GDPR Requirements

Can an Arcade withhold tracking until a user consents to the use of cookies on the host’s website?

This is a more advanced use of Arcade and may require a developer on your team.

Companies implementing GDPR requirements are required to ask for permission to use cookies on their websites. Cookies are typically used to track user activities. Arcade’s tracker uses cookies to store unique user information and identify users. While the Arcade tracker cookie doesn’t store PII data, it is enough to be deemed personal information since it tracks the user's behavior on the website.

Websites that ask for permission to use cookies will present a small UI element that is typically unobtrusive but will notify the user that the website uses cookies. In the simplest case, a user can approve or deny consent to use cookies. In more complicated scenarios, the website may ask for permission to use different types of cookies (analytics, marketing, other types of tracking., etc).

Arcade tracks events like hotspots, and CTA clicks on the published Arcade. Those are used to generate data for the Arcade Analytics dashboard.

Since Arcades are embedded as an iframe on a website, they cannot automatically inherit or honor the consent provided to the host’s website. Ideally, Arcades should not have to ask for permission on their own—that would provide an odd user experience, especially if there are multiple Arcades on the same page.

Arcade’s Approach to “Do Not Track”

Arcade tracks user events (e.g., clicks within the Arcade, etc.) by default. These events are used to provide our customers analytics on their Arcades. We recognize that there may be times when the author of the Arcade might want to limit tracking information by anonymizing the IP or disable tracking completely. In many situations, the author may want to disable tracking until the user consents to cookie-based tracking on the host website. For this reason, we provide a few settings to limit or disable tracking:

Once you turn on Do Not Track, Arcade will no longer collect user clicks and page views within an Arcade. Analytics data will no longer be visible inside Arcade’s Analytics dashboard.

If your website asks for cookie consent from the user, Arcade can honor that consent, but it will require a little bit of code on your website.

If the user allows your website to use cookies for tracking purposes, you can let the Arcade know by sending each Arcade on your page a message to turn on tracking. Arcade will keep track of events that happen inside the Arcade even if Do Not Track is turned on, but it withholds sending those events to Arcade’s tracking server unless it receives consent from the host website.

Here’s a sequence diagram of how this works:

In order to send the message to the Arcade iframe(s) that the user has consented to the use of cookies, you need to send the following Javascript after the consent has been made:

var arcades = document.querySelectorAll("iframe[src*='demo.arcade.software']");
arcades.forEach(function(arcade) { 
  arcade.contentWindow && arcade.contentWindow.postMessage({ event: 'cookie-consent' }, '*');
});

Once the Arcade iframe(s) receive this message, all events that the Arcade has recorded up to that moment will be sent to the Arcade tracking server, and new events will be sent as well.

Some consent managers will reload any 3rd party iframes on the page after the user gives consent. In these cases, you may need to listen to the Arcade iframes load event to pass on the cookie-consent event. Here's some sample code on how to do that:

// Run this code when the page loads...

// If the user has consented to cookies, enable tracking for specific arcades
function handleArcadePageLoad(arcade) {
  // Wait a few seconds to make sure the iframe has completely loaded
  setTimeout(() => {
    // The userHasConsentedToCookies() function is your own function to check if the user has consented to cookies
    if (userHasConsentedToCookies()) {
      arcade.contentWindow &&
        arcade.contentWindow.postMessage({ event: "cookie-consent" }, "*")
    }
  }, 4000)
}

// Find all the arcades on the page
var arcades = document.querySelectorAll("iframe[src*='demo.arcade.software']")

// Add an event listener to each Arcade iframe
if (arcades && arcades.length > 0) {
  arcades.forEach(function (arcade) {
    arcade.addEventListener("load", handleArcadePageLoad.bind(_, arcade))
  })
}

This will allow tracking to work across page reloads as well.

Custom font selection is not available when tracking is disabled

Arcade uses the vast array of available fonts from Google Fonts. For customers concerned GDPR compliance and Google Fonts, font selection is disabled in the Arcade editor and theme settings if either tracking (listed as Do Not Track) or IP tracking is disabled. Arcade defaults to using the Inter font, which Arcade serves directly without any dependence on a 3rd party that may be tracking IPs.

PreviousSSO using SAML NextBilling and Subscription

Last updated 10 days ago

Was this helpful?