Data Flows & Cookies
In order to allow users on your site to provide consent preferences to share their data, you first need to understand where data is sent from your site, why it’s collected and what it’s used for. Transcend’s consent manager makes it easy to do this with Data Flows. Data Flows are used to identify where data is going and tag that “flow” of data with a consent tracking purpose. Data flows with an assigned tracking purpose can then be regulated by the consent manager on your site, allowing you to respect users’ consent choices.
The rest of this guide further explains data flows and consent tracking purposes as well as how to manage data flows and cookies on your site.
A Data Flow in Transcend represents a rule that matches a network request sent from your website, with information about where the data is flowing and why. By regulating data requests at the network-level, Consent is able to not only regulate cookies, but ensure other tracking technologies like XHR, Fetch, Pixels, Web Beacons, iframe elements are regulated by users’ consent preferences.
For example, if your site makes requests to googleadservices.com with user data for the purpose of advertising, the consent manager will log a Data Flow with the value of googleadservices.com.
Consent’s data flow regulation setup implicitly regulates first-party and third-party cookies. Cookies are regulated through the same network-level regulation engine discussed in the previous Data Flow section. In this way network requests that include cookies can be labeled and tagged with a tracking purpose. To put it simply, Transcend treats cookies as a type of data flow. However, cookies are shown separately in the Transcend Dashboard to allow for more granularly classifying and regulating trackers on your site. Consent’s Cookies tab allows for the identification and categorization of individual cookies to give additional flexibility when configuring regulation.
Data Flows and cookies are populated in the Transcend Admin Dashboard in two ways: through telemetry from the Transcend script on your website and via manual entry. You can add a data flow or cookie manually to the Transcend Admin Dashboard to be regulated by your consent manager. This option is helpful if you want to add new cookies/data flows when a new script is added to your website, to add internal cookies and to collapse repeating data flows. We’ll talk more about these use cases and how to set them up in later sections.
The primary method for identifying cookies and data flows on your site is through telemetry data collected through Transcend’s Airgap.js script on the site. The script sends telemetry data back to Transcend to be processed and classified, where it will appear in the “Data Flows” and “Cookies” tables. Telemetry data is collected when users on your site encounter a data flow (network request or cookie). This means that the more visitors there are on the site, and the more pages they interact with, the more telemetry data there will be.
Telemetry data is available in Transcend for the previous 7 days. Any network requests or data transfers that have not been encountered in the previous seven days will be filtered out. This helps ensure only relevant telemetry data is present for review. For example, if a user has a browser extension that injects a script on your site once, and it's never seen again, it will be filtered out of telemetry data after 7 days.
In Transcend, a data flow can be labeled with one or more associated tracking purposes (AKA consent purpose). The tracking purposes allow you to define and track what the data in each data flow is being used for. Once a data flow is assigned a consent purpose(s), your consent manager (via the Airgap.js script on your site) will regulate that data flow given a user’s consent choices. In this way, Transcend Consent Management can block data flows labeled with a particular tracking purpose when a user has not given consent for that purpose.
Let’s revisit the Google Ads example where your site makes requests to googleadservices.com with user data for the purpose of advertising. The tracking purpose for this data flow can be set to “Advertising” and Transcend Consent Management will regulate this data flow according to whether the user has given consent for Advertising trackers. Transcend Consent Management would block the request to this Google Ads data flow googleadservices.com if the user hasn’t consented to Advertising tracking purpose, or allow the data flow request if the user has given consent.
Not every cookie/data flow will have an associated tracking purpose as defined under different privacy regimes. Some data flows and cookies are necessary for the site to load and work correctly, and some data flows don’t view, collect or transmit user data. For these cases, you can label the data flow with ‘Essential’ in place of a tracking purpose. ‘Essential’ means that the Transcend Consent Management will always allow all requests to this domain, resource path, or which match this regex.
| Purpose | Description |
|---|---|
| Essential | This tag is for data flows for which no consent is required. It can be used for essential functionality and flows that don’t transmit user data. |
| Functional | This tag is used to denote data flows that are not essential, but help your site work. Examples could include support live chat widgets or error logging that doesn't transmit user data, but won't break your site if they are blocked |
| Advertising | This tag represents data flows that collect or share data for marketing or advertising purposes |
| Analytics | This tag is used for data flows that collect or share information for analytics purposes |
| Sale/Sharing of Personal Information | This tag is used for data flows that are used to sell or share data to third parties for “commercial purposes” as opposed to “business purposes”. This most commonly refers to data that will be used for cross-context behavioral advertising. Different state privacy regulations approach and define this in slightly different ways, but the general concept is an advertising vendor that targets based on a profile of the user that is aggregated from a user’s experience across the current site as well as other information about their activities over time or on other third-party websites or apps. |
Remember: Data flows often may have multiple tracking purposes, which is why you can add multiple purpose tags. For example, many data flows that are Sale or Sharing of Personal Information are also Advertising.
Transcend auto-classifies data flows for known trackers. When one of these trackers is discovered through telemetry on your site, a data flow with a labeled tracking purpose will be recommended for review and approval. Transcend classifies these trackers at the network request level. This allows the tracker scripts to load while precisely regulating their subsequent emissions, which in turn allows for more granular control over assigning tracking purposes.
