- How it does it work?
- Am I using automatic cookie blocking?
- How do I switch from manual to automatic cookie blocking?
- How long does it take to implement?
- How do I know it's working?
- Troubleshooting: why are cookies still being set?
On September 10th 2019 Cybot introduced Automatic cookie blocking as a new feature and part of the core functionality in our cookie Consent Management Solution. With automatic cookie blocking, Cookiebot will block all cookies except those strictly necessary from being set until a user has given their consent. Based on the user's consent and the categories opted into, Cookiebot will allow the cookies in these categories to be set.
How does it work?
The Cookiebot scanner crawls your website and identifies all cookies being set AND the scripts, iframes, videos, images etc. setting them, as well as a number of other methods used to track users and set cookies (Including pixels - See: What kinds of cookies and tracking technologies does the Cookiebot scanner find?)
Based on the scan results and paired with the classification of cookies in our manager, a configuration file is automatically built and made available to the consent banner script implemented on your website.
Every time we scan your website and every time you make changes to your settings in the Cookiebot Manager, your configuration file is updated and the latest information is applied when automatically blocking cookies on your website.
When your website is accessed by a user, our consent banner will instantly read and apply the configuration file, allowing all necessary cookies and blocking the rest, until all, some or none are allowed, based on the consent given by the users interaction with the banner.
The way it technically works is that each cookie setting script and element is identified and registered in a way that it can be uniquely identified again at a later stage. Our algorithm includes a number of steps to identify and verify the script (among them content checksum, file, path and keyword matching, and more).
If one script has been assessed to be the initiator of several cookies and these cookies belong to different categories, then the script will be blocked unless all categories the cookies belong to have been consented to.
The script abc.js is the source of two cookies: a preference cookie named favorite_page and a statistics cookie named visitor_stats.
If the user visiting the website decides to give their consent to only preference cookies, opting out of statistics and marketing cookies, all scripts setting statistics and marketing cookies will be blocked.
In our example abc.js would be blocked as well and favorite_page would not be set, despite the user opting in to preference cookies.
Am I using automatic cookie blocking?
In the Cookiebot Manager, in Settings under the 'Your scripts' you can see the difference between the two scripts used for the different blocking modes by switching between the Automatic and Manual cookie blocking modes. The switch between the two options is only a switch between what is displayed in the manager and does not necessarily present the functionality implemented on your website.
You will see the manual script being similar to this:
And the automatic script being similar to this:
If you look at the highlighted parts, you will see that the difference is in the scripts' attributes:
- async = manual cookie blocking
- data-blockingmode="auto" = automatic blocking
The script on your website determines whether you are using manual cookie blocking or automatic cookie blocking. Navigate to your website and take a look at the source code of the front page.
If you use Chrome on Windows you can do so by hitting CTRL+U and in most browsers you can left click and choose "View Page Source".
Search for "cbid" (Use CTRL+F) and you should find a line of code similar to one of the two above. This should tell you what cookie blocking mode is enabled on your website.
Here's an example of how the manual script would look:
Please note that if you are unable to find cbid in your source code, it may be because our script is loaded through a tag manager like Google Tag Manager. If that is the case, your cookie control is also typically handled from within your tag manager through events and triggers.
How do I switch from manual to automatic cookie blocking mode?
The script which is currently inserted in the header of the website to display the cookie banner looks like this:
To enable the automatic cookie-control, the script needs a bit of editing: Remove the async attribute and add a data-blockingmode="auto" attribute so that the script looks like this:
The zeroes are replaced with the cbid-number from the relevant domain group on your Cookiebot account (See also: Your CBID or Domain group ID and where to find it).
If this is not already the case, make sure that the script is placed as the very first script on the website. Cookies will now be blocked before consent and controlled automatically based on what the website user has consented to.
How long does it take to implement?
Once you've added your domain to the Cookiebot Manager it will take up to 24 hours for the first scan and analysis of your website to complete. When you add the Cookiebot script to your website, a number of predefined known cookies will be blocked right away until cookie consent has been obtained. The rest of your cookies will be controlled by Cookiebot as soon as the scan has completed.
Changes to Categorization of cookies in the manager may take up to two minutes to show on your website.
How do I know it's working?
If you're unsure if your Cookie consent banner is working properly and if your cookies are held back by our automatic cookie blocking function, you may do the following to check whether the solution is working as intended:
- Check your latest cookie scan report for issues
- Do a manual check via your browser
1. Check your scan report for issues
We added built-in compliance checks to our scanner, to make sure you are automatically notified of any issues per cookie in your scan reports. Every month we advise you to check your scan report and make sure to keep an eye out for the following 3 issues:
- Unclassified cookies found
- Cookies not blocked before consent
- Cookies that send data to inadequate countries
1.1. Unclassified cookies
In order to make sure your cookies are blocked correctly, they need to be classified in one of the 4 categories:
For more information on unclassified cookies how to manually categorize them, please see: Check your unclassified cookies.
