1. Home
  2. Add-ons
  3. Cookie Smart Installation Guide

Cookie Smart Installation Guide

Overview

Cookie Smart is a managed cookie consent and script blocking add-on for contractor websites, landing pages, and hosted Launch365 sites. It helps show a consent banner, collect visitor choices, apply Google Consent Mode v2, and delay non-essential scripts until the visitor gives consent.

Cookie Smart does not require a WordPress plugin. It is installed with a hosted JavaScript snippet, a tag manager placement, or managed site injection.

  • Shows a cookie consent banner with Accept, Reject, and Preferences controls.
  • Stores visitor consent choices.
  • Provides a preference center so visitors can change choices later.
  • Sends consent decisions to Launch365 consent logs when logging is enabled.
  • Supports Google Consent Mode v2 defaults and updates.
  • Blocks or delays configured analytics, marketing, functional scripts, and embedded widgets until consent.
  • Supports Global Privacy Control when enabled.

Before You Start

You need:

  • Cookie Smart add-on activated for the company.
  • The website domain, such as example.com.
  • Privacy Policy label and link.
  • Cookie Policy label and link, if available.
  • Any additional banner links, such as do-not-sell pages.
  • A list of scripts that should wait for consent, such as:
    • Google Tag Manager
    • Google Analytics 4
    • Google Ads
    • Meta Pixel
    • Microsoft Clarity
    • chat widgets
    • session recording tools
    • optional embeds
  1. In Launch365, go to /company/addons/cookie-smart.
  2. Find the Cookie Smart Add-ons box.
  3. Enable the Cookie Smart add-on.
  4. Click Update add-ons.

This controls billing and entitlement access.

  1. Go to /company/cookie-smart.
  2. Turn on Enable Cookie Smart.
  3. Enter the website domain.
  4. Choose the regional consent behavior.
  5. Choose the banner position. Card positions render as compact notices pinned to the lower left or lower right of the page.
  6. Set banner title, message, button labels, and brand color.
  7. Add the Privacy Policy and Cookie Policy labels and links.
  8. Add any additional outbound links that should appear in the consent notice.
  9. Confirm these consent controls:
    • Google Consent Mode v2
    • Consent logging
    • Preference center
    • Respect Global Privacy Control
  10. Review or add script and widget blocking rules.
  11. Click Save Cookie Smart Settings.
  12. Use Scan Website to detect third-party scripts, iframe embeds, widgets, and inline script URLs. Add selected results as blocking rules.

The add-on activation controls whether the account can use Cookie Smart. The Enable Cookie Smart switch controls whether Cookie Smart is active for that specific domain.

Install the Runtime Script

Place the Cookie Smart runtime as the first script in the page <head>. Do not add async or defer.

<script src="https://go.launchsms.com/cookie-smart.js?site=COOKIE_SMART_SITE_UUID" data-cookie-smart-site="COOKIE_SMART_SITE_UUID"></script>

Replace COOKIE_SMART_SITE_UUID with the public install key shown in /company/cookie-smart after saving the site. This key is unique to the Cookie Smart site configuration. It is not a secret API key because it is visible in the browser.

Important Script Order Rule

Cookie Smart must load before non-essential trackers.

Load Cookie Smart before:

  • Google Tag Manager
  • Google Analytics 4
  • Google Ads
  • Meta Pixel
  • Microsoft Clarity
  • chat widgets and scheduler embeds
  • call tracking or DNI scripts that are not strictly necessary
  • session recording tools
  • remarketing tags

Cookie Smart can block scripts and embedded widgets before they run. It cannot undo a tracker that already loaded before Cookie Smart, and it cannot remove cookies already stored from earlier visits.

For strict pre-consent blocking, install direct third-party script tags as Cookie Smart placeholders in the site source. Client-side auto-blocking can catch many dynamic scripts, but browser parser requests can start before a consent runtime is able to rewrite a hardcoded <script src="...">.

Add this link in the footer, privacy page, or cookie policy page so visitors can change their choices later:

<a href="#" data-cookie-smart-preferences>Cookie preferences</a>

For a California-style privacy choices link, copy the Privacy choices link snippet from /company/cookie-smart and place it anywhere on the site:

<a href="#" data-cookie-smart-privacy-choices alt="Privacy Choices" aria-label="Privacy Choices">Your Privacy Choices</a>

Cookie Smart will render the label with a compact blue check/X badge. When visitors click it, Cookie Smart opens the preferences modal so they can reject all, accept all, or save category-level choices.

Converting Existing Tags

Do not only add data-cookie-smart-category to an existing script. The category tells Cookie Smart which consent choice controls the tag, but type="text/plain" is what prevents the browser from running an inline script before consent.

For inline scripts, add both type="text/plain" and data-cookie-smart-category.

Before:

<script>
  gtag('config', 'G-XXXXXXX');
</script>

After:

<script type="text/plain" data-cookie-smart-category="analytics">
  gtag('config', 'G-XXXXXXX');
</script>

For external scripts, remove the real src, move it to data-cookie-smart-src, and add type="text/plain" plus the category.

