Cookie Consent and GDPR Compliance for the Velaro Chat Widget
7 min read
> Disclaimer: This article describes how the Velaro chat widget handles data and provides configuration options for common compliance scenarios. It is not legal advice. Requirements under GDPR, CCPA, ePrivacy, and other regulations vary by jurisdiction, industry, and specific implementation. Please consult your legal counsel to determine the appropriate configuration for your organization.
Overview
The Velaro chat widget can be configured to support cookie consent and privacy compliance requirements on your website. This article explains exactly what data the widget collects, when it collects it, and how to control that behavior using two available options that can be used independently or together.
What the Widget Collects by Default
When the Velaro widget loads using the standard embed code, the following occur immediately on page load, before any visitor interaction:
| Data | Where Stored | What It Contains |
|---|---|---|
| velaro_hitCount | Browser localStorage | Running count of pages visited across sessions |
| velaro_viewedPages | Browser localStorage | Array of the last 10 URLs the visitor has viewed |
| velaro_pageHits | Browser localStorage | Array of the last 20 page URLs with timestamps |
| Visitor registration | Velaro servers | Referrer URL, UTM parameters, current page URL, page history, Google Analytics ID, HubSpot cookie ID |
Under GDPR's ePrivacy rules, localStorage is treated identically to cookies. These items contain behavioral tracking data and are generally classified as functional rather than strictly necessary cookies, meaning they may require consent before being set on sites subject to opt-in cookie consent laws.
Option 1: Defer All Tracking Until Interaction
The deferStorageUntilInteraction option causes the widget to wait until a visitor actively clicks the chat bubble before writing any data or contacting Velaro's servers. This is the simplest compliance option and requires a single line of code.
What changes
| Behavior | Standard | With deferStorageUntilInteraction |
|---|---|---|
| Chat bubble appears on page | Yes | Yes |
| Shows agent availability in real time | Yes | Yes |
| localStorage written on page load | Yes | No |
| Visitor API called on page load | Yes | No |
| Full chat experience when visitor opens chat | Yes | Yes — no change |
| Proactive chat invites (timed or rule-based) | Yes | No |
How to enable
``js Velaro('boot', { siteId: YOUR_SITE_ID, deferStorageUntilInteraction: true }); ``
That is the only change required. The bubble appears and shows live agent availability. The moment a visitor clicks to open chat, all tracking fires and the full experience loads — routing, visit history, pre-chat forms, everything.
What visitors experience
Before clicking the bubble: The bubble appears, shows agent availability. Nothing is written to the browser. Zero calls to Velaro servers.
After clicking the bubble: Full chat experience. If agents are available, the pre-chat form or chat window opens immediately. Agent routing works normally. Visit history is captured at the moment of click.
Important: proactive invites
Proactive invites — timed pop-ups or rule-based prompts such as "You've been here 30 seconds, can I help?" — depend on page visit data that loads at boot. With deferStorageUntilInteraction enabled, that data does not load until the visitor clicks, so rule-based invites will not fire. If proactive invites matter to your workflow, use Option 2 below.
Important: visitors who reject cookies
With this option alone, the widget does not know about your cookie banner. A visitor who clicks "Reject All" and then clicks the chat bubble will still be tracked when they open chat — the widget treats clicking the bubble as an intentional action. If you need to fully honor rejections, combine this option with Option 2.
Option 2: Wire to Your Cookie Consent Banner
The privacyConsent option connects the widget directly to your existing cookie consent banner. Your developer calls a provided callback with true when the visitor accepts and false when they reject. The widget then behaves accordingly in real time — no page reload required.
What changes based on visitor choice
When visitor accepts cookies — done(true):
- Cookies enabled immediately in the current session
- Visitor tracking loads immediately — no page reload required
- Proactive invites become eligible from that point forward
- Full inline chat experience
When visitor rejects cookies — done(false):
- No localStorage written, no visitor API call, even if they click the chat bubble
- Clicking the bubble opens a popout window rather than expanding inline
- The visitor can still chat — the experience is functional but slightly different
- If they later change their mind and accept, tracking loads immediately without a page reload
How to enable (generic pattern)
``js Velaro('boot', { siteId: YOUR_SITE_ID, privacyConsent: function(done) { // Call done(true) when the visitor accepts cookies // Call done(false) when the visitor rejects cookies // This callback fires on initial decision AND when the visitor changes their mind done(visitorHasAcceptedFunctionalCookies); } }); ``
Your developer wires the done callback to your banner's accept and reject events. Most consent platforms fire a JavaScript event when the visitor makes or changes a choice — your developer connects that event to the done call. Contact Velaro Support with the name of your consent platform and we can provide the exact integration code.
