It isn't technically possible to block tracking from being utilized unless you presevent whatever the source is of the tracking from being able to do so. Therefore, when our solution is correctly configured it disables elements that set cookies prior consent.
To enable these disabled elements certain attributes determine whether the element should be enabled or not, based on a visitor's consent.
If an element sets cookies in only a single category, the conditions that need to be met for the element to be allowed to load are very simple; If a visitor has accepted that category of cookies (or all categories), the element will be allowed to load. If the opposite is true the element will remain blocked.
Things become more complicated when a single element sets cookies in multiple categories. This is particularly true for script bundles. These are files that essentially contain a collection of scripts that fulfill a variety of functions and can potentially set cookies in multiple categories.
To better understand when you can expect a file to be blocked and when it will be allowed to load, it is important to understand the rules the Cookiebot script uses to determine whether to allow an element to load, or to block it.
An element that sets cookies will always be allowed to load prior consent if:
- It exclusively sets "Necessary" cookies
- It exclusively sets "Unclassified" cookies
- It exclusively sets a combination of "Necessary" and "Unclassified" cookies
An element will remain blocked if it sets any combination of cookies that includes one or several of the following categories: "Preferences", "Statistics", or "Marketing" until consent has been given for all those categories. All of the required cookie categories for this element must be accepted by a visitor before it is allowed to load, even if the cookies set by the element include "Necessary" cookies.
Always ensure that unclassified cookies are assigned a category at your earliest convenience.
How automatic cookie blocking works
After each scan a file is generated which provides instructions for the auto blocker. The URL of this file will always look similar to this: https://consentcdn.cookiebot.com/consentconfig/00000000-0000-0000-0000-000000000000/domain.com/configuration.js
For every element that must be blocked prior consent, the file has an instruction such as this one:
CookieConsent.configuration.tags.push({
id: 1,
type: "script",
tagID: "",
innerHash: "",
outerHash: "",
url: "",
resolvedUrl: "",
cat: [2, 3, 4],
});
Most of this information enables the auto blocker to recognize the element that needs to be blocked prior consent:
The type
indicates the element type, tagID
will be the value of the id
attribute if the element has one. InnerHash
and outerHash
is used to identify inline scripts, which by definition will not have a scr
attribute. Conversely, external scripts will not have hashes, but they will have url
and resolvedUrl
, which will match the src
attribute.
All this information determines which element will be blocked if a match is found. cat
is what will determine whether the element will be blocked, and what conditions must be met for the element to be allowed to load.
The cookie categories are as follows:
- Necessary
- Preferences
- Statistics
- Marketing
- Unclassified
As mentioned above only when necessary, unclassified, or a combination of the two are set by the element will it be allowed to load prior consent.
This means that the following values of cat
will allow a script to load prior consent:
[1]
[5]
[1, 5]
Any other combination will require the categories other than 1 or 5 to be accepted before the element will be allowed to load.
For example: cat: [1, 4]
will require the visitor to consent to marketing cookies before the element is loaded, despite the fact that one of the cookies set by it was deemed necessary.
In this example, a script will be marked up as follows: <script type="text/plain"
data-cookieconsent="marketing"></script>
.
"Necessary" is not added to the data-cookieconsent
attribute, since necessary cookies do not require consent. Similarly, "Unclassified" will never be included either, as it is not an accepted value. Unclassified cookies are by definition in one of the other four categories, it is just unknown which.
If you add the Cookiebot CMP script before the first scan of the domain in question has completed, the auto blocking feature will not be able to prevent any tracking from occurring.
How manual cookie blocking works
To manually ensure no tracking occurs prior consent, you need to ensure that the element in question is disabled by default and has an attribute that allows the Cookiebot CMP script to recognize that the element in question is blocked and under which circumstances it should be allowed to load.
The latter is achieved by adding the data-cookieconsent
attribute to element that needs to be blocked prior consent.
Set the comma-separated value of this attribute to one or more of the cookie categories "preferences", "statistics" and "marketing" in accordance with the types of cookies being set by the script.
To ensure that a script can't load prior consent you need to change the value of the type
attribute from "text/javascript" to "text/plain" (or add it if the type
attribute is missing).
Example on modifying an existing Google Analytics Universal script tag:
<script type="text/plain" data-cookieconsent="statistics"> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function()
{(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})
(window,document,'script','//www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-00000000-0', 'auto'); ga('send', 'pageview'); </script>
If your website is loading scripts dynamically, use the functions of the Cookiebot API to hold back scripts and cookies that require consent.
Comments
0 comments
Please sign in to leave a comment.