NAV Navbar
  • Legal Consent
  • Legal Consent


    Depending on the country you are operating your website in, it may be necessary to ask for the visitor's permission to be submitted to A/B testing or Personalization before you are actually allowed to execute parts of Kameleoon's code on a visitor's browser. You have a responsibility to disclose on your website the various technologies you use (especially the ones that perform tracking activities, which is the case with Kameleoon), and the visitor has to agree (even implicitely) to each of them.

    This legal consent is for example mandatory in European Countries with the famous GDPR regulation. This article explains how Kameleoon deals with legal consent, and details the different options to tailor its behavior to your requirements.

    Legal Consent Policies

    Kameleoon behaves differently before and after legal consent is obtained. The platform offers a configuration option to control when and how it will obtain the visitor's legal consent, and thus trigger a switch between its operational modes. Three values are possible for this option, which correspond to three different policies:

    The default policy for a new site depends on the country specified for the Kameleoon customer account. If you're registered as a customer within the European Union, the default policy is POSITIVE_INTERACTION. If not, the default policy is OFF (ie, no legal consent control).

    Restricted mode description

    While Kameleoon is not aware of a visitor's legal consent, it will still be active, but operates in "restricted mode". It won't perform two very important operations that are normally part of its normal working process:

    However, the targeting and triggering of experiments and personalizations is still active from the very beginning, as is the bucketing and the display of variations. This basically means that a visitor landing on your website can potentially be "part" of an experiment and see a variation before giving his consent to be tracked. But results are not sent until he gives active consent to do so, so in practice he's not being tracked yet.

    Under restricted mode, Kameleoon actually keeps all the information in volatile RAM memory (within the JavaScript memory space) and just delays writing it to the browser persistent spaces and sending it over the network. This means that once the legal consent is obtained, all data that would have been written / sent before is instantly flushed. You can for instance observe in a browser's developer console that (usually several) Kameleoon tracking calls are sent out only after the platform is made aware of the visitor's legal consent. If the legal consent is never obtained, of course nothing is ever written nor sent.

    Description of the POSITIVE_INTERACTION policy

    This policy (which is the default for all European customers) is akin to an automatic mode. Kameleoon handles the GDPR constraints all by itself, without any additional configuration. Usually, this is the fastest and easiest way to be compliant with their local regulations and thus this policy is selected by the majority of our customers.

    Technically, Kameleoon is in restricted mode from the visitor's arrival on the landing page of your website until he either clicks or scrolls. As soon as this positive interaction is done, Kameleoon switches to its normal mode and flushes data to the usual endpoints (cookies / Local Storage / data collection servers). On the following pages, and for the next visits, the legal consent is remembered, so Kameleoon starts in normal mode right away.

    Description of the MANUAL policy

        function acceptPolicy() {
            document.getElementById('footer').style.visibility = 'hidden';
        function disableKameleoon() {
            const expiryDate = new Date();
            expiryDate.setMonth(expiryDate.getMonth() + 1);
            document.cookie = 'kameleoonOptout=true; expires=' + expiryDate.toGMTString();
            document.getElementById('footer').style.visibility = 'hidden';
    <div id='footer'>
            We use various technologies to personalize content and to analyze our traffic.
            Please accept if you comply with our privacy policy, or decline if you wish to avoid tracking.
        <button type='button' onclick="acceptPolicy()">Accept</button>
        <button type='button' onclick="disableKameleoon()">Decline</button>

    If you have specific requirements or mechanisms already in place on your website to handle the constraints of legal consent collection, you can notify Kameleoon manually. This is done via the use of the Kameleoon.API.Core.enableLegalConsent() method in our JavaScript Activation API. Simply call this method once you have obtained legal consent and want to trigger the activation of Kameleoon's normal mode. With this policy, Kameleoon starts in restricted mode, switches when the method has been called, and remembers this for this particular visitor (so no need to call Kameleoon.API.Core.enableLegalConsent() on subsequent pages and visits).

    An example of a typical setup is provided to the right. The customer provides a dialog that informs its visitors that the website uses tracking features (usually with a list of the platforms / technologies used). If they don't agree with the terms provided, they can avoid tracking by clicking the appropriate button.

    Permanently disabling Kameleoon for a given visitor

    Usually, once the visitor refuses to give consent to run Kameleoon, you want to permanently disable Kameleoon for this visit and all future ones. To do so, you can setup an opt-out cookie, which is documented here. Note that the example in the previous section implements this approach.