Kameleoon + DataGrail Consent
Kameleoon offers the most sophisticated consent architecture among A/B testing tools, with four operational modes, a novel "Delayed Mode" that runs experiments without cookies, and explicit support for CNIL exemption criteria. This guide shows you how to integrate Kameleoon with DataGrail's consent banner.
Kameleoon's Four Consent Modes
Kameleoon supports four distinct operational modes based on consent state:
| Mode | Experiments Run? | Cookies Written? | Data Sent? | When Active |
|---|---|---|---|---|
| Active | Yes | Yes | Yes | Consent = true (granted) |
| Disabled | No | No | No | Consent = null/false + "Completely block" |
| Delayed | Yes | No | No (held in memory) | Consent = null + "Do not block" |
| Restricted | Only "Technical" tagged | No | No | Consent = null/false + "Partially block" |
Recommended: Use Delayed Mode for single-page apps and Restricted Mode for multi-page apps that need bugfixes/accessibility tests to run without consent.
Delayed Mode
Delayed Mode is Kameleoon's most innovative feature: experiments run immediately without cookies or data transmission. All data is held in memory only. If consent is later granted, everything flushes to Kameleoon at once.
How it works:
- Visitor arrives without cached consent
- Kameleoon runs experiments and shows variants
- User interactions are recorded in browser memory (not localStorage, not cookies)
- User grants consent via DataGrail banner
- All queued data flushes to Kameleoon servers
kameleoonVisitorCodecookie is written
Critical limitation: Without persistent storage, the visitor code regenerates on each page navigation. Variant allocation is inconsistent across pages until consent is obtained and the cookie is written.
Best for: Single-page applications (SPAs) where users don't navigate between pages before consenting.
In Delayed Mode, a visitor might see Variant A on the homepage, then Variant B on a product page, because the visitor code regenerated between pages. For multi-page sites, consider Restricted Mode instead.
Consent Callback Integration
Kameleoon provides explicit consent APIs you can trigger using DataGrail's callback system:
<script>
window.dgEvent = window.dgEvent || [];
function handleKameleoonConsent(preferences) {
if (window.DG_BANNER_API.categoryEnabled('performance') && window.Kameleoon) {
Kameleoon.API.Core.enableLegalConsent();
} else if (window.Kameleoon) {
Kameleoon.API.Core.disableLegalConsent();
}
}
window.dgEvent.push({
event: "initial_preference_callback",
params: handleKameleoonConsent
});
window.dgEvent.push({
event: "preference_callback",
params: handleKameleoonConsent
});
</script>
The initial_preference_callback fires on page load for returning visitors with cached consent, flushing any queued Delayed Mode data immediately. The preference_callback fires when new visitors make a consent choice via the banner.
Restricted Mode: "Technical" Experiments
Kameleoon allows you to tag experiments as "Technical" — these run even without consent. Intended for:
- Bugfixes deployed as 100% rollouts
- Accessibility improvements (screen reader support, keyboard navigation)
- Infrastructure changes (CDN testing, performance optimization)
Configure in Kameleoon dashboard:
- Open your experiment in Kameleoon dashboard
- Go to Settings > Advanced
- Enable Technical tag
- Set traffic allocation to 100% to one variation (prevents reallocation issues)
- Save experiment
Important: Only use the Technical tag for experiments that truly enhance functionality for users, not for business optimization. This classification is meant to align with "strictly necessary" interpretations.
CNIL Exemption Eligibility
Kameleoon's architecture is explicitly designed to qualify for CNIL's A/B testing exemption (France). If you meet all eight criteria, you can shift from opt-in consent to opt-out information:
CNIL Exemption Criteria
- Users are informed about cookie use — Configure in your privacy policy
- Users can opt out — Kameleoon provides opt-out mechanism
- Purpose limited strictly to measurement/testing — Configure in Kameleoon dashboard
- No data cross-referencing — Don't connect with CRM or other systems
- Single site scope — Limit experiments to one domain
- IP truncation — Kameleoon supports last byte truncation
- 13-month cookie lifetime — Configure in Kameleoon settings
- No third-party data sharing — Disable integrations with ad platforms
If all criteria are met: You can use Delayed or Restricted mode with opt-out instead of opt-in, recovering ~95% of your testing population.
CNIL exemption eligibility depends on your specific implementation. Consult your legal team before relying on exemption classification.
