I'd suggest reaching out to Optimizely Support, they may be able to disable it with a WebApp setting
Thanks I did reach out and the advice I received was this
"That injected javascript is the only way to track pageview on their website. If we disable it, we cant detect correctly the pageview requested.
This script was injected by Microsoft Azure in order to integrate Application Insight into their app service.
I found a question raised here but not sure it'll help https://github.com/microsoft/ApplicationInsights-dotnet/issues/1565
"
You should make sure the Application Insights cookies are marked as strictly neccessary for your cookie consent. Cookie usage | Optimizely Developer Community
I don't believe these cookies persist personal information so should be fine for GDPR but as Scott mentioned, you are better to confirm that point with support.
Thanks Johnny. I think though they would be classified as Statistics or Performance cookies https://gdpr.eu/cookies/. I don't think they meet the classification of 'strictly necessary'. The link https://world.optimizely.com/documentation/developer-guides/digital-experience-platform/development-considerations/cookie-usage/ indicates other cookies as 'strictly necessary' but not the application insights ones.
Based on this I think Optimizely really should provide guidance on how to configure non-cookie behaviour
Got the following update from support - it looks as though you can switch to build-time implementation of AI if requested:
===
Based on what Application Insights provides us, we have two ways to integrate AI into the App Service. They are Runtime (AI javascript injected by Microsoft Azure) and Buildtime (AI managed by developer).
I suggest customer should switch from Runtime to Buildtime to fully control their AI javascript behavior.
But as I said, by disabling AI javascript, we're no longer tracking correct pageview on customer so we don't suggest doing it that way.
With AI Buildtime implementation, customer's developer will handler javascript within their html and they can disable them if end-user does not consent with it.
Thanks,
Yes if you're just wanting to disable the injection of the JS and cookie generated by the JavaScript tracking it's just turning
to false which stops it auto injecting the script in.
I've done this before when I wanted to modify the standard AI JavaScript header tag.
I'm not sure but disabling application insights completely might be against the DXP terms of service. Also the javascript application insights are actually pretty useful tool for monitoring your app.
Update on our implementation:
Rather than re-impement App Insights at build time, It seems you can update the cookie settings of app insights on DOM Loaded which seems to prevent cookies from dropping. Hopefully this complies with GDPR!
document.addEventListener('DOMContentLoaded', function () {
if (!checkPerformanceCookiesEnabled()) {
if (typeof appInsights === 'object' && typeof appInsights.config === 'object') {
window.appInsights.config.isCookieUseDisabled = true;
}
}
});
I understand Microsoft Application insights is added by DXP to projects and is part of the service agreement to monitor usage.
But to comply with GDPR is it required to offer users the option to disable the cookies? Usage can still be monitored, but users wouldn't be tracked.
Application Insights cookies can be configured during initialisation (https://docs.microsoft.com/en-us/azure/azure-monitor/app/javascript#configuration), but the initialisation is handled by code injected by DXP, so I'm unsure if we can control this. I feel this would be difficult to test in a development environment.
Has anyone out there looked at this issue and have any recommendations on how to safely configure the cookies for Application Insights?
thanks