Embedded Deployment
In order to host the banner and manage your scripts and cookies, DataGrail needs to deploy a small piece of JavaScript on your site (consent.js). You have the option to deploy this JavaScript an embedded script, either alongside our Google Tag Manager (GTM) integration to manage scripts, or without it.
You may want to use an Embedded Deployment to load DataGrail Consent on your site in the following scenarios:
- Site optimization: With an embedded script, you have more control over the loading order of DataGrail Consent. This is useful if you are running optimization software for A/B testing or other purposes.
- Circumventing web browser blockers: Some browsers block
googletagmanager.comfrom loading on your website, which may preemptively block DataGrail Consent. Embedded deployment will allow DataGrail to independently load DataGrail Consent on your website, instead of via GTM.
Each container has its own unique script tag, which looks like this:
<!-- DataGrail Consent Script -->
<script
type="text/javascript"
src="https://api.consentjs.datagrail.io/[CUSTOMER_ID]/[CONTAINER_ID]/consent-loader.js"
></script>
<!-- End DataGrail Consent Script -->
Key Concepts
Understanding the following key concepts will help make your Consent implementation easy.
| Term | Definition |
|---|---|
| Script | Any client‑side JavaScript resource that can set cookies, call external services, or perform tracking. |
| Tag | A discrete tracking unit (often in Google Tag Manager) that loads a script or pixel |
| Inline Script | Tracking or functional code placed directly in page source outside a tag manager |
| Cookie | Small text file stored on your computer by a website to remember information about your visit or facilitate tracking |
| Container | The deployment wrapper that serves DataGrail consent.js and applies published consent rules (e.g. a GTM container or embedded snippet). |
| Publish | Action that deploys the latest consent configuration (script categorization, policy configuration, banner settings, etc.) to the selected container. |
Configure Containers
In order to host the banner and manage your scripts and cookies, DataGrail needs to deploy a small piece of JavaScript on your site (consent.js). We provide two Embedded Deployment options to create a container and deploy this code.
Implementing a Consent Management Solution is a major change on your website. Consent interacts with your other third-party scripts and cookies, so we always recommend configuring and testing DataGrail on a staging site before doing so on your production one. If you do not have a staging site, ensure you read the Test Mode Documentation.
Embedded Containers & GTM
Deploying DataGrail consent as an embedded script with Google Tag Manager allows you to manage GTM tags directly, while allowing you to determine how/when DataGrail gets loaded on the page.
- Integrate Google Tag Manager to DataGrail and ensure relevant containers are added.
- Navigate to Consent Management, Settings, Containers, and select an existing GTM container.
- Turn on the Embedded Deployment toggle.
- Place the generated script at the first element of the
<head>of your website, which we recommend doing before toggling the embedded deployment option and republishing the banner. This will ensure changes take effect with zero downtime.
Embedded Containers Without GTM
Deploying DataGrail Consent as an embedded script without Google Tag Manager removes the ability to manage GTM tags with DataGrail. We only recommend this option for complex implementations where GTM is not required.
- Navigate to the Consent Management tab, select Settings, and then Containers.
- Select Add a Container and then DataGrail Container from the dropdown.
- Name and create the container.
- Open the newly created container and select Copy Script.
- Place this script at the first element of the
<head>of your website, which we recommend doing before toggling the embedded deployment option and republishing the banner. This will ensure changes take effect with zero downtime.
Categorize Trackers
With your container and deployment method configured, you must categorize all tracking services on your site, allowing data subjects to customize consent preferences against specific categories, otherwise known as purposes.
DataGrail can manage a wide range of tracking services implemented through various mechanisms on your site.
- Google Tag Manager Tags
- Inline Scripts
- Cookies
- Facebook Pixels
- Shopify Tracking Services
- Webflow Tracking Services
- Custom Services Through Callback Functions
Scripts vs. Cookies
Prioritize managing trackers at the script level first. Scripts are the source that load or set most cookies; if you block a tracking script until consent is granted, its downstream cookies and network calls never occur.
After all scripts are audited, categorized, and gated by consent, perform a secondary review to identify any residual cookies that were not set from scripts. This top‑down approach reduces compliance risk and simplifies maintenance versus chasing individual cookies.
Script Identification
Identifying tracking scripts can vary widely depending on how they were implemented by your team; DataGrail provides multiple methods to help you achieve comprehensive, end‑to‑end tracker coverage.
Google Tag Manager
Google Tag Manager (GTM) is the preferred way to discover, organize, and control tracking scripts on your site. Whenever possible, deploy all tracking scripts through GTM. With the DataGrail integration, GTM tags are automatically imported, kept in sync, and surfaced for classification; new tags in GTM trigger updates in DataGrail for review.
Even outside DataGrail, adopting GTM is a widely accepted web development best practice because it centralizes tracking services, simplifies audits, and supports stronger compliance. If you are not using GTM yet, implementing it early reduces future migration effort.
If you have connected Google Tag Manager to DataGrail and use it as your primary way to deploy scripts, most tracking services you need to classify will be imported automatically.
Privacy Inspector
The DataGrail Privacy Inspector is a Google Chrome extension for your organization to review the trackers running on your website that may be selling or sharing information with third parties.
The Privacy Inspector is the best way to find tracking scripts that run outside Google Tag Manager. If a script does not appear as a GTM tag, it is likely being loaded inline from your site's source.
For each script you discover that is not in GTM (or if you do not use GTM):
- Move it into GTM whenever possible (preferred for centralized control and easier auditing).
- If it must remain inline, manage it with DataGrail's ScriptControl Plugin.
Script Classification
By assigning every script, tag, cookie, and tracking service to a category, you ensure only those aligned with a user's banner selections are activated.