Before:

<script src="https://example.com/widget.js"></script>

After:

<script
  type="text/plain"
  data-cookie-smart-category="functional"
  data-cookie-smart-src="https://example.com/widget.js">
</script>

For iframes, remove the real src, move it to data-cookie-smart-src, and add the category.

Before:

<iframe src="https://scheduler.example.com/embed" title="Scheduler"></iframe>

After:

<iframe
  data-cookie-smart-category="functional"
  data-cookie-smart-src="https://scheduler.example.com/embed"
  title="Scheduler">
</iframe>

Blocking External Scripts

For the most reliable blocking, convert non-essential external scripts to placeholders.

Example for an analytics script:

<script
  type="text/plain"
  data-cookie-smart-category="analytics"
  data-cookie-smart-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX">
</script>

Cookie Smart will load the script only after the visitor allows the matching category.

Blocking Embedded Widgets

For iframe-based schedulers, chat widgets, quote tools, and optional embeds, use data-cookie-smart-src instead of src.

<iframe
  data-cookie-smart-category="functional"
  data-cookie-smart-src="https://scheduler.example.com/embed"
  title="Scheduler">
</iframe>

ScheduleEngine Widgets

Convert the ScheduleEngine widget script to a functional placeholder so it waits for consent.

Before:

<script defer
  data-api-key="SCHEDULE_ENGINE_API_KEY"
  id="se-widget-embed"
  src="https://embed.scheduleengine.net/schedule-engine-v3.js">
</script>

After:

<script
  nitro-exclude
  defer
  type="text/plain"
  data-cookie-smart-category="functional"
  data-cookie-smart-src="https://embed.scheduleengine.net/schedule-engine-v3.js"
  data-api-key="SCHEDULE_ENGINE_API_KEY"
  id="se-widget-embed">
</script>

If the site has a custom click handler for .se-widget-button, make it safe for the pre-consent state. The ScheduleEngine global may not exist until the visitor accepts functional cookies.

Replace this pattern:

<script>
  (function () {
    const scheduleButton = document.querySelectorAll('.se-widget-button');
    scheduleButton.forEach(btn => {
      btn.addEventListener('click', () => {
        ScheduleEngine.showRepair({ roomKey: null })
      });
    });
  })();
</script>

With this guarded version:

<script>
(function () {
  function attach() {
    document.querySelectorAll('.se-widget-button').forEach(function (btn) {
      btn.addEventListener('click', function () {
        if (window.ScheduleEngine && ScheduleEngine.showRepair) {
          ScheduleEngine.showRepair({ roomKey: null });
        }
      });
    });
  }

  if (document.readyState === 'loading') {
    document.addEventListener('DOMContentLoaded', attach);
  } else {
    attach();
  }
})();
</script>

Blocking Inline Scripts

Inline scripts that depend on consent should also be converted to placeholders.

<script type="text/plain" data-cookie-smart-category="analytics">
  gtag('config', 'G-XXXXXXX');
</script>

Use these categories when configuring script rules or placeholder scripts.

Category Use For Consent Behavior
necessary Required site functionality, security, core operations Always allowed
analytics GA4, GTM analytics, Microsoft Clarity, performance measurement Waits for analytics consent
marketing Meta Pixel, Google Ads, remarketing, conversion tags Waits for marketing consent
functional Chat widgets, embeds, personalization, optional UX tools Waits for functional consent

The preference center displays these categories as expandable panels. When script or widget blocking rules are assigned to a category, visitors can see the controlled resources for that category before saving their preferences.

Regional Rules

When Regional rules is selected, Cookie Smart chooses the runtime behavior from detected visitor location:

  • GDPR regions, the UK, and Switzerland use strict opt-in. Optional analytics, marketing, and functional scripts are blocked until consent.
  • Selected US restricted states use strict opt-in. California is selected by default for new Cookie Smart sites.
  • Other US states and other non-GDPR regions use notice with opt-out. Optional scripts are allowed by default, and visitors can reject or change preferences.
  • Unknown regions default to strict opt-in.

Cookie Smart detects region from common CDN/proxy headers such as Cloudflare, CloudFront, Vercel, App Engine, and Azure. If no geo header is available, it falls back to the browser Accept-Language country when present. US state-specific rules require a geo header that includes the visitor’s state or subdivision; country-only detection can identify US visitors but cannot distinguish California from another state.

Scanner

The scanner fetches the saved website homepage, reads external script tags, iframe/embed/object sources, and URL literals inside inline scripts. It ignores Cookie Smart and first-party assets, then compares third-party resources against active blocking rules.

Use the scanner after saving the Cookie Smart site:

  1. Click Scan Website.
  2. Review the uncovered script and widget sources.
  3. Adjust the suggested name, category, match type, or pattern if needed.
  4. Select the rows to add.
  5. Click Add Selected Rules.

The scanner only sees resources present in the initial HTML response or URL literals inside inline scripts. Resources injected later by tag managers, plugins, or user interaction may require manual rules or a later scan after those resources are exposed in the page source.