When initially getting started with Consent, managing cookies and data flows will be a core piece of implementation.
As your website changes over time, you may need to adjust the data flows that Consent is regulating and review new data flows encountered through telemetry. This often results from new scripts getting added to the website to support new functionality, new widgets (ex: live chat support) or a new analytics tool. Additionally, new internal first party cookies and data flows may be added to your site to support native functionality. The following sections will go over how to manually add/edit data flows and cookies, discuss handling unwanted or “junk” data flows and review how unknown data flows are handled by the consent manager.
As telemetry data is collected from your website, Transcend will suggest a new data flow rule or cookie rule in the Triage tab of the Consent Dashboard.
Cookies and Data Flows that appear in the Triage tabs in the Admin Dashboard represent network requests discovered by the Airgap.js Script and are recommended as data flows/cookies, but still require review before they are regulated by the consent manager on your site. These data flows are not yet included in your live Airgap.js bundle until they are approved. This means that they may not be regulated by the consent manager until assigned a tracking purpose and approved.
Transcend auto-classifies recommended data flows with a consent tracking purpose for common trackers. When reviewing suggested data flows/cookies in the triage view, make sure to review the recommendation. To review, click on the highlighted row. You should see a modal pop up:
If the information looks correct to you, click “Approve”. Sometimes we are not able to guess the associated tracking purpose and Service info, so you’ll have to manually add that information.
For more information on how to research and approve recommended data flows and cookies in the Triage view, check out our full guide on Triaging Data Flows.
There will be cases where multiple versions of the same data flow/cookie are present on your site. It’s not uncommon to see some cookies being set hundreds of times. For example, the Google Analytics script sets a cookie, _ga{{UUID}} to track a user's page views and clicks with a unique ID. This cookie gets set with a unique ID for every distinct user on the site - ex: _ga128958374384. Because we expect the tracking purpose and consent options to be the same for every instance of this cookie, it doesn’t make sense to manually assign a tracking purpose to each unique occurrence and approve them every time a new occurrence happens.
Instead, you can create a New Cookie with a Regular Expression rule to proactively match every occurrence of that cookie. To do so:
- Select the button to add a new cookie/data flow
- Enable the “regular expression” toggle
- Enter the regular expression to match cookies on. Regex101 is a helpful tool to test whether a regular expression will match the desired cookie name
- Add the Tracking Purposes and Service to the Cookie/Data Flow
- Select the “Add button” to save the new Rule
You have the option to reset telemetry data. This can be helpful to remove noise from the Triage view once you've approved and saved the relevant data flows and cookies needed for regulation on your site. This can be done in the Transcend Dashboard under Consent Developer Settings.
Most data flows and cookies will be picked up automatically by the Airgap.js script on your site through telemetry and will be available for review in the dashboard. However, there may be cases when it’s worth manually adding a data flow with a tracking purpose to be regulated by the consent manager. For example, you may know that the marketing team is adding an Intercom chat widget to your website to offer a live chat option for users on the site. Instead of waiting for Airgap.js telemetry to pick up the Intercom data flows that users have encountered unregulated, you can add the necessary data flows with the correct tracking purpose directly to Transcend so the consent manager can regulate these flows against users’ consent preferences as soon as the widget goes live on your site.
To add a new data flow or cookie:
- Navigate to the Data Flows or Cookies pages and go to the Approved tab
- Select the button to Add Data Flow
- Populate in the domain, purpose, service, and other associated information.
- Once your changes and additions have been inputted, click Set Changes Live in the top right corner to sync these changes to your website.
HTTP only cookies are not discovered through telemetry of data flows on your site. We recommend manually creating a cookie rule in the Approved Cookies tab for any HTTP cookies on your site to ensure they are regulated by the consent manager.
If it becomes necessary to edit an existing data flow or cookie, say to add a new tracking purpose, it’s possible to do so by:
- Navigate to the Data Flows/Cookies Page and select the Approved tab.
- Select the data flow to be updated.
- This will bring up the “Edit Data Flow” dialog where you can adjust the domain, resource path, or regular expression which is being matched.
There are times when data flows are present on your site for scripts and trackers that are not loaded directly by your site. This is often the result of browser extensions or malware that are present on an end-users’ device or browser. For example, if an end user accessing your site has a browser extension running, that browser extension may inject a data flow into the site to accomplish its purpose.
Airagp telemetry may pick up these data flows. If you determine there’s no need for these data flows to be regulated by your consent manager, you can mark them as “junk” in Transcend to remove them from your Triage view. Data Flows that are marked as junk will not be added to your Airgap bundle and will not be regulated by your consent manager. Consent will safely ignore these flows when encountered on your site.
Unknown data flows & cookies are those that don't match any of the approved entries under Cookies > Approved and Data Flows > Approved. In other words, these are data flows and cookies are not "known" by your consent bundle.
Unknown flows and cookies are handled differently depending on the settings configured in Consent Developer Settings, where there are different options for when and how to allow unknown cookies and data flows through. By default, the settings are configured to allow through unknown cookies and data flows. This means that all network requests and data transfers that do not match an approved cookie/data flow rule will be allowed and will not be blocked.