GDPR Requirements

Cookie Consent & Tracking Control

Arcade provides several options for controlling tracking behavior, including honoring cookie consent prompts on your own website. This guide walks through how tracking works in embedded Arcades and how you can delay or disable it based on user consent.

Does Arcade use cookies?

Yes. Arcade’s analytics use a cookie to assign a unique identifier to users interacting with an Arcade. While this cookie doesn’t store personally identifiable information (PII), it is considered personal data under laws like GDPR because it tracks user behavior.

Arcade tracks actions like:

• Hotspot interactions

• CTA clicks

• Step progress

These events populate the Arcade Analytics dashboard.

Does Arcade automatically respect my website’s cookie banner?

No. Since Arcades are embedded in an <iframe>, they cannot automatically inherit or detect cookie consent from your website’s banner.

To align with cookie compliance requirements, Arcade offers a developer-friendly way to defer tracking until consent is granted.

How can I delay Arcade tracking until the user consents?

You can prevent Arcade from sending tracking events until your website explicitly signals consent.

Here’s how it works:

1. Arcade will continue recording events in memory, even if tracking is disabled.

2. Once consent is granted on your site, send a message to the Arcade iframe(s).

3. All previously recorded events will then be sent to the tracking server, and tracking will proceed as usual.

Example code:

jsCopy codevar arcades = document.querySelectorAll("iframe[src*='demo.arcade.software']");
arcades.forEach(function(arcade) { 
  arcade.contentWindow && arcade.contentWindow.postMessage({ event: 'cookie-consent' }, '*');
});

This can be triggered after your cookie banner registers consent from the user.

What if my consent manager reloads iframes?

Some cookie managers automatically reload iframes when consent is given. In that case, you’ll need to listen for when the Arcade iframe loads and then send the cookie-consent message again.

Example implementation:

jsCopy codefunction handleArcadePageLoad(arcade) {
  setTimeout(() => {
    if (userHasConsentedToCookies()) {
      arcade.contentWindow &&
        arcade.contentWindow.postMessage({ event: "cookie-consent" }, "*")
    }
  }, 4000)
}

var arcades = document.querySelectorAll("iframe[src*='demo.arcade.software']")

if (arcades && arcades.length > 0) {
  arcades.forEach(function (arcade) {
    arcade.addEventListener("load", handleArcadePageLoad.bind(_, arcade))
  })
}

This approach ensures tracking works correctly across page reloads and respects your users’ consent preferences.

What happens when “Do Not Track” is enabled?

If the Do Not Track setting is turned on in your Arcade settings:

• No user interaction data (clicks, views, etc.) will be sent to Arcade.

• Your Analytics dashboard will not populate with viewer data.

• Custom fonts from Google Fonts are disabled due to IP tracking concerns.

You can enable this under Settings > Privacy.

Here is a sequence diagram of how this works:

n order to send the message to the Arcade iframe(s) that the user has consented to the use of cookies, you need to send the following Javascript after the consent has been made:

var arcades = document.querySelectorAll("iframe[src*='demo.arcade.software']");
arcades.forEach(function(arcade) { 
  arcade.contentWindow && arcade.contentWindow.postMessage({ event: 'cookie-consent' }, '*');
});

Once the Arcade iframe(s) receive this message, all events that the Arcade has recorded up to that moment will be sent to the Arcade tracking server, and new events will be sent as well.

Some consent managers will reload any 3rd party iframes on the page after the user gives consent. In these cases, you may need to listen to the Arcade iframes load event to pass on the cookie-consent event. Here's some sample code on how to do that:

// Run this code when the page loads...

// If the user has consented to cookies, enable tracking for specific arcades
function handleArcadePageLoad(arcade) {
  // Wait a few seconds to make sure the iframe has completely loaded
  setTimeout(() => {
    // The userHasConsentedToCookies() function is your own function to check if the user has consented to cookies
    if (userHasConsentedToCookies()) {
      arcade.contentWindow &&
        arcade.contentWindow.postMessage({ event: "cookie-consent" }, "*")
    }
  }, 4000)
}

// Find all the arcades on the page
var arcades = document.querySelectorAll("iframe[src*='demo.arcade.software']")

// Add an event listener to each Arcade iframe
if (arcades && arcades.length > 0) {
  arcades.forEach(function (arcade) {
    arcade.addEventListener("load", handleArcadePageLoad.bind(_, arcade))
  })
}

This will allow tracking to work across page reloads as well.

What about GDPR and Google Fonts?

Arcade uses the vast array of available fonts from Google Fonts. For customers concerned GDPR compliance and Google Fonts, font selection is disabled in the Arcade editor and theme settings if either tracking (listed as Do Not Track) or IP tracking is disabled. Arcade defaults to using the Inter font, which Arcade serves directly without any dependence on a 3rd party that may be tracking IPs.

If tracking or IP tracking is disabled:

• Arcade disables font selection in the theme and editor settings.

• Instead, we default to the Inter font, which is hosted directly by Arcade to avoid triggering third-party font loads.

This ensures full compliance with GDPR and similar regulations.

Summary: How to respect cookie consent in embedded Arcades

Still have questions?

Reach out to [email protected] if you'd like help integrating consent controls with your specific cookie management platform.