Knowledge Base

How do I find all services (cookies) on my website?

Real Cookie Banner provides you with many tools to easily obtain consent for cookies etc. on your WordPress website. There is also a service scanner that automatically detects most services used on your website. What the scanner detects and what it does not, we have explained in a separate article. Therefore, you should always check your website manually to make sure that you have really found all services that require consent and that you have adapted the templates to your specific case. In this article, we explain how you can find all cookies and services that process personal data on your website.

We must point out that the following statements do not constitute legal advice. Therefore, we can only give you evaluations from our intensive experience with the EU legal regulations in practice and a technical assessment of the situation.

For what you need consent on your website

Tools commonly known as “cookie banners” are, if they comply with the legal requirements of the EU, actually Consent Management Platforms (CMPs). In practical terms, they manage not only consent for cookies, but consent for additional data processing and its purposes. Cookies and these additional data processing are usually so closely linked that one does not exist without the other.

We have explained the legal background for you in more detail in the article What do I need consents for?. You should read this in order to be able to follow all the steps below.

You, as a website operator, should be able to answer the following questions to store relevant all information for obtaining consents in Real Cookie Banner:

  1. What content do I embed from external sources that could potentially process personal data?
  2. Which services, plugins and themes do I use that process personal data directly on my website (my web hosting)?
  3. What content from external sources, services, plugins and themes set cookies or cookie-like information on the client (browser) of my visitors and are they essential?

In the following article, we expect that you use Google Chrome or another Chromium-based browser that is not privacy-friendly (e.g. not Brave). We call them in general browser because the developer tools in these browsers are next to the same.

1. Embeds from external sources

First, we want to find all the content that your website embeds from external sources. This means visible content from e.g. YouTube and Vimeo videos, Twitter timelines, Facebook posts, Instagram images or Google Maps. However, it also means “invisible” or less obvious content such as Google Analytics, Matomo, Google Fonts, AddToAny Share Buttons or Google reCAPTCHA. All of this content has in common that it is integrated by third-party servers and transmits at least the IP address of your users. We recommend blocking this content before you have obtained consent, unless you think you have another justification for its use according to Art. 6 GDPR.

Note that each subpage of your website may contain different content, so you should perform the following steps on each subpage. Also, content can be post-fetched, like a YouTube video in a lightbox, which is why you should interact with the website in any way you can.

This is how you find the content in your browser:

  1. Make sure no content blocker is active on your website and no Adblocker is active for your website in your browser
  2. Open your website in Google Chrome or a Chromium browser in a private (incognito) window
  3. Right-click anywhere on your website to open the context menu, where you select Inspect
  4. A new bar will open in your browser with several tabs. You select the Sources tab.
  5. You will now see a three-column layout, where we are interested in the left column. In this column you can see which files were loaded from which domains (services) when you called this specific subpage of your website.
  6. The domain of your website is at the top and shows which files were downloaded from your website. All entries below are from other domains. Click through the whole entries. You will find images, videos, fonts etc. but also HTML, CSS and JavaScript code as well as iframes. Ask for each entry which service it comes from and if you have another justification for loading it – and thus transferring the IP address of your visitors – than the consent.
Example of embeds from external sources

The screenshot shows an example taken from the devowl.io blog (without a cookie banner). We can see the following entries and rate them as an example. The evaluation of whether something is essential or not may vary for each website.

  • cdn.paddle.com: This domain obviously belongs to the service provider Paddle.com. We use Paddle.com for our online store, through which, for example, the payment process is provided. Without this, visitors would not be able to shop at our site, which is why we assume a legitimate interest as a justification for this service. Therefore, we have to name Paddle.com as an essential service in our cookie banner, but their scripts may be included in any phase of the purchase.
  • www.google-analytics.com: The domain already reveals that we use Google Analytics on our website. The tool records extensive statistics about the behavior of visitors on the website. Therefore, we consider Google Analytics to be a statistics service for whose use we require consent. So Google Analytics is only allowed to load after we obtained the consent of the visitor.
  • INJ_sS81ua8: The name of this element is not self-explanatory. However, the icon in front of the name indicates that it is an iframe (embeds another website into your website). Also, we can see from which domains within the iframe files are downloaded. If you look closely at the individual files, you will notice that this is a YouTube video that we have embedded into the blog article. A video from YouTube complements the content of our website. Without the video, however, our website would continue to work. Therefore, we consider YouTube to be a functional service that we require consent to use. The YouTube video can therefore only be loaded after obtaining the consent of the visitor.

