We measured without selling anyone out
We wanted to know what works — which pages convert, which CTA gets clicked — without tracking people who never agreed to it. That tension shaped every choice here.
Denied by default
Consent Mode v2 starts with all storage denied. An opt-in banner (EN and ID) flips analytics on only when a visitor says yes. Lead attribution — which campaign or referrer sent someone — rides along cookielessly, so it survives a "no thanks."
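As an added illustration (not code from the site described above), this is the shape of a "denied by default" Consent Mode v2 bootstrap: the `gtag()` stub queues calls on `dataLayer`, the default call denies every storage type, the banner only ever issues an `update` to `granted`, and campaign attribution is read from the landing URL into memory instead of a cookie. The replay helper and the sample URLs are constructed for the example; the consent keys (`analytics_storage`, `ad_storage`, `ad_user_data`, `ad_personalization`, `wait_for_update`) are the real Consent Mode v2 parameter names.

```javascript
// Added example: Consent Mode v2 bootstrap with every storage type denied by default.
// In a browser `dataLayer` is `window.dataLayer`; a plain array stands in for it here.
const dataLayer = [];

// gtag() does nothing but queue its arguments until gtag.js loads and drains the queue.
function gtag(...args) {
  dataLayer.push(args);
}

// Consent Mode v2 default: deny all four storage types. wait_for_update gives the
// banner a short window to deliver a stored choice before any tag fires.
const DEFAULT_DENIED = {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  wait_for_update: 500,
};

// Must run before the gtag.js <script> tag so the default precedes the first hit.
function initConsent() {
  gtag('consent', 'default', DEFAULT_DENIED);
}

// Banner callback: a refusal sends nothing at all; acceptance only upgrades analytics.
// Ad storage stays denied because the banner never asked for it.
function onBannerChoice(accepted) {
  if (accepted) {
    gtag('consent', 'update', { analytics_storage: 'granted' });
  }
  return currentConsent();
}

// Replay the queued consent calls in order; later updates override the default.
// (Helper for inspection and tests; gtag.js keeps this state internally.)
function currentConsent() {
  const state = {};
  for (const [command, action, params] of dataLayer) {
    if (command === 'consent' && (action === 'default' || action === 'update')) {
      Object.assign(state, params);
    }
  }
  delete state.wait_for_update;
  return state;
}

function resetConsentQueue() {
  dataLayer.length = 0;
}

// Cookieless attribution: derive source/medium/campaign from the landing URL and
// referrer, keep the result in memory, and attach it as event parameters later.
// Nothing is written to a cookie, so a "no thanks" does not lose the attribution.
function attributionFrom(landingUrl, referrer) {
  const params = new URL(landingUrl).searchParams;
  const refHost = referrer ? new URL(referrer).hostname : null;
  return {
    source: params.get('utm_source') || refHost || 'direct',
    medium: params.get('utm_medium') || (refHost ? 'referral' : 'none'),
    campaign: params.get('utm_campaign') || '(not set)',
  };
}

module.exports = { gtag, initConsent, onBannerChoice, currentConsent, resetConsentQueue, attributionFrom };
```

The point of `currentConsent()` is to show what the queue looks like after each step: before the banner, `analytics_storage` is `denied`; after a refusal, still `denied`; after acceptance, `granted` while the ad keys stay `denied`. The attribution object is what you would pass as event parameters once (and only if) analytics is granted.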
Why gtag, not GTM
The site runs a strict Content-Security-Policy with no unsafe-inline. Google Tag Manager injects tags at runtime, so it would need a per-request nonce and unsafe-eval — both of which that policy refuses. gtag.js has one small inline snippet, which the build hashes into the CSP automatically.
Do
- Default consent to denied; opt in, never out
- Keep attribution cookieless so it survives a refusal
- Hash the one inline snippet into the CSP
Don't
- Reach for GTM under a strict CSP
- Drop cookies before the visitor agrees
- Put the build's env var on the platform that doesn't build
Measurement is a trust contract, not a surveillance budget. We'd rather know less, honestly.