Discovery and Classification of Trackers (Cookies & Scripts)

To comply with stricter data privacy laws like GDPR, all trackers (cookies, scripts, iframes, etc.) that store, send, or process any type of user data (including things like IP address or other items that could be used to tie data back to an individual), should be classified and blocked prior to consent unless they are strictly necessary. Concord provides a best-in-class multi-method scanning and blocking engine to avoid compliance issues, including common problems with basic cookie consent tools and implementations that are simply non-compliant or that require  ongoing manual technical maintenance steps to stay compliant.

Concord provides both manual and scheduled scans in our Admin UI, while also offering  advanced options (including our real-time and deep scan technology). The underlying scanning engine will automatically detect and categorize a wide array of tracking scripts and their cookies for you, making it easier to get and stay compliant.

This document includes information on:

• Understanding the Scanning & Classification Process
• Consent Categories
• Blocking Mode & Initial Discovery of Cookies & Scripts
• Categorizing Trackers (Cookies & Scripts)

More details can be found in the following related help docs:

Understanding & Configuring Auto-Blocking of Cookies & Scripts

Scanning Your Site for Trackers (Cookies & Scripts)

Understanding the Scanning & Classification Process

Concord uses multiple methods to build a picture of your site’s tracking technologies. Depending on your plan and preferences, this can include:

1. Manual Scans – Run on demand when you want to quickly check for new or changed trackers.
2. Scheduled Scans – Run automatically at intervals you choose (daily, weekly, monthly, etc.) to keep your inventory updated.
3. Real-Time Scans – Monitor your site continuously as users interact with it, using optimized smart client-side scanning to detect trackers that may not show up in scheduled snapshots.
4. Deep Scan (Advanced) – An optional feature for organizations that need maximum coverage. It surfaces a much larger set of items (scripts, iframes, links, images, etc.), but generally requires more review. Best suited for audits or compliance checks where stricter visibility is needed, since many items found will not require classification.
5. Manual Additions – If the scanner doesn’t detect a tracker, you can add it directly to the Cookies & Scripts table. This ensures your production list always reflects the actual technologies present, even if they weren’t automatically discovered.

As scans run, Concord’s advanced detection engine automatically identifies cookies, scripts, iframes, and other elements that may process user data. Known trackers are automatically categorized and added to your production Cookies & Scripts list. Newly discovered or unclassified items appear in the Scan Results table, where you can review and add them as needed.

Together, these scanning modes create a compliant-ready feedback loop: real-time and scheduled scans keep your tracker inventory up to date automatically, manual scans let you spot-check at any time, our deep scan technology provides broader visibility when required, and manual additions let you fill any gaps. By combining automated detection with simple review workflows, Concord reduces the manual effort usually associated with maintaining compliance and helps ensure that every tracker requiring consent is properly identified, categorized, and blocked until a user opts in.

‍

Consent Categories

Trackers can fall into many categories. The particular category will determine if a tracker is blocked or not and blocking is based on which types of categories a user decides to block based on their consent choices.  We use the following base categories:

• Strictly Necessary: These trackers are required by the site for proper functionality. They may include things like authentication cookies, session cookies, shopping cart status cookies, and others. Strictly necessary scripts and cookies are never blocked, so only items that are truly strictly necessary should be categorized as such.
• Analytics: These types of trackers will track visitors’ activities, typically in aggregate form, allowing website owners to better grasp how their sites or apps are being used.
• Functional: These trackers are not “strictly necessary” but can result in a better, more personalized web site experiences. As they may collect more data than needed for basic site functionality, they are considered non-essential.
• Marketing: These trackers are used for behavioral and demographic targeted marketing. If your project has Global Privacy Control (GPC) enabled, which is recommended in the United States and other jurisdictions that require signal detection, users with a detected GPC browser signal will have this category automatically disabled.
• Unclassified: Any tracker that can’t be categorized automatically by Concord. It is highly recommended that these scripts be properly categorized to enable compliance with users’ consent choices.
• Malicious: Trackers that are known to be used for improper purposes will be listed here. Any scripts found here are automatically blocked by Concord and should be removed from your site as soon as possible.

‍

Blocking Mode & Initial Discovery of Cookies & Scripts

Concord can be configured to automatically block the trackers you use on your website based upon user consent, regionally applicable privacy legislation(s), and your preferred blocking and implied/express consent settings (also referred to as implicit/explicit consent).

If this is your first time configuring Concord for you organization, we typically recommend starting in the Discovery mode found within the Blocking Mode setting within Consent → Consent Settings. That mode isn’t GDPR compliant, but allows you to capture the cookies and scripts on your site for categorization without blocking while you are initially setting things up. More details on those settings can be found here: Understanding & Configuring Auto-Blocking of Cookies & Scripts

‍

Once any of the blocking modes are active on your site for the first time or after a manual or scheduled scan is run, we will start populating a list of all the cookies and trackers that we find.  To view the list of discovered cookies and scripts:

• Navigate to Consent Settings → Cookies & Scripts.
• You will see a list of all discovered cookies and scripts.
• Click on the “+” symbol by each script in order to see the full details.

To trigger a scan or configure your automatic scan settings, refer to this document: Scanning Your Site for Trackers (Cookies & Scripts)

‍

Categorizing Trackers (Cookies & Scripts)

Once a comprehensive list of trackers is populated, they should be correctly categorized in order for your consent settings to work properly. To categorize trackers:

• Navigate to Consent → Cookies & Scripts.
• You will see a list of all discovered cookies and scripts.
• If desired, click on the + symbol by each script in order to see the full details.

• If you want to change the details for a specific cookie or script, including the desired category, click on the Edit button.

You may now change the following fields:

• ~Name: Use this to create a user friendly and meaningful name.
• ~Category: Use this to categorize the tracker. It is crucial to properly categorize the tracking script for proper handling of user consent choices.
• ~Pattern: A regular expression identifying the script’s name. In most cases, Concord administrators won’t need to change this, but can be used for advanced adjustments when needed.
• ~Company: The originating organization for the tracking script.
• ~Domain: The domain of the company associated with the tracker.
• ~Description: Use this to input any additional information you wish about the tracker.
• Click on the Ok button when you are done.