Managing GDPR Consent
Integration
You can configure your script in two different variants:
- Default Variant: Sets a cookie immediately upon page load. Only use this in the EU when you deem pagent mandatory for your site’s operation.
- Opt-In Variant: Uses cookie-less tracking for up to 24h and sets a permanent cookie only once opt-in is triggered.
You can activate the opt-in variant using the data-opt-in-required="true" flag directly on the integration script.
Here is an example:
<head>
<!-- pagent SDK Script - Opt-In Variant -->
<script data-client-key="[YOUR_KEY]" data-opt-in-required="true" src="https://cdn.pagent.ai/js/sdk.js"></script>
</head>
When using the opt-in variant, no cookies are created by our SDK unless you explicitly give it consent.
Note: The parameter used to be data-opt-in="true" and was renamed for purposes of clarity. The old parameter, however, still works in the same fashion.
Giving consent
Once you have consent from your user, execute the opt-in command as follows:
window._pgnt = window._pgnt || [];
window._pgnt.push({ kind: "opt-in" });
Alternatively, you can have a script injected into your page upon consent using your own tooling, like below:
<script>
window._pgnt = window._pgnt || [];
window._pgnt.push({ kind: "opt-in" });
</script>
Cookieless tracking
Pagent can also operate completely without cookies.
In this cookieless mode we still need to recognise a visitor long enough to keep A/B tests consistent, but we do so only for 24 hours and without storing any data in the browser. Because no persistent identifier is written, this mode typically does not require a cookie banner.
How visitor consistency works
When the SDK loads it derives a short-lived, deterministic seed:
seed = SHA-256(salt + ip + userAgent)
- salt – a random 64-byte string generated by our backend and rotated every 24h
- ip – the visitor’s IP address (truncated, e.g. /24 for IPv4, /56 for IPv6)
- userAgent – the browser’s user-agent string
The seed exists only in memory. Once the salt rotates after 24 hours the identifier can no longer be reproduced, effectively resetting the visitor.
Cookieless tracking therefore behaves the same as using the opt-in variant without ever calling opt-in: experiments stay consistent within the 24-hour window, yet no long-term tracking occurs.
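The seed derivation described above, as an added Node.js example that is not pagent's own code: it shows that the seed is stable within one salt window, is shared by every visitor in the same /24 with the same user agent, and cannot be reproduced after the salt rotates. Assumptions: plain concatenation of salt, truncated IP and user agent, and the hypothetical helpers truncateIp, deriveSeed and pickVariant; the sample addresses and user agent are constructed.

```javascript
const { createHash, randomBytes } = require("node:crypto");
const net = require("node:net");

// Reduce an address to its network prefix: /24 for IPv4, /56 for IPv6.
function truncateIp(ip) {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) return truncateIp(mapped[1]); // IPv4-mapped IPv6 is treated as IPv4
  if (net.isIPv4(ip)) return ip.split(".").slice(0, 3).join(".") + ".0/24";
  if (!net.isIPv6(ip) || /[.%]/.test(ip)) throw new Error("unsupported address: " + ip);
  // Expand "::" so there are always eight 16-bit groups.
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const groups = ip.includes("::") ? [...h, ...Array(8 - h.length - t.length).fill("0"), ...t] : h;
  const w = groups.map((g) => parseInt(g, 16));
  // /56 keeps the first three groups and the high byte of the fourth.
  return [w[0], w[1], w[2], w[3] & 0xff00].map((x) => x.toString(16)).join(":") + "::/56";
}

// seed = SHA-256(salt + ip + userAgent). Plain concatenation is an assumption;
// the page does not specify encoding or separators.
function deriveSeed(salt, ip, userAgent) {
  return createHash("sha256").update(salt).update(truncateIp(ip)).update(userAgent).digest("hex");
}

// Hypothetical helper: map a seed to an A/B variant so assignment is stable per seed.
function pickVariant(seed, variants) {
  return variants[parseInt(seed.slice(0, 8), 16) % variants.length];
}

// Constructed inputs: documentation address ranges and a made-up user agent.
function demo() {
  const ua = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0";
  const salt = randomBytes(64);    // salt for the current 24h window
  const rotated = randomBytes(64); // salt for the next window, after rotation
  const seed = deriveSeed(salt, "203.0.113.7", ua);
  return {
    stableWithinWindow: seed === deriveSeed(salt, "203.0.113.7", ua),
    sharedAcrossSlash24: seed === deriveSeed(salt, "203.0.113.200", ua),
    changesWithUserAgent: seed !== deriveSeed(salt, "203.0.113.7", ua + " x"),
    unlinkableAfterRotation: seed !== deriveSeed(rotated, "203.0.113.7", ua),
    variant: pickVariant(seed, ["control", "treatment"]),
  };
}

console.log(demo());
```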