Skip to main content

Automatic cookie blocking

  • Updated

Intro

Automatic cookie blocking is a feature that can be enabled in Cookiebot CMP. With automatic cookie blocking, Cookiebot blocks all cookies - except those strictly necessary - from being set, until a user has provided consent. Based on the user's consent choices and the categories that they opt in to, Cookiebot allows cookies in the approved categories to be set.

 

How does it work?

The Cookiebot scanner crawls through the website and identifies all cookies being set, the related scripts, iframes, videos, images, etc., as well as several other methods used to track users and set cookies, including pixels. For more information about this topic see: What kinds of cookies and tracking technologies does the Cookiebot scanner find?

Based on the scan results and the cookie classification, a configuration file is automatically built and made available to the consent banner script implemented on the website.

Every time the website is scanned and changes are made to the settings, the configuration file is updated and the latest information is applied when automatically blocking cookies.

To provide your users with the best possible experience and to ensure that informed consent is given, make sure to routinely categorize your unclassified cookies. Use your monthly report to see new cookies  that we’ve identified since the last scan, and to check that everything is categorized correctly.

When your website is accessed by a user, our consent banner instantly reads and applies the configuration file, allowing all necessary cookies and blocking the rest, until all, some or none are allowed, based on the consent given by the user's interaction with the banner.

In technical terms, each cookie-setting resource, such as scripts, is registered and given a unique identifier so that it can be identified at a later stage. Our algorithm includes several methods by which it identifies and verifies scripts, including, but not limited to: consent checksums, files, paths and keyword matchings.

If a script has been identified as the initiator of several cookies and these cookies belong to different categories, then this script is blocked unless all categories that the cookies belong to have been consented to.

To exemplify:

The script abc.js is the source of two cookies: a preference cookie named favorite_page and a statistics cookie named visitor_stats.

If the user visiting the website decides to give their consent to only preference cookies, opting out of statistics and marketing cookies, all scripts setting statistics and marketing cookies are blocked.

In our example abc.js is blocked as well and favorite_page is not set, despite the user opting in to preference cookies.

 

Am I using automatic cookie blocking?

To know which version you are using you must look at the script implemented on your website. The script alone decides the cookie blocking functionality on your website.

In the Cookiebot Manager, in Settings under the 'Your scripts' you can see the difference between the two scripts used for the different blocking modes by switching between the Automatic and Manual cookie blocking modes. The switch between the two options is only a switch between what is displayed in the manager and does not necessarily present the functionality implemented on your website.

 

You will see the manual script being similar to this:

<script
  id="Cookiebot"
  src="https://consent.cookiebot.com/uc.js"
  data-cbid="00000000-0000-0000-0000-000000000000"
  type="text/javascript"
  async
></script>

And the automatic script being similar to this:

<script
  id="Cookiebot"
  src="https://consent.cookiebot.com/uc.js"
  data-cbid="00000000-0000-0000-0000-000000000000"
  data-blockingmode="auto"
  type="text/javascript"
></script>

If you look at the highlighted parts, you will see that the difference is in the scripts' attributes:

  • async → manual cookie blocking
  • data-blockingmode="auto" → automatic blocking
The script on your website determines whether you are using manual cookie blocking or automatic cookie blocking. 

Navigate to your website and take a look at the source code of the front page. If you use Chrome on Windows you can do so by hitting CTRL+U and in most browsers you can left click and choose "View Page Source".

Search for "cbid" (Use CTRL+F) and you should find a line of code similar to one of the two above. This tells you what cookie blocking mode is enabled on your website.

Here's an example of how the manual script would look:

mceclip1.png

Note that if you are unable to find cbid in your source code, it may be because our script is loaded through a tag manager like Google Tag Manager. If that is the case, your cookie control is also typically handled from within your tag manager through events and triggers.

 

How do I switch from manual to automatic cookie blocking mode?

The script which is currently inserted in the header of the website to display the consent banner looks like this:

<script
  id="Cookiebot"
  src="https://consent.cookiebot.com/uc.js"
  data-cbid="00000000-0000-0000-0000-000000000000"
  type="text/javascript"
  async
></script>

To enable the automatic cookie-control, the script needs a bit of editing: Remove the async attribute and add a data-blockingmode="auto" attribute so that the script looks like this:

<script
  id="Cookiebot"
  src="https://consent.cookiebot.com/uc.js"
  data-cbid="00000000-0000-0000-0000-000000000000"
  data-blockingmode="auto"
  type="text/javascript"
></script>

The zeroes are replaced with the cbid from the relevant domain group on your Cookiebot account (See also: Your CBID or Domain group ID and where to find it).

If this is not already the case, make sure that the script is placed as the very first script on the website. Cookies are now blocked before consent is given and controlled automatically based on what the website user has consented to.

 

How long does it take to implement?

Once you've added your domain to the Cookiebot Manager it takes up to 24 hours for the first scan and analysis of your website to complete. When you add the Cookiebot script to your website, several predefined known cookies are blocked right away until cookie consent has been obtained. The rest of your cookies are controlled by Cookiebot as soon as the scan has completed.

Changes to categorization of cookies in the manager may take up to two minutes to show on your website.

 

How do I know it's working?

