Cookie Management

You can use DataGrail Consent to manage first-party cookies that store data subject data within the browser, which can be necessary for your company to comply with various industry regulations.

While DataGrail Consent prioritizes script or service blocking, cookie lifecycle management can provide a first layer of compliance for customers that are still mapping out the specific services used within their organization. For more best practices on managing trackers vs. cookies, see this guide.

DataGrail Consent includes scanning and auto-classification features to identify and categorize first-party cookies stored on your users' websites. If a data subject opts out of a category that matches the rules published on your website, the cookie will be blocked and deleted from your visitors' browsers, in accordance with regulatory policies and frameworks.

First vs. Third Party Cookies

DataGrail will only retrieve cookies that are "first-party" or deployed to your website via scripts that are running on your website. Third-party cookies, or those that have an origin outside of your domain, are impossible to block due to browser security mechanisms. Instead, you should manage the scripts that deploy these cookies directly.

Cookie Scanning

When you first view the cookies tab in DataGrail Consent, you'll notice there are no rules defined, so no cookies are managed. If you already know the rules you want to define (in the case of migrating from another vendor), you can start adding them within the managed tab.

Enabling The Cookie Scanner

If you aren't sure what rules you need to create, you can use our scanning capability to collect and report on cookies from your website to inform what rules you need to set up.

First, enable the Cookie Scanner option to collect and report cookies for the container(s) connected that will have cookies managed by DataGrail.

By selecting this option and publishing our updates, you grant DataGrail permission to deploy our scanning technology and begin cookie sampling from any sites connected to this container.

You will start seeing results reported to DataGrail in a few minutes within the unmanaged table in the cookies tab:

This table shows all cookies identified by the browser for visitors experiencing your websites. You can use this report to inform the creation of rules that match one or a subset of the cookies visible in the unmanaged tab.

If you want to make a new rule based on a cookie observation, you can select the row entry in the unmanaged tab. If we have a suggested rule, we will prepopulate this for you in the subsequent dialog box.

Rule Creation Tools

warning

The following information is not legal advice, only technology guidance to inform your rule creation strategy. We recommend collaborating with your developer team and counsel to build an accurate record of rules for management.

DataGrail Cookie Classification: Based on the cookies revealed via the DataGrail Consent cookie scanner, we will suggest rules that you can use to quickly manage cookies on your websites. Rule suggestions are based on our models and aggregation of our sampling data, and will continue to improve over time. You can quickly accept these suggestions using the bulk select tool.

Large Language Models (ChatGPT, Claude/Anthropic): You can ask these tools for help with identifying cookies and even giving you a classification suggestion:

Online Databases (cookiedatabase.org, cookiesearch.org, etc): These are aggregated, open use tools to search for cookies and retrieve information about cookies in a wiki-like format.

Rule Management

You can create rules using the add rule button in either the managed or unmanaged tabs.

Each rule can have the following information specified for management:

1. Rule: This is the formula that DataGrail will use to match against the specific cookies that should be blocked and deleted within a data subject's browser storage.
   1. Rules can contain a wildcard denoted with an asterisk (*) at the end of the rule.
   2. For example, if you want to create a rule that unifies all of the DataGrail cookies as Performance, you can set the rule to datagrail* (case sensitive) and name the rule "DataGrail Essentials"
2. Name: This is the human readable name that you'll use for the purposes of identifying the functionality of the cookie. In the future, this name and other cookie metadata may be exposed to end users.
3. Category: The category or purpose this cookie belongs to. You can choose from one of the four built-in DataGrail categories, or one of your own.
4. Vendor: The software vendor that picks up the data stored in the cookie to perform its functionality.

As you begin to populate the rule field, DataGrail will confirm if that rule will match any unmanaged cookies in the window area.

If you add the rule, the cookies that are matched by this rule become managed and you will see the rule in the managed table.:

If you used our scanner to generate a report of unmanaged cookies, you will also see the count of cookies in this table reduced by the amount of cookies that become managed as a result of the rule creation.

Best Practice

Ideally, you should have no (0) unmanaged cookies. It is best practice to create rules and set them to the essential or uncategorized options so that you have a complete inventory of cookies that are managed by DataGrail, even though the Data Subject visiting your site will not be able to remove them from their browser as a result of their consent preferences.

Migration From a Different CMP

If you are migrating from a legacy CMP, you can export your list of cookies you have previously managed within that tool and give it to DataGrail for us to import into your environment on your behalf. DataGrail will only need the cookie names, rules, and categories for management. You can provide this as a table:

Cookie Name	Rule	Category	Vendor
A name to help users understand the specific use of the cookie data	A string that specifies the specific observations of cookies that need to be managed	The purpose of the cookie data for data processing. DataGrail supports "Marketing", "Performance", "Functional", or "Essential"	The vendor that uses the cookie data for its functionality
e.g. Google Analytics	e.g. ga_	e.g. Marketing	e.g. Google

We will take this list and add it to your customer configuration using internal tooling. From there, you simply need to publish DataGrail Consent to your website containers. DataGrail will then manage these cookies based on the Consent preferences received.

Publishing and Testing

After you have defined rules for DataGrail to use to manage cookies, you can publish this rule list to all of your containers for management. DataGrail will publish the same rules across all containers managed by DataGrail.

You can test DataGrail cookie management by defining a simple script on your site which will set some fake cookies in the browser. These fake cookies, in turn, can be managed as rules and published to that website.

Add this script code to your site:

<script>
  window.dgEvent = window.dgEvent || [];

  function initial_prefs(preferences) {
    console.log("setting cookie");
    document.cookie = 'dg-category-essential=123123; expires=Thu, 01 Jan 2031 00:00:00 UTC; path=/; SameSite=Strict;';
    document.cookie = 'dg-category-performance=123123; expires=Thu, 01 Jan 2031 00:00:00 UTC; path=/; SameSite=Strict;';
    document.cookie = 'dg-category-functional=123123; expires=Thu, 01 Jan 2031 00:00:00 UTC; path=/; SameSite=Strict;';
    document.cookie = 'dg-category-marketing=123123; expires=Thu, 01 Jan 2031 00:00:00 UTC; path=/; SameSite=Strict;';
  }

  window.dgEvent.push({
    event: "initial_preference_callback",
    params: initial_prefs
  });
</script>

When added, the enumerated cookies will appear in your browser when DataGrail Consent loads. From there, you can define these cookies for management within DataGrail Consent, which will take effect on the next publish.