What can I do as a developer to offer that choice to the user, before it loads? What can I do about the transitive dependencies that my dependencies load?
> What can I do as a developer to offer that choice to the user, before it loads?
Don't load it until you have given the choice to the user. Dynamically load after that, or wait for the next server round-trip.
> What can I do about the transitive dependencies that my dependencies load?
This is a significant problem for which I don't have an easier solution than making a lot of effort to properly audit and monitor your supply chain.
If you aren't sure that nothing in your supply chain is doing something dodgy, how do you justify pushing it to your users (or, at least, doing so without appropriate warning)?
You can for example use analytics that aren't spyware, and hence don't even have to try to trick users into giving "consent" to things they don't really want.
> What can I do as a developer to offer that choice to the user, before it loads?
Implement a (sane) version of a cookie banner which sets a cookie containing the information that the user is fine with loading external libraries or not. That cookie itself is classified as a technical cookie if only used for that reason and will not require "permission" from the user. That's how this would be implemented in a GDPR-compliant way.
If the cookie is set, you can load the respective external scripts and tools. If not, you don't.
> What can I do about the transitive dependencies that my dependencies load?
That's a trickier one and probably more on the legal side, as in informing the user that those dependencies exist and how they correlate to each other.
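The consent-gated loading described in the two replies above (record the decision in a technical cookie, then only inject third-party scripts once the cookie says "yes") as an added example; it is not code from anyone in this thread. The cookie name `ext_consent`, the function names, the fake `document` stand-in and the script URL are this example's own assumptions.

```javascript
// Added example: consent-gated loading of external scripts, client side.
// Cookie name, function names and URLs below are assumptions, not from the thread.

const CONSENT_COOKIE = "ext_consent"; // assumed name; value is "yes" or "no"

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Returns "yes", "no", or null when the user has not decided yet
// (null is the signal to show the banner and load nothing).
function readConsent(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === "yes" || v === "no" ? v : null;
}

// The cookie string the banner writes once the user decides. Only the
// decision itself is stored, so it stays a purely technical cookie.
function consentCookieString(decision, maxAgeSeconds = 180 * 24 * 3600) {
  if (decision !== "yes" && decision !== "no") {
    throw new Error("decision must be \"yes\" or \"no\"");
  }
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Inject <script> tags for `urls` only if consent is "yes".
// `doc` is passed in (use the real `document` in a page) so the gating
// logic can run and be tested outside a browser. Returns the URLs loaded.
function loadExternalScripts(doc, cookieString, urls) {
  if (readConsent(cookieString) !== "yes") return [];
  const loaded = [];
  for (const url of urls) {
    const s = doc.createElement("script");
    s.src = url;
    s.async = true;
    doc.head.appendChild(s);
    loaded.push(url);
  }
  return loaded;
}

// Banner callback: persist the decision, then load immediately on "yes"
// (the "dynamically load after that" path) instead of waiting for a reload.
function recordDecision(doc, decision, urls) {
  doc.cookie = consentCookieString(decision);
  return loadExternalScripts(doc, doc.cookie, urls);
}

// Constructed stand-in for the DOM so the example runs under Node.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, cookie: "", createElement: (tag) => ({ tagName: tag }) };
}

// Constructed third-party URL; in a real page this would be the analytics tag.
const THIRD_PARTY = ["https://analytics.example/tag.js"];

// Stand-alone run: undecided user loads nothing, then accepts and loads one script.
const demo = fakeDocument();
console.log("undecided:", loadExternalScripts(demo, demo.cookie, THIRD_PARTY)); // []
console.log("accepted:", recordDecision(demo, "yes", THIRD_PARTY));
console.log("scripts in head:", demo.head.children.length); // 1
```

In a real page the same cookie can be read by the server, so the "next server round-trip" variant from the first reply is just: emit the `<script>` tags in the HTML only when the request carries `ext_consent=yes`, and emit the banner when the cookie is absent. Note that this only gates what your own page injects; scripts pulled in transitively by a third-party tag you did allow are still outside this check, which is the supply-chain problem the thread goes on to discuss.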