What makes cookie and script classification challengingIt’d be nice if we could just take note of a user’s consent or lack thereof and allow or block all cookies correspondingly, but it’s not that simple.
Some cookies and scripts are essential to the functionality of your site. A classic example is ecommerce, where cookies help websites remember what items the user put into their shopping cart for checkout. Or, if your website requires a login, then a session cookie will be used to remember that the user is indeed logged in as they navigate the site. When classifying cookies and scripts, you need to determine which are tracking user behavior for essential versus nonessential purposes.
What’s more, several data privacy regulations require that you provide users with the option of consenting or not consenting to specific sub-categories of cookies and scripts. These include:
- Marketing (also known as advertising or targeting)
- Functionality (also known as personalization)
EssentialAs mentioned above, some cookies and scripts are essential for the user to move through a website and use its basic features. You can determine whether a cookie or script is essential if the site would not function without it.
AnalyticsWithout these cookies and scripts, your website will still function, but you won’t have access to certain data from your users. These trackers collect aggregated data (i.e., data that measures behavior en masse and does not collect individuals’ personally identifiable information). For example, these enable you to evaluate how visitors use your website, which pages are more or less popular, where traffic originates from, how long visitors spend on individual pages, and so on.
- Google Analytics
Marketing (also known as advertising or targeting)If you participate in an advertising network, then you most likely use marketing cookies and scripts. These enable advertisers to show relevant ads to users. Your website drops a cookie onto the users’ browser when they visit your website. Then, when they visit another site with ad space belonging to an advertising network you participate in, your brands’ advertisements may appear.
These types of cookies and scripts may also limit the number of times a user sees an advertisement, help you measure clicks and conversions of an advertising campaign, and so on.
- Most social network components
Functionality (also known as personalization)These enable websites to remember the user's choices, such as user name, language, region, and so on.
- Delivering localized weather reports or traffic updates
- Remembering shopping cart contents between sessions
- Displaying lists of favorited items
Approaches to identify cookies and scriptNow that you know the general categories of cookies and scripts, you’ll be better equipped to classify them after identifying which cookies and scripts are running on your website.
There aren’t any 100% reliable approaches to identifying and classifying cookies, but there are different methods you can apply. We’ve listed a few from the most reliable to the least.
1. Use a consent management platformConsent management platforms (CMPs) help businesses manage the end-to-end process of cookie consent — they:
- Present a legally compliant cookie banner
- Record users’ consent or lack of consent to all cookies or the cookie subcategories described above
- Automatically block or allow those cookies appropriately
However, cookies and scripts have a lot of variety in structure, content, and how they’re injected into your website, and new ones are being developed all the time. As a result, CMPs aren’t able to classify every cookie 100% of the time. Usually, they’ll ask the customer to provide a category for unclassified cookies. In these circumstances, you’ll want to try the next approach.
2. Look into the vendor documentationIf you know the vendor who initially provided the cookie or script, you can navigate to their website and see whether they provide documentation detailing that cookie's purpose.
For example, you might see a cookie called “__hssc” that’s being dropped in your users’ browsers. You know this cookie originates from Hubspot, so you navigate to their knowledge base. There, you can see that the __hssc cookie keeps track of user sessions and therefore qualifies as an analytics cookie.
3. Consulting a cookie database or a third-party sourceNot all vendors have robust documentation, and not all cookies and scripts have a clear vendor. In these circumstances, you may want to consult a third-party cookie database. These are often crowd-sourced, so commonly searched-for cookies and scripts will be more accurate than rarer ones.
For example, if you weren’t familiar with the vendor associated with the __hssc cookie, you could plug it into cookiedatabase.org. On its associated page, you can see that this cookie is related to session tracking.
4. Use in-browser developer toolsIf you don’t know enough about the cookies and scripts on your site, you may be able to glean more information through your browser’s developer tools.
You can usually access these by right-clicking on a page and selecting “Inspect” or by clicking on the browser’s dropdown menu and selecting “Developer Tools.” In the developer tools, you’ll have access to various tabs with different information about your website.
Make sure you do this in Incognito mode and, if your browser provides the option, allow third-party cookies. This will ensure you don’t see data from previous sites and receive all the cookies and scripts that a genuine visitor would receive.
You’ll want to pay attention to two tabs in particular: the Network tab and the Application tab.
The Application tab shows information about what’s stored in your browser, including cookies. Here, you’ll be able to see more details on the cookie that may be useful in classifying it, and you can use the cookie name to search for the script that’s setting the cookie in the Network tab.
5. Search for what others are sayingIf you’re really struggling to classify a cookie, then your last resort should be to see what other individuals online are saying about that particular cookie. There might be some discussion on forums or social media from others who have struggled to identify cookies or scripts, and some of that discussion could prove useful. This, however, is the least reliable approach and should only be used as a last resort.
Automate your classification with a CMPClearly, there are a lot of approaches available to you when it comes to identifying and classifying your cookies and scripts. But for the most part, you shouldn’t have to have developer tools and a search engine open to identify your website’s cookies. Ninety percent of the time, your CMP should identify cookies for you.
Because CMPs automate the bulk of cookie and script classification in addition to handling all of the other aspects of consent management — like showing the appropriate banner per region and language, recording consents, and blocking non-consensual cookies and scripts — you’ll be able to identify outlier cookies and scripts without taking hours out of your day.
Different CMPs lie along a spectrum when it comes to the effectiveness of their classification systems. Some might require you to make the bulk of classification decisions, while others might have recommended classifications for nearly all cookies and scripts on your website. That’s why it’s essential to take the time to evaluate a CMP thoroughly before making a decision. If you’re looking for a CMP to assist you with cookie classification and consent management, consider starting with Osano by scheduling a demo today.