Cookie Management

While DataGrail Consent prioritizes script or service blocking, you can use DataGrail Consent to manage first-party cookies that store data subject data within the browser, which can be necessary for your company to comply with various industry regulations. For more best practices on managing trackers vs. cookies, see this guide.

If a data subject opts out of a category that matches the rules published on your website, the cookie will be blocked and deleted from your visitors' browsers, in accordance with regulatory policies and frameworks.

First vs. Third Party Cookies

DataGrail can only retrieve and manage cookies that are "first-party" or deployed to your website via scripts that are running on your website. Third-party cookies, or those that have an origin outside of your domain, are impossible to block due to browser security mechanisms. Instead, you should manage the scripts that deploy these cookies directly.

Cookie Scanner

DataGrail Consent includes scanning and auto-classification features to identify and categorize first-party cookies stored on your users' websites.

How it Works

When DataGrail is deployed, every time a user visits your site, the cookies set in the browser (via document.cookie) are sent to DataGrail and added as unmanaged cookies.

Enabling The Cookie Scanner

When you first view the cookies tab in DataGrail Consent, you'll notice there are no rules defined, so no cookies are managed. If you already know the rules you want to define (in the case of migrating from another vendor), you can start adding them within the managed tab.

1. Navigate to Containers in the Consent Settings page.
2. Select the desired container.
3. Toggle the Cookie Scanner to on. By selecting this option and publishing our updates, you grant DataGrail permission to deploy our scanning technology and begin cookie sampling from any sites connected to this container.

Interpreting Results

Once enabled, you will start seeing results reported to DataGrail in a few minutes within the unmanaged table in the cookies tab:

This table shows all cookies identified by the browser for visitors experiencing your websites. You can use this report to inform the creation of rules that match one or a subset of the cookies visible in the unmanaged tab.

If you want to make a new rule based on a cookie observation, you can select the row entry in the unmanaged tab. If we have a suggested rule, we will prepopulate this for you in the subsequent dialog box.

Where is this cookie coming from?

Most reported cookies should use an identifiable name and have a clear relationship to a service or script deployed on your site. While you should always confirm with your development team, if you are unfamiliar with a cookie, the following tools can help with classification:

• Large Language Models (ChatGPT, Claude/Anthropic): You can ask these tools for help with identifying cookies and even giving you a classification suggestion:
• Online Databases (cookiedatabase.org, cookiesearch.org, etc): These are aggregated, open use tools to search for cookies and retrieve information about cookies in a wiki-like format.

If it's still unclear where the cookie is coming from, it may be a false positive. This means that while it was detected by the scanner, it's likely not being set by your site. It's possible for browser extensions and other local tooling to inject cookies on to the page. In this case, the cookie is out of scope for management by your organization.

Use the Total Observed and Date Observed columns to understand if the cookie is being set consistently. If the cookie was last seen a few weeks ago and has very few occurrences relative to your other cookies, it's likely not being set by your site.

Rule Management

By default, DataGrail will suggest rules that you can use to quickly manage cookies on your websites.

Rule suggestions are based on our models and aggregation of our sampling data, and will continue to improve over time. You can quickly accept these suggestions using the bulk select tool.

To add a cookie management rule manually:

1. Navigate to the Unmanaged or Rules tab of the Cookies page.
2. Select Add Rule.
3. Enter the Match Criteria. This is the formula that DataGrail will use to match against the specific cookies that should be blocked and deleted within a data subject's browser storage.
   • Rules can contain a wildcard denoted with an asterisk (*) at the end of the rule.
   • For example, if you want to create a rule that unifies all of the DataGrail cookies as Performance, you can set the rule to datagrail* (case sensitive) and name the rule "DataGrail Essentials"
4. Enter an internal-only Name, Category, and Vendor for the cookie.
5. Select Add Rule.
6. Publish your changes.

If you add the rule, the cookies that are matched by this rule become managed and you will see the rule in the managed table.

If you used our scanner to generate a report of unmanaged cookies, you will also see the count of cookies in this table reduced by the amount of cookies that become managed as a result of the rule creation.

Best Practice

Ideally, you should have no (0) unmanaged cookies. It is best practice to create rules and set them to the essential or uncategorized options so that you have a complete inventory of cookies that are managed by DataGrail, even though the Data Subject visiting your site will not be able to remove them from their browser as a result of their consent preferences.

Frequently Asked Questions

Why a cookie name a number or anonymized string?

The cookie scanner leverages information from the browser. Some privacy-centric browsers may anonymize or obfuscate cookie names, which can be pulled in to DataGrail.