feat(analytics): enhance PostHog consent management and user identification for GDPR compliance

Author: JoachimLK

app/composables/useAnalyticsConsent.ts

@@ -1,17 +1,11 @@
 /**
- * Composable for managing PostHog analytics consent (GDPR compliance).
+ * Composable for managing PostHog analytics consent.
  *
- * By default, PostHog captures events. Users can opt out via this composable.
- * The consent state is persisted in a cookie shared across subdomains
- * (e.g. reqcore.com and app.reqcore.com) via the NUXT_PUBLIC_COOKIE_DOMAIN
- * runtime config.
- *
- * Usage:
- *   const { hasConsented, acceptAnalytics, declineAnalytics } = useAnalyticsConsent()
+ * Cookieless tracking is ALWAYS active — no consent needed.
+ * Accepting analytics upgrades to full cookie-based tracking
+ * (UTM, sessions, identity). Declining keeps cookieless mode.
  */
 
-import { flushPendingEvents, discardPendingEvents } from '~/composables/useTrack'
-
 /** Cookie name — shared across reqcore-web and applirank */
 export const CONSENT_COOKIE_NAME = 'reqcore-consent'
 
@@ -24,7 +18,7 @@ export function useAnalyticsConsent() {
   // usePostHog() is auto-imported by @posthog/nuxt, but the module is
   // conditionally loaded.  Replicate the safe accessor so this composable
   // works even when PostHog is not configured (CI, self-hosted without key).
-  const posthog = (useNuxtApp() as Record<string, unknown>).$posthog as ((() => { opt_in_capturing: () => void, opt_out_capturing: () => void, capture: (event: string, properties?: Record<string, unknown>) => void }) | undefined)
+  const posthog = (useNuxtApp() as Record<string, unknown>).$posthog as (() => import('posthog-js').PostHog) | undefined
   const ph = posthog?.()
 
   const cookieDomain = (useRuntimeConfig().public as Record<string, string>).cookieDomain
@@ -54,50 +48,43 @@ export function useAnalyticsConsent() {
 
   function acceptAnalytics() {
     consentCookie.value = 'granted'
-    // Also clean up legacy key if it still exists
     if (import.meta.client) localStorage.removeItem(LEGACY_STORAGE_KEY)
-    ph?.opt_in_capturing()
-    // Capture the entry-page pageview now that the user has opted in.
-    // PostHog's init-time $pageview was suppressed by opt_out_capturing_by_default,
-    // and subsequent pushState events only fire after this call, so we must
-    // manually send one for the page the user is currently on.
+    if (!ph) return
+    // Upgrade from cookieless to full cookie-based persistence
+    ph.set_config({
+      persistence: 'localStorage+cookie',
+      person_profiles: 'identified_only',
+      cross_subdomain_cookie: true,
+    })
+    // Register UTM + attribution now that we have persistence
     if (import.meta.client) {
-      const url = new URL(window.location.href)
-      url.search = ''
-      url.hash = ''
-      ph?.capture('$pageview', { $current_url: url.toString() })
-    }
-    // Replay any events that were buffered before consent was granted
-    // (e.g. signup_submitted, org_created fired during the auth flow).
-    if (import.meta.client) {
-      flushPendingEvents()
+      const params = new URLSearchParams(window.location.search)
+      const utmKeys = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_content', 'utm_term'] as const
+      const utmProps: Record<string, string> = {}
+      for (const key of utmKeys) {
+        const val = params.get(key)
+        if (val) utmProps[key] = val
+      }
+      if (Object.keys(utmProps).length > 0) {
+        ph.register(utmProps)
+        const firstTouch: Record<string, string> = {}
+        for (const [k, v] of Object.entries(utmProps)) {
+          firstTouch[`initial_${k}`] = v
+        }
+        ph.register_once(firstTouch)
+      }
+      ph.register_once({
+        initial_referrer: document.referrer || '$direct',
+        initial_landing_page: window.location.pathname,
+      })
+      ph.capture('consent_granted')
     }
   }
 
   function declineAnalytics() {
     consentCookie.value = 'denied'
     if (import.meta.client) localStorage.removeItem(LEGACY_STORAGE_KEY)
-    ph?.opt_out_capturing()
-    // Discard any events buffered before the user declined.
-    if (import.meta.client) {
-      discardPendingEvents()
-    }
-  }
-
-  // Apply stored consent on mount.
-  // PostHog defaults to opt_out_capturing_by_default: true (GDPR), so we only
-  // need to explicitly opt-in for users who previously granted consent.
-  if (import.meta.client) {
-    if (consentCookie.value === 'granted') {
-      ph?.opt_in_capturing()
-      // Replay any events buffered (in sessionStorage) before this page load —
-      // e.g. signup_completed or org_created tracked during a flow that ended
-      // with a hard window.location.href navigation.
-      flushPendingEvents()
-    }
-    else {
-      ph?.opt_out_capturing()
-    }
+    // No action needed — cookieless tracking continues without cookies or person profiles
   }
 
   return {

app/composables/usePostHogIdentity.ts

@@ -32,9 +32,15 @@ export async function usePostHogIdentity() {
       const previousUser = (prev?.[0] as typeof session.value)?.user
 
