When our solution is implemented correctly it disables elements that set cookies. To enable these elements certain rules determine whether the element should be enabled based on a visitor's consent.
If an element sets cookies in only a single category, the conditions that need to be met for the element to be allowed to load are very simple; If a visitor has accepted that category of cookies (or all categories), the element will be allowed to load. If the opposite is true the element will remain blocked.
Things become more complicated when a single element sets cookies in multiple categories. This is particularly true for script bundles. These are files that essentially contain a collection of scripts that fulfill a variety of functions and can potentially set cookies in multiple categories.
To better understand when you can expect a file to be blocked and when it will be allowed to load, it is important to understand the rules the Cookiebot script uses to determine whether to allow an element to load, or to block it.
An element that sets cookies will load prior consent if:
- It exclusively sets "Necessary" cookies
- It exclusively sets "Unclassified" cookies
- It exclusively sets a combination of "Necessary" and "Unclassified" cookies
An element will remain blocked if it sets any combination of cookies that includes one or several of the following categories: "Preferences", "Statistics", or "Marketing" until consent has been given for those categories.
All of the required cookie categories for this element must be accepted by a visitor before it is allowed to load, even if the cookies set by the element include "Necessary" cookies.
When using auto blocking
After each scan a file is generated which provides instructions for the auto blocker. The URL of this file will always look similar to this: https://consentcdn.cookiebot.com/consentconfig/00000000-0000-0000-0000-000000000000/domain.com/configuration.js
For every element that must be blocked prior consent, the file has instructions such as these:
Most of this information enables the auto blocker to recognize the element that needs to be blocked prior consent:
type indicates the element type,
tagID will be the value of the
id attribute if the element has one.
outerHash is used to identify inline scripts, which by definition will not have a
scr attribute. Conversely, external scripts will not have hashes, but they will have
resolvedUrl, which will match the
All this information determines which element will be blocked if a match is found.
cat is what will determine whether the element will be blocked, and what conditions must be met for the element to be allowed to load.
The cookie categories are as follows:
As mentioned above only when necessary, unclassified, or a combination of the two are set by the element will it be allowed to load prior consent.
This means that the following values of
cat will allow a script to load prior consent:
Any other combination will require the categories other than 1 or 5 to be accepted before the element will be allowed to load.
cat: [1, 4] will require the visitor to consent to marketing cookies before the element is loaded, despite the fact that one of the cookies set by it was deemed necessary.
In this example, a script will be marked up as follows:
"Necessary" is not added to the
data-cookieconsent attribute, since necessary cookies do not require consent. Similarly, "Unclassified" will never be included either, as it is not an accepted value. Unclassified cookies are by definition in one of the other four categories, it is just unknown which.