Web SDK
Web SDK - Privacy & Consent
GDPR / DMA consent for the FunnelMob Web SDK.
The Web SDK exposes a setConsent API for GDPR / DMA. It is opt-in — if you never call it, the SDK tracks normally.
GDPR / DMA consent
Pass a FunnelMobConsent to record the user's decision. Field shape mirrors Google Consent Mode v2 and AppsFlyer's AppsFlyerConsent:
import { FunnelMob, type FunnelMobConsent } from '@funnelmob/sdk';
const consent: FunnelMobConsent = {
isUserSubjectToGDPR: true,
hasConsentForDataUsage: true,
hasConsentForAdsPersonalization: false,
hasConsentForAdStorage: true,
};
FunnelMob.shared.setConsent(consent);| Field | Effect on the SDK |
|---|---|
isUserSubjectToGDPR | When false, the per-dimension flags are advisory and the SDK tracks normally. |
hasConsentForDataUsage | When false and isUserSubjectToGDPR === true, the SDK stops dispatching events/sessions/identify and purges its local queue. |
hasConsentForAdsPersonalization | Forwarded to ad networks (Google ad_personalization). Does not gate dispatch. |
hasConsentForAdStorage | Forwarded to ad networks (Google ad_storage). Does not gate dispatch. |
setConsent can be called any time — before or after init(). When called, the SDK schedules a session re-fire so the backend learns the new consent state without waiting for the next page load.
Consent revocation
When the user revokes consent (hasConsentForDataUsage: false with isUserSubjectToGDPR: true):
- New
trackEvent(...)calls are dropped. - Pending events are removed from memory and from
localStoragepersistence. - In-flight HTTP requests still complete (we can't recall data already on the wire). Server-side erasure is the deletion API's job, not the SDK's.
Persistence is your CMP's job, not the SDK's
The Web SDK does not persist consent state itself. You should call setConsent on every page load from your consent management platform (CMP) / cookie banner.
This matches the industry standard (AppsFlyer, Adjust, Segment, Amplitude all do this). Reasons:
- The CMP is the single source of truth — if the SDK kept its own copy, an SDK upgrade or storage clear could leave the two out of sync.
- Consent is typically expressed via the CMP's cookie /
localStorageentry. The CMP already has the data; the SDK shouldn't duplicate it.
"Wait for everything" pattern (cookie banner / strict consent)
If you need the SDK to do absolutely nothing until the user has accepted a banner, use autoStart: false:
const config = new FunnelMobConfiguration({
apiKey: 'fm_live_abc123',
autoStart: false,
});
FunnelMob.shared.initialize(config);
// after the user accepts your banner:
FunnelMob.shared.setConsent(consent);
FunnelMob.shared.start();With autoStart: false, the SDK wires up internal state but performs no network activity (no session POST, no event flushes, no _fbp cookie write) until you call start(). This is stricter than setConsent alone and is the recommended pattern for hosts that need a pre-init consent gate.
If you also want to manage the _fbp / _fbc Meta cookies yourself instead of letting the SDK auto-write them on start(), pair this with autoCollectBrowserIds: false and supply values via setBrowserIdentifiers(...).