How to configure EU Cookie Compliance module to work with Google consent mode v2?

Introduction

Google offers good tools for website owners, most known are Google Analytics and Google Ads. These tools are not banned in the EU, but in default settings, they do not comply with GDPR rules, and websites in the EU must ask for consent before placing tracking cookies on the page. This means all sites that add any tracking cookies on the page, whether it is by a site itself or a third-party service, the user must be able to grant or deny tracking.

There are multiple cookie-related modules available. The most well-known one is EU Cookie Compliance, but the COOKiES module also seems to be gathering popularity. In this article I'm concentrating on the first module and how to make it compatible.

Requirements

First, check how the existing integration works. Existing implementations may contain surprises.

You will need two additional modules - EU Cookie Compliance GTM and Google Tag. Most likely you have the Google Analytics module installed as well, but it seems to be deprecated and existing sites should move over to the Google Tag module.

You also need the Google Tag Manager (GTM) container code.

Install modules with composer:

composer require 'drupal/eu_cookie_compliance_gtm:^2.1'

It also should install the Google Tag module, because it depends on it. You can enable the modules

drush en eu_cookie_compliance_gtm

Currently, the EU Cookie Compliance GTM module also needs this patch. Hopefully, it will be merged soon.

Configuring cookie categories

Open EU Cookie Compliance settings at /admin/config/system/eu-cookie-compliance/settings

The first thing you want to change or check is the consent method setting - it must be "Opt-in with categories".

If this is done, we need categories, if there is none yet. Categories can be added here: /admin/config/system/eu-cookie-compliance/categories

Create as many categories as needed - you need to be aware of all the cookies your site has and what type they are. For example, almost all sites have essential or functional cookies and these could be mandatory. In the context of consent mode v2, we are interested in analytical/statistical and advertising/marketing cookies. The main part here is to fill the GTM data field, which tells which type of consent is given with this category.

GTM data accepts data in JSON format and it has @status placeholder which will be replaced by the user consent value based on the selected categories. In my case, there are two categories - statistical and marketing cookies and in that case, the parameters look like this:

Statistical

{
    "analytics_storage": "@status"
}

Marketing

{
    "ad_storage": "@status",
    "ad_user_data": "@status",
    "ad_personalization": "@status"
}

Also, make sure that these categories are unchecked by default because the user must make a conscious choice to choose them - either selecting manually or clicking allow all button.

Cookie automatic-removal

I'm not sure if relying on this functionality is allowed in GDPR, but it can be used as a failsafe just in case. I think it is possible to assume Google is not violating user privacy and we can safely run GTM scripts on the page. This option in the settings assumes you categorize/define (depending on if categories are used or not) all cookies on the page or you turn it off.

The safe option is to keep it enabled and categorize the cookies. There are a lot of cookies and putting together the list can be complicated. My best list should contain everything you need.

statistical:FPLC
statistical:AMP_TOKEN
statistical:FPID
statistical:GA_OPT_OUT
statistical:_dc_gtm_*
statistical:_ga*
statistical:__utm*
statistical:_opt_*
statistical:_gid
marketing:id
marketing:__gads
marketing:_gcl*

While these cookies have their purpose, for example, some of them are functional cookies, we need to tie them together with the service category, there is no point doing it otherwise and it will complicate or simply doesn't work.

Google Tag configuration

Configuration can be found here: /admin/config/services/google-tag

You should use the Google Tag Manager container code and after inserting that, you can see a new Advanced settings fieldset below. There is an option, that must be enabled - it will send default consent to GTM, which prevents from setting cookies by the Google Analytics or other Google marketing tools.

Testing the consent flow

To test how consent works, it is a good idea to use Google Tag Assistant, which helps to understand, what requests and data are sent to GTM. There's also a browser extension available.

When opening the website with Tag Assistant, then on the left there are many things happening. What we are concerned about is everything related to consent. Currently, the modules are setting the default state to denied but will tell to Tag Manager to wait for consent update (500ms), more described on Google documentation. The second "Consent Default" is the update itself. An example of the request can be seen below.

After the user gives consent (or denies), a new Consent Update will be sent and the last column of the state table will be filled with consent values.

If there are any issues, the tool will show them. It may show that the consent state was read before the default was set, which may indicate that the Enforce Privacy Consent Policy was not turned on or something on the Google Tag Manager side is not waiting for the consent trigger.

Summary

Using the EU Cookie Compliance module is possible in the context of implementing consent mode v2. All sites using tracking cookies should implement some kind of consent form and respect user decisions. It will cripple the statistics, so they are not accurate enough.

If implementing consent seems complicated or you wish not to annoy users with some banner or modal popping up, then cookieless analytics is a thing to check out. For example, Matomo has this possibility and there are other paid services as well, if a general idea of site traffic is needed.