       if (user?.id && consented) {
-        // Only the user ID is forwarded — name and createdAt are intentionally
-        // omitted so PostHog receives the minimal data needed for analytics.
-        ;($posthogIdentifyUser as (userId: string) => void)(user.id)
+        // Forward person properties for opted-in users so they're identifiable
+        // in PostHog.  GDPR-safe: gated on explicit user consent.
+        ;($posthogIdentifyUser as (userId: string, properties?: Record<string, string | undefined>) => void)(
+          user.id,
+          {
+            email: user.email,
+            name: user.name || undefined,
+          },
+        )
       }
       else if (previousUser?.id && !user?.id) {
         // Always reset on log-out regardless of consent state so that

app/plugins/posthog-identity.client.ts

@@ -2,16 +2,13 @@
  * Client-only plugin that identifies the current user and organization
  * in PostHog whenever the auth session is available.
  *
- * - Applies stored consent from the cross-subdomain cookie BEFORE any
- *   identity events fire, preventing the race condition where identify()
- *   is discarded because PostHog is still in opt_out_capturing_by_default
- *   mode when ConsentBanner hasn't mounted yet.
- * - Calls posthog.identify() with the user's ID and safe properties
+ * - Upgrades PostHog from cookieless to full cookie-based persistence
+ *   for returning opted-in users, BEFORE identity watchers fire.
+ * - Calls posthog.identify() with the user's ID and person properties
  * - Calls posthog.group() for the active organization (group analytics)
  * - Resets PostHog on sign-out to avoid cross-user data leakage
  */
 import { CONSENT_COOKIE_NAME } from '~/composables/useAnalyticsConsent'
-import { flushPendingEvents } from '~/composables/useTrack'
 
 // URL properties that may carry tokens or invitation IDs — always sanitized.
 // Includes referrer properties: if a user navigated from /jobs?invite_token=xxx,
@@ -65,23 +62,21 @@ export default defineNuxtPlugin({
       urlModified = true
     }
 
-    // ── Apply stored consent BEFORE any events fire ──
-    // PostHog starts with opt_out_capturing_by_default: true.  If the user has
-    // already consented, we must call opt_in_capturing() here — before the
-    // identity watchers in usePostHogIdentity fire — otherwise identify() and
-    // group() calls are silently discarded while PostHog is still opted-out.
+    // ── Apply stored consent: upgrade persistence for returning opted-in users ──
+    // PostHog starts with cookieless tracking (persistence: 'memory',
+    // person_profiles: 'never').  If the user already consented, upgrade to
+    // full cookie-based persistence before identity watchers fire so that
+    // identify() and group() calls create person profiles.
     const storedConsent = consentCookie.value
     if (storedConsent === 'granted') {
-      posthog.opt_in_capturing()
-      // Replay any events buffered in sessionStorage from a previous page load
-      // (e.g. signup_completed, org_created tracked during flows that ended
-      // with a hard window.location.href navigation).
-      flushPendingEvents()
-    }
-    else {
-      // Ensure opt-out state is explicit for new visitors and users who declined.
-      posthog.opt_out_capturing()
+      posthog.set_config({
+        persistence: 'localStorage+cookie',
+        person_profiles: 'identified_only',
+        cross_subdomain_cookie: true,
+      })
     }
+    // No else needed: cookieless tracking continues for non-consented visitors.
+    // Events still flow (aggregate analytics) but no person profiles are created.
 
     // ── Privacy: strip query params and hashes from captured URLs ──
     // These may contain tokens, invitation IDs, or other PII.
@@ -128,11 +123,12 @@ export default defineNuxtPlugin({
     // after the app has mounted and auth session is available.
     return {
       provide: {
-        // Only the user ID (UUID) is sent — name and createdAt are omitted to
-        // satisfy GDPR data minimisation (Art. 5(1)(c)): a stable distinct_id
-        // is sufficient for product analytics without exposing personal data.
-        posthogIdentifyUser: (userId: string) => {
-          posthog.identify(userId)
+        // User ID + person properties (email, name) are sent for opted-in
+        // users.  GDPR-safe: identify() in usePostHogIdentity is gated on
+        // consent, and person_profiles is 'never' until consent upgrades it
+        // to 'identified_only'.
+        posthogIdentifyUser: (userId: string, properties?: Record<string, string | undefined>) => {
+          posthog.identify(userId, properties)
         },
         // Only id and human-readable name are forwarded.  slug is redundant
         // for analytics purposes and is omitted to minimise data collection.

nuxt.config.ts

@@ -74,8 +74,6 @@ export default defineNuxtConfig({
       disable_session_recording: true,
       enable_recording_console_log: false,
       disable_surveys: true,
-      opt_out_capturing_by_default: true,
-      respect_dnt: true,
       secure_cookie: true,
       capture_pageview: true,
       capture_pageleave: true,
@@ -85,9 +83,13 @@ export default defineNuxtConfig({
         capture_unhandled_rejections: true,
         capture_console_errors: false,
       },
-      // ── Persistence ──
-      persistence: 'localStorage+cookie',
-      cross_subdomain_cookie: true,
+      // ── Cookieless by default ──
+      // No cookies stored until user grants consent.  Events still flow for
+      // aggregate analytics.  On consent, persistence is upgraded to
+      // 'localStorage+cookie' via set_config() in the consent composable.
+      persistence: 'memory',
+      person_profiles: 'never',
+      cross_subdomain_cookie: false,
     },
     serverConfig: {
       // Capture uncaught exceptions and unhandled rejections on the server