Managing Inline Scripts

Overview

DataGrail Consent can apply a data subject's consent preferences to scripts not managed within Google Tag Manager. For example, you may have scripts embedded directly on your website, or you may have scripts injected via other tools like Wordpress.

To handle these cases, we've created a developer plugin called ScriptControl, which executes consent preferences provided by data subjects while also helping you to ensure your organization is compliant.

The implementation process involves the following steps:

1. Auditing all trackers deployed on your site: To help identify trackers not deployed in Google Tag Manager, you can use the DataGrail Privacy Inspector to reveal these trackers running on your site in real time.

2. Updating unmanaged scripts so they can be managed by DataGrail: After you've identified remaining trackers deployed on your site, you can choose to move them into Google Tag Manager, or use this guide to manage them as inline scripts.

3. Confirm setup using built-in reporting: After you've configured any script tags that need to be managed by DataGrail Consent, you can confirm setup with the Privacy Inspector. Developers can also use ScriptControl functionality to review the scripts that will be managed when we receive a consent preference.

Script Management

DataGrail Consent is optimized to work with scripts managed with Google Tag Manager. If you have scripts injected from other services, we recommend auditing how scripts are used on your website before using ScriptControl to handle script execution.

Updating inline scripts for management by DataGrail Consent

Create a new custom service within DataGrail

Setup begins by creating a custom service within your DataGrail Consent environment, which generates a unique identifier that can be added to your site's source code. Navigate to the Tracking Services page in DataGrail Consent, and click the add service button just above the services table on the right hand side. This opens a drawer that asks you to name the service and provide other metadata necessary before creation.

• You must specify the service name, which typically represents the purpose of the tracker that is used on your site (e.g. "Checkout Pixel")
• While the vendor is not exposed to end users, it is helpful to complete this field for your own cataloging needs (e.g. "Shopify")
• You are required to set the initial category for classifying the service.
• Lastly, you'll need to specify the Google Tag Manager container that is associated to the web app that you have this inline script. This is required as we send the instructions for blocking inline scripts through to each container.

Reformat the <script> tags to be managed by ScriptControl

There are two things that you need to do in order for ScriptControl to assist you with handling consent preferences for scripts not managed by Google Tag Manager:

1. Set the script to be type='text/plain'. This ensures the script does not initially execute until we have confirmed the data subject's consent preference.
2. Use the script-id generated earlier and add the ID to attribute data-consent-id for that script.

For example, an inline script would go from:

<script src='script_path.js'></script>

to

<script type='text/plain' src='script_path.js' data-consent-id='2tYePMDNJsAn3NiYmoaETt'></script>

Category Data Attribute

ScriptControl currently also accepts the ability to manage scripts using the data-consent-category attribute, instead of the data-consent-id attribute. Valid values are the English names of the categories themselves, i.e. "Marketing" or "Performance". If you choose to use the data-consent-category attribute, these scripts will not be visible within the DataGrail Consent module; instead, they will be managed only within code. The data-consent-category attribute may be deprecated in the future.

These changes ensure that the script will not execute when the page is initially loaded, unless a consent preference is detected by ScriptControl.

Confirm scripts to be managed

ScriptControl reports on the scripts that it finds on your page as either Managed or Unmanaged:

• Managed - The script was formatted per the above guidelines and will be managed by ScriptControl
• Unmanaged - The script does not contain the formatting necessary to be handled by ScriptControl

Unmanaged Scripts

There are a few of valid reasons to have unmanaged scripts on your site:

1. You are managing the script with our Google Tag Manager integration: In this case, the script is injected onto the page based on whether or not its associated tag fires on the page. If you have DataGrail configured to manage the tag's associated container, then you don't have to make any further updates to that script. Notably, DataGrail Consent is itself a tag that injects the consent.js script from Google Tag Manager.

2. The script is required for core site functionality: For example, you may have embedded scripts that handle website events or perform mathematical functions. For the purposes of managing consent, these can be ignored. You could choose to reformat the scripts and apply the essential category.

If DataGrail Consent has not received explicit consent preferences from a data subject, our product will apply an initial consent preference ("opt-in" or "opt-out") for all managed tags based on the policy framework behaviors defined in the DataGrail app.

Verify successful script management

You can use various reporting events emitted by ScriptControl to confirm that any managed scripts were successfully handled by DataGrail Consent.

ScriptControl reporting capabilities

ScriptControl makes use of the CustomEvent browser interface to create custom events and uses the built in dispatchEvent to communicate that event out. The current events that ScriptControl reports on are listed below. For events that include data in the response, they will be inside of the documented detail key that is part of the event.

Event	Description
dg:scriptcontrolstart	Began search of <script> tags on your website.
dg:newscriptdetected	Found new <script> tag. (Includes script in event)
dg:noncompliantscript	Found an unmanaged <script> tag. (Includes script in event)
dg:scriptinjected	Found a managed <script> tag and that it has injected that script tag back into your website with the correct type of text/javascript so that it will run as intended. (Includes script in event)
dg:compliantscriptnotinjected	Found a managed <script> tag, but due to the consent preferences set it will block the script from properly being injected back into your website in order to stay compliant. (Includes script in event)
dg:scriptcontrolcomplete	ScriptControl completed its efforts to detect and report on the <script> tags on your website. A final report of all compliant and non compliant script tags will be included.

How do I get access to these reported events?

Because ScriptControl is using native browser based CustomEvents, you can easily tie into these events by adding event listeners for each event listed above. For example:

document.addEventListener('dg:scriptcontrolstart', () => {
  console.log('DataGrail ScriptControl has started detecting scripts...');
});

// or for an event that is reporting script tag data

document.addEventListener('dg:newscriptdetected', (event) => {
  console.log('DataGrail ScriptControl has detected script(s)...', event.detail);
});

// This will yield the below object in the browser's console.
{
  script: ScriptNode
}

Once you tie into the events you need, you can do whatever custom handling or reporting that you need. Alternatively, you can also access two functions via your browser's console by accessing window.DG_BANNER_API

The functions as shown above are

• managedScripts - Will return to you the managed scripts that ScriptControl found.

• unmanagedScript - Will return to you the unmanaged scripts that ScriptControl found.

If you access these functions before ScriptControl is finished, the message will indicate as such and report back to you what it has found so far.