Google Analytics cookie control with Zaraz?

Hi there,

I thought that when using Zaraz and Google Analytics 4 there would be no cookies stored in the user’s browser. However, this doesn’t seem to be the case: 3 cookies are being stored in the user’s browser.

Is there a method to control the cookies and hold them via Zaraz, for all cookies, until consent is given?

How do you manage the GDPR cookie banner for cookies loaded via Zaraz?

Thanks

What’s the URL that’s setting these cookies?

Hello @kepona2732

I thought that when using Zaraz and Google Analytics 4 there would be no cookies stored in the user’s browser. However, this doesn’t seem to be the case: 3 cookies are being stored in the user’s browser.

Right.

When you use Zaraz + GA4 Tool the execution of Zaraz initiator-script saves 3 first-party (related to your domain) cookies :

  • _ga4sid - value : session ID - set from www.YOURDOMAIN - Expiration : Session

  • _ga4s - value : 1 - set from www.YOURDOMAIN - Expiration : Session

  • _ga4 - value : UUID v4 - set from YOURDOMAIN - Expiration : 2028-12-31T23:59:59.000Z

Is there a method to control the cookies and hold them via Zaraz, for all cookies, until consent is given?

You can do so by changing how you’re loading Zaraz initiator-script :

  1. Disable Zaraz initiator-script auto-inject from Zaraz / Settings menu

  2. Manually load Zaraz initiator-script in all the webpages to be tracked via GA4

  3. Set the initiator-script on standby - according to the cookie-wall/banner solution in use - in order to prevent its execution until the visitor allows the analytics usage from the consent-banner

Besides the cookie-notice/banner, keep anyway in mind that - according to current situation, because of Schrems II and of the latest decisions of some EU DPAs - you have GDPR-compliance of Zaraz + GA4 Tool for data-transfer to Google measurement-servers only when :

  • All options in Zaraz / Settings / Privacy have been enabled = removal of PII from URLs/User-Agent + no-referrer + IP address anonymization

  • Data Sharing / Linked Products / User-ID / Signals have been disabled in your Google GA4 admin settings for account / site property

  • “Hide Originating IP Address” option has been enabled in Zaraz GA4 Tool settings

  • Client ID override by manually setting the same for all visitors (custom field into Zaraz GA4 Tool settings) or - even better - using your own script to generate the clientId / cid for the visitor & make it available to Zaraz pageview/event track calls via zaraz.set() API.


1 Like

Hi @RawMain

Thanks for such a detailed and on point response.

The issue with this is that I cannot control or differentiate analytics and marketing cookies. For example, I can only control when to run Zaraz, while the cookie banner requests consent with options of

  • necessary cookies
  • analytics cookies
  • marketing cookies

When running Zaraz, it is going to run all tools which are added, like Google Analytics and Facebook Pixel. So basically I have only 1 option: to either run or block Zaraz, without the necessary control over tools added via Zaraz. :frowning:

If I have all the privacy setup as suggested by you, then do I still need a cookie consent, or is it GDPR compliant by default?

Thanks again for taking the time :pray:

Hello @kepona2732

Thanks for such a detailed and on point response

You’re welcome :wink:

The issue with this is that I cannot control or differentiate analytics and marketing cookies.

You can individually manage the creation and storage of cookies for Zaraz tools by using Zaraz blocking triggers: you just need to set the triggers according to the cookie-wall/banner implementation you’re using.

Zaraz blocking triggers allow you indeed to block tools’ actions according to no-regex-match rules against the values of DataLayer variables or Cookies (property {{ system.cookies.NAME_OF_COOKIE }}).

Let’s take for instance a cookie-wall/banner implementation, which stores 3 different cookies - e.g. necessary / analytics / marketing - with yes/no values - according to the selected choices :

User's Choice              | necessary | analytics | marketing |
---------------------------+-----------+-----------+-----------|
Only Necessary             | yes       | no        | no        |
plus Analytics             | yes       | yes       | no        |
plus Marketing             | yes       | no        | yes       |
plus Analytics & Marketing | yes       | yes       | yes       | 

According to such scenario, first let’s create the following 2 triggers into Zaraz / Triggers section :

  1. Trigger name : Block_Analytics
    • Rule Type : match rule
    • Variable Name : {{ system.cookies.analytics }}
    • Match operation: Not matches regex
    • Match string : ^yes$

  2. Trigger name : Block_Marketing
    • Rule Type : match rule
    • Variable Name : {{ system.cookies.marketing }}
    • Match operation: Not matches regex
    • Match string : ^yes$

Then, to conditionally block all actions in a tool, you just have to configure the related Blocking Trigger on every action, that belongs to that tool :

  • Google Analytics 4 → pageview + any other actions → Blocking Trigger = Block_Analytics
    If/when Block_Analytics is triggered, Zaraz Google Analytics 4 tool won't be called by Cloudflare workers & the _ga4sid / _ga4s / _ga4 cookies won't be set.
  • Facebook Pixel → pageview + any other actions → Blocking Trigger = Block_Marketing
    If/when Block_Marketing is triggered, Zaraz Facebook Pixel tool won't be called by Cloudflare workers & the _fbp cookie won't be set.

As you can see, in the end it’s just a matter of correctly creating those 2 Zaraz triggers - according to how your cookie-wall/banner implementation logs/stores users’ choices.

If I have all the privacy setup as suggested by you, then do I still need a cookie consent, or is it GDPR compliant by default?

Such privacy-setup

  • Privacy-focused GA4 admin settings for account / site property
  • Self-generated client ID
  • Client’s hidden+anonymized IP address
  • Anonymized user-agent
  • Stripped PII from URLs

for Zaraz global settings + Google Analytics 4 tool ensures only GDPR + Schrems II compliance for the data-transfer to Google measurement-servers.

You still need user’s consent owing to the previous transfer of personal data to Cloudflare.

Besides, such consent-requirement applies without distinction to any Cloudflare plan = it even applies to Enterprise plans with EU-region settings for Data Localization Suite products (Regional Services, Customer Metadata Boundary, Geo Key Manager).

Therefore, even though your host is EEA or CH or UK located & you’re using Zaraz GA4 Tool with the right privacy-setup for Google-transfers’ GDPR+Schrems II compliance, you still have to :

  1. Provide users with the references of Cloudflare EU SCCs & DPA plus additional safeguards (those ones currently provided by Cloudflare - according to your plan - together with the privacy-setup details for Zaraz proxy-ing of Google Analytics 4 collections), &
  2. Require the user’s consent in order to enable the analytics collection
1 Like
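
The decision logic of the Block_Analytics / Block_Marketing triggers from the reply above, modelled in JavaScript as an added example (not Zaraz code and not from any post in this thread). `BLOCKING_TRIGGERS`, `TOOLS` and the sample `Cookie` headers are constructed, and treating a missing cookie as an empty value is an assumption to verify on a first visit, before any choice is stored.

```javascript
// Constructed model of the two "Not matches regex" blocking triggers.
const BLOCKING_TRIGGERS = {
  Block_Analytics: { cookie: "analytics", notMatches: /^yes$/ },
  Block_Marketing: { cookie: "marketing", notMatches: /^yes$/ },
};

// Tool -> blocking trigger configured on every action of that tool.
const TOOLS = {
  "Google Analytics 4": "Block_Analytics",
  "Facebook Pixel": "Block_Marketing",
};

// Parse a Cookie request header into { name: value }.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// The trigger fires (and blocks) when the cookie value fails the regex.
// Assumption: a missing cookie is evaluated as "", so it blocks as well.
function triggerFires(trigger, jar) {
  const value = jar[trigger.cookie] ?? "";
  return !trigger.notMatches.test(value);
}

// Tools that are allowed to run for a given Cookie header.
function allowedTools(cookieHeader) {
  const jar = parseCookies(cookieHeader);
  return Object.keys(TOOLS).filter(
    (tool) => !triggerFires(BLOCKING_TRIGGERS[TOOLS[tool]], jar)
  );
}

// Constructed samples: the four table rows, then two edge cases.
const SAMPLES = [
  "necessary=yes; analytics=no; marketing=no",
  "necessary=yes; analytics=yes; marketing=no",
  "necessary=yes; analytics=no; marketing=yes",
  "necessary=yes; analytics=yes; marketing=yes",
  "", // first visit: no consent cookies stored yet
  "necessary=yes; analytics=Yes; marketing=yes please",
];
for (const h of SAMPLES) console.log(JSON.stringify(h), "->", allowedTools(h));
```

Because the match string is anchored and case-sensitive, any value other than exactly `yes` keeps the tool blocked, so the banner has to write that literal value.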

Thanks @RawMain

This was really helpful, will follow these steps now. Do you know of any live site or demos of a similar setup?

Google Analytics does provide a privacy setup option. However, when using Zaraz I only have the option to add the analytics ID. Do you know if I can customise the Google Analytics code directly in Zaraz? Modifying the code below simply stops Google from storing cookies.

ga('create', 'UA-XXXXX-Y', {
  'storage': 'none'
});

Using Zaraz, can I actually modify the code of Google Analytics?

Thanks

Hello @kepona2732

This was really helpful, will follow these steps now. Do you know of any live site or demos of a similar setup?

I’m still testing such privacy-focused setup in staging environment only, as other people are doing as well.

It hasn’t been implemented in production environment yet - mainly because :

  1. The new privacy features & settings for Zaraz tools have been released just over a month ago - on June 15th.
    Further details on the related announcement by @yair-dovrat & @yoav_zaraz .

  2. Zaraz is still in development / beta & it manages all tools (including GA3/GA4) 100% server-side.
    Some tools’ features aren’t available out of the box (for performance reasons and/or because they require browser-originating information) = workarounds through custom scripts/triggers.

  3. GDPR + Schrems II compliance challenges.
    Even with the client-side generation / dynamic-override of cid (GA3 / GA4 Client ID), Cloudflare Free/Pro customers can run into situations of GDPR + Schrems II non-compliance, if/when the IP address and the browser’s user-agent are sent to a US-based CF worker.

Google analytics does provide privacy setup option

Google just provides instructions to manage the generation and persistence of the clientID - both as a cookie and in other ways (localStorage or workers).

Besides, just switching from cookie to cookieless, without changing the personal-data handling & collection, doesn’t change the privacy level at all = if the collected-data aren’t aggregated & anonymized and/or there are EU SCCs, you still have to ask/get the user’s consent to enable the analytics scripts.

When using Zaraz I only have the option to add the analytics ID. Do you know if I can customise the Google Analytics code directly in Zaraz? Modifying the code below simply stops Google from storing cookies.

Zaraz tools are NOT cookieless by design = you can read/check some details about it here - in the paragraph “A new way to build third-parties”.

These 3 GA4 cookies are indeed generated/set by Cloudflare Zaraz (not by Google). Cloudflare uses the _ga4 cookie-value as visitor-id for Zaraz tool & the worker forwards the cid value to Google measurement-servers…

Zaraz Google Analytics 4 tool allows the following configurations out of the box for cid management :

  • _ga4 = cid → no override
    Zaraz worker uses the same UUIDv4 value for both.

  • _ga4 != cid → server-side constant override
    On the Google Analytics tool settings page click “add field” and choose “Client ID”. To override the Client ID, you can insert any string as the field’s constant value.
    The value and expiry of _ga4 cookie won’t change. Zaraz worker will take care of overriding the cid value with the saved string - before sending the payload to Google measurement-servers

At the present time there is no official feature-support for the third configuration, which is the most compliant with GDPR + Schrems II guidelines = client-side generation / dynamic override (the client generates the cid hash using its own algorithm & forwards it to Zaraz worker).

However, it can be enabled through a workaround :wink:.

In No-Override config Zaraz worker first creates & sets the _ga4 cookie on the initiator call, then copies the _ga4 value as cid field into the payload.

So you can anyway generate your own clientId hash on client-side & override the _ga4 value (and its expiry too) set by Zaraz initiator script.

Since other users could be interested in it, I’m leaving the references of the code (link to Github gists), that I’m using for Zaraz UA/GA3 + GA4 dual-tracking checks in staging environment.

It can be used also for single-tracking UA/GA3 or GA4 = just comment or remove the line, that sets the unneeded cookie.

  • cid hash based on location host + user-agent + language + creationTime = meets the levels of variability and collision - required by the GDPR + Schrems II compliance guidelines

  • expiry set at 30 days from creationTime

  • if dual tracking UA/GA3+GA4 enabled, same cid value & expiry for both _ga and _ga4 cookies = it allows to easily retrieve all analytics/measurement data through Explore Users panel or User Activity API - useful for inspection and GDPR DSAR checks.

self_CID

1 Like
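
The client-side cid generation described in the last reply, as an added example; it is not the code from the linked gist. It runs under Node so the result can be checked offline (in a page the digest would come from `crypto.subtle.digest` and each string would be assigned to `document.cookie`); the field separator, the 32-character truncation, the cookie attributes and the sample visitor values are assumptions.

```javascript
const { createHash } = require("crypto");

const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;

// cid = SHA-256 over host, user-agent, language and creation time.
// Assumptions: "\n" as field separator, digest truncated to 32 hex chars.
function makeCid({ host, userAgent, language, creationTime }) {
  const input = [host, userAgent, language, String(creationTime)].join("\n");
  return createHash("sha256").update(input, "utf8").digest("hex").slice(0, 32);
}

// Build the cookie strings that replace the value set by the initiator script.
// dualTracking adds _ga with the same cid and expiry as _ga4.
function buildCidCookies(env, { dualTracking = false, domain = "" } = {}) {
  const cid = makeCid(env);
  // Expiry is 30 days from creationTime, as described in the post.
  const expires = new Date(env.creationTime + THIRTY_DAYS_MS).toUTCString();
  const scope = domain ? `Domain=${domain}; Path=/` : "Path=/";
  const attrs = `Expires=${expires}; ${scope}; Secure; SameSite=Lax`;
  const names = dualTracking ? ["_ga", "_ga4"] : ["_ga4"];
  return { cid, cookies: names.map((n) => `${n}=${cid}; ${attrs}`) };
}

// Constructed sample visitor environment.
const SAMPLE_ENV = {
  host: "www.example.com",
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
  language: "en-GB",
  creationTime: Date.UTC(2022, 6, 20), // 2022-07-20T00:00:00Z
};

const SAMPLE_RESULT = buildCidCookies(SAMPLE_ENV, {
  dualTracking: true,
  domain: "example.com",
});
for (const c of SAMPLE_RESULT.cookies) console.log(c);
```

A cookie is only overwritten when name, `Domain` and `Path` all match the existing one, so a mismatch leaves the original `_ga4` in place next to the new value.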