We now know all three services that we embed in our website and that we should mention in the cookie banner (consent management tool). You will learn at the end of the article how to mention them in the cookie banner and how to prevent the loading of the services before the consent by using a content blocker.

2. Processing of personal data on your webspace

Secondly, we would like to find out whether and if so, which personal data is processed on our own webspace. This question is rather difficult to answer by technical means, but it is more important to ask yourself questions about the structure of your website.

The web server of your website, PHP, etc. (all components that are necessary to run your website at all) will at least process the IP address of your visitor. This should be clarified by an implicit (tacit) consent of your visitor already before the visit, since he has visited your website willingly, or by the legitimate interest as a justification.

The situation is different if, for example, you use Matomo to collect statistics about visitors to your website, processing and/or storing the visitor’s IP address in an unabbreviated form. Matomo is a popular alternative to Google Analytics that you can run on your own server. If you want to collect more detailed data about your visitors by processing the complete IP address, we believe that you need to obtain a consent for your visitors, even if you run the tool on your own webspace or server.

If you have detected services of this type on your own webspace, and they require consent, you should also name them in your cookie banner and allow the processing of personal data only after you have obtained consent.

3. Cookies and cookie like information

Last but not least we take care of cookies and cookie like information from a technical point of view, not all cookies are the same. The term “cookie” legally stands for so-called HTTP cookies. However, the applicable laws also require that cookie-like information is subject to the same rights. Technically, there are a variety of ways to store such information. The most common methods are briefly explained below:

  • HTTP Cookie: Classic cookie that is transferred to the server in every connection.
  • Local Storage: Modern local storage of information similar to cookies, but which can only be read by JavaScript applications.
  • Session Storage: Same as Local Storage, but technically limited to the respective tab in the browser in which the information was set.
  • Pixel Tracker: Loading of a (mostly) invisible graphic that can uniquely identify the user.
  • Flash Local Shared Object: Object for storing information about users in Flash files (rarely used anymore).
  • IndexedDB: Modern alternative to local storage for larger amounts of data (still rarely used).

Pixel tracking we have usually already captured with the action in the previous steps. Of the cookies and cookie like information (in the following simple “cookies” called) mentioned in the list, HTTP cookies, Local Storage and Session Storage are used in almost every case to store the information relevant to us. For this reason, we will only discuss these cookie types in the following.

Note that each subpage of your website may set different cookies, so you should perform the following steps on each subpage. In addition, cookies are not always set when the website loads, but only when you interact with it (e.g. send a contact form). Therefore, to record all cookies, you should try every possible way of interacting with your website and check each time whether new cookies are set. Also, if an external service such as YouTube sets cookies, the type and characteristics of the cookies often depend on whether the visitor to your website is logged in to the respective service. You should therefore also try each of the previous combinations as a logged-in and non-logged-in user.

This is how you find the cookies in your browser:

  1. Make sure no cookie banner or content blocker is active on our website and no Adblocker is active for your website in your browser. In addition, in a private (incognito) window of your Google Chrome, the browser blocks 3rd-party-cookies by default. That’s shown directly after opening a private window. You have to deactivate this privacy feature to see all cookies.
Incognito window in Google Chrome with 3th-party-cookies allowed
  1. Open your website in Google Chrome or a Chromium browser in a private (incognito) window
  2. Right-click anywhere on your website to open the context menu, where you select Inspect
  3. A new bar will open in your browser with several tabs. You select the Application tab.
  4. You will now see a two-column layout (sidebar and content area), where we are interested in the section Storage in the left column. With a click on the triangles next to Local Storage, Session Storage and Cookies you can see cookies are set for websites in the currently opened tab. If here is not only your own domain, you embed e.g. iframes. Iframes are independent websites, which you embed in your website, and they are therefore shown separately. However, you are still responsible if they set or read cookies, or cookie-like information, since you have loaded this website (without the explicit decision of your visitor). We therefore need to look at all listed domains regarding cookies or cookie-like information in the following.
  5. If you click on a domain name, in the left column you see all concrete cookies set on your computer with all its properties and flags like name, value, domain, expires etc. HTTP Cookies have more properties than Local Storage and Session Storage cookies. Depending on the type of cookie, you need to put different information into your cookie banner (the user interface of Real Cookie Banner shows only required fields).
  6. Now we should take a look at the individual cookies. Often the name in combination with the domain already tells us which service has set this cookie. Sometimes, however, this is not understandable. In this case, it is worth searching for the cookie name to find out e.g. in the privacy policy of the respective service provider which cookie is set by which service. Our goal is always to find out which cookie belongs to which service.
  7. If we know the service of the cookie, we can assess whether the service and therefore the cookie is essential. A service is only essential if our website would no longer work without it. It is irrelevant whether, for example, our website looks bad without the service or only functions somehow, but no longer makes economic sense.
  8. We have to store every service with all its technical cookies in Real Cookie Banner. How to do this is explained in the next section of this article.
Example of cookies on a WordPress website

