The opt-in rate of the cookie bar shows how many consents I get. A high opt-in rate is good because it means I get a lot of consents.
If we want to measure it, we need a more precise definition.
Why you need to know the opt-in rate
The most important reason is that I need to know how much I can trust the measured data. There is a significant difference between having 30% of data in GA4 and 70%.
Marketing codes, which are key to the AI algorithms that drive your campaigns, are also linked to the consent given on the cookie bar. The opt-in rate therefore also affects campaign performance.
If you want to work with the cookie bar and optimize it, you will need to know the opt-in rate.
Oh, that definition
However, there is no clear standard definition of opt-in rate. You can find at least 3–4 different definitions online in a matter of moments.
However, it is always a ratio where the numerator is the number of clicks on “I agree to everything.” What the denominator is is not entirely clear. The number of visits? People? Something else?
If you use Google Analytics, you might think of the number of sessions. The problem is that if you don’t get consent on the first page, the number of sessions cannot be calculated correctly – you don’t have consent to create cookies.
You can use the number of people who saw the cookie bar. But here again, you run into the problem of how to determine the number of people when you don’t have consent.
You can look at the reports offered directly by cookie bar tools. For example, in CookieHub, you can use the number of sessions. Note that this is a completely different metric than sessions in GA4! CookieHub (and other cookie bars) considers a session to be the loading of the script that downloads the cookie bar. This is then stored in the browser for 24 hours, after which it is downloaded again. So a visitor can generate only one session per day on the website. Furthermore, it does not distinguish whether a person has already given their consent or not.
You can use the number of cookie bar views.
So what should you choose?
What do I want from the opt-in rate?
First, you need to clarify what you want from the cookie bar. Typically, it is:
To get as many people as possible to click “I agree to everything”
To get people to click on “I agree to everything” as soon as possible – ideally on the first page. Because if you don’t get consent on the first page, you lose key data for marketing.
And these two requirements must be described by the opt-in rate.
How I calculate the opt-in rate
I ended up calculating the opt-in rate as
Opt-in rate = count of “consent with all”⁄count of displays
Examples:
A person clicks “I agree to everything” right on the first page: Opt-in rate = 1⁄1 = 100 %
A person ignores the banner on the first page and gives his/her consent on the second page: Opt-in rate = 1⁄2 = 50 %
There were two people on the website, the first rejected the banner, the second allowed it on the first page: Opt-in rate = 1⁄2 = 50 %
There were two people on the website, both of whom rejected the banner: Opt-in rate = 0⁄2 = 0 %
I use this calculation method because it has two advantages:
The resulting metric meets the requirements—it deteriorates if people do not give their consent. At the same time, it deteriorates if people do not give their consent on the first page.
Measuring the opt-in rate in this way is simple—all you need is the number of clicks and the number of views. You can get both from GA4 connected to BigQuery if you send anonymous pings. A little scripting in GTM is usually enough to set it up.
At the same time, I don’t use the metrics reported by my (otherwise) favorite CookieHub. Because if you examine its exact definition, the results are misleading.
What next?
Check that you are measuring the opt-in rate on your website.
Find out what the definition of the opt-in rate you are measuring is (what you are actually measuring).
And always pay attention to the definition of metrics. Because one opt-in rate can be a completely different metric than another opt-in rate.
A court in Hanover, Germany, has ruled that the use of Google Tag Manager (GTM) violates the GDPR. This decision caught my attention because it does not concern a measurement or marketing platform, but GTM, which is supposed to be an “impartial trigger” for marketing codes.
What exactly was the issue? And what impact will this have on measurement?
The full text of the ruling is available on the Lower Saxony website. I am not a lawyer and I used Google Translate for the translation (I don’t speak German). Please do not take this article as legal advice, but as my view of the situation.
How the website measurement was set up
The exact solution is unknown, but it can be deduced from the defense:
The website used Google Tag Manager, which loaded immediately after the page was launched. GTM was set up to support Consent Mode 2. The default setting for all tags was “denied.”
A functional cookie bar was launched. I am not sure if it met the GDPR’s visual requirements for appearance (presence of all buttons, their size), but that is not the subject of this article.
Marketing and measurement codes were always triggered after consent was given.
I would describe this as the “standard setting” according to Consent Mode 2.0 and Google’s recommendations. This is how most standard websites are set up.
Between the lines…
The ruling includes a relatively extensive argument as to why the current solution is unsatisfactory. Here I have selected a few key points (I have taken the liberty of shortening them and editing them slightly for readability). I have also added my own interpretation.
Judgment: GTM is not a service expressly requested by website users, nor does it provide added value or functionality for the use of the website.
GTM cannot therefore be considered technically necessary for the functionality of the website.
Judgment: …GTM is necessary for economic reasons…, but this does not outweigh the rights of users…
GTM cannot be loaded in the legitimate interest. The question is how the court would assess this if we were not talking about Google’s tag manager, but one from another provider.
Judgment: Google Tag Manager is loaded from the domain www.googletagmanager.com
Whenever you load anything from anywhere on the internet, you always transfer your IP address, cookies, and information about your device. This is part of the technology on which the internet is built, and it cannot be changed. In other words, if you load GTM from the domain www.googletagmanager.com, you are always providing personal data to Google. What’s more, you are sending data outside the EU. And you are doing so even before giving your consent.
Judgment: The plaintiff uses the service for these purposes and claims that Google Tag Manager itself does not set or read cookies, but only the services managed by this tool.
In my opinion, the plaintiff may be right in principle; GTM should not read cookies without consent. However, you cannot see its code and cannot say with certainty whether it actually does so or not. When GTM is loaded, IP addresses, cookies, etc. are definitely transferred.
How to set up GTM
Use Server-Side GTM (SGTM) or Google Tag Gateway? Another tool? What is the right way to do it?
Unfortunately, the ruling does not specify this.
Simply inserting GTM is not GDPR compliant, regardless of whether you have Consent Mode 2.0 set up or not.
Let’s take a look at other options.
Google Tag Manager
We know that GTM is not technically necessary. We need a technical solution that will respect consent (first solution) or defend it as a legitimate interest (others).
You have several options for working with GTM:
Load GTM from the www.googletagmanager.com domain only after consent has been given. Block the script completely before consent is given. Some cookie bars allow this themselves. Or a programmer would have to help you with this. We respect the user’s consent to measurement. OK for me.
Use of Google Tag Gateway (GTG): GTG was created as a project by Google and Cloudflare. Technically, requests go from the browser through Cloudflare, where they are redirected to the Google endpoint. However, I have not found anywhere that Cloudflare removes the original IP address, cookies, etc. In the event of a dispute, I think this is rather indefensible, i.e., for me, rather NO.
Using SGTM on Google Cloud: If you host SGTM on Google Cloud Run, user data still goes to Google’s servers when GTM is loaded, even if it is your paid service. I’m not sure how the law would view this, but for me, it’s more of a NO.
Using SGTM hosted outside the Google ecosystem: Here, I assume that you are able to wrap SGTM with a firewall and have control over exactly what you send where. For me, it’s more of an OK.
Use a proxy for GTM (or SGTM) and GTAG: You can create your own “box” through which the request will flow, clean it up, and then pass the data on. OK with me.
Use an alternative to GTM on your own hosting: There are several alternatives to GTM, such as european-alternatives.eu or omr.com. If I use an alternative tool, ideally on my own hosting, I believe this may be in my legitimate interest. OK with me.
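The first option in the list above (no request to www.googletagmanager.com until the visitor has agreed) can be sketched as follows. This is an added example, not code from the ruling, from Google, or from any cookie bar vendor; GTM-XXXXXXX is a placeholder container ID, and the `{analytics, marketing}` shape of the choice and the `cookieBar` API in the closing comment are assumptions.

```javascript
'use strict';

// Added example, not from the original article. GTM-XXXXXXX is a placeholder
// container ID; the shape of `choice` ({analytics, marketing}) is an assumption
// about what your cookie bar reports.
const GTM_SRC = 'https://www.googletagmanager.com/gtm.js';

function createGtmLoader(doc, win, containerId) {
  if (!/^GTM-[A-Z0-9]+$/.test(containerId)) {
    throw new Error('unexpected container id: ' + containerId);
  }
  let injected = false;
  win.dataLayer = win.dataLayer || [];
  // Same shape as Google's gtag(): pushes the arguments object onto dataLayer.
  function gtag() { win.dataLayer.push(arguments); }

  // Stays in the local dataLayer array; no request is made at this point.
  gtag('consent', 'default', {
    ad_storage: 'denied', analytics_storage: 'denied',
    ad_user_data: 'denied', ad_personalization: 'denied',
  });

  function toConsentState(choice) {
    const a = choice.analytics === true ? 'granted' : 'denied';
    const m = choice.marketing === true ? 'granted' : 'denied';
    return { analytics_storage: a, ad_storage: m, ad_user_data: m, ad_personalization: m };
  }

  function inject() {
    injected = true;
    win.dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' });
    const s = doc.createElement('script');
    s.async = true;
    s.src = GTM_SRC + '?id=' + encodeURIComponent(containerId);
    doc.head.appendChild(s); // first contact with www.googletagmanager.com
  }

  return {
    // Call on every cookie-bar decision. Returns true once GTM is on the page.
    onConsent(choice) {
      const state = toConsentState(choice || {});
      const anyGranted = Object.values(state).includes('granted');
      if (!injected && !anyGranted) return false; // rejected: GTM never loads
      gtag('consent', 'update', state);           // queued before gtm.js runs
      if (!injected) inject();
      return true;
    },
    isLoaded: () => injected,
  };
}

// In the page (cookieBar is a hypothetical consent-tool API):
//   const loader = createGtmLoader(document, window, 'GTM-XXXXXXX');
//   cookieBar.onChange((choice) => loader.onConsent(choice));
```

If consent is withdrawn after GTM has loaded, the loader pushes a "denied" update but cannot unload the script; a page reload is needed for that.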
Google Analytics 4 and Google Ads
Without consent, GA4 and GAds send “anonymous pings” to Google servers in Consent Mode 2.0 by default. They do not place cookies. However, as mentioned above, whenever you send anything over the internet, the user’s IP address and other cookies valid for that domain are always transferred. As a result, anonymous pings are not anonymous.
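What "cleaning up" a request in your own proxy (the "box" option above) means for the IP address and cookies discussed here, as an added example that is not part of the original article. The path, query and header allow-lists are assumptions to adapt, GTM-XXXXXXX is a placeholder, and the sample request in the test data is constructed.

```javascript
'use strict';

// Added example, not from the original article. Path and header allow-lists
// are assumptions to adapt; GTM-XXXXXXX is a placeholder container ID.
const UPSTREAM_ORIGIN = 'https://www.googletagmanager.com';
const ALLOWED_PATHS = new Set(['/gtm.js', '/gtag/js']);
const ALLOWED_QUERY = ['id', 'l'];           // container/tag ID, dataLayer name
const FORWARD_REQ_HEADERS = new Set(['accept', 'accept-encoding']);
const FORWARD_RES_HEADERS = new Set(
  ['content-type', 'content-encoding', 'cache-control', 'etag', 'last-modified']);

function pickHeaders(headers, allowed) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    const key = name.toLowerCase();
    if (allowed.has(key)) out[key] = value;
  }
  return out;
}

// For the proxy's own access log only: zero the last IPv4 octet, drop anything else.
function truncateIpForLog(ip) {
  const m = /^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$/.exec(ip || '');
  return m ? m[1] + '.0' : null;
}

// Returns the request to send upstream, or null if the proxy should answer 404.
function buildUpstreamRequest(req) {
  const url = new URL(req.url, 'http://proxy.invalid');
  if (req.method !== 'GET' || !ALLOWED_PATHS.has(url.pathname)) return null;

  const query = new URLSearchParams();
  for (const key of ALLOWED_QUERY) {
    const value = url.searchParams.get(key);
    if (value !== null) query.set(key, value);
  }
  return {
    method: 'GET',
    url: UPSTREAM_ORIGIN + url.pathname + '?' + query.toString(),
    // Cookie, Referer, User-Agent, X-Forwarded-For etc. are not on the allow-list,
    // and the proxy adds no forwarding header, so upstream sees only the proxy's IP.
    headers: pickHeaders(req.headers, FORWARD_REQ_HEADERS),
    logIp: truncateIpForLog(req.remoteAddress),
  };
}

// Upstream Set-Cookie (and anything else not listed) never reaches the browser.
function filterUpstreamResponseHeaders(headers) {
  return pickHeaders(headers, FORWARD_RES_HEADERS);
}
```

The functions are transport-agnostic: wire them into whatever HTTP server and client the proxy uses, and check that the client library does not add forwarding headers of its own.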
What to do next
Google Tag Manager is not technically necessary for a website. And with the default settings, you won’t be able to play it off as a legitimate interest either.
If you are a web analyst, keep in mind that Consent Mode 2.0 is no guarantee that everything is in order. And if you rely solely on this setting, then it may be time to rethink your approach. Especially if you manage measurements in Germany.
If you are a website owner, check how exactly you have your measurements set up. Can you really defend the configuration if you receive a letter from the authorities?
Have you heard of Google Tag Manager (GTM) measurement, which runs on a server? And did you know that it is the ideal way to speed up your website loading, increase your users’ privacy, or improve attribution evaluation for your marketing campaigns? Join us to find out what server-side measurement is good for and how it differs from classic measurement.
How standard measurement works
Most websites today use Google Tag Manager (GTM) to manage measurement. The GTM code is inserted into the HTML of the website, and when a user visits the website, the following happens:
The client browser (i.e., the website visitor’s browser) downloads the GTM code.
The browser processes the GTM code and runs other measurement codes from individual platforms (Facebook, Sklik, etc.) to which you want to send data from the website.
Most of the measurement codes launched this way download their own JavaScript code, which then finds and processes the data it needs and sends it to its platform.
Some measurement codes also wait for user actions on the website (such as downloading a file, scrolling, submitting a form) and then trigger further measurements.
As mentioned above, all of this runs in the client browser, which puts a relatively heavy load on it. Even basic measurement codes on websites are at least 20 KB per platform, but Facebook, for example, downloads as much as 130 KB of data when loading a website.
Processing takes some time, and sending increases the amount of data used by the page. This is a problem for many reasons – it slows down the loading of the website (especially on slower devices or mobile phones, the slowdown can be significant), it increases the volume of downloaded data (users with mobile phones with limited monthly data allowances will not thank you for this), it worsens your search ranking (speed is one of the key attributes for SEO), and measurement scripts have access to all information on the website and can theoretically do anything with it (even if it is personal data).
What is server-side measurement?
As the name suggests, server-side measurement is a way of using GTM where GTM is not part of the HTML page and does not run in the user’s browser. Instead, it runs on a server, such as Google Cloud. It is only on this server that the individual measurement codes are run.
The standard GTM remains in the client browser, which sends data to the server-side GTM. Only then does it handle sending data to platforms such as Google Analytics, Facebook, etc.
To run server-side GTM, you always need a machine—either your own or one in the cloud. And you need to adjust your measurement settings.
In addition to not forcing the user’s browser to download and send a lot of data, there are a number of other advantages that might interest you. Let’s take a closer look at them.
What are the advantages of server-side GTM?
Speed
Speed is generally very important for websites. Google has been mentioning it for years as one of the factors that influence a website’s position in search results. Fewer measurement codes on a page means higher speed and thus better search rankings and more visitors. By the way, try testing how much time it takes to process measurement scripts on your website using PageSpeed Insights – look for information about third-party code:
Example of how much time it takes to start loading measurement codes on the Alza.cz website
Data protection
If you enter sensitive data on a page (e.g., phone number, address, etc.), third-party scripts (Facebook, Sklik, etc.) embedded in standard GTM may have access to it. On the other hand, when measuring in server-side GTM, you can be sure that they will not access any data other than what you explicitly provide them with. This is because individual platforms only communicate with GTM on the server and cannot access the “raw” data collected by GTM in the client browser.
And by the way, whether we like it or not, platforms always see at least the user’s IP address. If you use server-side GTM, platforms cannot access it unless you provide it to them.
Reasonably set Content Security Policy
Your website can use Content Security Policy (CSP) security settings. This typically applies to websites that work with sensitive or personal data. This setting tells the browser which domains (Facebook, Google Analytics, Sklik, etc.) it can download and run scripts from. And you have to list them all here. Can you see the problem? If you use multiple platforms, your CSP settings might look like this:
And if you happen to forget to update something, oops…
In such cases, managing all domains is complicated, and it is easy to forget to add or remove something. By using GTM on the server, the list of domains is shortened, saving you some of the hassle.
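One way to catch the "forgot to add or remove something" case is to compare the hosts a policy allows with the hosts the tags currently in use need. The following is an added example, not from the original article; both policies and the host lists are constructed samples, and sgtm.example.com stands in for your own server-side endpoint.

```javascript
'use strict';

// Added example, not from the original article. Both policies are constructed.
const CLIENT_SIDE_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://www.googletagmanager.com https://connect.facebook.net " +
  "https://static.hotjar.com; " +
  "connect-src 'self' https://www.google-analytics.com https://www.facebook.com";
const SERVER_SIDE_CSP =
  "default-src 'self'; script-src 'self' https://www.googletagmanager.com; " +
  "connect-src 'self' https://sgtm.example.com";

// Directive name -> list of source expressions. A repeated directive is ignored,
// as in the CSP specification (the first occurrence wins).
function parseCsp(policy) {
  const out = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!out.has(name)) out.set(name, tokens.slice(1));
  }
  return out;
}

// Host part of a host-source; null for keywords ('self', nonces) and bare schemes.
function hostOf(source) {
  if (source.startsWith("'") || source === '*' || /^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return null;
  }
  return source
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, '')  // scheme
    .replace(/\/.*$/, '')                     // path
    .replace(/:(\d+|\*)$/, '')                // port
    .toLowerCase();
}

// "*.example.com" covers subdomains only, not example.com itself.
function covers(pattern, host) {
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// stale: allowed by the policy but needed by no tag; missing: needed but not allowed.
function auditCsp(policy, directive, neededHosts) {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) || directives.get('default-src') || [];
  const allowed = sources.map(hostOf).filter((h) => h !== null);
  const needed = neededHosts.map((h) => h.toLowerCase());
  return {
    stale: allowed.filter((p) => !needed.some((h) => covers(p, h))),
    missing: needed.filter((h) => !allowed.some((p) => covers(p, h))),
  };
}
```

Run it in CI against the list of hosts your tag inventory needs, so a stale or missing entry fails the build instead of surfacing in production.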
Security
If you deploy a script on your website, it can do a lot of things to your website. Including unpleasant things such as changing the content of the website, redirecting it to another website, or sending sensitive data from the website to China. This can happen by mistake or through negligence. And believe us, we’ve seen plenty of similar things. This cannot happen with server-side GTM because the codes are on the server and cannot reach the user’s browser at all.
Data validation or enrichment
If you want to validate and correct data in some way, you have extended options in server-side GTM. This is also a suitable solution if you want to enrich data, e.g., with margins on specific products. Typically, you do not want to send this to platforms from client-side GTM, where anyone can access such information.
Data retention for attribution evaluation
If you are a marketer dealing with attribution over a longer period of time, switching to server side may be an advantage for you. Some browsers (Safari or Firefox) typically aggressively delete cookies that are not httpOnly (i.e., it is clear that they are intended for marketing purposes and not for the technical functioning of the website) after 1 or 7 days. On the server side, you store such cookies yourself, so you don’t have to worry about losing data from customers using stricter browsers.
100% data measurement
If you wish, you can send data to server-side GTM directly from the server rather than from the client browser (see image below). This allows you to access virtually all data.
Please note, however, that when processing personal data, you must still comply with GDPR and respect the user’s wish not to be measured. In other words, it is not appropriate to bypass user consent by downloading data directly from the web server.
Why not server-side GTM?
Of course, there are also disadvantages to using server-side measurement.
Price – as mentioned above, in order to run server-side GTM, you always need a machine – either your own or in the cloud. Both approaches cost money. With Google Cloud, for example, the price will most often range from free (for small websites) to $1,000 per month (for websites with tens of thousands of visits per day). On top of that, you have to add the costs of commissioning and more complex measurement adjustments, which require a programmer or analyst.
It does not work for all platforms – not all platforms currently support server-side measurement; some, such as Sklik, still require browser execution. Among frequently used platforms, server-side measurement is supported by Google Analytics, Facebook, Mailchimp, and several others. So you often end up in a situation where only part of the code is in the server container, while the rest remains in classic GTM. However, even just part of the measurement running on the server side may make sense for you – consult with your analyst.
We assume that in the future, support among platforms will grow and server-side will make more and more sense.
Does this make sense to me?
Not sure whether this is for you? We think it definitely is if:
You send data to a large number of platforms (most often different GA accounts), which slows down your website.
You need to work with extremely sensitive data (e.g., social security number, ID card number, etc.) and want to protect it.
Many of your visitors use Safari or Firefox, which complicates long-term attribution.
You need to operate with product margins in your evaluations.
You need server measurement codes (typically for affiliate platforms), but you don’t want to bother programmers with it all the time.
Do you see yourself in some of these cases, but you’re still not sure if a server-side solution is right for you?
Let us know! We will discuss the pros and cons in your case with you, and if it makes sense, we will be happy to help you set up server-side measurement.
The Chamber of Deputies has passed an amendment to the Electronic Communications Act. This brings fundamental changes to the use of cookies on websites. Although the law is still awaiting the president’s signature, it is likely to come into force on January 1, 2022. What does this mean and what needs to be done before then?
What exactly is changing?
Until now, the Electronic Communications Act has applied the opt-out principle, which means that when a user visits your website, you notify them that you use cookies, but you start using them immediately after they arrive on the website. Typically, this takes the form of a banner stating “This website uses cookies. By using this website, you agree to this practice.”
Users will now be required to give their explicit consent to the use of cookies, e.g., by clicking on the “I agree” button, etc. Only then can cookies and other similar technologies be used. This is how the idnes.cz server handles consent:
Notes:
The law also applies to similar technologies, such as browser storage, etc. It is therefore not possible to simply replace cookies with another technology that stores data on the user’s computer.
The law does not apply to technically necessary cookies, such as those required for logging into a service or saving an e-shop shopping cart.
What does this mean in practice?
Cookies are used by many tools on the web. These include, for example:
measurement tools – Google Analytics, Hotjar, Smartlook, etc.,
remarketing platforms – Google Ads, FB pixel, Sklik Remarketing, etc.,
conversion codes – Google Ads, FB pixel, Sklik Remarketing, etc.,
videos embedded in websites – YouTube, Vimeo, etc.,
social media buttons for sharing or commenting – FB like box, etc.,
and more.
All these platforms and tools will need to be modified so that they do not use cookies without users’ consent. If you manage a website or e-shop, you will almost certainly have a lot of work ahead of you.
However, in addition to the technical adjustments themselves, the change will have other consequences. Some users will not give you their consent to use cookies (and you can assume that this will be more than 50%, which will have further consequences), and some of these consequences can already be predicted:
Drastic reduction in the performance of remarketing and RTB campaigns – you will not be able to target remarketing ads to users who have not given their explicit consent. In practice, this could be half of all users in the best-case scenario. Operators are trying to work around this, e.g., Adform has introduced the concept of First-Party ID.
Inaccurate data in Google Analytics – even without cookies, you can run Google Analytics code, but users without consent will appear as single-page visits (bounces). Each additional page will be considered a new visit and a new user. It will therefore be quite difficult to evaluate conversion measurements even within sessions, and multifunnel will be almost impossible.
The end of campaign evaluation in marketing platform interfaces – the number of conversions recorded in conversion codes (Google Ads, Sklik, Heureka, Zboží, etc.) will be significantly distorted. Data for campaign optimization will be difficult to use in platforms.
Impact on affiliate platforms and their partners – they use cookies to credit the commission to the partner who brought in the conversion. So, in the best case scenario, partners should lose 50% of credited conversions. We expect them to switch to a different method of crediting conversions, such as using discount codes.
The problem with campaign evaluation
Google Analytics will have a problem with data in terms of how conversions from individual sources will be evaluated. Let’s imagine a situation where a user comes to the website from Google/CPC, browses through four pages, and makes a purchase on the website. This may now look something like this:
Now (with cookies), we can see in GA where the user came from and how much they spent during that visit. But what will happen during the consent period? Let’s take two examples:
User does not give consent
In the same case where we display a cookie bar on the home page to the user, but the user clicks “I do not agree”:
Google Analytics sends pings to the server, which carry information about whether consent has been given or not. If I don’t receive cookies, the entire session will not appear in Google Analytics.
The user gives consent on the second page
Okay, but what happens if the user agrees, but not immediately on the first page?
In such cases, we still lose information about the original source. Consent must therefore be obtained as soon as possible. If the user does not give consent on the first page, this will have a significant impact on campaign evaluation.
Google Analytics 4 can partially fill in the gaps in the data—for conversion tracking, it can assign some conversions to their sources based on conversion modeling estimates. Data on visitor behavior (which pages they viewed, website flow, etc.) will be missing. In Universal Analytics, all data will be missing.
What needs to be done?
There are several basic steps you need to take:
Mapping – you need to write down what tools you actually use and how these tools use cookies. You also need to write down the internal processes that use these tools and describe how the changes will affect them.
Deploying a consent management tool – you can choose one of the existing (mostly paid) tools or create your own.
Technical modification of measurement and marketing platforms – you will need to modify the launch of marketing platforms so that they respect user consent. If you use Google Tag Manager, this will be easier for you. If not, we recommend you start doing so.
Technical modification of the website – typically, this involves videos embedded on your website, Facebook and other sharing buttons, etc., which are embedded directly into the website by your programmers. They will need to stop doing this. For example, instead of a video, they could display a static image and only load the video after the user clicks on it.
Process modification – do you optimize campaigns? Do you generate reports from Google Analytics? Think about how you will do this in the future.
Paperwork – we recommend taking this opportunity to review whether you have contracts with entities that process your data (or have access to it).
Don’t wait!
The regulation comes into effect on January 1, 2022, and setting up cookie bars is not a matter of a few minutes’ work. It will also take you some time to experiment and test how the data collected in the new way will look and which cookie bar formats bring you the highest opt-in rate. Get started as soon as possible!