To categorize your tracking services:
- Set up and connect all relevant tracking services.
- Navigate to the Tracking Services section of the Consent Management page.
- For each uncategorized service (highlighted in yellow), select the relevant category from the dropdown.
- Publish changes to your connected containers.
When you connect Google Tag Manager to DataGrail Consent, we auto-classify some tags based on our internal models.
Default Categories
DataGrail offers four default categories based on the purposes as defined by the GDPR, but you can rename or relabel these when customizing your banner.
Functional
Helps improve the website’s ease of use via performance and functionality for data subjects. Functional services/cookies store code on your device and/or browser that allows a website to remember selections that you have made during previous visits and how you interact with them on the website.
Example: Services use code to remember language settings or a username and password to an account on that website. The website would still load if you did not have these services running.
Marketing
Services/cookies, usually third-party, which store code on your device and/or browser that allows a website to track visitors’ web activity, creating a profile used for targeted advertising. These services, unlike similar analytics services, are used for online marketing by collecting information about data subjects to channel partners for extra revenue and a targeted ad experience.
Example: Services that use code to remember things a data subject has viewed or clicked on when browsing the website. This information is then passed to other organizations or used internally to market other-like products or services to the data subject. The website would still load if you did not have these services running.
Performance
Similar to Marketing and Functional Services. Analytics, is an optional category that organizations are utilizing in attempts to maintain business intelligence to improve the website function and UX by looking into general trends of how people use the website, and not how a user interacts with the website or to market to them.
Example: Volume of traffic on a website throughout the week, how long data subjects browse certain pages, and which parts of the website they frequent. The website would still load if you did not have these services running.
Essentials
Allows the loading and ability for data subjects to interact with websites. Essential services are automatically loaded when data subjects access a website and use its features and functionality. These services are only used to send the data online and are strictly necessary to make a website operational.
Example: Services that are utilized to allow a website to be loaded and navigated by data subjects. They serve no other functions and without them the website would not load.
Cookie Identification & Classification
After categorizing all scripts, review any cookies that do not originate from those managed scripts.
DataGrail automatically scans environments where consent is deployed to discover first‑party cookies. Each entry shows the first date seen and a total observation count to help determine relevance. Low counts often indicate a cookie set by a browser extension or a user customization and it is usually out of scope for consent management.
Learn more about managing cookies in DataGrail!
Third‑party cookies (set on domains you do not control) cannot be discovered or blocked directly by any consent management solution. Control them by gating or removing the scripts or pixels that create them.
Configure Policies & Plugins
Consent Policies determine which consent categories are enabled on initial page load and whether the banner appears, based on the visitor’s automatically-detected location.
DataGrail provides a set of default policies for major global privacy regulations. Review and adjust these settings before launch to ensure they reflect your organization’s privacy posture.
Learn more about Consent Policies!
In the Plugins page under Consent Management Settings, DataGrail provides the option to store and apply visitor's consent preferences across your primary domain and subdomains wherever DataGrail Consent is published.
Customize The Banner
With your tracking services categorized and managed, the last step is configuring consent is to customize the banner to ensure the language/styling matches your brand and privacy posture. You can construct location-specific banner notices that appear on your website to data subjects using the Layouts feature.
If you want to customize the layout to match your brand's design patterns, including using custom fonts and colors, you can follow our CSS Customization Guide. And if you need to localize the banner, you can check out our Localization Guide.
Publish & Test
Publishing is the process of deploying the DataGrail configuration to your connected containers. Think of this action as "going live" to any containers you may have selected.
The publish process for an embedded deployment follows the same workflow as Google Tag Manager deployment. The only difference is the destination of the published updates:
- For embedded deployments with GTM, DataGrail consent code is pushed directly to your site through the embedded script. Updates to managed tags are pushed to GTM directly.
- For embedded deployments without GTM, DataGrail consent code is pushed directly to your site through the embedded script. GTM tags are not managed.
To publish to an Embedded Container:
- Select Review and Update in the upper-right of the page.
- Use the checkboxes to select the relevant containers.
- Select Publish.
Once your first publish is complete on a staging site or site in test mode, you can follow this guide to validate a successful implementation.
Implementing a Consent Management Solution is a major change on your website. Consent interacts with your other third-party scripts and cookies, so we always recommend publishing DataGrail on a staging site before doing so on your production one. If you do not have a staging site, consider using Test Mode.
Footer Links
As a best practice, you may want to include a footer link that reopens the consent banner so users can make or update their selection after it’s closed or if it doesn’t appear by default.
The California Attorney General has developed a recognizable and uniform opt-out icon that businesses can use on their website.
Example Implementation:
<a href="#" onclick="window.DG_BANNER_API.showConsentBanner();">My Privacy Choices <img width="30" height="17" src="path/to/icon" style="display:inline-block; vertical-align:middle; margin-left:.25rem; margin-bottom:.2rem;" ></a>
Marketing Impact
Implementing a Consent Management Platform for the first time introduces deliberate controls that prevent certain scripts, tags, and cookies from loading until appropriate preferences are established.
This typically creates an immediate, visible shift in familiar marketing and analytics metrics.
What To Expect
- Fewer total events (pageviews, sessions, conversions) in analytics tools when region policies require prior consent
- Lower remarketing audience sizes until users provide choices
- Attribution model volatility (channel mix may appear to change temporarily)
- Delays in firing of pixels that previously executed earlier in the page lifecycle
Previously, certain tracking services may have run despite a consent choice, or region-specific defaults were not respected. In some cases, a Consent Management Platform may not have been implemented at all.
After Consent implementation, tracker execution is controlled by the Consent Policy’s region‑specific defaults (including whether signals like GPC are honored) or explicit user choice.
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.