1.2. Cookies not blocked before consent
If a cookie is not blocked until consent has been given, this will be stated in your scan report:
If you can see any cookies referring to this issue, it is important to check up on the cause of this. As a first step, see if you can reproduce the issue by running a manual check via your browser (see also step 2 in this article). Can you also see the cookie set before consent is provided via your browser? This is most likely due to an issue with the banner script implementation and you can use the following checklist to discover the cause:
If you are using automatic cookie blocking;
✔ Is Cookiebot the first script on the page to load
Make sure that the Cookiebot script is the very first script to load on your website. This is essential for our script’s ability to hold back cookies until consent has been obtained.
✔ Has the Cookiebot script been implemented multiple times
Both the banner and declaration script should only be implemented once, otherwise this may cause issues with auto blocking.
Example: You are using WordPress and have enabled Cookiebot via the plugin AND added the script inline to your website code.
Example: You use Google Tag Manager on your website and have enabled Cookiebot via your Tag Manager setup AND have also added the banner script inline to your source code.
✔ Check your Google Tag Manager setup
Are you using GTM to implement Cookiebot on your website?Ensure your GTM is configured to check consent settings before loading tags which set cookies.
Review our GTM installation guide here.
✔ Check whether the cookie is set by the webserver
In your Cookie report you may have cookies that are set by your webserver, also known as “server-side cookies”, these are marked like this:
These you will have to block by adding server-side code, to withhold these cookies until consent has been given. You may have to contact your web host or web solution vendor to find out more about these cookies. See the "Server Side Usage" section of our developer documentation for adding server-side Cookiebot logic.
1.3. Cookies that send data to inadequate countries
This issue is reported per cookie and you will be able to see the following text added:
For more information regarding adequate countries, please see: Send personal data to "adequate" 3rd countries.
2. Manual check via the browser
Please note, all below examples are from Google Chrome on Windows. Other browsers and other operating systems will have similar options, but you find small deviations to the method mentioned.
- Open a new session of your browser in private or incognito mode. In your browser hit CTRL+SHIFT+N
- Navigate to your website and check that the cookie consent banner appears as expected.
- Hit F12 in your browser to open developer mode. In the new window navigate to "Application" ❶ in the top menu bar and choose "Cookies" ❷ in the left hand menu under Storage.If Cookies show up, please mark them with your mouse and delete them until no cookies are present on your website.
- Now reload your website hitting F5 in your browser. You will see the banner, and possibly some cookies appear, like this:Click a link or two on your website, to navigate to other pages, without interacting with the cookies banner. If the banner disappears, you may have "Implied consent" configured. Log in to your account, navigate to Settings -> Dialog and change this to "Explicit consent" if you want the banner to stay until prior consent has been obtained through a click on the OK button.
Notice how no other cookies than the few strictly necessary cookies you may have on your website are being set.
- Activate the Cookie Consent Banner by choosing which categories you want to opt in to and click OK. You will now see more cookies being set.
Troubleshooting: why are cookies still being set?
✔ Check your script
Make sure that you are using the automated blocking mode (Check your script and blocking mode)
✔ Wait 24 hours
When you first sign up for Cookiebot and implement our services on your website it may take up to 24 hours for our scans to complete and for all cookies to be under the control of the automatic cookie blocker. We will be able to block a large amount of cookies as soon as our script is on your site, but for full coverage an initial scan and analysis of your website is required. This will happen automatically within the first 24 hours.
✔ My scan report says "Prior consent enabled: "no"
The very first scan of your website will be used to analyze your cookies and apply our algorithms to make sure all cookies are held back, except for those that are strictly necessary, until prior consent has been obtained. Your first scan report will reflect the state of your website before this analysis has been completed. It is a reflection of the state of your website before full coverage was created by the scan. When you receive the report, the analysis will have completed and you will have full coverage. Your next report, created upon completion of your next scan, will show the state of your website with automatic cookie blocking fully implemented.
✔ Our compliance test says "Not compliant"
Please make sure you wait at least 24 hours from signing up and implementing until you use to compliance test to scan your website.
✔ Cookies are still not blocked
Please make sure that you have inserted the Cookiebot script at the very top of your website, as the very first element inside your <head>-element.
Also make sure that your Cookiebot script does not contain the text "async" in the script tag.