Compliance
Working with Cookie Consent Tools
If your site serves visitors in the EU or UK, you need cookie consent before loading the SourceTag script. This page shows how to integrate SourceTag with popular cookie consent tools so the script only runs after the visitor has given consent.
The general approach
Instead of loading the SourceTag script unconditionally in the <head>, you:
- Add the script tag in a way that prevents it from loading automatically
- Use your consent tool’s API to load the script only after consent is given
Each consent tool has its own mechanism for this. The examples below cover the most common ones.
CookieYes
CookieYes uses a data-cookieyes attribute on script tags to control when they load.
Replace your normal script tag:
<script src="https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js"></script>
With this:
<script
  src="https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js"
  async
  type="text/plain"
  data-cookieyes="cookiecategory:analytics"
></script>
The type="text/plain" attribute prevents the browser from executing the script. CookieYes changes it to type="text/javascript" once the visitor consents to the “analytics” category.
If you’ve categorised SourceTag as “marketing” in your CookieYes setup, use data-cookieyes="cookiecategory:marketing" instead.
Setting up the cookie in CookieYes
- In your CookieYes dashboard, go to Cookie List
- Run a scan of your site (or add the cookie manually)
- Find _sourcetag in the cookie list
- Set the category to Analytics or Marketing (whichever you prefer)
- Set the description to something like: “Stores marketing attribution data (channel, campaign, source) for lead tracking. First-party cookie.”
- Set the duration to 400 days
If CookieYes doesn’t detect the _sourcetag cookie during scanning (because consent hasn’t been given yet), add it manually under Cookie List > Add Cookie.
GTM with CookieYes
If you load SourceTag via Google Tag Manager, CookieYes may block the entire GTM container before the SourceTag tag can fire. To avoid this:
- Allow GTM itself to load without consent
- Use CookieYes’s GTM consent mode integration to control individual tags
- Set your SourceTag tag trigger to require “Analytics” or “Marketing” consent
Cookiebot
Cookiebot uses data-cookieconsent attributes to control script loading.
Replace your normal script tag with:
<script
  src="https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js"
  async
  type="text/plain"
  data-cookieconsent="marketing"
></script>
Cookiebot will activate the script when the visitor consents to the “marketing” category. Use “statistics” if you’ve categorised the cookie under statistics instead.
Important: Do not add data-cookieconsent="ignore" to the SourceTag script - that tells Cookiebot to always load it regardless of consent, which defeats the purpose.
Setting up the cookie in Cookiebot
- In your Cookiebot dashboard, go to your domain
- Run a scan (or go to Cookies to add manually)
- Find _sourcetag and assign it to the Marketing or Statistics category
- Set the description to: “Stores marketing attribution data for lead source tracking”
- Cookiebot will automatically block the script until the visitor consents to the assigned category
Using the Cookiebot JavaScript API
Alternatively, you can load the script programmatically using Cookiebot’s consent event:
<script>
  window.addEventListener('CookiebotOnAccept', function () {
    if (Cookiebot.consent.marketing) {
      var script = document.createElement('script');
      script.src = 'https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js';
      script.async = true;
      document.head.appendChild(script);
    }
  });
</script>
This creates and injects the script tag only after consent is confirmed.
Returning visitors with Cookiebot
When a returning visitor has already given consent, Cookiebot fires CookiebotOnAccept immediately on page load. The script approach above handles both first-time consent and returning visitors.
Iubenda
Iubenda uses its own script-blocking mechanism. You can use the _iub.csConfiguration.callback approach or the type="text/plain" method.
Using the class attribute
<script
  src="https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js"
  async
  type="text/plain"
  class="_iub_cs_activate"
  data-iub-purposes="4"
></script>
Purpose ID 4 corresponds to “Measurement” in Iubenda’s default purpose list. If you’ve assigned the cookie to a different purpose, use that purpose number instead.
Using the Iubenda callback
<script>
  var _iub = _iub || [];
  _iub.csConfiguration = _iub.csConfiguration || {};
  _iub.csConfiguration.callback = _iub.csConfiguration.callback || {};
  _iub.csConfiguration.callback.onConsentGiven = function () {
    var script = document.createElement('script');
    script.src = 'https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js';
    script.async = true;
    document.head.appendChild(script);
  };
</script>
Complianz (WordPress)
If you’re using the Complianz plugin on WordPress alongside the SourceTag WordPress plugin, Complianz can manage the script automatically:
- Go to Complianz > Integrations
- If SourceTag isn’t auto-detected, add it as a custom script
- Set the category to “Marketing” or “Statistics”
- Complianz will block the script until consent is given
If you’re not using the WordPress plugin (i.e. you added the script tag manually), use the type="text/plain" approach with Complianz’s data attribute:
<script
  src="https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js"
  async
  type="text/plain"
  data-category="marketing"
></script>
Google Consent Mode
If you use Google Consent Mode (v2) for managing consent signals, you can conditionally load the SourceTag script based on the consent state:
<script>
  function loadSourceTag() {
    var script = document.createElement('script');
    script.src = 'https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js';
    script.async = true;
    document.head.appendChild(script);
  }
  // Default both storage types to denied until the visitor consents
  if (typeof gtag === 'function') {
    gtag('consent', 'default', {
      analytics_storage: 'denied',
      ad_storage: 'denied'
    });
  }
  // Listen for consent updates ('consent-updated' is a placeholder event name)
  document.addEventListener('consent-updated', function () {
    // Check your consent tool's API for the current consent state
    // and load SourceTag if analytics/marketing consent is granted
    loadSourceTag();
  });
</script>
The exact event name and consent-checking logic depend on your consent tool. Consult your consent tool’s documentation for the correct event to listen for.
Generic approach (any consent tool)
If your consent tool isn’t listed above, the pattern is the same:
- Don’t load the script automatically. Remove the script tag from the <head> or change its type to text/plain.
- Listen for a consent event. Every consent tool fires an event or calls a callback when consent is given.
- Create and inject the script tag. When consent is confirmed, create a new script element and append it to the document head.
<script>
  // Replace this with your consent tool's event/callback
  function onConsentGranted() {
    // Already loaded? The src is lowercase (cdn.sourcetag.io) and the match is
    // case-sensitive; an inert type="text/plain" placeholder does not count.
    if (document.querySelector('script[src*="cdn.sourcetag.io"]:not([type="text/plain"])')) return;
    var script = document.createElement('script');
    script.src = 'https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js';
    script.async = true;
    document.head.appendChild(script);
  }
</script>
What happens without consent
If a visitor doesn’t give consent and the script never loads:
- No _sourcetag cookie is set
- No attribution data is captured
- Forms work normally, just without the hidden attribution fields
- The form submission goes through without any st_ field values
This is the expected and correct behaviour. You simply won’t have attribution data for visitors who decline cookies.
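To confirm that nothing loads before consent, the attribute-based tags shown on this page can be audited in your page templates. The Node.js sketch below is an added example, not SourceTag's or any consent vendor's code; GATES, parseAttrs and auditSourceTag are hypothetical names, the sample markup is constructed, and script tags injected from JavaScript are out of its scope.

```javascript
// Added example: flag SourceTag <script> tags that would run without consent.
// Attribute names are the ones shown on this page; everything else is illustrative.
const GATES = [
  (a) => /^cookiecategory:/.test(a['data-cookieyes'] || ''),        // CookieYes
  (a) => Boolean(a['data-cookieconsent']),                          // Cookiebot
  (a) => (a.class || '').split(/\s+/).includes('_iub_cs_activate'), // Iubenda
  (a) => Boolean(a['data-category']),                               // Complianz
];

// Parse the attributes of one opening <script ...> tag into a plain object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s=<>"'\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const body = tag.replace(/^<script/i, '').replace(/>$/, '');
  for (const m of body.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

// Return one finding per SourceTag tag that is not correctly consent-gated.
function auditSourceTag(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if (!/cdn\.sourcetag\.io\//i.test(a.src || '')) continue; // not SourceTag
    const inert = (a.type || '').trim().toLowerCase() === 'text/plain';
    if (a['data-cookieconsent'] === 'ignore') {
      findings.push({ src: a.src, issue: 'data-cookieconsent="ignore" loads regardless of consent' });
    } else if (!inert) {
      findings.push({ src: a.src, issue: 'executes on page load: type is not text/plain' });
    } else if (!GATES.some((gate) => gate(a))) {
      findings.push({ src: a.src, issue: 'text/plain without a consent attribute from this page' });
    }
  }
  return findings;
}

// Constructed sample markup: one correct tag and three misconfigured ones.
const URL_ = 'https://cdn.sourcetag.io/scripts/YOUR_SITE_ID/st.js';
const SAMPLE = [
  `<script src="${URL_}"></script>`,
  `<script src="${URL_}" async type="text/plain" data-cookieyes="cookiecategory:analytics"></script>`,
  `<script src="${URL_}" type="text/plain" data-cookieconsent="ignore"></script>`,
  `<script src="${URL_}" type="text/plain"></script>`,
].join('\n');
console.log(auditSourceTag(SAMPLE));
```

Running this over rendered templates in CI catches a tag that was pasted back in its unconditional form.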
Categorising the cookie
When configuring your consent tool, categorise the _sourcetag cookie as:
- Marketing or Analytics/Statistics (most consent tools use one or both of these categories)
- Purpose: tracking the marketing source of website visitors for lead attribution
- Duration: 400 days (or your configured lifetime)
- Type: First-party, persistent
Further reading
- GDPR Compliance for the broader compliance picture
- Data Privacy for what data is stored where
- Cookie Settings for configuring the cookie name and lifetime
