Analytics analytics_storage

Snowplow Analytics — consent fix

Snowplow Analytics loads before consent and sets sp (session ID, session duration) and _sp_id.* (user ID, 2 years). Snowplow collects detailed behavioural data — page visits, clicks, scroll depth — and sends it to a collector (public or first-party). The sp and _sp_ses.* cookies are also set as first-party cookies if the collector runs on a custom subdomain.

Domains

  • collector.snowplow.io
  • snowplow.io
  • sp.snowplow.io

Cookies

  • sp
  • _sp_ses.*
  • _sp_id.*

Snowplow is an advanced (often first-party) analytics platform. As soon as the script loads, it sets cookies such as sp (session ID) and _sp_id.* (user ID, valid for 2 years). With these, it collects highly detailed behavioural data, such as page visits, clicks, and scroll depth. Because many companies run Snowplow on their own subdomain (such as sp.yourwebsite.com), standard ad-blockers often do not recognise this tracker. However, it still firmly falls under analytical cookies and therefore requires explicit consent before activation.

Why Snowplow loads too early

Snowplow is often manually installed in the source code or rolled out via Google Tag Manager (GTM) as "Custom HTML". Because Snowplow data is frequently viewed as 'first-party', companies mistakenly believe that no consent is required. This is incorrect: placing analytical cookies (and reading them) is not permitted without consent under the GDPR.

The Fix: Link Snowplow to consent

To prevent Snowplow from capturing data before the visitor has clicked, you can adjust the implementation via GTM, use Snowplow's native plugin, or configure your CMP more strictly.

1. Use an Exception Trigger in GTM (Recommended)

If you load Snowplow via GTM:

  1. Open your Snowplow Tag.
  2. Scroll to the Triggering section.
  3. Click Add Exception.
  4. Create a new trigger of the type Custom Event.
  5. For Event name, enter .* and check the box for Use regex matching.
  6. Select Some Custom Events.
  7. Set the condition: Consent State — analytics_storage does not equal granted.
  8. Save the trigger and publish.

2. The Native Consent Plugin (Code)

Do you have Snowplow hardcoded on your website? Then use Snowplow's official Consent Tracking functionality. Ensure that you only execute enableActivityTracking and the initialisation after your specific Cookie Management Platform (CMP) has given approval.

// Only load this AFTER analytics cookies have been accepted
window.snowplow('enableActivityTracking');
window.snowplow('trackPageView');

3. Block the custom collector in your CMP

Because Snowplow often sends data to its own subdomain (e.g., data.yourcompany.com), CMPs like Cookiebot or CookieFirst do not automatically recognise this domain as a tracker. You must manually add this subdomain to the list of URLs to be blocked (category: Statistics) in your CMP's settings.

How to Verify the Fix

Use your browser's Network tab to check the connection.

  1. Open your website in an incognito window.
  2. Ignore the cookie banner (do not click anything).
  3. Open Developer Tools (F12) and navigate to the Network tab.
  4. Search for the name of your collector endpoint (often something with sp, collector, or the name of your subdomain). No data traffic should be visible.

Not sure if the fix worked, or want to verify that no other scripts are leaking data? Run a free scan with ConsentChecker.eu for instant confirmation.

Sources

No CMP yet?

A Cookie Management Platform (CMP) handles consent automatically for Snowplow Analytics and other trackers — including the correct GTM integration.

Cookiebot → CookieYes → CookieFirst → Complianz → Borlabs Cookie → Enzuzo → ConsentOS →

Check your own site

Scan your website for free to see if Snowplow Analytics (or other trackers) loads before consent.

Start free scan →