Disabling Cookies for Application Insights added by DXP

Sam

I understand Microsoft Application insights is added by DXP to projects and is part of the service agreement to monitor usage.

But to comply with GDPR is it required to offer users the option to disable the cookies? Usage can still be monitored, but users wouldn't be tracked.

Application Insights cookies can be configured during initialisation (https://docs.microsoft.com/en-us/azure/azure-monitor/app/javascript#configuration), but the initialisation is handled by code injected by DXP, so I'm unsure if we can control this. I feel this would be difficult to test in a development environment.

Has anyone out there looked at this issue and have any recommendations on how to safely configure the cookies for Application Insights?

thanks

#266118
Nov 02, 2021 12:11

I'd suggest reaching out to Optimizely Support, they may be able to disable it with a WebApp setting

#266169
Nov 03, 2021 11:28
Sam

Thanks I did reach out and the advice I received was this 

"That injected javascript is the only way to track pageview on their website. If we disable it, we can't detect correctly the pageview requested.
This script was injected by Microsoft Azure in order to integrate Application Insight into their app service.

I found a question raised here but not sure it'll help https://github.com/microsoft/ApplicationInsights-dotnet/issues/1565

"

#266170
Nov 03, 2021 11:44

You should make sure the Application Insights cookies are marked as strictly necessary for your cookie consent. Cookie usage | Optimizely Developer Community

I don't believe these cookies persist personal information so should be fine for GDPR but as Scott mentioned, you are better to confirm that point with support.  

#266211
Edited, Nov 04, 2021 12:44
Sam

Thanks Johnny. I think though they would be classified as Statistics or Performance cookies https://gdpr.eu/cookies/. I don't think they meet the classification of 'strictly necessary'. The link https://world.optimizely.com/documentation/developer-guides/digital-experience-platform/development-considerations/cookie-usage/ indicates other cookies as 'strictly necessary' but not the application insights ones.

Based on this I think Optimizely really should provide guidance on how to configure non-cookie behaviour

#266220
Nov 04, 2021 13:42
Sam

Got the following update from support - it looks as though you can switch to build-time implementation of AI if requested:
===

Based on what Application Insights provides us, we have two ways to integrate AI into the App Service. They are Runtime (AI javascript injected by Microsoft Azure) and Buildtime (AI managed by developer).
I suggest customer should switch from Runtime to Buildtime to fully control their AI javascript behavior.

But as I said, by disabling AI javascript, we're no longer tracking correct pageview on customer so we don't suggest doing it that way.

With AI Buildtime implementation, customer's developer will handle javascript within their html and they can disable them if end-user does not consent with it.

Thanks,

#266393
Nov 08, 2021 10:17

Yes if you're just wanting to disable the injection of the JS and cookie generated by the JavaScript tracking it's just turning

to false which stops it auto injecting the script in. 

I've done this before when I wanted to modify the standard AI JavaScript header tag.

#266403
Nov 08, 2021 14:18
Sam

I'm not sure but disabling application insights completely might be against the DXP terms of service. Also the javascript application insights are actually pretty useful tool for monitoring your app. 

Update on our implementation:

Rather than re-implement App Insights at build time, it seems you can update the cookie settings of app insights on DOM Loaded which seems to prevent cookies from dropping. Hopefully this complies with GDPR!

// Disable Application Insights cookies unless performance cookies were accepted.
document.addEventListener('DOMContentLoaded', function () {
    if (!checkPerformanceCookiesEnabled()) {
        if (typeof appInsights === 'object' && typeof appInsights.config === 'object') {
            window.appInsights.config.isCookieUseDisabled = true;
        }
    }
});
#266938
Nov 18, 2021 15:11
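
An added example, not part of the thread and not Optimizely or Microsoft code: the DOMContentLoaded approach in the last post, extended to also expire `ai_user` and `ai_session` cookies that the injected snippet may already have written before the handler runs. Assumptions: `window.analyticsConsent` is a hypothetical flag set by the site's own consent tool, the cookies use the default `path=/` with no custom cookie domain, and `getCookieMgr()` is only present on SDK 2.6.0 and later, so the code falls back to the `isCookieUseDisabled` flag from the post.

```javascript
// Added example (not from the thread). ai_user / ai_session are the cookies the
// Application Insights JavaScript SDK sets by default.
const AI_COOKIES = ['ai_user', 'ai_session'];

// Names of Application Insights cookies present in a document.cookie string.
function findAiCookies(cookieString) {
  return (cookieString || '')
    .split(';')
    .map(function (pair) { return pair.split('=')[0].trim(); })
    .filter(function (name) { return AI_COOKIES.indexOf(name) !== -1; });
}

// Turn cookie use off on the SDK object and expire cookies already written.
// Returns { disabled, expired } so the caller can log or assert the outcome.
function applyAnalyticsConsent(ai, doc, consented) {
  const result = { disabled: false, expired: [] };
  if (consented) { return result; }

  if (ai && typeof ai.getCookieMgr === 'function') {
    ai.getCookieMgr().setEnabled(false);       // SDK 2.6.0 and later
    result.disabled = true;
  } else if (ai && ai.config !== null && typeof ai.config === 'object') {
    ai.config.isCookieUseDisabled = true;      // flag used in the post above
    result.disabled = true;
  }

  // The injected snippet may have run first, so remove what it left behind.
  // Assumes path=/ and no custom cookie domain (assumption, adjust if set).
  findAiCookies(doc.cookie).forEach(function (name) {
    doc.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/';
    result.expired.push(name);
  });
  return result;
}

// Browser wiring; skipped when no DOM is present (for example under Node).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () {
    const consented = window.analyticsConsent === true; // hypothetical consent flag
    applyAnalyticsConsent(window.appInsights, document, consented);
  });
}
```

After deploying, check the browser's cookie storage on a first visit without consent: `result.disabled` being `false` means the SDK object was not found and the injected script is still free to set cookies.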