Deleting cookies after user changes consent

Consider this: a user enters my site and approves all cookies. A few moments later he changes his mind and changes his selection. He now approves only the most basic cookies.

Will Piwik Pro delete the first set of cookies? When I test this out on my site, the total number of cookies does not drop.


HI @katanka
Cookies are one of the ways of capturing users’ interactions with the site, but users don’t consent to cookies. The consent users grant or deny refers to the use of data you may or may not capture from the user’s visit.
When it comes to your question: a change of customer consent should result in a change in the data you capture and process, not necessarily the number of cookies your page produces. Other words: visitors decide if you can utilize data from your cookies.
Please visit our Help Center’s Privacy section for more information on how to manage users’ privacy.

Hi, thanks a lot for your reply! However I’m not entirely convinced.
In Belgium we need explicit consent for cookies. Only cookies that are deemed necessary for the visitors (not the siteowner) can be placed without explicit consent.
In a recent case, the Belgian DPA issued a €50.000 fine to a Belgian publisher. In the decision, you can read that the DPA inspector just counted the amount of cookies before accepting, after accepting and after changing the consent. See (articles 154 - 161)
Best regards.

HI @katanka ,
Thanks for the background. Let me consult to be sure of the answer you need. I’ll get back to you when I have the full picture.

If you approved cookies in consent manager and as a result several tags were launched e.g. from Google Ads for the purpose of remarketing, Piwik PRO (nor any other tool as this is technical limitation) will not be able to delete them (especially http only and third-party cookies).

You can set a tag that will run and check the consents given (and if withdrawn) delete certain cookies that can be accessed from JavaScript (but you won’t be able to deal with http only and third party cookies this way). We will submit a feature request to our product team to see if this can be a bit simplified for the end users.

For analytics you can also use a full cookieless mode (even if consent is given) and this way you won’t have an issue with users who withdrew their consent as no data will be stored on end users device.

Local storage is considered equally as cookies. Is what you are saying @maciej that the local storage is cleared once the consent changed to deny?

Can you give us an update anyhow on this topic? I need to make a decision whether I will write a cleanup script or wait until you guys came up with a feature to simplify this.

If you use the cookieless mode turned on, then neither cookies nor local storage is used for analytics unless visitor gives consent for it.

If you have consent banner turned on, we will use necessary cookies to store consent decision as otherwise you would see the banner every time you refresh the page. We will not set the visitor cookies nor local storage unless the visitor gives the consent for it.

To illustrate, please see the screenshots with the two settings I am referring to:

1. Analytics only with visitor cookies turned off - no cookies/local storage used:

2. Consent manager turned on, but cookies turned off- cookies/local storage used only to store the consent decision. Cookies will be used for visitor tracking only after consent is given by the visitor.

I am aware of that. But the question is: what happens after step 3 with cookies/local storage:

  1. Visitor gives consent
  2. Cookies and/or local storage is in use
  3. Visitor reviews consent and chooses to deny all

Hi. We store “reject state”. It’s done so to block displaying the consent popup.

Yes I know, but why don’t you remove unnecessary cookies / local storage afterwards?
Is there an API endpoint to do so? Or do we need to do that manually?

As for the analytics, you can use this method: API — Piwik PRO Analytics Suite 16.33 documentation

But I agree that it could be improved to make it easier to implement. Adding it to our backlog.

1 Like

Are there any upates on simplifiying the deletion of cookies if the consent settings were changed by the visitor? Or is there a guide available on how to implement a cleanup script to delete cookies the visitor changed consent for?