Cookie Management

While DataGrail Consent prioritizes script or service blocking, you can use DataGrail Consent to manage first-party cookies and browser storage keys that store data subject data within the browser, which can be necessary for your company to comply with various industry regulations. For more best practices on managing trackers vs. cookies, see this guide.

If a data subject opts out of a category that matches the rules published on your website, the cookie will be blocked and deleted from your visitors' browsers, in accordance with regulatory policies and frameworks.

First vs. Third Party Cookies

DataGrail can only retrieve and manage cookies that are "first-party" or deployed to your website via scripts that are running on your website. Third-party cookies, or those that have an origin outside of your domain, are impossible to block due to browser security mechanisms. Instead, you should manage the scripts that deploy these cookies directly.

DataGrail Consent includes scanning and auto-classification features to identify and categorize first-party cookies and browser storage keys stored on your users' websites.

How it Works

When DataGrail is deployed, every time a user visits your site, the cookies set in the browser (via document.cookie) are sent to DataGrail and added as unmanaged cookies.

In addition to cookies, DataGrail also scans localStorage and sessionStorage entries. These browser storage mechanisms are commonly used by tracking and analytics tools to store identifiers and behavioral data, and may fall under consent requirements depending on your applicable regulations.

Scanned storage entries appear in the Unmanaged tab alongside cookies and can be identified by their Type column value:

| Type | Source |
| --- | --- |
| Cookie | document.cookie (standard browser cookies) |
| Storage Key | localStorage or sessionStorage entries |

When you first view the cookies tab in DataGrail Consent, you'll notice there are no rules defined, so no cookies or storage keys are managed. If you already know the rules you want to define (in the case of migrating from another vendor), you can start adding them within the managed tab.

  1. Navigate to Plugins in the Consent Settings page.
  2. Toggle the Manage Cookies plugin to on. By selecting this option and publishing our updates, you grant DataGrail permission to deploy our scanning technology and begin cookie sampling from any sites connected to this container.

Scan Results

Since the Cookie Scanner relies on real traffic to your website, it may take a few hours to start seeing scanned cookies populate within DataGrail.

Interpreting Results

Once enabled, you will start seeing results reported to DataGrail in a few minutes within the unmanaged table in the cookies tab:

Suggested Rules

This table shows all cookies and storage keys identified in the browsers of visitors to your websites. Use the Type column to distinguish between standard cookies (Cookie) and browser storage entries (Storage Key). You can use this report to inform the creation of rules that match one or a subset of the items visible in the unmanaged tab.

If you want to make a new rule based on a cookie observation, you can select the row entry in the unmanaged tab. If we have a suggested rule, we will prepopulate this for you in the subsequent dialog box.

Where is this cookie or storage key coming from?

Most reported cookies should use an identifiable name and have a clear relationship to a service or script deployed on your site. While you should always confirm with your development team, if you are unfamiliar with a cookie, the following tools can help with classification:

  • Large Language Models (ChatGPT, Claude/Anthropic): You can ask these tools for help with identifying cookies and even giving you a classification suggestion.
  • Online Databases (cookiedatabase.org, cookiesearch.org, etc): These are aggregated, open use tools to search for cookies and retrieve information about cookies in a wiki-like format.

If it's still unclear where the entry is coming from, it may be a false positive. Browser extensions and other local tooling can inject cookies or write to storage on the page. This means that while it was detected by the scanner, it's likely not being set by your site. In this case, the entry is out of scope for management by your organization.

Use the Total Observed and Date Observed columns to understand if the entry is being set consistently. If it was last seen a few weeks ago and has very few occurrences relative to your other entries, it's likely not being set by your site.

Vera AI Cookie Suggestions

Vera can automatically analyze your unmanaged cookies and storage keys and generate suggested rules with pre-filled categories, vendors, and descriptions. Enable Vera suggestions in the Suggested Rules tab to accelerate your cookie classification. Learn more about Vera's capabilities.

Rule Management

By default, DataGrail will suggest rules that you can use to quickly manage cookies and storage keys on your websites.

Bulk Selection

Rule suggestions are based on our models and aggregation of our sampling data, and will continue to improve over time. You can quickly accept these suggestions using the bulk select tool.

You can manually add cookie rules to manage specific cookies or storage keys on your websites. Rules use match criteria to identify which items should be blocked and deleted from your visitors' browsers based on their consent preferences.

Matching Preview

Follow these steps to add a rule:

  1. Navigate to the Unmanaged or Rules tab of the Cookies page.

  2. Select Add Rule.

  3. Enter the Match Criteria. This is the formula that DataGrail will use to match against the specific cookies or storage keys that should be blocked and deleted within a data subject's browser storage. You can use wildcard patterns to create flexible rules that match multiple cookies:

    | Pattern | Matches | Position | Example |
    | --- | --- | --- | --- |
    | * | Any characters | End only | datagrail* matches datagrail_session, datagrail_analytics |
    | {d} | Digit sequences (0-9) | Any | user_{d}_session matches user_12345_session, user_9876_session |
    | {h} | Hexadecimal sequences (0-9, a-f, A-F) | Any | token_{h} matches token_a1b2c3, token_9f8e7d |
    | {w} | Alphanumeric sequences | Any | {w}_tracking_{d} matches abc_tracking_123, xyz_tracking_456 |

  4. Enter an internal-only Name, Category, Vendor (optional), Vendor Privacy Policy Link (optional), and Description (optional) for the cookie.

  5. Configure Cookie Retention settings (applies to Cookie type entries):

    • Time: Specify the time period after which this cookie should be deleted by the browser and no longer sent. 400 days by default.
    • Session: Cookie will be deleted by the browser when the current session ends.
  6. Select Add Rule.

  7. Publish your changes.

After you add the rule, cookies that match this rule become managed and will appear in the Rules tab. If you're using the cookie scanner, you'll see the count of unmanaged cookies reduced by the number of cookies now managed by this rule.
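
To preview what a set of match criteria will and will not cover before publishing, the wildcard table from step 3 can be modeled locally. The following is an added example, not DataGrail's implementation: it assumes each placeholder matches one or more characters, that {w} excludes underscores, and that a rule must match the whole name. The function names are hypothetical.

```javascript
// Added example. Placeholder semantics are assumptions, not DataGrail's implementation.
const TOKENS = { d: "[0-9]+", h: "[0-9a-fA-F]+", w: "[A-Za-z0-9]+" };

// Escape RegExp metacharacters so literal parts of a pattern match literally.
function escapeLiteral(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile one match-criteria string into an anchored RegExp.
function compileRule(pattern) {
  const star = pattern.indexOf("*");
  // The table lists "*" as valid at the end only; reject it anywhere else.
  if (star !== -1 && star !== pattern.length - 1) {
    throw new Error(`"*" is only allowed at the end of a pattern: ${pattern}`);
  }
  const body = star === -1 ? pattern : pattern.slice(0, -1);
  const source = body
    .split(/(\{[dhw]\})/) // keep {d}, {h}, {w} as separate parts
    .filter(Boolean)
    .map((part) => (/^\{[dhw]\}$/.test(part) ? TOKENS[part[1]] : escapeLiteral(part)))
    .join("");
  // Anchoring both ends stops "token_{h}" from matching "xtoken_a1_extra".
  return new RegExp("^" + source + (star === -1 ? "" : ".*") + "$");
}

// Split observed names into managed (first matching rule wins) and unmanaged.
function classify(names, patterns) {
  const rules = patterns.map((p) => ({ pattern: p, re: compileRule(p) }));
  const managed = {};
  const unmanaged = [];
  for (const name of names) {
    const hit = rules.find((rule) => rule.re.test(name));
    if (hit) managed[name] = hit.pattern;
    else unmanaged.push(name);
  }
  return { managed, unmanaged };
}

// Patterns from the table above; observed names are constructed sample data.
const RULES = ["datagrail*", "user_{d}_session", "token_{h}", "{w}_tracking_{d}"];
const OBSERVED = ["datagrail_session", "user_12345_session", "token_a1b2c3",
  "token_xyz", "abc_tracking_123", "example_pref"];
console.log(classify(OBSERVED, RULES));
```

Names left in the unmanaged list are the ones that would fall through to the default unmanaged cookie behavior.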

Best Practice

Ideally, you should have no (0) unmanaged cookies or storage keys. It is best practice to create rules and set them to the essential or uncategorized options so that you have a complete inventory of cookies that are managed by DataGrail, even though the Data Subject visiting your site will not be able to remove them from their browser as a result of their consent preferences.

Unmanaged cookies are first-party cookies detected on your site that don't match any of your defined cookie rules. DataGrail allows you to configure default behavior for these unmanaged cookies, ensuring compliance even for cookies you haven't explicitly categorized.

You can configure unmanaged cookie handling at either the global level (applies to all consent containers) or container level (unique settings per container).

Navigate to the uncategorized cookies rule under Consent Management, Cookies, and Rules to manage these settings.

Behavior Options

Choose how unmanaged cookies should be handled:

| Behavior | Description | When to Use |
| --- | --- | --- |
| Allow All | Load all unmanaged cookies without requiring consent (default) | You have minimal cookie activity or want to gradually implement cookie management |
| Categorize | Assign unmanaged cookies to a specific consent category and require consent | You want to manage all cookies but need time to create individual rules |
| Block All | Block all unmanaged cookies from loading | You have strict compliance requirements and want to ensure no uncategorized cookies load |

Global vs. Container-Managed Mode

You can configure unmanaged cookie handling in two different modes:

  • Global Mode: A single setting applies to all consent containers on your account. Use this mode when you have a single website or consistent requirements across all sites.
  • Container-Managed Mode: Each container can have its own unmanaged cookie handling settings. Use this mode when you manage multiple websites with different legal requirements (for example, strict EU rules vs. more lenient US rules).

Mode Transitions

When you switch from Global Mode to Container-Managed Mode, DataGrail automatically copies your current global settings to all managed containers. When you switch back to Global Mode, all container-specific settings are cleared and the global setting takes effect.

Configuring Container-Specific Settings

If you need different unmanaged cookie handling for different websites, follow these steps:

  1. Edit the uncategorized cookies rule and select Manage by container and save changes.
  2. Navigate to Settings and Containers.
  3. For each container, choose the appropriate Default Unmanaged Cookie Handling behavior and Consent Category (if using Categorize).
  4. Select Save.
  5. Publish your changes.

Most organizations maintain a cookie policy section within their privacy policy, but this is traditionally updated manually, which means it becomes outdated quickly.

You can now retrieve the JSON URL that contains your tracker definitions and embed this information directly on your website, ensuring your cookie policy stays automatically synchronized with your consent banner configuration.

Accessing the JSON URL

Follow these steps to find the JSON URL for your container:

  1. Navigate to Consent Management and select Containers.
  2. Select the container you want to generate a cookie policy for.
  3. Copy the JSON URL from the container details.

The JSON URL provides a complete export of all cookies and tracking services configured for that container.

JSON Structure

The JSON response includes detailed information about each cookie rule. You can use this JSON data to dynamically generate and display cookie policies on your website, ensuring they remain accurate and up-to-date with minimal maintenance.

The following table describes the fields included in the JSON:

| Field | Description |
| --- | --- |
| id | Unique identifier for the cookie rule |
| name | Cookie name or pattern (may be empty for wildcard rules) |
| vendor | Service or vendor name associated with the cookie |
| consent_container_version_id | Container version identifier |
| created_at | Timestamp when the rule was created |
| updated_at | Timestamp when the rule was last modified |
| retention | Cookie retention period in milliseconds |
| rights_portal | Privacy policy link for the vendor |
| display_rule | Match pattern or criteria used to identify cookies |
| category_gtm_key | Consent category identifier (e.g., dg-category-essential) |
| translations | Localized descriptions and metadata for the cookie |
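
When the export is rendered into a public page, its string fields should be HTML-encoded and the rights_portal link restricted to http(s) before it is written into the DOM. The following is an added example, not DataGrail code: it assumes the JSON parses to an array of rule objects carrying the fields above, and the sample records, the second category key, and the function names are constructed for illustration.

```javascript
// Added example. The array-of-objects shape and all sample values are constructed.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
const SAMPLE_EXPORT = [
  { id: "rule-1", name: "Session", vendor: "Example Analytics", retention: 34560000000,
    rights_portal: "https://vendor.example/privacy", display_rule: "ex_session_{h}",
    category_gtm_key: "dg-category-essential" },
  { id: "rule-2", name: "", vendor: "<b>Ads</b> Co", retention: null,
    rights_portal: "javascript:void(0)", display_rule: "ads_{d}",
    category_gtm_key: "example-category-marketing" }, // constructed category key
];

// Encode text for HTML so exported strings cannot inject markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value ?? "").replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return the URL only if it parses and uses http(s); otherwise null.
function safeLink(url) {
  try {
    const parsed = new URL(url);
    return ["https:", "http:"].includes(parsed.protocol) ? parsed.href : null;
  } catch { return null; }
}

// retention is in milliseconds; missing or non-positive values are not guessed at.
function retentionLabel(ms) {
  return Number.isFinite(ms) && ms > 0 ? `${Math.round(ms / MS_PER_DAY)} days` : "Not specified";
}

// Build one HTML table per consent category from the parsed export.
function renderPolicy(rules) {
  const groups = new Map();
  for (const rule of rules) {
    const key = rule.category_gtm_key || "uncategorized";
    groups.set(key, [...(groups.get(key) || []), rule]);
  }
  let html = "";
  for (const [category, items] of groups) {
    const rows = items.map((r) => {
      const link = safeLink(r.rights_portal);
      const policy = link ? `<a href="${escapeHtml(link)}" rel="noopener">Privacy policy</a>` : "";
      return `<tr><td>${escapeHtml(r.name || r.display_rule)}</td><td>${escapeHtml(r.vendor)}</td>` +
        `<td>${retentionLabel(r.retention)}</td><td>${policy}</td></tr>`;
    });
    html += `<h3>${escapeHtml(category)}</h3><table>${rows.join("")}</table>`;
  }
  return html;
}
```

In a page, the array would come from fetching the container's JSON URL and parsing the response; the first sample record's retention of 34560000000 ms renders as the 400-day default.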

Frequently Asked Questions

Why is a cookie name a number or anonymized string?

The cookie scanner leverages information from the browser. Some privacy-centric browsers may anonymize or obfuscate cookie names, which can be pulled in to DataGrail.

What's the difference between Cookie and Storage Key in the Type column?

Cookie entries come from document.cookie (standard browser cookies). Storage Key entries come from localStorage or sessionStorage — browser storage mechanisms commonly used by tracking and analytics tools to persist identifiers or behavioral data. Both types are subject to the same consent-based blocking and deletion behavior when a matching rule is in place.

Can I block localStorage and sessionStorage writes the same way I block cookies?

Yes. Once you create a rule matching a Storage Key entry, DataGrail will block writes to that key and delete the existing entry when a data subject opts out of the associated consent category.

 

Need help?
If you have any questions, please reach out to your dedicated Account Manager or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.