GDPR implementation options

  • Optimizely Web Experimentation
  • Optimizely Personalization

Optimizely Experimentation provides several options that you can use to support different General Data Protection Regulation (GDPR) implementations in your Optimizely Web Experimentation or Optimizely Personalization projects. 

Disclaimer

This document is for informational purposes only and does not constitute legal advice. Readers should seek legal advice before taking action concerning the matters discussed herein.

You must use explicit consent for first- and third-party marketing cookies. These methods apply to, and work well in, the following EU countries:

  • Austria
  • Belgium
  • Czech Republic
  • Denmark
  • Finland
  • France
  • Germany
  • Ireland
  • Italy
  • Lithuania
  • Luxembourg
  • Portugal
  • Sweden
  • Switzerland

They may not apply to other EU countries, which do not require explicit consent for first-party cookies:

  • Spain
  • The Netherlands
  • Norway
  • Poland
  • Bulgaria
  • Croatia
  • Latvia
  • Romania
  • Global

Option 1: Disable Optimizely by default 

Disable Optimizely from running automatically by calling the optOut API or executing Optimizely's disable API call.

Use the optOut API

Use the optOut API to opt a visitor out of Optimizely tracking by disabling Optimizely Web Experimentation or Optimizely Personalization. You must execute the API call before the Optimizely snippet runs to stop Optimizely Experimentation or Optimizely Personalization from executing on the first page load.

  1. Add the following code above the Optimizely snippet to set the optimizelyOptOut cookie or use the optOut API. A common implementation for the opt-out API option is to set the cookie optimizelyOptOut through a consent manager.
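    // Return the value of the named cookie, or undefined if it is not set.
    // The pattern is anchored so that "noconsent" is not read as "consent".
    function getCookie(name){
      var match = document.cookie.match('(?:^|;\\s*)' + name + '=([^;]*)');
      return match ? match[1] : undefined;
    }
    // No consent recorded yet: opt the visitor out before the snippet runs.
    if (!getCookie('consent')) {
      // Create the queue first; the snippet has not defined it yet.
      window.optimizely = window.optimizely || [];
      window.optimizely.push({
        "type": "optOut",
        "isOptOut": true
      });
    }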
  2. Load the Optimizely snippet as normal.
    • Optimizely immediately checks for the optimizelyOptOut cookie. If the cookie:
      • Is true – Optimizely does not execute further JavaScript.
      • Is false – Optimizely executes the rest of the JavaScript and deletes the optimizelyOptOut cookie.
      • Does not exist – Optimizely executes the rest of the JavaScript.
  3. Implement code so that when a visitor consents, there is something your optOut logic can read from (cookie, local storage value, JavaScript variable, and so on) to know whether the visitor consented and execute the optOut API accordingly.
  4. Implement code to toggle the cookie from true to false (using JavaScript) or delete it (using JavaScript) when a user gives explicit consent.

Users see the control variation (the original content) until they consent.

For Optimizely Experimentation or Optimizely Personalization to start working, when explicit consent is given, you must:

  • Reload the page programmatically.
  • Wait until the visitor reloads the page.
  • Wait until the visitor goes to another page.

This option does not let you test on the first page viewed or the landing page when the user has not given explicit consent.
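The four steps above as one script, as an added example that is not Optimizely's own code. It assumes the consent cookie is named consent (as in the snippet above) with a one-year lifetime, and that the optimizelyOptOut cookie was set with Path=/; onConsentAccepted is a hypothetical hook name.

```javascript
// Added example, not Optimizely's code. Assumptions: consent cookie named
// "consent" (as on this page), one-year lifetime, cookies set with Path=/.
var CONSENT_MAX_AGE = 60 * 60 * 24 * 365; // assumed; set per your policy

// Parse a document.cookie string into a map so names are matched exactly
// ("noconsent=1" must not be read as "consent").
function parseCookies(cookieString) {
  var jar = {};
  (cookieString || '').split(';').forEach(function (pair) {
    var eq = pair.indexOf('=');
    if (eq > 0) jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  });
  return jar;
}

// Step 1: commands to push before the snippet loads. Without a consent
// cookie the visitor is opted out; with one, nothing is pushed.
function preSnippetCommands(cookieString) {
  return parseCookies(cookieString).consent
    ? []
    : [{ type: 'optOut', isOptOut: true }];
}

// Steps 3-4: cookie writes for the moment the visitor accepts. The delete
// only works if Path and Domain match how optimizelyOptOut was set, so pass
// the domain if that cookie is not host-only.
function consentGrantedCookies(isHttps, domain) {
  var attrs = '; Path=/; SameSite=Lax' + (isHttps ? '; Secure' : '') +
    (domain ? '; Domain=' + domain : '');
  return [
    'consent=1; Max-Age=' + CONSENT_MAX_AGE + attrs,
    'optimizelyOptOut=; Max-Age=0' + attrs
  ];
}

// Browser wiring (skipped outside a browser). Place above the snippet.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.optimizely = window.optimizely || [];
  preSnippetCommands(document.cookie).forEach(function (cmd) {
    window.optimizely.push(cmd);
  });
  // Hypothetical hook name: call it from the consent banner's accept button.
  window.onConsentAccepted = function () {
    consentGrantedCookies(window.location.protocol === 'https:')
      .forEach(function (c) { document.cookie = c; });
    window.location.reload(); // Optimizely runs on the reloaded page
  };
}
```

If optimizelyOptOut is still present after the reload, compare its Domain and Path in the browser's developer tools with the attributes used in the delete.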

Use the disable API call

Use the disable API call before the Optimizely snippet runs to instruct Optimizely Experimentation or Optimizely Personalization to not execute and not track a site visitor when the snippet begins execution. The disable API call can stop the Optimizely snippet from running only if placed above the snippet like the preceding optOut API call or within the project's Project JavaScript.

Add the following code, which checks whether the visitor consented, above the Optimizely snippet or within the project's Project JavaScript:

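// Return the value of the named cookie, or undefined if it is not set.
// The pattern is anchored so that "noconsent" is not read as "consent".
function getCookie(name){
  var match = document.cookie.match('(?:^|;\\s*)' + name + '=([^;]*)');
  return match ? match[1] : undefined;
}

// No consent recorded yet: tell the snippet not to execute or track.
if (!getCookie('consent')) {
  window.optimizely = window.optimizely || [];
  window.optimizely.push({
    "type": "disable"
  });
}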

The code must execute before the Optimizely Experimentation snippet or within the Optimizely project's Project JavaScript so that the disable API call does not execute if the visitor consents. If the visitor has not consented, execute the disable API call. Implement code so that when a visitor consents, there is something your disable logic can read from (for example, cookie, local storage value, JavaScript variable, and so on) to know that the visitor consented.

Users see the control variation (the original content) until they consent. For Optimizely Experimentation or Optimizely Personalization to start working, when explicit consent is given, you must:

  • Reload the page programmatically.
  • Wait until the visitor reloads the page.
  • Wait until the visitor goes to another page.

This option does not let you test on the first page viewed or the landing page when the user has not given explicit consent.

If the user has not given explicit consent, you can disable Optimizely and show a full page covering the original page. On this page, consent options are shown to the visitor for analytical tools that require consent, including Optimizely.

When the visitor consents, the page is reloaded, and the page displaying possible consent options is hidden and not shown again. Tools that the visitor has authorized should start working normally. An example page can be seen in Option 4: Use a tag manager.

Option 2: Do not automatically execute the Optimizely snippet 

Contact Optimizely Support to implement a change to your Optimizely snippet that causes Optimizely Experimentation or Optimizely Personalization to not run until the activate API call is executed.

After Support makes the change, implement logic that only lets the activate API call execute:

  • When the visitor has already consented upon page load.
  • (Optional) When the visitor consents.

Example activate API call:

// Start the snippet, which stays idle until this call is made.
window.optimizely = window.optimizely || [];
window.optimizely.push({
  "type": "activate"
});

Executing the activate API call when the visitor consents can cause flickering if the visitor is added to a variation with visible changes.

Option 3: Load Optimizely but hold sending events 

Use the holdEvents and sendEvents APIs for granular control over when the Optimizely snippet sends events to the logging endpoint. If you execute the holdEvents API before the Optimizely snippet loads, either above the snippet or within the project's Project JavaScript, the snippet will:

  1. Bucket a visitor into the experiment (so they see the variation changes).
  2. Set an optimizelyEndUserId cookie on the visitor (if the project is not using Bring your own visitor ID (BYOID)).
  3. Hold all events from being sent to Optimizely until the sendEvents API is called, which can be coded to execute when explicit consent is granted. If explicit consent is not granted, those events will never be sent.
    • Events would still be collected and enqueued in the visitor's local storage of their browser before explicit consent is granted, but they will not be sent. Events are sent after explicit consent is granted, and the sendEvents API is called (including those with timestamps before consent is granted).
      Because queued events from using the holdEvents API are held in local storage, you should implement logic to erase Optimizely’s local storage object at the beginning of a session or earlier if a visitor has not consented yet. The browser's local storage space can become full if too many queued events are stored in local storage.

The benefit of this option is that users see the variation changes immediately without any tracking events being sent to Optimizely before consent. The downside is that this option may not meet your privacy requirements or legal interpretations of GDPR.
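One way to wire the hold, release and clean-up described above, as an added example that is not Optimizely's own code. The storage key prefix, window.visitorConsented and the sessionStorage marker are assumptions; confirm the real local storage key names in your browser before using the purge.

```javascript
// Added example, not Optimizely's code. STORAGE_PREFIX is an assumption:
// confirm the real key names in your browser's dev tools before using it.
var STORAGE_PREFIX = 'optimizely_data';

// Remove Optimizely's local-storage entries, held events included.
// Returns the number of keys removed.
function purgeHeldEvents(storage, prefix) {
  var doomed = [];
  for (var i = 0; i < storage.length; i++) {
    var key = storage.key(i);
    if (key !== null && key.indexOf(prefix) === 0) doomed.push(key);
  }
  // Collect first, then delete: removing while iterating shifts the indexes.
  doomed.forEach(function (key) { storage.removeItem(key); });
  return doomed.length;
}

// Run above the snippet. Without consent, drop events left over from an
// earlier session and tell the snippet to hold whatever it records now.
function beforeSnippet(queue, storage, consented, newSession) {
  if (consented) return 'send';
  if (newSession) purgeHeldEvents(storage, STORAGE_PREFIX);
  queue.push({ type: 'holdEvents' });
  return 'hold';
}

// Run from the consent banner's accept handler: release the held events.
function onConsent(queue) {
  queue.push({ type: 'sendEvents' });
}

// Browser wiring (skipped outside a browser). window.visitorConsented and
// the sessionStorage key are hypothetical names for your own consent state.
if (typeof window !== 'undefined' && window.localStorage) {
  window.optimizely = window.optimizely || [];
  var firstPage = !window.sessionStorage.getItem('consentGateSeen');
  window.sessionStorage.setItem('consentGateSeen', '1');
  beforeSnippet(window.optimizely, window.localStorage,
    window.visitorConsented === true, firstPage);
}
```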

Option 4: Use a tag manager

Use a tag manager or a consent manager on your site. You can use conditional logic in the tag or consent manager to load the Optimizely snippet only if a visitor consents.

  • Users see the control variation (the original content) until they consent.
  • For Optimizely Experimentation or Optimizely Personalization to start working, when a user gives explicit consent, you must:

    • Reload the page programmatically.
    • Wait until the visitor reloads the page.
    • Wait until the visitor goes to another page.
  • This solution does not let you test on the first page viewed or the landing page when a user has not given consent.

You can not inject the Optimizely snippet if a user has not consented. Instead, you can display a full page covering the entire original page. On this page, consent options are displayed to the visitor for analytical tools that require consent, including Optimizely Experimentation or Optimizely Personalization. Tools that the visitor has authorized should start working normally. Because the full page covered the original page, the original variation was never shown to the visitor, which lets you experiment on the first page viewed.