Cookie Management
Cookie Management is in beta for select customers and prospects who have purchased DataGrail Consent. Please contact your Customer Success Manager or support@datagrail.io for more information.
You can use DataGrail Consent to manage cookies that store data subject data within the browser, which can be necessary for your company to comply with various industry regulations. While DataGrail Consent prioritizes script or service blocking, cookie lifecycle management can provide a first layer of compliance for customers that are still mapping out the specific services used within their organization.
DataGrail Consent can scan for the cookies that vendors (including you) use to store data subject information, which is helpful for building the rules that DataGrail Consent will use to determine what cookies are allowed to load in the browser based on a data subject's consent choices. If a data subject opts out of a category that matches the rules published on your website, the cookie will be blocked and deleted from your visitors' browsers, in accordance with regulatory policies and frameworks.
Cookie Scanning
When you first view the cookies tab in DataGrail Consent, you'll notice there are no rules defined, so no cookies are managed. If you already know the rules you want to define (in the case of migrating from another vendor), you can start adding them within the managed tab as seen below:
If you aren't sure what rules you need to create, you can use our scanning capability to collect and report on cookies from your website to inform what rules you need to set up.
First, enable the option to collect and report cookies for each connected container whose cookies will be managed by DataGrail.
By selecting this option and publishing our updates, you grant DataGrail permission to deploy our scanning technology and begin cookie sampling from any sites connected to this container.
You will start seeing results reported to DataGrail in a few minutes within the unmanaged table in the cookies tab:
This table shows all of the cookies we found via our scanner for visitors experiencing your websites connected to DataGrail Managed Containers. You can use this report to inform the creation of rules that match one or a subset of the cookies visible in the unmanaged tab.
DataGrail will only retrieve cookies that are "first-party" or deployed to your website via scripts that are running on your website. Third-party cookies, or those that have an origin outside of your domain, are impossible to block due to browser security mechanisms. Instead, you should manage the scripts that deploy these cookies directly.
Rule Creation Tools
The following information is not legal advice, only technology guidance to inform your rule creation strategy. We recommend collaborating with your developer team and counsel to build an accurate record of rules for management.
You may not know what these cookies are or what vendors are using them, but there are tools available to help inform the rules you would create to classify these cookies for management:
Large Language Models (ChatGPT, Claude/Anthropic): You can ask these tools for help with identifying cookies and even giving you a classification suggestion:
Online Databases (cookiedatabase.org, cookiesearch.org, etc): These are aggregated, open use tools to search for cookies and retrieve information about cookies in a wiki-like format.
Rule Management
You can create rules using the add rule button in either the managed or unmanaged tabs.
Each rule can have the following information specified for management:
- Rule: This is the formula that DataGrail will use to match the specific cookies that should be blocked and deleted within a data subject's browser storage.
  - Rules can contain a wildcard denoted with an asterisk (*) at the end of the rule.
  - For example, if you want to create a rule that unifies all of the Google Analytics cookies as Performance, you can set the rule to _ga* (case sensitive) and name the rule "Google Analytics".
- Name: This is the human readable name that you'll use for the purposes of identifying the functionality of the cookie. In the future, this name and other cookie metadata may be exposed to end users.
- Category: The category or purpose this cookie belongs to. You can choose from one of the four built-in DataGrail categories, or one of your own.
- Vendor: The software vendor that picks up the data stored in the cookie to perform its functionality.
As you begin to populate the rule field, DataGrail will confirm if that rule will match any unmanaged cookies in the window area.
If you add the rule, the cookies that are matched by this rule become managed and you will see the rule in the managed table. Here's another example for HotJar:
If you used our scanner to generate a report of unmanaged cookies, you will also see the count of cookies in this table reduced by the number of cookies that become managed as a result of the rule creation.
Ideally, you should have no (0) unmanaged cookies. It is best practice to create rules and set them to the essential or uncategorized options so that you have a complete inventory of cookies that are managed by DataGrail, even though the Data Subject visiting your site will not be able to remove them from their browser as a result of their consent preferences.
Migration From a Different CMP
If you are migrating from a legacy CMP, you can export the list of cookies you previously managed within that tool and give it to DataGrail for us to import into your environment on your behalf. DataGrail will only need the cookie names, rules, and categories for management. You can provide this as a table:
Cookie Name | Rule | Category | Vendor |
---|---|---|---|
A name to help users understand the specific use of the cookie data | A string that specifies the specific observations of cookies that need to be managed | The purpose of the cookie data for data processing. DataGrail supports "Marketing", "Performance", "Functional", or "Essential" | The vendor that uses the cookie data for its functionality |
e.g. Google Analytics | e.g. ga_ | e.g. Marketing | e.g. Google |
We will take this list and add it to your customer configuration using internal tooling. From there, you simply need to publish DataGrail Consent to your website containers. DataGrail will then manage these cookies based on the Consent preferences received.
Publishing and Testing
After you have defined rules for DataGrail to use to manage cookies, you can publish this rule list to all of your containers for management. DataGrail will publish the same rules across all containers managed by DataGrail.
You can test DataGrail cookie management by defining a simple script on your site which will set some fake cookies in the browser. These fake cookies, in turn, can be managed as rules and published to that website.
Add this script code to your site:
<script>
  // Reuse the existing dgEvent array or create it.
  window.dgEvent = window.dgEvent || [];

  // Sets one fake test cookie per category so each can be matched by a rule.
  function initial_prefs(preferences) {
    console.log("setting cookie");
    document.cookie = 'dg-category-essential=123123; expires=Thu, 01 Jan 2031 00:00:00 UTC; path=/; SameSite=Strict;';
    document.cookie = 'dg-category-performance=123123; expires=Thu, 01 Jan 2031 00:00:00 UTC; path=/; SameSite=Strict;';
    document.cookie = 'dg-category-functional=123123; expires=Thu, 01 Jan 2031 00:00:00 UTC; path=/; SameSite=Strict;';
    document.cookie = 'dg-category-marketing=123123; expires=Thu, 01 Jan 2031 00:00:00 UTC; path=/; SameSite=Strict;';
  }

  // Register initial_prefs for the initial_preference_callback event.
  window.dgEvent.push({
    event: "initial_preference_callback",
    params: initial_prefs
  });
</script>
When added, the enumerated cookies will appear in your browser when DataGrail Consent loads. From there, you can define these cookies for management within DataGrail Consent, which will take effect on the next publish.
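To predict what a rule list will do to these test cookies before publishing, the rule semantics from Rule Management (trailing asterisk wildcard, case-sensitive match) can be modelled offline. The following JavaScript is an added example, not DataGrail's code: the function names, the first-match-wins behaviour and the sample cookie string are assumptions.

```javascript
// Added example; all names are hypothetical and this is not DataGrail's code.

// True when a cookie name matches a rule. A trailing "*" makes the rule a
// prefix match; otherwise the name must match exactly. Case sensitive.
function ruleMatches(rule, cookieName) {
  if (rule.endsWith("*")) {
    return cookieName.startsWith(rule.slice(0, -1));
  }
  return cookieName === rule;
}

// Parse a document.cookie-style string into a list of cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Predict the outcome for each cookie given the rules and the categories
// the visitor opted out of. Assumption: the first matching rule wins.
function planCookies(cookieString, rules, optedOut) {
  const plan = { kept: [], deleted: [], unmanaged: [] };
  for (const name of cookieNames(cookieString)) {
    const rule = rules.find((r) => ruleMatches(r.rule, name));
    if (!rule) plan.unmanaged.push(name);
    else if (optedOut.includes(rule.category)) plan.deleted.push(name);
    else plan.kept.push(name);
  }
  return plan;
}

// Constructed sample: the four test cookies from the script above plus
// Google Analytics-style names, one of them upper-cased.
const sampleCookies =
  "dg-category-essential=123123; dg-category-performance=123123; " +
  "dg-category-functional=123123; dg-category-marketing=123123; " +
  "_ga=GA1.1.1; _ga_ABC123=GS1.1.1; _GA_upper=1";

const sampleRules = [
  { rule: "dg-category-essential", name: "Test essential", category: "Essential" },
  { rule: "dg-category-performance", name: "Test performance", category: "Performance" },
  { rule: "dg-category-marketing", name: "Test marketing", category: "Marketing" },
  { rule: "_ga*", name: "Google Analytics", category: "Performance" },
];

const samplePlan = planCookies(sampleCookies, sampleRules, ["Performance", "Marketing"]);
console.log(samplePlan);
```

Cookies that land in the unmanaged list here, such as the functional test cookie with no rule and the upper-cased name that the case-sensitive wildcard misses, are the ones that still need a rule.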
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.