If you're unsure whether your consent banner is working properly and whether your cookies are held back by our automatic cookie blocking function, you can do the following to check whether the solution is working as intended:

  1. Check your latest cookie scan report for issues
  2. Do a manual check via your browser

1. Check your scan report for issues

We added built-in compliance checks to our scanner to make sure you are automatically notified of any issues per cookie in your scan reports. Every month we advise you to check your scan report and keep an eye out for the following three issues:

  1. Unclassified cookies found
  2. Cookies not blocked before consent is given
  3. Cookies that send data to inadequate countries

1.1. Unclassified cookies

To make sure your cookies are blocked correctly, they need to be classified in one of the four categories:

  1. Necessary
  2. Marketing
  3. Statistics
  4. Preference

For more information on unclassified cookies and how to manually categorize them, see: Check your unclassified cookies.

 

1.2. Cookies not blocked before consent is given

If a cookie is not blocked until consent has been given, this is stated in your scan report:

Screenshot_2022-02-11_at_11.28.50.png

If you can see any cookies referring to this issue, it is important to check up on the cause of this. As a first step, see if you can reproduce the issue by running a manual check via your browser (see also step 2 in this article). Can you also see the cookie set before consent is given via your browser? This is most likely due to an issue with the banner script implementation and you can use the following checklist to discover the cause:

If you are using automatic cookie blocking;

Is Cookiebot the first script on the page to load

Make sure that the Cookiebot script is the very first script to load on your website. This is essential for our script’s ability to hold back cookies until consent has been obtained.

Has the Cookiebot script been implemented multiple times

Both the banner and declaration script should only be implemented once, otherwise this may cause issues with auto-blocking.
Example: You are using WordPress and have enabled Cookiebot via the plugin AND added the script inline to your website code.
Example: You use Google Tag Manager on your website and have enabled Cookiebot via your Tag Manager setup AND have also added the banner script inline to your source code.

Check your Google Tag Manager setup

Are you using GTM to implement Cookiebot on your website? Ensure your GTM is configured to check consent settings before loading tags which set cookies.
Review our GTM installation guide here.

Check whether the cookie is set by the webserver

In your Cookie report you may have cookies that are set by your webserver, also known as “server-side cookies”, these are marked like this:

Initiator: Webserver

These you will have to block by adding server-side code, to withhold these cookies until consent has been given. You may have to contact your web host or web solution vendor to find out more about these cookies. See the "Server Side Usage" section of our developer documentation for adding server-side Cookiebot logic.

 

1.3. Cookies that send data to inadequate countries

This issue is reported per cookie and you can see the following text added:

Screenshot_2022-02-11_at_12.45.46.png

For more information regarding adequate countries, see: Send personal data to "adequate" 3rd countries.

2. Manual check via the browser

Note, all below examples are from Google Chrome on Windows. Other browsers and other operating systems have similar options, but you find small deviations to the method mentioned.

  1. Open a new session of your browser in private or incognito mode. In your browser hit CTRL+SHIFT+N
  2. Navigate to your website and check that the consent banner appears as expected.
  3. Hit F12 in your browser to open developer mode. In the new window navigate to "Application" ❶ in the top menu bar and choose "Cookies" ❷ in the left hand menu under Storage.console01.pngIf Cookies show up, mark them with your mouse and delete them until no cookies are present on your website.
  4. Now reload your website hitting F5 in your browser. You see the banner, and possibly some cookies appear, like this:console02.pngClick a link or two on your website, to navigate to other pages, without interacting with the cookies banner. If the banner disappears, you may have "Implied consent" configured. Log in to your account, navigate to Settings -> Dialog and change this to "Explicit consent" if you want the banner to stay until consent is given through a click on the OK button.

    Notice how no other cookies than the few strictly necessary cookies you may have on your website are being set.
  5. Activate the consent banner by choosing which categories you want to opt in to and click OK. You now see more cookies being set.console03.png

 

Troubleshooting: why are cookies still being set?

Check your script

Make sure that you are using the automated blocking mode (Check your script and blocking mode)

Wait 24 hours

When you first sign up for Cookiebot and implement our services on your website it may take up to 24 hours for our scans to complete and for all cookies to be under the control of the automatic cookie blocker. We are able to block a large amount of cookies as soon as our script is on your site, but for full coverage an initial scan and analysis of your website is required. This happens automatically within the first 24 hours.

My scan report says "Prior consent enabled: "no"

The very first scan of your website is used to analyze your cookies and apply our algorithms to make sure all cookies are held back, except for those that are strictly necessary, until consent has been given. Your first scan report reflects the state of your website before this analysis has been completed. It is a reflection of the state of your website before full coverage was created by the scan. When you receive the report, the analysis has completed and you have full coverage. Your next report, created upon completion of your next scan, shows the state of your website with automatic cookie blocking fully implemented.

Our compliance test says "Not compliant"

Make sure you wait at least 24 hours from signing up and implementing until you use the compliance test to scan your website.

Cookies are still not blocked

Make sure that you have inserted the Cookiebot script at the very top of your website, as the very first element inside your <head>-element. 
Also make sure that your Cookiebot script does not contain the async attribute on the script tag.

If you are still unsure as to the cause of your cookies not being blocked correctly, let us know and we are happy to have a look!

Contact us

 

While auto-blocking is a quick and easy way to prevent cookies from being set, there are several reasons to consider manually marking up elements to prevent them from setting cookies before consent is given: Read more about manual cookie blocking

Comments

0 comments

Please sign in to leave a comment.