v0.1.0 · Security

Cookie consent and analytics scaffolding — GDPR-friendly, non-blocking

GA4 now loads only after explicit consent, with anonymized IPs and a 13-month cookie horizon. The banner is non-blocking, respects GPC and DNT, and stores the choice locally with no server round trip.

Published: 01 May 2026 (UTC)
Version: v0.1.0 (semver-ish)
Category: Security
Format: .mdx (utf-8 · hand-curated)


Analytics and cookie consent shipped this week. The banner is non-blocking — every page is fully interactive while the choice is pending — and Google Analytics 4 only loads if the visitor explicitly accepts.

What this covers

  • The consent banner appears on first visit. Accept, decline, or dismiss; the choice is stored locally and respected across the site.
  • If Global Privacy Control or DNT: 1 is set, the banner treats the visitor as silently declining unless they explicitly accept.
  • The GA4 loader is gated on hasAnalyticsConsent(). On revoke we set the official window['ga-disable-<id>'] opt-out global and clear the GA cookies on the elofyn.com origin.
  • GA4 runs with anonymize_ip, Google Signals off, ad personalization off, and a 13-month cookie horizon (down from the default two years).
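An added example (not the site's own code) of the consent gate and revoke path described in the list above, with the browser objects passed in as arguments so it also runs under Node. The storage key, the placeholder measurement ID, and every function name other than hasAnalyticsConsent are assumptions.

```javascript
// Added example, not the site's code. STORAGE_KEY, GA_ID and every function
// name except hasAnalyticsConsent are assumptions made for illustration.
const STORAGE_KEY = 'cookie-consent';
const GA_ID = 'G-XXXXXXXXXX'; // placeholder measurement ID

// Global Privacy Control or DNT: 1 counts as a privacy signal.
function hasPrivacySignal(nav) {
  return nav.globalPrivacyControl === true || nav.doNotTrack === '1';
}

// 'accepted' and 'declined' are explicit stored choices. With no valid stored
// choice, a privacy signal means a silent decline; otherwise still pending.
function consentState(storage, nav) {
  const stored = storage.getItem(STORAGE_KEY);
  if (stored === 'accepted' || stored === 'declined') return stored;
  return hasPrivacySignal(nav) ? 'declined' : 'pending';
}

function hasAnalyticsConsent(storage, nav) {
  return consentState(storage, nav) === 'accepted';
}

// Gate: the loader callback (script injection in a browser) runs only on accept.
function loadAnalyticsIfAllowed(storage, nav, win, loader) {
  if (!hasAnalyticsConsent(storage, nav)) return false;
  win['ga-disable-' + GA_ID] = false; // lift any opt-out left by an earlier revoke
  loader(GA_ID);
  return true;
}

// Revoke: store the decline, set GA's opt-out global, expire _ga and _ga_* cookies.
function revokeConsent(storage, win, doc, domain) {
  storage.setItem(STORAGE_KEY, 'declined');
  win['ga-disable-' + GA_ID] = true;
  const names = doc.cookie.split(';').map((c) => c.split('=')[0].trim())
    .filter((n) => n === '_ga' || n.startsWith('_ga_'));
  for (const name of names) {
    doc.cookie = `${name}=; Max-Age=0; Path=/; Domain=${domain}`;
  }
  return names; // the cookies that were expired
}
```

In a browser the arguments would be localStorage, navigator, window and document; a cookie is only removed when the Path and Domain attributes match the ones it was set with.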

How to revisit the choice

The footer has a Manage cookies button on every page that reopens the banner. The /policies/cookies page lists every cookie we set, why, and how long it lasts.

Why this matters before the rest

This change had to land before the Dev API, the AI Tool Radar, and the twenty-tool catalog — every later surface relies on the same consent plumbing. Shipping it first means none of the later surfaces had to re-litigate "do we measure this", and the privacy posture is consistent across the site.