Real user monitoring beacons and maintaining regulatory compliance
Arc XP leverages the solution mPulse from our CDN partner to build the performance data about sites in order to optimize content delivery. The data is collected through a JS script called as “boomerang”. This script determines the specific preload and pre-fetch calls to be dynamically embedded into an HTML page and the subsequent resources files to be prioritized for H/2 push on client connections during page load.
However, since client cookies are involved, there are regulatory requirements for some clients which must be addressed before the beacon can be used.
Below is the guidance from the CDN partner regarding how to enable the opt-in behavior,
1. Opt-out and Opt-in scenarios
We identified 3 common scenarios how Boomerang could be loaded to comply with the applicable data protection requirements.
- Opt-out from Boomerang: By default Boomerang is loaded on the page and sends performance data. Boomerang will be disabled and the Boomerang cookies will be deleted if a visitor opts-out from Boomerang through Cookie Consent popup.
| Before opt-out | After opt-out | |
|---|---|---|
| Boomerang Loaded | Yes | Yes |
| Beacons Sent | Yes | No |
| RT Cookie exists | Yes | No |
| BA Cookie exists | Yes | No |
| BOOMR_CONSENT Cookie exists | No | Yes (value opted-out) |
| Extra beacon params | No | No |
- Opt-in to Boomerang (Boomerang loaded before opt-in): By default, Boomerang is loaded on the page and does NOT send performance data. Performance data will be sent after a visitor opts-in to Boomerang through a Cookie Consent popup.
| Before opt-out | After opt-out | |
|---|---|---|
| Boomerang Loaded | Yes | Yes |
| Beacons Sent | No | Yes |
| RT Cookie exists | Yes | Yes |
| BA Cookie exists | Yes | Yes |
| BOOMR_CONSENT Cookie exists | No | Yes (value opted-out) |
| Extra beacon params | No | cip.in, cip.v |
- Opt-in to Boomerang (Boomerang loaded after opt-in): Boomerang will be loaded and performance data sent after only after a visitor opts-in to Boomerang through the Cookie Consent popup.
| Before opt-out | After opt-out | |
|---|---|---|
| Boomerang Loaded | No | Yes |
| Beacons Sent | No | Yes |
| RT Cookie exists | No | Yes |
| BA Cookie exists | No | Yes |
| Extra beacon params | No | No |
2. Cookies and Local Storage
2.1 Cookies
List of cookies created and used by Boomerang:
| Name | Expires | Type | Description |
|---|---|---|---|
RT | 7 days | First-party | Doesn’t contain personal information but it contains various pieces of information about the visitor’s session, such as number of visited pages, session start time, last visited url and etc. |
BA | 7 days | First-party | Used by Bandwidth Boomerang plugin. Doesn’t contain personal information. |
BOOMR_CONSENT | 1 year | First-party | Contains information about visitor’s choice for opt-out or opt-in. |
For detailed information about what data is kept on the cookies listed above, please read the “Cookies” section of Boomerang Documentation Page
2.2 Local Storage (mPulse users specific)
For mPulse customers, in some instances Boomerang will persist data in Browser’s Local Storage. In these instances, a Local Storage is used for performance optimization and reduction of network round trips.
List of local storage keys used by Boomerang:
| Key | Plugin | Description |
|---|---|---|
_boomr_LOGN | LOGN | Persists Boomerang JSON configuration. Helps for faster Boomerang initialization. Doesn’t contain personal information. |
_boomr_akamaiXhrRetry | Akamai | Persists a flag that instructs the Akamai plugin when to perform requests. Doesn’t contain personal information. |
3. Consent Inline Plugin
The Consent Inline Plugin is not part of the Boomerang build, but it could be easily injected before Boomerang code, which will make the plugin available. The plugin provides 2 helper functions window.BOOMR_OPT_OUT() and window.BOOMR_OPT_IN() that can be used for instrumenting opt-out and opt-in.
When window.BOOMR_OPT_OUT() is called Boomerang will stop sending beacon data, RT and BA cookies will be deleted and the new special BOOMR_CONSENT cookie with value opted-out will be created.
Consent Inline Plugin has the capability to instruct Boomerang to hold beacon sending until window.BOOMR_OPT_IN() is called. When window.BOOMR_OPT_IN() is called, a cookie BOOMR_CONSENT with value opted-in will be created.
