Consent & privacy
The Active Reach Web SDK includes built-in consent management for GDPR, CCPA, and other privacy frameworks.
Consent mode
Enable consent mode during SDK initialization:
Aegis.init('YOUR_WRITE_KEY', {
enable_consent_mode: true,
wait_for_consent: true,
default_consent: {
analytics: false,
marketing: false,
functional: true,
},
});When wait_for_consent is true, the SDK queues all events but sends nothing until consent is granted. Once granted, queued events are flushed.
Consent categories
| Category | What it covers | Default |
|---|---|---|
analytics | Page views, event tracking, session data | Denied |
marketing | Campaign tracking, ad attribution, remarketing pixels | Denied |
functional | Identity resolution, session management | Granted |
Granting and denying consent
// Grant specific category
Aegis.grantConsent('analytics');
Aegis.grantConsent('marketing');
// Grant all categories
Aegis.grantConsent();
// Deny specific category
Aegis.denyConsent('marketing');
// Set all preferences at once
Aegis.setConsent({
analytics: true,
marketing: false,
functional: true,
});Integration with consent managers
OneTrust
Aegis.init('YOUR_WRITE_KEY', {
enable_consent_mode: true,
integrate_onetrust: true,
});The SDK automatically reads OneTrust cookie categories and maps them to Active Reach consent categories. When the user updates their OneTrust preferences, the SDK updates accordingly.
Cookiebot
Aegis.init('YOUR_WRITE_KEY', {
enable_consent_mode: true,
integrate_cookiebot: true,
});Same behavior — Cookiebot consent changes propagate to the SDK automatically.
Google Consent Mode v2
Aegis.init('YOUR_WRITE_KEY', {
enable_consent_mode: true,
integrate_google_consent_mode: true,
});The SDK reads Google’s gtag('consent', 'update', ...) signals and maps ad_storage and analytics_storage to Active Reach categories.
Do Not Track
By default, the SDK respects the browser’s Do Not Track signal (respect_dnt: true). When DNT is enabled:
- No events are sent
- No cookies are set
- The SDK is effectively disabled
Set respect_dnt: false to override (not recommended unless you have a legal basis).
Listening for consent changes
const unsubscribe = Aegis.onConsentChange((preferences) => {
console.log('Consent updated:', preferences);
});
// Later: stop listening
unsubscribe();Per-channel marketing opt-in — aegis.user.setOptIn
Cookie-consent categories (analytics, marketing, functional) govern whether the SDK collects events at all. Per-channel marketing opt-in is a separate question — which outbound channels a known contact has consented to. The aegis.user namespace (added 1.13.0; current 1.14.0) writes this onto the contact graph:
aegis.user.setOptIn('email', true);
aegis.user.setOptIn('sms', true);
aegis.user.setOptIn('whatsapp', false);
aegis.user.setOptIn('webpush', true);Supported channels: email, sms, push, webpush, whatsapp, rcs, inapp.
Under the hood setOptIn writes an opt_in_<channel> trait via identify() — segmenters, journey channel pickers, and the DPDP audit trail can all read it from the contact record.
Mirror requirement for any consent UI in your codebase
Any cookie-consent or marketing-opt-in UI must mirror its state to setOptIn for every channel it covers. Writing only to localStorage keeps the consent state invisible to the contact graph — segments won’t filter on it and journey channel pickers won’t gate on it.
// Inside your acceptAll handler
function acceptAll() {
localStorage.setItem('cookie_consent', JSON.stringify({ analytics: true, marketing: true }));
aegis.setConsent({ analytics: true, marketing: true, functional: true });
// Mirror per-channel marketing opt-ins onto the contact graph:
for (const channel of ['email', 'sms', 'whatsapp', 'webpush'] as const) {
aegis.user.setOptIn(channel, true);
}
}iOS counterpart — NSE consent gate
The web setOptIn mirror has a direct iOS counterpart: the Notification Service Extension (NSE) consent gate shipped in Phase 4.5. The NSE reads the host app’s ConsentManager record from an App Group UserDefaults suite and silently skips its push.delivered POST when marketing is denied. The OS still shows the rich notification; only the analytics call is suppressed.
Same principle, different surface — both gates use a single consent state to make sure segments, journey channel pickers, and the DPDP audit trail see the same opt-in record whether the customer is on web or in your iOS app. Detail in iOS SDK Advanced → NSE consent gate.
What’s next
- Web SDK overview — full SDK documentation
- Compliance & security — platform-level data governance
- iOS SDK Advanced — NSE — App Group setup for the iOS consent gate