(Sims) prevent cookie save before consent

[oliver-phet]

Discussed related to https://docs.google.com/document/d/1ucmlPT0W5o3-98YPA8XEr12Lg0eSF8rSaLGdfUtJZvA/edit#

Since the latest patch in #60, cookies are now being set on all tagged pages (including sims). This was inadvertent and we want disable setting cookies in sims by default.

[oliver-phet]

Testing link for latest patch here: https://bayes.colorado.edu/dev/olsonjb/cookietest1.html

[jonathanolson]

Patch:

Subject: [PATCH] Removing cookies?
---
Index: js/analytics/google-analytics.js
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/js/analytics/google-analytics.js b/js/analytics/google-analytics.js
--- a/js/analytics/google-analytics.js	(revision ca3844837dac4ee86a18d43ea27b2cfb7bd3fcf5)
+++ b/js/analytics/google-analytics.js	(date 1674850208789)
@@ -145,6 +145,10 @@
       function gtag() { ga4DataLayer.push( arguments ); } // eslint-disable-line no-inner-declarations,no-undef,prefer-rest-params
 
       gtag( 'js', new Date() );
+      gtag( 'consent', 'default', {
+        ad_storage: 'denied',
+        analytics_storage: 'denied'
+      } );
       gtag( 'config', phet.chipper.queryParameters.ga4 );
 
       // Dynamically load the script
@@ -160,6 +164,13 @@
     // For some reason, having dataLayer declaration here might have fixed the ability to use gtag.js and gtm.js at the
     // same time. Don't move without testing.
     window.dataLayer = window.dataLayer || [];
+    function gtmTag() {
+        window.dataLayer.push( arguments ); // eslint-disable-line prefer-rest-params
+    }
+    gtmTag( 'consent', 'default', {
+      ad_storage: 'denied',
+      analytics_storage: 'denied'
+    } );
     window.dataLayer.push( {
       simBrand: phet.chipper.brand,
       simName: phet.chipper.project,

[oliver-phet]

@jonathanolson this is looking good in my testing (various combinations of external test query parameters). Should we also do a 3rd party test (host on http://jonathanolson.net)?

[jonathanolson]

@oliver-phet can you test https://jonathanolson.net/phet/cookietest1.html?

[oliver-phet]

@jonathanolson I tested various configurations, with and without query parameters. Cookies aren't being saved and all the collect calls are firing as expected!

I think this version is good to go.

[oliver-phet]

@jonathanolson maybe hold off on publication - I'm doing some double checking and while I see collect calls in the console, I'm NOT seeing hits in analytics!

[oliver-phet]

@jonathanolson I'm still Googling, but it seems setting 'analytics_storage': 'denied', prevents hits from showing in analytics reports (GA4)!
https://stackoverflow.com/questions/64951848/google-analytics-consent-mode-beta-sends-data-but-is-not-reflected-on-dashbo
https://stackoverflow.com/questions/69393998/google-consent-mode-works-with-ua-but-not-ga4

[oliver-phet]

It seems clear that none of our data is personal data under GDPR.
From: https://www.termsfeed.com/blog/gdpr-google-analytics-ga4/
In practice, it's possible that none of your GA4 data (or Device IDs) will be considered personal data under the GDPR if you do the following:

• Use GA4 only in its default anonymized form
  PhET uses the default form and doesn't transmit any PII in any other dimensions (against Google To)
• Don't share GA4 data with Google Signals and other Google tracking platforms
  No data is shared. Google Signals/Google Ads is disabled for all PhET GA4 and UA properties
• Disable the advertising personalization feature in GA4
  Ad personalization is completely disabled for all PhET GA4 and UA properties
• Use the anonymized data collected through GA4 for aggregate statistical reporting purposes only
  That's what we do.

However, there still seem to be countries within the EU where explicit consent to analytics cookies is required before placing our GA cookies.

Simply put, some EU countries require websites to obtain explicit consent from users through cookie notice banners before placing analytics cookies on their devices, while others are more lenient with this requirement.

To put things in context, take the cookie consent requirement of Germany and the United Kingdom for example.

The German conference supervisory authorities published a guide that addresses cookie consent requirements for analytics tracking.

In short, the body decided that websites do not need to obtain consent through cookie notice banners before placing analytics cookies on devices unless the data gathered through these cookies will be transferred to a third party.

The United Kingdom, on the other hand, takes a different perspective on cookie consent.

According to the cookie guide released by the UK Information Commissioner's Office (ICO), websites must obtain consent from users through cookie notice banners before placing analytics cookies on a user's device.

That said, the ICO states that it is unlikely that formal action will be taken against violators for implementing low-risk cookies (e.g., first-party cookies) without obtaining consent.

However, we recommend that you play it safe and always seek user consent through cookie banners before implementing analytics cookies for UK residents.

To sum it up, your obligations with regard to providing a cookie notice banner when using GA4 will depend on the cookie laws in the countries where your users reside.

[jonathanolson]

Production deploys completed.

[oliver-phet]

Closing, tracking saving cookies/consent in https://github.com/phetsims/website/issues/1190