Reference → Tracking and Consent Module Reference

Tracking and Consent Module Reference

FieldValue
Audiencepublic
Areasg-module
PillarSG-Modules
Updated2026-05-27

What is this for?

Overview

The Tracking and Consent module controls how the site collects visitor consent and gates third-party scripts based on consent status.
It provides a configurable consent banner, four consent categories (necessary, analytics, marketing, functional), per-category script gating, a consent log for audit purposes, and per-site override settings in multi-site installs.

This page is a field-level reference.
For each surface the tables below state what the field is, what it controls, and how it behaves.

Scope

What the Tracking and Consent module covers

  • Consent banner — the notice displayed to first-time visitors requesting consent to non-necessary cookies and tracking.
Controls display timing, positioning, copy, button labels, and color.
  • Consent categories — four named categories that group scripts by purpose.
Visitors can accept or reject categories independently.
  • Per-category script gating — scripts assigned to a category fire only when the visitor has consented to that category.
Scripts assigned to the Necessary category always fire.
  • Consent log — a per-visitor record of consent decisions (accepted, rejected, withdrawn) with timestamps.
Available for audit trail purposes.
  • Per-site overrides — in a multi-site SGEN install, each site can override global consent banner copy and category defaults while inheriting the global script assignments.
  • Multi-region handling — banner display can be scoped to visitor geography (EU for GDPR, US states for CCPA).

What the Tracking and Consent module does NOT cover

  • Creating and managing the scripts themselves — use SG-Modules Custom Codes to add third-party scripts, then assign them to a consent category here.
  • Server-side analytics collection — the module gates client-side scripts. Server-side instrumentation is outside this module's scope.
  • Legal advice on compliance requirements — the module provides technical implementation of consent gating. Compliance obligations depend on your jurisdiction and legal counsel.
  • Email marketing consent capture — opt-in for email lists is a Forms and Integrations concern, not this module.

Where to find it

Navigate to SG-Modules > Tracking & Consent in the admin sidebar.
The panel opens with four tabs: Banner, Categories, Scripts, and Consent Log.
Per-site overrides are accessible from the site selector dropdown within the panel when a multi-site install is active.

Fields

Consent banner fields

FieldLocationWhat it controls
Banner enabledBanner tab → toggleTurns the consent banner on or off sitewide. When off, no consent notice is shown and scripts fire without gating.
Display triggerBanner tab → DisplayWhen the banner appears for a new visitor: on page load (immediate), after scroll (% of page), or after time delay (seconds).
PositionBanner tab → PositionWhere the banner renders: bottom bar, top bar, bottom-left corner, or center modal.
Heading textBanner tab → Copy → HeadingThe main heading shown in the consent banner.
Body textBanner tab → Copy → BodyThe explanatory paragraph beneath the heading. Plain text; no HTML.
Accept all button labelBanner tab → Copy → Accept buttonLabel for the button that accepts all categories.
Reject all button labelBanner tab → Copy → Reject buttonLabel for the button that rejects all non-necessary categories.
Manage preferences button labelBanner tab → Copy → Manage buttonLabel for the button opening the per-category preference centre.
Privacy policy linkBanner tab → Copy → Privacy policy URLURL inserted as a link in the banner body text where {privacy_policy} placeholder is used.
Banner background colorBanner tab → Appearance → BackgroundHex color for the banner background.
Banner text colorBanner tab → Appearance → TextHex color for banner body text.
Button primary colorBanner tab → Appearance → Primary buttonHex color for the Accept All button background.
Button secondary colorBanner tab → Appearance → Secondary buttonHex color for the Reject All and Manage Preferences button borders.
Re-show banner afterBanner tab → ExpiryNumber of days before a visitor's consent decision expires and the banner is shown again. Default: 365 days.

Consent category fields

CategoryFixed or editableDefault stateWhat it covers
NecessaryFixed — always enabledAlways on, not shown to visitor as a choiceCookies and scripts required for the site to function — session management, security tokens, load balancing. Cannot be rejected.
AnalyticsEditable name + descriptionOff by default (opt-in)Scripts that collect visitor behaviour data — page views, session duration, click paths. Examples: analytics platforms, heatmap tools.
MarketingEditable name + descriptionOff by default (opt-in)Scripts that support ad targeting, retargeting, and conversion tracking — ad pixels, remarketing tags.
FunctionalEditable name + descriptionOff by default (opt-in)Scripts that enhance functionality but are not strictly necessary — live chat, video embeds, personalisation widgets.
Each editable category has the following fields:
FieldWhat it controls
Category nameThe label shown to visitors in the preference centre.
Category descriptionThe explanation of what this category does, shown in the preference centre.
Default stateWhether the category is pre-selected as accepted when the visitor first sees the preference centre. Opt-in = off. Opt-out = on.