The purpose of BOOMR_CONSENT cookie is to “tell” Boomerang what was the visitor’s consent choice when a visitor navigates to a new page.
3.1 Opt-out allowed example
In case we would like to allow website visitors to opt-out from Boomerang we must follow the steps in this order:
- Inject Consent Inline Plugin configuration:
<script>window.BOOMR_CONSENT_CONFIG = { enabled: true};</script>- Inject Consent Inline Plugin code:
<script>!function(o){"use strict";if(void 0!==o.BOOMR_CONSENT_CONFIG&&!0===o.BOOMR_CONSENT_CONFIG.enabled){o.BOOMR=void 0!==o.BOOMR?o.BOOMR:{};var i=o.BOOMR;i.plugins=void 0!==i.plugins?i.plugins:{};if(!i.plugins.ConsentInlinedPlugin){var n={v:"1",OPT_COOKIE:"BOOMR_CONSENT",OPT_IN_COOKIE_VAL:"opted-in",OPT_OUT_COOKIE_VAL:"opted-out",COOKIE_EXP:31536e3,complete:!1,enabled:!0,firedPageReady:!1,deferredOptIn:!1,deferredOptOut:!1,rtCookieFromConfig:!1,bwCookieFromConfig:!1,optOut:function(){if(!i.utils.setCookie(n.OPT_COOKIE,n.OPT_OUT_COOKIE_VAL,n.COOKIE_EXP)){i.error("Can not set Opt Out cookie","ConsentInlinedPlugin");return!1}"function"==typeof i.disable&&i.disable();n.complete=!1;n.removeBoomerangCookies();return!0},optIn:function(){if(!0===n.complete)return!0;if(!i.utils.setCookie(n.OPT_COOKIE,n.OPT_IN_COOKIE_VAL,n.COOKIE_EXP)){i.error("Can not set Opt In value","ConsentInlinedPlugin");return!1}"function"==typeof i.wakeUp&&i.wakeUp();n.complete=!0;i.addVar("cip.in","1",!0);i.addVar("cip.v",n.v,!0);i.sendBeacon();return!0},removeBoomerangCookies:function(){var e=n.rtCookieFromConfig||"RT",o=n.bwCookieFromConfig||"BA";i.utils.removeCookie(e);i.utils.removeCookie(o)},onPageReady:function(){n.firedPageReady=!0;n.deferredOptIn&&n.optIn();n.deferredOptOut&&n.optOut()}};o.BOOMR_OPT_OUT=function(){n.firedPageReady?n.optOut():n.deferredOptOut=!0};o.BOOMR_OPT_IN=function(){n.firedPageReady?n.optIn():n.deferredOptIn=!0};i.plugins.ConsentInlinedPlugin={init:function(e){void 0!==e.RT&&void 0!==e.RT.cookie&&(n.rtCookieFromConfig=e.RT.cookie);void 0!==e.BW&&void 0!==e.BW.cookie&&(n.bwCookieFromConfig=e.BW.cookie);i.subscribe("page_ready",n.onPageReady,null,n);if(o.BOOMR_CONSENT_CONFIG.optInRequired&&i.utils.getCookie(n.OPT_COOKIE)!==n.OPT_IN_COOKIE_VAL){n.complete=!1;return this}if(i.utils.getCookie(n.OPT_COOKIE)===n.OPT_OUT_COOKIE_VAL){void 0===e.RT&&(e.RT={});e.RT.cookie="";void 0===e.BW&&(e.BW={});e.BW.cookie="";n.complete=!1;return this}n.complete=!0;return this},is_complete:function(){return n.complete}}}}}(window);</script>- Load Boomerang via loader snippet. (Done automatically by Arc via insertion into head)
- Call
window.BOOMR_OPT_OUT()when visitor opts-out via Cookie consent popup or other UI element.
Some important caveats regarding performance
Clients should be aware that if they use an opt-in behavior and a low percentage of their users adopt the cookie, this may impact page performance and download times. Specifically, when deployment ID’s are changed, there is a learning delay between when fonts and other assets tagged with the previous deployment ID stop being H/2 pushed and the correct deployment ID’s are used. The lower the number of data beacons received for any specific page, the longer the delay will be.
To mitigate the impact on performance:
Client developers should manipulate <head> within their pages and place the opt-in/out script referenced below as the first thing in the head. Arc’s automated insertion will inject as the last script in head, so this ensures that the opt-in/out functions are available when the beacon loads.