Can an Arcade withhold tracking until a user consents to the use of cookies on the host’s website?

Companies implementing GDPR requirements are required to ask for permission to use cookies on their websites. Cookies are typically used to track user activities. Arcade’s tracker uses cookies in order to store unique user information in order to identify a user. While the Arcade tracker cookie doesn’t store PII data, it is enough to be deemed personal information since it’s tracking the user's behavior on the website.

Websites that ask for permission to use cookies will present a small UI element that is typically unobtrusive but will notify the user that the website uses cookies. In the simplest case, a user can approve or deny consent to use cookies. In more complicated scenarios, the website may ask for permission to use different types of cookies (analytics, marketing, other types of tracking., etc).

Arcade tracks events like hotspot and CTA clicks on the published Arcade. Those are used to generate data for the Arcade Analytics dashboard.

Since Arcades are embedded as an iframe on a website, it cannot automatically inherit or honor the consent provided to the host’s website. And ideally, Arcades should not have to ask for permission on their own — that would provide for an odd user experience especially if there are multiple Arcades on the same page.

Arcade’s Approach to “Do Not Track”

Arcade tracks user events (e.g., clicks within the Arcade, etc.) by default. These events are used to provide our customers analytics on their Arcades. We recognize that there may be times when the author of the Arcade might want to limit tracking information by anonymizing the IP or disable tracking completely. In many situations, the author may want to disable tracking until the user consents to cookie based tracking on the host website. For this reason, we provide a few settings to limit or disable tracking:

Once you turn on Do Not Track, Arcade will no longer collect user clicks and page views within an Arcade. Analytics data will no longer be visible inside Arcade’s Analytics dashboard.

If your website presents a cookie consent to the user, Arcade can honor that consent but it will require a little bit of code on your website.

Honoring the user’s consent to use cookies within an Arcade

If the user allows your website to use cookies for tracking purposes, you can let the Arcade know by sending each Arcade on your page a message to turn on tracking. Arcade will keep track of events that happen inside the Arcade even if Do Not Track is turned on, but it withholds sending those events to Arcade’s tracking server unless it receives the consent from the host website.

Here’s a sequence diagram of how this works:

In order to send the message to the Arcade iframe(s) that the user has consented to the use of cookies, you need to send the following Javascript after the consent has been made:

var arcades = document.querySelectorAll("iframe[src*='demo.arcade.software']");
arcades.forEach(function(arcade) { 
  arcade.contentWindow && arcade.contentWindow.postMessage({ event: 'cookie-consent' }, '*');
});

Once the Arcade iframe(s) receive this message, all events that have been recorded by the Arcade up to that moment will be sent to the Arcade tracking server and new events will be sent as well.

Custom font selection is not available when IP tracking is disabled

Arcade uses the vast array of available fonts from Google Fonts. For customers concerned GDPR compliance and Google Fonts, font selection is disabled in the Arcade editor and theme settings. Arcade defaults to using the Inter font, which Arcade serves directly without any dependence on a 3rd party that may be tracking IPs.