what you want.
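A minimal sketch of the cookie proxy idea described above, as an added example that is not the code from the GitHub project: writes to document.cookie are held in a queue and replayed only after consent. The names installCookieProxy, makeFakeDocument, pending and consent are hypothetical, the consent cookie string is supplied by the caller, and the stand-in document is constructed only so the sketch runs outside a browser.

```javascript
// Added example (not the project's code). All names here are hypothetical.
// Constructed stand-in for a browser document so the sketch runs in Node.
function makeFakeDocument() {
  const jar = new Map();
  const proto = {};
  Object.defineProperty(proto, 'cookie', {
    configurable: true,
    get() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
    set(str) {
      const pair = String(str).split(';')[0];
      const eq = pair.indexOf('=');
      if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    },
  });
  return Object.create(proto);
}

function installCookieProxy(doc, consentCookie) {
  // Find the native accessor by walking the prototype chain.
  let owner = doc, native;
  while (owner && !(native = Object.getOwnPropertyDescriptor(owner, 'cookie'))) {
    owner = Object.getPrototypeOf(owner);
  }
  // Where the accessor cannot be redefined, the caller needs a fallback.
  if (!native || !native.set || !native.configurable) return null;

  let consented = native.get.call(doc).split('; ').includes(consentCookie);
  const pending = [];
  // Shadow the accessor on the instance so third-party writes reach us first.
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    get() { return native.get.call(doc); },
    set(str) {
      if (consented) native.set.call(doc, str);
      else pending.push(String(str)); // held, not stored
    },
  });
  return {
    pending,
    consent(granted) {
      if (granted) {
        consented = true;
        native.set.call(doc, consentCookie);
        pending.forEach((c) => native.set.call(doc, c)); // replay held writes
      }
      pending.length = 0; // on refusal the held writes are dropped
    },
  };
}
```

The proxy only sees writes made through document.cookie; a cookie set by a Set-Cookie response header on a third-party request never passes through it.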

You can get the code on GitHub.

10 thoughts on “GDPR cookie consent script (open source)”

  1. Thank you a lot for trying to help us!

    I’ve installed the scripts in the head before all scripts and in the body, all as appropriate. On the browser level it seems to work, but the AdSense ads and their cookies are being loaded and set too (before consent). Also, the https://www.cookiemetrix.com website shows that: “Seems that this page does not comply with EU Cookie Law” + “No Banners Found – Seems that on this page there isn’t a banner showed to the user’s first visit.” + “Stored Cookies Found – On this page there are also third-party stored cookies.”

    Maybe because there’s a code that makes it work only for EU? Is there a way to disable that and make it work everywhere?

    Thank you in advance for your time!

    1. Yes, the EU filter is the reason why you’re still getting cookies. I’m just going to update the code so you’ll be able to make it active regardless of the location.

        1. Thank you, now it’s working as needed!

          One last question:

          I need to pause AdSense requests together with the loading of your cookie script, google provides a way here: https://support.google.com/adsense/answer/7670312

          It says (for my case):
          When using AdSense or Ad Exchange asynchronous ad code:

          1. Before consent, use:
          (adsbygoogle=window.adsbygoogle||[]).pauseAdRequests=1
          to prevent the tag from sending ad requests. You must do this before triggering any ad requests by using
          adsbygoogle.push(…).

          Set up your ad slots using calls to adsbygoogle.push(…) as usual.

          2. At the time of given consent, use:
          (adsbygoogle=window.adsbygoogle||[]).pauseAdRequests=0
          to resume sending ad requests.

          How, or, is it possible to include the above codes in your script?

          Again, thank you in advance for your time and your help, I really appreciate it!
          If the above codes will be included in your scripts, it’s gonna be the best solution worldwide.

          1. OK I think I did it.

            I’ve added the “(adsbygoogle=window.adsbygoogle||[]).pauseAdRequests=1;” right after the
            CM_cookieManager = (function() {

            And the “(adsbygoogle=window.adsbygoogle||[]).pauseAdRequests=0;” right after the
            consent: function () {
            //console.log('received consent');
            if (intervalId !== -1) {
            clearInterval(intervalId);
            }

            Now it’s working exactly as it should be. The only cookie that passes through and gets installed (before consent) is the cookie “NID” from domain “.google.com” and path “/”.
            I’m not sure if this could be a problem for GDPR, but for sure now the script is way better 🙂

            Have a nice day!

  2. **Update**
    A fix:

    In my last reply I didn’t do it correctly, because the ads were unpaused only at the time of consent, and after consent + refresh (with the consent cookie installed appropriately as “1”) the ads continued to be paused. So I fixed it by taking your original script again and adding Google’s code like this:

    In the cm-head.js
    I added Google’s code to pause the ads from loading, here:

    start: function () {
    if (document.cookie.indexOf('CM_cookieConsent=1') === -1) {
    (adsbygoogle=window.adsbygoogle||[]).pauseAdRequests=1;

    And in the cm-body.js
    I added Google’s code to stop the pause when consent is given, here:

    var iConsent = function () {
    CM_cookieManager.consent(true);
    document.body.removeChild(cookieAlert);
    (adsbygoogle=window.adsbygoogle||[]).pauseAdRequests=0;
    }

    So now it’s correct and works as expected.
    In the same way publishers can choose to add “(adsbygoogle=window.adsbygoogle||[]).requestNonPersonalizedAds=1” on dismiss or accept button, as appropriate for their needs.

    Your code is awesome. It solved a headache that I’ve had for weeks! Thank you!

  3. Is there a way to avoid some specific cookies from being deleted with this script? For example the _gat, _gid, and _ga. I need to keep them running, I want to block only third party cookies.

    1. It’s not recommended but it’s possible. I have that patch; however, it is a bit slower with a whitelist. I’ll send you the patch.

  4. Hi! Are you sure this script is (still) working? Because, if I install it and load the page, Ghostery as well as Privacy Badges report that they have blocked multiple trackers…

    1. The script is working regardless of the ad provider. It blocks all tracking cookies if the user chooses not to consent. However, if the user chooses to consent it will set cookies again. Not sure how Ghostery and Privacy Badges work, but I would say that they report false positives.
