Building a cookie consent opt in function for Hugo

A customer, or rather the lawyers, insisted on a cookie consent feature. They only have Matomo on the sites. With Matomo privacy settings set to the sane defaults I personally do not believe GDPR applies but lawyers are not fond of words like “believe”.

I built an opt-in function that only activates Matomo once the user clicks “Accepts”. If the user does nothing or clicks “Decline” Matomo stays inactive.

This is all implemented in my Zen theme.

First I added a partial with the cookie consent banner.

Then a cookie consent JavaScript that sets the cookie and shows/hides the banner.

I used the js.cookie lib to handle cookies.

The tracking JavaScript needed to be updated to take the visitor’s choice into account. I implemented this for Matomo (tested) and Google Analytics (not tested since I do not use it).

Support for other services should not be that hard to add in a similar manner.

At last some CSS to make it look like something.

Very interested to hear how others have solved this!

7 Likes
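The opt-in flow described in the post above, as an added example that is not part of the original post and not the Zen theme's code: tracking stays off unless the stored choice is exactly "accept". The cookie name `cookieconsent`, the values `accept`/`decline` and the function names are assumptions made for illustration; plain cookie strings are used instead of the js.cookie library so the logic runs anywhere.

```javascript
// Added example. CONSENT_COOKIE and the "accept"/"decline" values are
// assumptions, not names taken from the Zen theme.
const CONSENT_COOKIE = 'cookieconsent';
const ONE_YEAR = 365 * 24 * 60 * 60; // seconds

// Read the consent state from a document.cookie-style string.
// Anything other than an exact "accept" or "decline" counts as "unset",
// so a missing, malformed or tampered value never enables tracking.
function consentState(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    let value;
    try { value = decodeURIComponent(part.slice(eq + 1).trim()); }
    catch (e) { return 'unset'; }
    return value === 'accept' || value === 'decline' ? value : 'unset';
  }
  return 'unset';
}

// Cookie string that stores the choice (assign it to document.cookie).
function consentCookie(choice, secure = true) {
  if (choice !== 'accept' && choice !== 'decline') throw new Error('bad choice');
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${ONE_YEAR}; Path=/; SameSite=Lax` +
    (secure ? '; Secure' : '');
}

// The banner is shown only until the visitor has made a choice.
function bannerVisible(state) { return state === 'unset'; }

// Matomo command queue: empty unless the visitor accepted.
function matomoQueue(state, trackerUrl, siteId) {
  if (state !== 'accept') return [];
  return [
    ['setTrackerUrl', trackerUrl + 'matomo.php'],
    ['setSiteId', String(siteId)],
    ['trackPageView'],
    ['enableLinkTracking'],
  ];
}

// Browser wiring: matomo.js is injected only when there is something to send.
function initTracking(doc, win, trackerUrl, siteId) {
  const queue = matomoQueue(consentState(doc.cookie), trackerUrl, siteId);
  if (queue.length === 0) return false;
  win._paq = (win._paq || []).concat(queue);
  const s = doc.createElement('script');
  s.async = true; s.src = trackerUrl + 'matomo.js';
  doc.head.appendChild(s);
  return true;
}
```

In a page, call `initTracking(document, window, trackerUrl, siteId)` on load and again from the "Accept" button handler after writing `consentCookie('accept')` to `document.cookie`.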

I now use only plausible.io, real privacy stats and no need for cookie consent.
And there is a smooth and dead simple integration (hugo theme or hugo module) with hugo.

2 Likes

I ditched Google Analytics several years ago and replaced it with my self-hosted Matomo server (was named Piwik before). With adequate configuration, no need for cookie consent anymore.

And @frjo if privacy is your concern, you can find useful information about setting up matomo.org (vs out of the box plausible.io) here

It is not I who believe a cookie consent function is needed in this case, it is the lawyers. Customer is in USA and they do love their lawyers over there.

For my own sites I have run a self-hosted Matomo instance for many years.

Plausible looks really interesting, simple and very lightweight. Matomo’s script is 22 Kb and that has always bugged me, Plausible’s 1Kb is very tempting. But Node and Docker are not my favourites…

Well, I don’t know what your traffic is, but for all the sites I manage I pay $48/year (10K/month pages) for the paid service.
And they are very convenient because in summer the site for my daughter’s campsite reaches 25K pages/month and they keep me on the basic plan as the yearly average is < 10K pages.

And with my hugo integration, it is trivial to manage on the hugo side, especially if you use it as a module.
It is a really good price for doing nothing on the hosting for such a great product.
My way to support free software (and sponsoring Bep :slight_smile: )
But I understand sometimes you prefer to control your own production environment.

Anyway, have fun with hugo :slight_smile:

I would like to join this religious discussion by adding my two atheist cents:

The GDPR is about tracking IDENTIFIABLE INFORMATION of visitors of your website. So tracking repeated visitors makes you IDENTIFIABLE in sense of “that guy was already here”. (the mildest case of reasons why one would track you, I won’t go into details about other ones here)

The problem is, that politicians are not web developers. So they grasp the issue with their limited minds and put a term on it. That is how we got to “Cookie Banners”. Because back in the old times we just set a cookie and read it when someone visited our websites and said, oh hey, that’s them, they loved orchid part of our website, so let’s show them orchids in the sidebar.

BUT:

As soon as politicians will find out, that you can use Google Analytics with localstorage and without cookies and still find out that you are who you are they will “amend” their laws. That is why lawyers tell you all to add “a cookie banner” to your website and not an info about you tracking their activity on your website.

Lemme repeat: IDENTIFIABLE INFORMATION. That does not mean something along the lines of “hey, it’s @davidsneighbour and he visited this and that page and purchased this and that good” but a more generic “hey, this user was here before and visited this and that page and purchased this and that good”. Which is enough to just show you other products from the categories “that user” visited before.

Visit a porn website and check out the code (type the url, close your eyes, press enter, type Ctrl-Shift-J look at the side where the devtools show up ;), sorry, but porn websites are a treasure trove of “how can I code around privacy rules these days”). They can identify you by the size of your view port, via local storage, via browser history, via browser cache (well not anymore since the latest Firefox version and the next Chrome version). If one wants to track you they will find a way. And THAT is what GDPR is about, the rule that you have to tell your visitors that you don’t care and want to see EVERYTHING.

I am pretty sure, that plausible.io does not use cookies and thus by using terms like cookie consent won’t need any. They still track identifiable information. There is NO way to track “unique” visitors versus “total pageviews” without setting something and tracking that information about multiple page views.

“Politics” will catch up and word these laws better. Until then, if you operate your site in one of the countries that are covered by these laws, you just have to do MORE than is required, because there is always some a**h**e that interprets the laws their way and tries to make money out of it. That’s a hobby of German lawyers for instance. You post a photo of a piece of bread and the next day you have a letter from some lawyer in your mailbox.

RANT OVER.

PS: Saving your visitors request to NOT use cookies in a cookie. Just saying :wink: hihihi.

OK, so atheist complement here :slight_smile: Yeah, I agree on almost everything.

Just on what is “collected” with plausible (source their web site):

  • Generate a random string of letters and numbers that is used to calculate unique visitors on a website and we reset this string once per day.
  • All the data is isolated to a single day only. There is no way to know whether the same person comes back to a site on another day. This means the hash is not an identifier thru days.
  • Do not track people across websites and apps that they visit. All the data is isolated to a single website only
  • Do not share, sell or send your website data (and should be useless because reset everyday)

I guess this enlightens what you call “collecting information”

[EDIT]
PS : This means that using plausible we accept wrong (in a certain way) numbers.
For example the same 100 people, visiting every day for 10 days, will give 1.000 unique visits and not 100.
But at the same time, the plausible script is called way more than the GA one, very often blocked.

1 Like
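The daily reset described in the post above, as an added example that is not part of the thread and not Plausible's code. It assumes the random daily string is used as a salt in a keyed hash over request attributes (site, IP and User-Agent here, which the thread does not state), with HMAC-SHA-256 chosen as the hash; the class and function names are hypothetical.

```javascript
// Added example. Assumption: the visitor id is a keyed hash of request
// attributes under a random salt that is replaced once per day.
const { createHmac, randomBytes } = require('node:crypto');

class DailyVisitorCounter {
  constructor() {
    this.day = null;       // day the current salt belongs to
    this.salt = null;      // random, discarded when the day changes
    this.seen = new Set(); // ids seen today only
    this.total = 0;        // sum of per-day unique visitors
  }

  // New day: new salt, and yesterday's ids are forgotten.
  rotate(day) {
    if (day === this.day) return;
    this.day = day;
    this.salt = randomBytes(32);
    this.seen = new Set();
  }

  visitorId(site, ip, userAgent) {
    return createHmac('sha256', this.salt)
      .update(JSON.stringify([site, ip, userAgent]))
      .digest('hex');
  }

  // Count a page view; returns the (day-scoped) visitor id.
  record(day, site, ip, userAgent) {
    this.rotate(day);
    const id = this.visitorId(site, ip, userAgent);
    if (!this.seen.has(id)) { this.seen.add(id); this.total += 1; }
    return id;
  }
}

// Constructed scenario: the same people come back every day.
function simulate(people, days, viewsPerDay) {
  const counter = new DailyVisitorCounter();
  const firstPersonIds = new Set();
  for (let d = 1; d <= days; d++) {
    for (let p = 0; p < people; p++) {
      for (let v = 0; v < viewsPerDay; v++) {
        const id = counter.record(`day-${d}`, 'example.org', `192.0.2.${p}`, 'UA/1.0');
        if (p === 0) firstPersonIds.add(id);
      }
    }
  }
  // linkable is true only if one person kept the same id on two days.
  return { uniques: counter.total, linkable: firstPersonIds.size < days };
}
```

`simulate(100, 10, 3)` reports 1000 uniques for 100 returning people, while each person's id stays constant within a single day.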

Let me make a “bold claim” and let’s put this topic into our calendars and revisit it in 5 years. “The law” will catch up until then.

Saving my visit for only 24 hours is honorable, but my very criminal mind has some ideas what can be done in 24 hours :smiley:

The law in Germany is even wilder. We have to add to the privacy declarations, that our webserver is (by default) logging times and visited pages for a certain amount of time (serverlogs), even if those definitely don’t track IPs or userids.

There will be a time where you can’t put anything online without it being intrinsic clear that things are logged. Maybe then we can hide this whole legal talk on a page behind a link somewhere. For now I just removed that whole cookie-banner thingie from my site and still track with Google Analytics :wink: If they come for me I will point to ignorance.

I am playing around with using only GA’s noscript-image tag by the way. That is very powerful in itself, but what we (developers?) want to track is basically what devices come, what functionality do they have, how large are the screens. As soon as you cut out the whole where do they come from and what pages did they load thing it might be more in the non-identifiable region. It will still “tick” some people off that would want me to not know what device they use to read my unimportant thoughts of the day.

Internet people are weird.

1 Like

Well … the problem is not what You collect, but what Google/Alphabet collects and sells thru GA.

And that doesn’t look good for your visitors. At all.

PS : So. I take back my “agree on almost everything” from my previous post. :wink:

3 Likes

Hehe, yeah. You are right…

But with the image-only tracking it will track only what I tell it to track. Like screensize, devices and that stuff. You can cut out the whole identifiable tracking because you have to set all parameters yourself:

You are still the one responsible to add a random slug as userid.

This topic has veered away from Hugo-specific discussion, so I am closing.