Cookie-Based Consent Transfer

The cookie-based method is the preferred approach for transferring GTM consent between sites that share a parent domain. It uses first-party cookies set with a wildcard domain to share consent across all subdomains.

When to Use This Method

Use the cookie method when:

Source and destination share a parent domain (e.g., example.com → shop.example.com)
You have control over both domains
You want the most reliable, non-strippable method
Privacy is a concern (cookies aren't visible in URLs)

How It Works

The cookie method follows this flow:

Source site sets cookie with Domain=.example.com
Browser automatically sends cookie on redirect
Destination reads cookie via JavaScript
GTM receives consent before container loads

// Source: Set cookie
document.cookie = "gtm_consent={...}; Domain=.example.com; Max-Age=300"

// Destination: Read cookie
const consent = getConsentFromCookie();
gtag('consent', 'default', consent);

Property	Value	Purpose
Name	`gtm_consent`	Identifies the consent cookie
Value	JSON string	Full consent state object
Domain	`.example.com`	Shares across all `*.example.com`
Path	`/`	Available everywhere on domain
Max-Age	`300` (5 minutes)	Auto-expires after redirect
SameSite	`Lax`	Allows navigation, prevents CSRF
Secure	Set if HTTPS	Only sent over secure connections

The cookie stores a JSON object with all consent states:

{
  "analytics_storage": "granted",
  "ad_storage": "denied",
  "ad_user_data": "denied",
  "ad_personalization": "denied",
  "functionality_storage": "granted",
  "personalization_storage": "granted",
  "security_storage": "granted"
}

Domain Requirements

The cookie method only works when both sites share a common parent domain.

Works (Share .example.com):

example.com → shop.example.com ✅
www.example.com → checkout.example.com ✅
app.example.com → shop.example.com ✅

Doesn't Work (Different domains):

example.com → different.com ❌
example.com → example.co.uk ❌
example.com → example.org ❌

Salesforce Custom Domain Setup

If your MAF site is on Salesforce's domain (yourorg.my.site.com), you must configure a custom domain:

Navigate to Setup → Digital Experiences → All Sites
Click your site → Administration → Settings
Select Domain Name → Add custom domain: shop.example.com

Configure DNS:

Type:  CNAME
Name:  shop
Value: yourorg.my.site.com
TTL:   Auto or 3600

Verify and activate in Salesforce

// In browser console on source site
document.cookie.split(';').forEach(c => {
    if (c.includes('gtm_consent')) {
        console.log('Cookie found:', c.trim());
    }
});

Check in DevTools → Application → Cookies:

Look for gtm_consent cookie
Verify Domain is .example.com (with leading dot)

// In browser console on destination site
console.log('All cookies:', document.cookie);

// Use receiver API
window.GTMConsentReceiver.checkCookie();

Check Console Logs

On the destination site, you should see:

✅ [GTM Consent] Cookie found and parsed: {analytics_storage: "granted", ...}
📍 [GTM Consent] Using consent from COOKIE (preferred method)
✅ [GTM Consent] Applied to GTM via gtag("consent", "default")
[GTM Consent] Method: cookie

Advantages

Most Reliable - Cannot be stripped by redirects or intermediaries
Privacy-Friendly - Not visible in URLs or server logs
Clean URLs - No consent parameters polluting the URL
Standard Browser Feature - Universal support, well-understood
Automatic - Browser sends cookie automatically

Troubleshooting

Check these common issues:

Different parent domains - Verify both sites share parent domain
Cookie expired - Test within 5 minutes of setting
HTTPS mismatch - Both sites should use same protocol
Custom domain not configured - Set up in Salesforce

Verify domains share parent:

// On both sites, run:
console.log('Domain:', window.location.hostname.split('.').slice(-2).join('.'));
// Should be identical (e.g., "example.com")

Check console for errors:

❌ [GTM Consent] Invalid consent object, missing required keys

Solution: Verify cookie value is valid JSON with required keys (analytics_storage, ad_storage)

Security & Privacy

The implementation follows security best practices:

document.cookie =
    "gtm_consent={...}; " +
    "Domain=.example.com; " +  // First-party domain
    "Max-Age=300; " +           // 5 minutes only
    "SameSite=Lax; " +          // Prevents CSRF
    "Secure";                   // HTTPS only

Best Practices

Use Short Expiry

// 5 minutes is enough for redirect
Max-Age=300

Why: Minimizes exposure if user doesn't complete redirect

Always Use Secure Flag on HTTPS

const secure = window.location.protocol === 'https:' ? '; Secure' : '';
document.cookie += secure;

Why: Prevents cookie from being sent over insecure connections

Set SameSite=Lax

SameSite=Lax

Why: Allows navigation while preventing CSRF attacks

Validate on Receive

if (consent && typeof consent === 'object') {
    const hasRequired = consent.analytics_storage && consent.ad_storage;
    if (hasRequired) {
        // Apply
    }
}

Why: Prevents invalid data from breaking GTM

Summary

The cookie method is the preferred approach when:

Sites share a parent domain
You want maximum reliability
Privacy is important
You need clean URLs

Requirements:

Same parent domain (e.g., *.example.com)
Custom domain configured for Salesforce
HTTPS enabled on both sites

Result:

Most reliable consent transfer
Privacy-friendly (not in URLs)
Fast (browser-managed)
Secure (proper flags)