Common platform examples
OneTrust: ``js Velaro('boot', { siteId: YOUR_SITE_ID, privacyConsent: function(done) { function check() { // C0003 is the Functional category in most OneTrust configurations var groups = window.OnetrustActiveGroups || ''; done(groups.indexOf('C0003') !== -1); } if (window.OneTrust && window.OneTrust.IsAlertBoxClosed()) { check(); } else { window.addEventListener('OTConsentApplied', check); } // Re-fire when visitor changes preferences window.addEventListener('OTConsentApplied', check); } }); ``
Cookiebot: ``js Velaro('boot', { siteId: YOUR_SITE_ID, privacyConsent: function(done) { function check() { done(!!(window.Cookiebot && window.Cookiebot.consent && window.Cookiebot.consent.preferences)); } if (window.Cookiebot && window.Cookiebot.loaded) { check(); } else { window.addEventListener('CookiebotOnLoad', check); } window.addEventListener('CookiebotOnConsentReady', check); } }); ``
Custom or in-house banner: ```js Velaro('boot', { siteId: YOUR_SITE_ID, privacyConsent: function(done) { // Store the callback so your banner code can call it window._velaroDone = done; } });
// Then in your banner's accept handler, add: // window._velaroDone && window._velaroDone(true);
// And in your banner's reject handler, add: // window._velaroDone && window._velaroDone(false); ```
Option 3: Combine Both Options
For the strictest compliance posture — nothing written before interaction AND full respect for the visitor's banner decision — use both options together:
``js Velaro('boot', { siteId: YOUR_SITE_ID, deferStorageUntilInteraction: true, privacyConsent: function(done) { // wire to your banner done(visitorHasAcceptedFunctionalCookies); } }); ``
With both options active:
| Scenario | Result |
|---|---|
| Visitor has not interacted with banner yet, has not clicked chat | Nothing written. Bubble visible. |
| Visitor accepts cookies | Tracking loads immediately in the current session. Proactive invites eligible. |
| Visitor rejects cookies and clicks the bubble | Nothing tracked. Popout window opens. Chat works. |
| Visitor rejects, later changes to accept | Tracking loads immediately. No page reload needed. |
Summary: Which Option Is Right for You?
| Your situation | Recommended option |
|---|---|
| Compliance scanner flags tracking on page load; you do not use proactive invites | deferStorageUntilInteraction: true |
| You use proactive invites; you have a consent banner your developer can modify | privacyConsent wired to your banner |
| You want zero data before interaction AND full respect for rejections | Both options combined |
| Your site has no cookie consent requirement | No change needed |
Frequently Asked Questions
Does the chat bubble disappear if a visitor rejects cookies?
No. With either option, the bubble always appears and shows accurate agent availability. Cookie decisions affect tracking and chat mode (inline vs popout), not whether the bubble is visible.
Will agents still see the visitor's page history?
With deferStorageUntilInteraction only: agents see the pages visited from the moment the visitor clicked to open chat. Pages visited before clicking are not recorded.
With privacyConsent and acceptance: full page history is available once the visitor accepts, beginning from that moment in the current session.
Does this make my site fully GDPR compliant?
These options address the specific concern of writing tracking data before consent or user interaction. Whether your overall implementation is compliant depends on your legal obligations, your consent banner configuration, your data processing agreements with Velaro, and other factors. Consult your legal counsel.
Do I need to update anything in my Velaro account or admin console?
No. These are client-side embed code changes only. No server-side settings need to change.
Can visitors who rejected cookies later accept and get full tracking?
Yes, when using the privacyConsent callback. When the visitor updates their preference — typically via a Cookie Settings link in your site footer — the callback fires again with true and tracking loads immediately in that session without a page reload.
For implementation assistance, contact Velaro Support and tell us which consent platform your site uses.
Email
Was this article helpful?
Security and Compliance in Velaro V20