Sitecore Global Analytics Cookie and Cookie Consent
There are a number of great cookie consent plugins/platforms available, and most include an automated cookie blocking feature. This feature typically blocks any front-end script files that create cookies that have not been classified as necessary or essential.
The Sitecore Experience Platform uses the SC_ANALYTICS_GLOBAL_COOKIE cookie to track visitors' usage of the site and to drive personalisation and marketing features. It should therefore not be considered necessary by ICO standards and should not be set without the visitor's consent, specifically consent to the "statistics" category.
This cookie is created by server-side code, which automatic cookie blocking features are unable to restrict or block, so we need to do a little more work!
Luckily, cookie consent platforms themselves use a cookie to store a user's consent options, and it is sent with every request. Using some custom code, we can interrogate that cookie to determine whether SC_ANALYTICS_GLOBAL_COOKIE, or any other cookie, should be allowed.
Let's use the Cookiebot consent platform as an example. The visitor's consent options are stored in the CookieConsent cookie using the following JSON format:
{necessary:true,preferences:true,statistics:true,marketing:true}
The Sitecore Global Analytics cookie is created by the Sitecore.Analytics.Pipelines.StartAnalytics.CreateTracker processor in the startAnalytics pipeline, so we need to insert our custom processor just before it. This is achieved with a patch file similar to the one below:
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <startAnalytics>
        <processor type="MyNamespace.CustomProcessor"
                   patch:before="processor[@type='Sitecore.Analytics.Pipelines.StartAnalytics.CreateTracker, Sitecore.Analytics']"
                   resolve="true"/>
      </startAnalytics>
    </pipelines>
  </sitecore>
</configuration>
The processor then interrogates the visitor's consent options in order to decide whether the tracking cookie should be allowed, for example:
if (!IsCookieAllowed())
{
    // Consent has not been given: if the cookie already exists, set it to be expired
    if (HttpContext.Current.Request.Cookies["SC_ANALYTICS_GLOBAL_COOKIE"] != null)
    {
        var myCookie = new HttpCookie("SC_ANALYTICS_GLOBAL_COOKIE");
        myCookie.Expires = DateTime.Now.AddDays(-1d);
        HttpContext.Current.Response.Cookies.Add(myCookie);
    }
    // Stop the pipeline so that CreateTracker does not run for this request
    args.AbortPipeline();
}
It should be noted that, by aborting the tracker pipeline, several Sitecore features will no longer work for this visitor, for example personalisation, device detection and any feature that uses the XConnect services.
The IsCookieAllowed() function above will vary by consent platform. Using Cookiebot as an example, the code would look like this:
using System.Web;
using System.Web.Script.Serialization;
...
bool IsCookieAllowed()
{
    // A pipeline processor has no Request property, so go through HttpContext.Current
    HttpCookie CurrentUserConsent = HttpContext.Current.Request.Cookies["CookieConsent"];
    if (CurrentUserConsent != null)
    {
        switch (CurrentUserConsent.Value)
        {
            case "-1":
                //The user is not within a region that requires consent - all cookies are accepted
                return true;
            default: //The user has given their consent
                //Read current user consent in encoded JavaScript format
                JavaScriptSerializer CookieConsentSerializer = new JavaScriptSerializer();
                dynamic CookieConsent = CookieConsentSerializer.Deserialize<object>(HttpUtility.UrlDecode(CurrentUserConsent.Value));
                if (CookieConsent["statistics"])
                {
                    //Current user accepts statistics cookies
                    return true;
                }
                else
                {
                    //Current user does NOT accept statistics cookies
                    return false;
                }
        }
    }
    else
    {
        //The user has not accepted cookies - strictly necessary cookies only
        return false;
    }
}
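The two fragments above combined into one processor class, as an added example that is not the original post's code: it treats the client-supplied CookieConsent value as untrusted and denies tracking whenever the value is missing, malformed or lacks a boolean "statistics" entry. The Process(PipelineArgs) signature is assumed from Sitecore's usual processor convention, the class name is taken from the patch file, and StatisticsAllowed is a hypothetical helper name.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Script.Serialization;
using Sitecore.Pipelines;

namespace MyNamespace
{
    // Added example: registered by the patch file so that it runs before CreateTracker.
    public class CustomProcessor
    {
        private const string TrackingCookie = "SC_ANALYTICS_GLOBAL_COOKIE";

        // Assumed signature: Sitecore invokes Process(args) on each pipeline processor.
        public void Process(PipelineArgs args)
        {
            HttpContext context = HttpContext.Current;
            if (context == null) return; // no HTTP request to inspect
            HttpCookie consent = context.Request.Cookies["CookieConsent"];
            if (StatisticsAllowed(consent?.Value)) return; // consent given: let CreateTracker run

            // No consent: expire any tracking cookie set earlier, then stop the pipeline.
            if (context.Request.Cookies[TrackingCookie] != null)
            {
                context.Response.Cookies.Add(
                    new HttpCookie(TrackingCookie) { Expires = DateTime.UtcNow.AddDays(-1) });
            }
            args.AbortPipeline();
        }

        // The cookie value comes from the browser, so anything unparseable means "no consent".
        internal static bool StatisticsAllowed(string rawValue)
        {
            if (string.IsNullOrEmpty(rawValue)) return false;
            if (rawValue == "-1") return true; // Cookiebot: region does not require consent
            try
            {
                var parsed = new JavaScriptSerializer()
                    .Deserialize<Dictionary<string, object>>(HttpUtility.UrlDecode(rawValue));
                object value;
                return parsed != null
                    && parsed.TryGetValue("statistics", out value)
                    && value is bool && (bool)value;
            }
            catch (Exception) { return false; } // malformed JSON or unexpected shape
        }
    }
}
```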
For more information regarding handling server side cookies with Cookiebot see the developer guidance.
Feel free to get in touch if you would like help with your cookie consent implementation.