Script assignment fields

Scripts are assigned to consent categories in the Scripts tab.
A script entry references a Custom Code block (created in SG-Modules > Custom Codes) and assigns it to one category.

FieldWhat it controls
Script labelInternal name for this script entry. Not shown to visitors.
Custom Code referenceLinks to a Custom Code block by name. The Custom Code contains the actual script.
Consent categoryThe category this script is assigned to. The script fires only when the visitor has accepted this category.
Load timingWhen the script is injected after consent is given: immediately on consent, on next page load, or on next session.
ActiveWhether this script entry is enabled. Inactive entries are skipped even if the visitor consented to the category.
# Example: script assignment configurationscripts:- label: "Analytics Platform"custom_code: "analytics-tracking-head"consent_category: analyticsload_timing: immediatelyactive: true- label: "Ad Conversion Pixel"custom_code: "ad-pixel-footer"consent_category: marketingload_timing: on_next_page_loadactive: true- label: "Live Chat Widget"custom_code: "live-chat-script"consent_category: functionalload_timing: immediatelyactive: true

Consent log fields

FieldWhat it records
Visitor IDAn anonymised identifier for the visitor (not a personal identifier — typically a session or fingerprint hash).
TimestampDate and time the consent decision was recorded.
Decisionaccepted_all / rejected_all / custom (custom means the visitor chose specific categories).
Categories acceptedWhich categories the visitor accepted, recorded per decision.
Consent versionThe version of the consent configuration active at the time of the decision. When consent configuration changes, a new version is issued.
Withdrawal timestampIf the visitor later withdrew consent (via the preference centre), the date and time of withdrawal.
The consent log is available for export as CSV from the Consent Log tab.Log entries are retained for the configured retention period (default: 12 months).

Multi-region display fields

FieldWhat it controls
Region rules enabledToggle to activate geography-based banner display rules.
EU / EEA detectionWhen on, the consent banner displays to visitors from EU / EEA countries. Visitors from other regions do not see the banner (unless other region rules are active).
US state detectionWhen on, the consent banner displays to visitors from US states with active privacy laws (currently: California, Colorado, Connecticut, Virginia, others as legislation takes effect).
Global fallbackWhether visitors from regions without a specific rule see the banner or bypass it. Default: show banner globally.

When to use this

When to use this

Use this module whenever the site deploys third-party tracking scripts — analytics, ad pixels, live chat, marketing automation tags, heatmap tools, or video embeds that drop cookies.

A site that runs tracking scripts without a consent mechanism is not compliant with GDPR for EU visitors or CCPA for California residents (among other regulations).
The module provides the technical gating layer — consent decisions block or allow scripts.

Use the Analytics category for any script that records visitor behaviour for your own analysis.

Use the Marketing category for any script that supports advertising platforms — pixels, retargeting, conversion measurement.

Use the Functional category for scripts that add features visitors can observe (chat widget, video player, personalisation) but that are not strictly required for the site to work.

Use the Necessary category only for scripts the site cannot function without.
Do not place third-party analytics or marketing scripts in Necessary — that would remove visitor choice and is not compliant with most consent frameworks.

Use the consent log when you receive a data subject request or need to demonstrate that consent was given (or refused) by a specific visitor at a specific time.

Use per-site overrides in multi-site installs where different sites serve different markets with different regulatory contexts.

Configuration

Configuration

See subsections below for each configuration task.

Setting up the consent banner

  1. Open SG-Modules > Tracking & Consent > Banner tab.
  2. Enable the banner toggle.
  3. Write the Heading and Body copy.
Include {privacy_policy} in the body where the privacy policy link should appear.
  1. Enter the Privacy policy URL.
  2. Set button labels for Accept All, Reject All, and Manage Preferences.
  3. Choose the Position (bottom bar recommended for most sites).
  4. Set Display trigger (on page load recommended).
  5. Configure banner colors to match the site brand.
  6. Set the Re-show banner after period (365 days is the default; adjust for your compliance requirements).
  7. Save.

Assigning scripts to consent categories

  1. Open SG-Modules > Tracking & Consent > Scripts tab.
  2. Click Add Script Entry.
  3. Enter an internal Script label.
  4. Select the Custom Code block that contains the script.
If the script is not yet created as a Custom Code, do that first in SG-Modules > Custom Codes.
  1. Select the Consent category (Analytics, Marketing, or Functional).
  2. Set Load timing (immediately is the most common choice).
  3. Set the entry to Active.
  4. Save.