The screenshot again shows an example from the devowl.io blog (without cookie banner). We can see the following cookies and try to find out their services. This is done in the example only for HTTP cookies, but should also be done for any other cookie-like information. The evaluation of whether something is essential or not may vary for each website.

  • wp-wpml_current_language: In the name of the first cookie we see the string “wpml”, which is the name of a WordPress plugin we use. A quick search led us to an article by the developer, in which he tells us that WPML sets this and other cookies. Thus, we have the essential information regarding the technical cookies for this service. Without this service, our website would not be available in multiple languages, which is why we consider it essential.
  • paddlejs_checkout_variant: In the previous sections we have already seen that we use Paddle.com. The name “paddlejs” indicates that the cookie comes from this service. However, during a search, we did not find any official documentation about the service’s cookies. However, we found some other websites that set this and other cookies for the Paddle.com service in their privacy policy statements. We could trust that these websites have provided correct information, or we could ask the provider of the service to surely get the complete and correct list of cookies.
  • _gid, _ga: The name “ga” could be an abbreviation for Google Analytics, which we can confirm. Through a quick search we find a detailed documentation in which you can read that “_gid” also comes from the service.
  • _cfduid: The name does not immediately indicate which service is behind it. However, a short research leads directly to the documentation of Cloudflare where we find this and other cookies, whereby certain cookies are only set when using certain services. So, here we have to differentiate which of the information applies to our case. We use Cloudflare to protect our website from malicious attacks, which is why we assume this to be an essential service.
  • NID, CONSENT: For the last two cookies, we can’t tell from the name exactly what these cookies are supposed to be. However, we can see in the Domain column that the cookies were set for “.google.com”. In the previous section we have already seen that we embed YouTube in an iframe and YouTube loads data from google.com. So, the assumption is that these cookies come through the YouTube video. On the other hand, they can also come from Google Analytics – another Google service we use. In this case, it is often worth temporarily disabling one of the two services to see if the cookie is still set afterwards (in a new private window). In this case, we determine with the help of Google’s privacy policy that these cookies come from YouTube.

How do I create a service and content blocker in Real Cookie Banner?

In the previous steps, we have identified which services we use on our website. With this, the most complex part of the task to collect all cookies etc. is done. This information (and additional information) only needs to be added to our cookie banner.

Real Cookie Banner tries to make it easy for you. The WordPress plugin offers you many templates under Services (Cookies) or Content Blocker. In these service templates are not only the technical cookies etc. already stored, but also a description text, link to the privacy policy and other necessary legal information. You can save a lot of time with these templates! It is recommended to create services first and then content blockers because our service templates will redirect you, if necessary, directly to the appropriate content blocker template.

If there is no template available for a service you are using, you can request one from us for free. Alternatively, you can, of course, create individual services and content yourself. How to do this is explained step by step in the following articles:

Your head exploded? Our Cookie Experts are here to help!

We admit, it is not easy to find all the services, cookies, etc. The legal requirements in the EU require something quite complex for any website operator. We can understand if you feel overwhelmed after reading this article – if this goes far beyond what you can technically do. Maybe the question of how to ever make your website privacy compliant, after knowing what all needs to be considered, won’t let you sleep easy either.

Don’t worry, we have a solution for you! Our Cookie Experts have already set up many cookie banners and know exactly what they are doing. They can also set up your cookie banner quickly and easily. So, we can simply take this worry away from you.

WordPress Plugins by devowl.io

Find helpful articles

Topics