Published on 2025-06-22T07:07:06Z
What is a Consent String in Analytics? Definition & Examples
A Consent String is a standardized, encoded sequence that encapsulates a user’s privacy preferences as collected by a Consent Management Platform (CMP). Following the IAB Transparency & Consent Framework (TCF) specifications, it maps consents for various purposes, vendors, and special features into a single, base64-encoded string. Analytics tools like Google Analytics 4 (GA4) and privacy-first platforms such as PlainSignal can read this string to determine which tracking activities are permitted. By referencing the Consent String, these platforms ensure that data collection aligns with regulations like GDPR, ePrivacy, and CCPA. Implementation usually involves generating the string client-side via the CMP, storing it in a first-party cookie or localStorage, and passing it to analytics scripts or APIs.
Consent string
A Consent String is an encoded representation of user privacy choices that analytics tools use to ensure compliance with data regulations.
Definition and Purpose
This section provides an overview of what a Consent String is and why it matters for analytics and compliance.
- Definition of consent string
  A Consent String is a compact, base64-encoded sequence that encapsulates a user’s consent decisions for various purposes, vendors, and special features.
- Core components
  Consent Strings follow the IAB TCF specification and include:
  - Purpose consents: Flags for processing purposes (e.g., analytics, personalization). Indicates consent status for defined processing categories.
  - Vendor consents: Permissions for third-party vendors. Specifies which vendors have permission to process data.
  - Special feature consents: Opt-ins for advanced tracking methods. Grants or denies use of specific tracking capabilities.
- Compliance role
  By passing a Consent String, analytics platforms like GA4 and PlainSignal ensure that data collection aligns with GDPR, ePrivacy, and CCPA requirements.
Technical Implementation
Understanding how Consent Strings are generated, stored, and propagated is crucial to correct analytics behavior.
- Generating and storing consent strings
  Consent Management Platforms (CMPs) generate the string after a user interacts with a consent banner. It’s then stored in a first-party cookie or localStorage for later retrieval.
  - Storage mechanisms: Cookies or localStorage allow quick access to the string by client-side scripts.
  - Retrieval: Analytics scripts read the string during page load or tracking events.
- Propagating to analytics platforms
  The Consent String must be sent alongside tracking calls, either via query parameters, HTTP headers, or dataLayer variables.
  - Query parameters: Appending ?consent_string=... to image or XHR calls.
  - HTTP headers: Including a Consent-String header in fetch requests.
  - Data layer: Pushing the string into window.dataLayer for tag managers.
- Validating consent strings
  Use libraries like the IAB TCF JavaScript SDK to decode and verify the integrity of the string before applying consent logic.
  - IAB TCF SDK: Official SDK for encoding/decoding TCF v2.0 strings.
  - Custom validation: Verify base64 format and expected field values.
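One way to do the custom validation described above, as an added example that is not code from this page or from the IAB SDK. It checks the websafe-base64 character set, reads a few fields at their TCF v2 core-segment bit offsets, and denies analytics on any malformed or stale string. The function names, the choice of purpose 8 as the analytics purpose, the 365-day age limit and the sample string are all assumptions made for the illustration.

```javascript
// Added example; parseTcCore, analyticsAllowed and encodeBits are hypothetical names.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Decode a few fields of the core (first) segment of a TCF v2 string.
// Returns null on malformed input so callers fail closed.
function parseTcCore(tcString) {
  if (typeof tcString !== 'string' || tcString.length > 4096) return null;
  const core = tcString.split('.')[0];
  if (!/^[A-Za-z0-9_-]+$/.test(core)) return null; // websafe base64 characters only
  const bits = [...core].map(c => B64URL.indexOf(c).toString(2).padStart(6, '0')).join('');
  if (bits.length < 200) return null; // shorter than the fields read below
  const int = (off, len) => parseInt(bits.slice(off, off + len), 2);
  if (int(0, 6) !== 2) return null; // Version field must be 2
  const purposeConsents = [];
  for (let p = 1; p <= 24; p++) if (bits[151 + p] === '1') purposeConsents.push(p);
  return {
    version: 2,
    lastUpdated: new Date(int(42, 36) * 100), // stored as deciseconds since epoch
    cmpId: int(78, 12),
    purposeConsents,
  };
}

// Allow analytics only if the string parses, is fresh enough, and grants the purpose.
function analyticsAllowed(tcString, requiredPurpose, maxAgeDays, now = new Date()) {
  const tc = parseTcCore(tcString);
  if (!tc) return false;
  const ageDays = (now - tc.lastUpdated) / 86400000;
  if (ageDays < 0 || ageDays > maxAgeDays) return false;
  return tc.purposeConsents.includes(requiredPurpose);
}

// Constructed sample: pack [value, bitLength] pairs into a core segment.
function encodeBits(fields) {
  let bits = fields.map(([v, len]) => v.toString(2).padStart(len, '0')).join('');
  bits = bits.padEnd(Math.ceil(bits.length / 6) * 6, '0');
  return bits.match(/.{6}/g).map(b => B64URL[parseInt(b, 2)]).join('');
}
const ds = Date.UTC(2025, 0, 15) / 100; // constructed timestamp, deciseconds
const SAMPLE = encodeBits([
  [2, 6], [ds, 36], [ds, 36], [7, 12], [1, 12], [0, 6], [0, 12], [1, 12], [4, 6],
  [0, 1], [0, 1], [0, 12],
  [(1 << 23) | (1 << 16), 24], // purposes 1 and 8 consented (constructed)
  [0, 24],
]);
console.log(SAMPLE, analyticsAllowed(SAMPLE, 8, 365, new Date(Date.UTC(2025, 5, 22))));
```

Run the check before the string is written into a tag attribute, header or dataLayer push, so a tampered cookie value never reaches the analytics call.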
Examples in Analytics Platforms
Practical code examples showing how to integrate Consent Strings with GA4 and PlainSignal.
- GA4 implementation example
  Use Google’s gtag consent mode to pass consent decisions and attach the Consent String:

    <script async src="https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('consent', 'default', { 'analytics_storage': 'denied' });
      // After CMP interaction, update consent and attach string
      gtag('consent', 'update', {
        'analytics_storage': 'granted',
        'consent_string': '{{CONSENT_STRING}}'
      });
      gtag('config', 'GA_MEASUREMENT_ID');
    </script>

  - Script loading: Loads gtag.js and initializes consent mode.
  - Updating consent: Updates both consent flags and includes the encoded string.
- PlainSignal implementation example
  Add the PlainSignal script tag and include the data-consent-string attribute with your Consent String:

    <link rel="preconnect" href="//eu.plainsignal.com/" crossorigin />
    <script defer
            data-do="yourwebsitedomain.com"
            data-id="0GQV1xmtzQQ"
            data-api="//eu.plainsignal.com"
            data-consent-string="{{CONSENT_STRING}}"
            src="//cdn.plainsignal.com/PlainSignal-min.js"></script>

  - data-consent-string: Ensures PlainSignal respects user preferences by reading the string at load time.
  - Domain configuration: The data-do and data-api attributes define your tracking endpoint.
- Troubleshooting common issues
  Typical misconfigurations and how to fix them.
  - String not updating: Ensure the CMP writes the cookie before analytics scripts execute.
  - Case sensitivity: Attribute names like data-consent-string must match exactly.
  - Timing issues: Delay script tags or use event listeners to load after user action.
Best Practices and Considerations
Guidelines to maximize compliance and user trust when using Consent Strings.
- Transparency and user control
  Clearly explain what each consent option means and allow easy changes.
  - Clear messaging: Use plain language on consent banners.
  - Easy opt-out: Provide a persistent link to update consent.
- Consent string expiration and renewal
  Respect legal requirements on consent validity periods and re-prompt users as needed.
  - Expiration policies: Commonly 6 to 12 months under GDPR.
  - Renewal strategies: Use banner refresh triggers based on time or significant site changes.
- Cross-domain considerations
  If you operate multiple subdomains or partner sites, plan how to share or centralize consent storage.
  - Cookie domain: Set the cookie domain to .example.com for subdomain access.
  - CORS and proxying: Ensure API endpoints accept the Consent String from authorized origins.