
Script Support

In general, a script written into a web page executes automatically as soon as the page loads. Under prior consent, this behavior must be avoided for non-essential scripts. Instead, you need to write them out after consent is detected. All scripts need to be refactored and tested.

Prior Consent Callback


Our script contains the following callback method:  window.evidon.priorConsentCallback().  That method will get executed one time per page flow when consent is detected.  We detect consent in the following ways:

  • The user executes a consent action (Accept button click, etc.)
  • A returning user has already consented, and we detect the _evidon_consent_cookie
  • The site a user is on does not have consent enabled (ex:  “acme.com” for someone in the US vs someone in the EU)

 

In all those cases, our consent callback will fire.  This provides you a central mechanism for watching for consent and taking the appropriate actions.

Examples of Script “Refactoring”


This section provides some examples of how scripts can be refactored to enable prior consent.  It is by no means comprehensive, just meant to give some basic guidelines and suggestions.

Standard Advertiser Script

In the simplest form you may have several scripts that look like the following:

<script src=https://acme.com/runads.js></script>

To handle this, you just need to refactor the script so it is added to the DOM after consent.  An example would look like this:

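// scriptid and url are supplied by you: the id for the new tag and the script's address.
var d = document, sn = 'script', f = d.getElementsByTagName(sn)[0];
if (!f) f = d.head;   // no script tag on the page yet: use <head> as the reference node
var s = d.createElement(sn);
s.async = true;
s.id = scriptid;
s.src = url;
f.parentNode.insertBefore(s, f);   // write the new tag just before the reference node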

To simplify this, we have a function in our script called append() that can be called to run this logic.
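
One way to tie the snippet above to the consent callback, as an added example (not Crownpeak's code and not the built-in append() function): scripts are queued until consent, each tag is written at most once, and, going slightly beyond the page, only HTTPS URLs on a host allowlist are accepted. createConsentLoader, the ids and the allowlist are hypothetical names, and assigning the handler to window.evidon.priorConsentCallback is an assumption about how the callback is hooked.

```javascript
// Added example. createConsentLoader and the ids/hosts below are hypothetical
// names, not part of the vendor script.
function createConsentLoader(doc, allowedHosts) {
  var queue = [];        // scripts registered before consent
  var loaded = {};       // ids already written to the DOM
  var consented = false;

  function inject(entry) {
    if (loaded[entry.id]) return;           // never add the same tag twice
    var s = doc.createElement('script');
    s.async = true;
    s.id = entry.id;
    s.src = entry.url;
    doc.head.appendChild(s);
    loaded[entry.id] = true;
  }

  return {
    // Queue a non-essential script; nothing touches the DOM until consent.
    register: function (id, url) {
      var u = new URL(url);
      if (u.protocol !== 'https:' || allowedHosts.indexOf(u.hostname) === -1) {
        throw new Error('script host not on allowlist: ' + url);
      }
      var entry = { id: id, url: u.href };
      if (consented) inject(entry); else queue.push(entry);
    },
    // Call from the consent callback; safe to call more than once.
    onConsent: function () {
      consented = true;
      queue.splice(0).forEach(inject);
    },
    loadedIds: function () { return Object.keys(loaded); }
  };
}

// Browser wiring (skipped outside a browser). Assumption: the site assigns its
// handler to window.evidon.priorConsentCallback; check the vendor docs.
if (typeof window !== 'undefined') {
  var loader = createConsentLoader(document, ['acme.com']);
  loader.register('acme-ads', 'https://acme.com/runads.js');
  window.evidon = window.evidon || {};
  window.evidon.priorConsentCallback = function () { loader.onConsent(); };
}
```

A script registered after consent has already been given is written immediately, so late-loading page components can use the same loader.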

Google Tag Manager / Google Analytics

One of the ways you can stop these from loading immediately on page execution is to turn the script from a self-executing script into a script function you can call.  Google provides separate scripts for GTM and GA, and these are set up differently. The following is an example of this using GTM, but GA behaves almost exactly the same, as do a number of other script tags.

Here is the standard script provided for GTM:

<script>
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXX');
</script>

 

To make this consent-friendly, make the following changes.

  1. Change it into a function.  Notice we have removed the open/close () and given it a name.

function gtm(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
}

  2. Call that new function from the consent callback:

gtm(window,document,'script','dataLayer','GTM-XXXXXX');

Other script formats

There are many variations of scripts in the wild.  Some vendors provide multiple scripts, some that are dropped in the header and others that are dropped in the body.  It will take some trial and error to get these set up, but so far, we have not encountered any scripts that can’t be successfully formatted to support prior consent.

Testing Prior Consent


You will want to verify you are blocking all non-essential tech from executing on your web site, since failure to do so can cause a GDPR violation.  When we test, we use a browser extension called “Ghostery” to look at the list of 3rd party vendors running on a page. There are probably other browser extensions that do the same thing.

Using this extension, we look at the list of vendors/tech that are added to the page when it loads and when we do some basic page interaction (scrolling for example).  Then we click on the “Accept” button to trigger a consent and look at the vendors/tech that are on the page post-consent.

This will allow you to verify both the appropriate prior consent setup as well as verify that all of the technologies you implement are successfully added to the page post-consent.
