5 ways to identify cookies and scripts

by Matt Davis · posted on July 25, 2022 · 6 min read
Data privacy laws like the GDPR require user consent before you can track their data. So, businesses that want to comply with these regulations need to know which cookies and scripts are tracking what data — that way, they can block them before data collection can begin.

Unfortunately, there’s a panoply of different cookies and scripts, and more are released every day. Even if you’re paying attention to which cookies the tools you implement on your website are dropping, it’s easy to lose track. And many web development teams are more focused on a given tool’s functionality than on whether and how it’s tracking user data. Whether a business builds an in-house compliance solution or uses a commercial solution, it often finds itself buried in a mountain of unclassified cookies and scripts.

What makes cookie and script classification challenging

It’d be nice if we could just take note of a user’s consent or lack thereof and allow or block all cookies correspondingly, but it’s not that simple.

Some cookies and scripts are essential to the functionality of your site. A classic example is ecommerce, where cookies help websites remember what items the user put into their shopping cart for checkout. Or, if your website requires a login, then a session cookie will be used to remember that the user is indeed logged in as they navigate the site. When classifying cookies and scripts, you need to determine which are tracking user behavior for essential versus nonessential purposes.

What’s more, several data privacy regulations require that you provide users with the option of consenting or not consenting to specific sub-categories of cookies and scripts. These include:

  • Essential
  • Analytics
  • Marketing (also known as advertising or targeting)
  • Functionality (also known as personalization)

To identify cookies and scripts running on your website and become compliant with data privacy laws, you’ll need to understand the differences between these categories.

Essential

As mentioned above, some cookies and scripts are essential for the user to move through a website and use its basic features. A cookie or script is essential if the site would not function without it.

Examples include:

  • jQuery
  • Bootstrap
  • React

Analytics

Without these cookies and scripts, your website will still function, but you won’t have access to certain data from your users. These trackers collect aggregated data (i.e., data that measures behavior en masse and does not collect individuals’ personally identifiable information). For example, these enable you to evaluate how visitors use your website, which pages are more or less popular, where traffic originates from, how long visitors spend on individual pages, and so on.

Examples include:

  • Google Analytics
  • New Relic
  • Pingdom
  • Matomo

Marketing (also known as advertising or targeting)

If you participate in an advertising network, then you most likely use marketing cookies and scripts. These enable advertisers to show relevant ads to users. Your website drops a cookie onto the user’s browser when they visit your website. Then, when they visit another site with ad space belonging to an advertising network you participate in, your brand’s advertisements may appear.

These types of cookies and scripts may also limit the number of times a user sees an advertisement, help you measure clicks and conversions of an advertising campaign, and so on.

Examples include:

  • AdRoll
  • Facebook
  • Most social network components

Functionality (also known as personalization)

These enable websites to remember the user's choices, such as user name, language, region, and so on.

Examples include:

  • Delivering localized weather reports or traffic updates
  • Remembering shopping cart contents between sessions
  • Displaying lists of favorited items

Approaches to identify cookies and scripts

Now that you know the general categories of cookies and scripts, you’ll be better equipped to classify them after identifying which cookies and scripts are running on your website.

There aren’t any 100% reliable approaches to identifying and classifying cookies, but there are different methods you can apply. We’ve listed a few from the most reliable to the least.

1. Use a consent management platform

Consent management platforms (CMPs) help businesses manage the end-to-end process of cookie consent — they:

  • Present a legally compliant cookie banner
  • Record users’ consent or lack of consent to all cookies or the cookie subcategories described above
  • Automatically block or allow those cookies appropriately

To do that, CMPs need to be able to recognize and classify cookies and scripts. Since these vendors’ business depends on keeping businesses compliant, they’re usually fairly accurate and up to date on cookie classification.

However, cookies and scripts have a lot of variety in structure, content, and how they’re injected into your website, and new ones are being developed all the time. As a result, CMPs aren’t able to classify every cookie 100% of the time. Usually, they’ll ask the customer to provide a category for unclassified cookies. In these circumstances, you’ll want to try the next approach.

2. Look into the vendor documentation

If you know the vendor who initially provided the cookie or script, you can navigate to their website and see whether they provide documentation detailing that cookie's purpose.

For example, you might see a cookie called “__hssc” that’s being dropped in your users’ browsers. You know this cookie originates from HubSpot, so you navigate to their knowledge base. There, you can see that the __hssc cookie keeps track of user sessions and therefore qualifies as an analytics cookie.

3. Consult a cookie database or a third-party source

Not all vendors have robust documentation, and not all cookies and scripts have a clear vendor. In these circumstances, you may want to consult a third-party cookie database. These are often crowd-sourced, so commonly searched-for cookies and scripts will be more accurate than rarer ones.

For example, if you weren’t familiar with the vendor associated with the __hssc cookie, you could plug it into cookiedatabase.org. On its associated page, you can see that this cookie is related to session tracking.

4. Use in-browser developer tools

If you don’t know enough about the cookies and scripts on your site, you may be able to glean more information through your browser’s developer tools.

You can usually access these by right-clicking on a page and selecting “Inspect” or by clicking on the browser’s dropdown menu and selecting “Developer Tools.” In the developer tools, you’ll have access to various tabs with different information about your website.

Make sure you do this in Incognito mode and, if your browser provides the option, allow third-party cookies. This will ensure you don’t see data from previous sites and receive all the cookies and scripts that a genuine visitor would receive.

You’ll want to pay attention to two tabs in particular: the Network tab and the Application tab.

The Network tab includes information on all the assets that your website is loading, including the different scripts. There will be a subtab or column header you can click on to filter by just the JavaScript files. When you click on a given script, you’ll be able to look through various information related to it, including the entire script and the referrer or initiator. Sometimes, knowing the initiator is enough to tell how a script should be classified. In other cases, it serves as another clue you can use in your search.

The Application tab shows information about what’s stored in your browser, including cookies. Here, you’ll be able to see more details on the cookie that may be useful in classifying it, and you can use the cookie name to search for the script that’s setting the cookie in the Network tab.
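
If clicking through requests one by one gets tedious, you can export the Network tab as a HAR file and build the same inventory with a short script. The following is an added example, not Osano's code: the HAR fragment, hostnames, cookie names, and the `knownCategories` map are constructed for illustration, and `_initiator` is a Chrome-specific HAR field.

```javascript
// Constructed HAR fragment, shaped like a Network-tab HAR export.
// Hostnames, cookie names and initiator values are made up for illustration.
const sampleHar = { log: { entries: [
  { request: { url: "https://shop.example/" },
    response: { headers: [
      { name: "Set-Cookie", value: "session_id=abc123; Path=/; HttpOnly; Secure" } ] },
    _initiator: { type: "other" } },
  { request: { url: "https://track.vendor.example/collect?v=1" },
    response: { headers: [
      { name: "set-cookie", value: "_vid=42; Domain=vendor.example; Max-Age=31536000" } ] },
    _initiator: { type: "script",
      stack: { callFrames: [{ url: "https://cdn.vendor.example/tag.js" }] } } },
] } };

// Categories you have already confirmed, e.g. from vendor documentation.
const knownCategories = new Map([["session_id", "essential"], ["__hssc", "analytics"]]);

// Best available clue about what triggered the request (Chrome-specific field).
function initiatorOf(entry) {
  const init = entry._initiator || {};
  const frame = init.stack && init.stack.callFrames && init.stack.callFrames[0];
  return (frame && frame.url) || init.url || init.type || "unknown";
}

// One row per Set-Cookie header: who set it, what triggered it, known category.
function inventoryCookies(har, siteHost, categories) {
  const rows = [];
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    for (const h of entry.response.headers) {
      if (h.name.toLowerCase() !== "set-cookie") continue;
      // Some exports join several Set-Cookie values with newlines.
      for (const line of h.value.split("\n")) {
        const name = line.split(";")[0].split("=")[0].trim();
        rows.push({
          name,
          setBy: host,
          thirdParty: host !== siteHost && !host.endsWith("." + siteHost),
          persistent: /;\s*(max-age|expires)=/i.test(line),
          initiator: initiatorOf(entry),
          category: categories.get(name) ?? "UNCLASSIFIED",
        });
      }
    }
  }
  return rows;
}

console.table(inventoryCookies(sampleHar, "shop.example", knownCategories));
```

Cookies that a script writes through `document.cookie` never appear as `Set-Cookie` response headers, so they will be missing from this inventory; check the Application tab for those and trace them back to the script by name.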

5. Search for what others are saying

If you’re really struggling to classify a cookie, then your last resort should be to see what other individuals online are saying about that particular cookie. There might be some discussion on forums or social media from others who have struggled to identify cookies or scripts, and some of that discussion could prove useful. This, however, is the least reliable approach and should only be used as a last resort.

Automate your classification with a CMP

Clearly, there are a lot of approaches available to you when it comes to identifying and classifying your cookies and scripts. But for the most part, you shouldn’t have to have developer tools and a search engine open to identify your website’s cookies. Ninety percent of the time, your CMP should identify cookies for you.

Because CMPs automate the bulk of cookie and script classification in addition to handling all of the other aspects of consent management — like showing the appropriate banner per region and language, recording consents, and blocking non-consensual cookies and scripts — you’ll be able to identify outlier cookies and scripts without taking hours out of your day.

Different CMPs lie along a spectrum when it comes to the effectiveness of their classification systems. Some might require you to make the bulk of classification decisions, while others might have recommended classifications for nearly all cookies and scripts on your website. That’s why it’s essential to take the time to evaluate a CMP thoroughly before making a decision. If you’re looking for a CMP to assist you with cookie classification and consent management, consider starting with Osano by scheduling a demo today.

About The Author · Matt Davis

Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.