Configuring per-category defaults

  1. Open SG-Modules > Tracking & Consent > Categories tab.
  2. Select a category to edit.
  3. Update the Category name and Description to match your site's language.
  4. Set the Default state — opt-in (off by default) is the correct setting for Analytics, Marketing, and Functional under GDPR.
  5. Save.

Exporting the consent log

  1. Open SG-Modules > Tracking & Consent > Consent Log tab.
  2. Use the date range filter to scope the export.
  3. Click Export CSV.
  4. The CSV contains one row per consent decision, with all fields listed in the Consent log fields table above.

Examples

Examples

Example 1 — A marketing site adds analytics and ad tracking with consent gating.
The team installs two Custom Code blocks: one for their analytics platform, one for their ad platform pixel.
In Tracking & Consent > Scripts, they assign the analytics block to the Analytics category and the pixel to the Marketing category.
They configure the banner with plain-language copy and bottom-bar position.
Both scripts are now gated — they fire only after visitor consent.
Visitors who reject Marketing still get analytics tracking if they accepted Analytics (categories are independent).

Example 2 — A site serves both EU and US visitors.
The team enables the EU / EEA detection and US state detection region rules.
EU visitors see the consent banner on first visit.
US visitors from CCPA-applicable states see the banner.
Visitors from other regions bypass the banner (global fallback is set to bypass).
The team reviews and adjusts the global fallback after legal review.

Example 3 — A data subject requests proof of consent.
A visitor contacts the team asking for confirmation of when they accepted or refused consent.
The operations team opens the Consent Log tab, filters by the approximate date range, locates the Visitor ID associated with the session, and exports the relevant log entry as CSV.
The log entry shows the timestamp, the decision (custom), the categories accepted, and the consent configuration version in effect at that time.

Example 4 — Withdrawing and re-obtaining consent after configuration change.
The team adds a new marketing script to the site.
Adding the script creates a new consent configuration version.
The banner re-shows to all visitors on their next session because the consent configuration version has changed.
Visitors consent again under the new configuration.
The consent log records both the previous decision and the new decision for each visitor.

Edge cases

Edge cases

Scripts firing before consent is collected.
Check that every script block is assigned to a consent category in the Scripts tab.
Scripts in Custom Codes that are not assigned to a category in the Tracking & Consent module fire unconditionally.
The module only gates scripts it knows about.

Consent banner not appearing on the site.
Confirm the banner toggle is enabled.
Check whether the site is in a region excluded by region rules.
Clear browser cookies and reload — if a prior consent decision is stored in the visitor's browser, the banner will not show again until the decision expires.

Category default state set to opt-in but scripts firing anyway.
Category default state controls what is pre-selected in the preference centre — it does not block scripts on first page load if the visitor closes the banner without making a choice.
Configure the Display trigger so the banner must be interacted with before the page content loads (modal variant) if the use case requires explicit action before any non-necessary scripts fire.

Consent log not showing a visitor's decision.
The log records decisions made through the banner or preference centre.
If a visitor navigated away before the banner interaction was recorded, no entry is created.
The log is not a complete record of every visitor session — it records consent events only.

Multi-site banner copy divergence.
In a multi-site install, per-site overrides replace the global copy entirely (they do not merge).
If the global copy is updated, per-site overrides are not automatically updated.
Review per-site overrides whenever global copy changes.

GDPR opt-in vs opt-out default.
Setting any non-necessary category to opt-out (pre-checked) by default is not compliant with GDPR's requirement for freely given, informed, specific consent.
Set Analytics, Marketing, and Functional to opt-in (off by default) unless specific legal advice covers an alternative approach for your jurisdiction.

Related features

Related

  • Custom Codes module — scripts must exist as Custom Code blocks before they can be assigned to consent categories in this module. The Tracking & Consent module gates scripts; it does not create them.
  • SEO module — structured data (JSON-LD) injected by the SEO module is not gated by consent. It is server-rendered metadata, not client-side script execution.
  • Forms module — email opt-in consent for marketing lists is handled at the form level (checkbox field with explicit label), not through the consent banner categories.
  • Ecommerce module — payment processing scripts may carry their own consent obligations. Review with your legal team whether payment gateway scripts belong in Necessary or Functional.

Related reading

Topic
SEO Module Reference
Ecommerce Module Reference
Forms
On this page