Cookie Pattern
Kameleoon uses only one cookie. Add this as a cookie rule in your DataGrail Consent dashboard under Cookie Management. Select Add Rule, enter the match criteria, set the Category to Performance, and configure the retention:
| Match Criteria | Category | Retention | Purpose |
|---|---|---|---|
kameleoonVisitorCode | Performance | 400 days | Persistent visitor identifier for variant assignment |
Cookie duration: Adjustable based on consent state:
- With consent: 13 months (CNIL-compliant)
- Without consent: Session-only or no cookie (Delayed Mode)
JavaScript SDK Configuration
For advanced control, configure Kameleoon's SDK with consent awareness using DataGrail's callback system:
<script>
var client = new KameleoonClient({
siteCode: 'YOUR_SITE_CODE',
stubMode: true
});
window.dgEvent = window.dgEvent || [];
function activateKameleoon(preferences) {
if (window.DG_BANNER_API.categoryEnabled('performance')) {
var visitorCode = Kameleoon.API.Visitor.getCode();
client.stubMode = false;
client.setLegalConsent(visitorCode, true);
}
}
window.dgEvent.push({
event: "initial_preference_callback",
params: activateKameleoon
});
window.dgEvent.push({
event: "preference_callback",
params: activateKameleoon
});
</script>
Stub mode ensures zero side effects (no cookies, no storage, no network calls) until consent is explicitly granted.
Additional Cookie Rules
If you're using Kameleoon's JavaScript SDK with localStorage caching, the primary enforcement is gating the SDK via callbacks (shown above). The kameleoonVisitorCode cookie rule added in the Cookie Pattern section covers the main cookie.
Additional Privacy Features
Kameleoon provides these privacy controls beyond consent modes:
| Feature | Purpose | Configuration |
|---|---|---|
| Custom Visitor Code Manager | Control identifier storage | SDK configuration |
| Custom Requester | Suppress tracking without breaking SDK | SDK configuration |
| Targeting Data Cleanup | Auto-purge stored targeting data | targetingDataCleanupInterval |
| Private attributes | Exclude sensitive data from transmission | SDK configuration |
| EU endpoints | Data residency | Select region in dashboard |
Consent State Checking
Read Kameleoon's current consent state:
// Check if consent is granted
const consentState = Kameleoon.API.Visitor.experimentLegalConsent;
if (consentState === true) {
console.log('Consent granted - full tracking active');
} else if (consentState === false) {
console.log('Consent denied - tracking disabled');
} else if (consentState === null) {
console.log('Consent unknown - in Delayed or Restricted mode');
}
Mode Comparison
| Mode | Best For | User Experience | Data Collection | Variant Consistency |
|---|---|---|---|---|
| Active | Post-consent | Full experimentation | Immediate | Consistent |
| Disabled | Strict compliance | Original only | None | N/A |
| Delayed | SPAs | Full experimentation | On consent | Single-page only |
| Restricted | Multi-page + bugfixes | Technical experiments only | None | Consistent for technical |
Troubleshooting
Delayed Mode shows different variants on different pages
This is expected behavior in Delayed Mode without consent:
- Without
kameleoonVisitorCodecookie, visitor code regenerates per page - Each page may assign a different variant
- Solution: Switch to Restricted Mode for multi-page consistency, or use Active Mode after consent
enableLegalConsent() called but data isn't being sent
Check that:
- Kameleoon SDK is fully loaded (
window.Kameleoonexists) - You're calling the correct API:
Kameleoon.API.Core.enableLegalConsent() - The visitor has actually interacted with experiments (Delayed Mode queued data)
- Network tab shows requests to Kameleoon servers after consent granted
- Ad blockers aren't interfering with Kameleoon's network calls
Technical experiments aren't running even with the tag enabled
Verify:
- Experiment is tagged as "Technical" in Kameleoon dashboard
- Restricted Mode is configured (not Disabled Mode)
- Traffic allocation is set to 100% to avoid reallocation
- Experiment is active and not paused
- Visitor matches targeting criteria
How do I test CNIL exemption eligibility?
CNIL exemption checklist:
- Review your privacy policy — mentions A/B testing?
- Opt-out mechanism functional? Test the opt-out URL
- No CRM or third-party integrations connected? Check dashboard integrations
- Single domain only? Verify experiment scope
- IP truncation enabled? Check privacy settings
- Cookie lifetime ≤ 13 months? Verify cookie config
- Consult legal team for final eligibility determination
Integration Comparison
| Approach | Complexity | Flicker | Data Loss | CNIL Eligible |
|---|---|---|---|---|
| Delayed Mode + callbacks | Low | No | No (queued) | Yes (if all criteria met) |
| Restricted Mode + Technical tags | Medium | No | Yes (non-technical) | Partial |
| Active Mode + preference_callback | Low | No | Yes (pre-consent) | No |
| Disabled Mode (full block) | Minimal | Yes | Yes (pre-consent) | N/A |
Related Resources
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.