Consent logs are available at /company/cookie-smart/consent-logs. The page shows recent decisions with pagination and includes a CSV export for audit or compliance review.

New logs include the visitor IP address, IP hash, detected city, country, state or region, geo header source, visitor hash, user agent, consent decision, category choices, and timestamps. City and state/region are populated when the site or CDN forwards location headers such as Cloudflare, CloudFront, Vercel, App Engine, or similar proxy headers.

Common Installation Patterns

Direct Site Install

Add Cookie Smart first in the <head>, then convert non-essential scripts to placeholders.

<head>
  <script src="https://go.launchsms.com/cookie-smart.js?site=COOKIE_SMART_SITE_UUID" data-cookie-smart-site="COOKIE_SMART_SITE_UUID"></script>

  <script
    type="text/plain"
    data-cookie-smart-category="analytics"
    data-cookie-smart-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX">
  </script>
</head>

Tag Manager Install

Cookie Smart can be installed through a tag manager, but it must fire before other analytics, marketing, chat, or tracking tags.

Recommended setup:

  1. Create a Cookie Smart tag.
  2. Set it to fire on all pages as early as possible.
  3. Update other non-essential tags to wait for the correct consent category.
  4. Test in an incognito browser before publishing.

If GTM itself loads before Cookie Smart, GTM may run tags before Cookie Smart can block them. For strict blocking, place Cookie Smart directly in the page <head> before the GTM container.

Managed Hosted Site Install

For Launch365-managed hosted pages, install Cookie Smart through the managed site injection path and place it before tracking, chat, analytics, and marketing snippets.

When Google Consent Mode v2 is enabled, Cookie Smart sets Google consent defaults to denied before consent is granted. After the visitor makes a choice, Cookie Smart updates Google consent state based on selected categories.

Analytics consent maps to:

  • analytics_storage

Marketing consent maps to:

  • ad_storage
  • ad_user_data
  • ad_personalization

Functional consent maps to:

  • functionality_storage
  • personalization_storage

Security storage remains granted.

Verify Installation

After installing Cookie Smart:

  1. Open the site in an incognito window.
  2. Confirm the banner appears.
  3. Before accepting, check that non-essential trackers have not fired.
  4. Click Reject and confirm analytics and marketing tags stay blocked.
  5. Clear browser storage or use another incognito window.
  6. Click Accept and confirm allowed tags load.
  7. Open the preference link and confirm choices can be changed.
  8. In Launch365, confirm consent logs are being recorded if logging is enabled.

Focused Widget Blocking Test

Use this test when validating ServiceTitan, Contractor Commerce, or NitroPack-related blocking on a live site.

  1. Open a brand-new Incognito window.
  2. Open DevTools before loading the site.
  3. Go to Network.
  4. Enable Preserve log.
  5. Enable Disable cache.
  6. Load the test URL:
https://www.hydesac.com/?cs_test=nitro_excluded_1

Before clicking Accept, filter the Network tab for these terms one at a time:

servicetitan
contractorcommerce
nitro-min-scheduler
nitrocdn

Expected before Accept:

  • nitro-min-scheduler should have no results.
  • ServiceTitan script or iframe requests should not load with 200.
  • Contractor Commerce requests should not load with 200.
  • Canceled or blocked attempts can appear, but successful widget scripts or documents should not.

Then run this in the Console before clicking Accept:

[...document.scripts].map((s, i) => ({
  i,
  src: s.src,
  type: s.type,
  blockedSrc: s.dataset.cookieSmartSrc,
  category: s.dataset.cookieSmartCategory
})).filter(x =>
  JSON.stringify(x).toLowerCase().includes('servicetitan') ||
  JSON.stringify(x).toLowerCase().includes('contractorcommerce') ||
  JSON.stringify(x).toLowerCase().includes('nitro')
)

Good result before Accept:

  • Blocked scripts have type: "text/plain".
  • blockedSrc contains the original ServiceTitan or Contractor Commerce URL.

Then click Accept.

Expected after Accept:

  • ServiceTitan scripts and iframes load.
  • Contractor Commerce loads.
  • Chat, scheduler, or commerce UI becomes available.
  • Console shows accepted consent:
CookieSmart.consent()

If nitrocdn.com/...servicetitan... still appears before Accept, NitroPack did not fully exclude that resource or the cache was not fully cleared. Update the NitroPack exclusion and run a full cache purge before retesting.

Troubleshooting

The banner does not appear

  • Confirm Cookie Smart is active for the company.
  • Confirm Enable Cookie Smart is turned on in /company/cookie-smart.
  • Confirm the data-cookie-smart-site value matches the public install key in /company/cookie-smart.
  • Confirm the runtime script is installed on the page.
  • Confirm the runtime URL includes ?site=COOKIE_SMART_SITE_UUID.
  • Check browser console errors.
  • Move the Cookie Smart runtime higher in the <head>.
  • Confirm trackers are not hardcoded above Cookie Smart.
  • Convert hardcoded third-party <script src="..."> and widget <iframe src="..."> tags to Cookie Smart placeholders.
  • Convert non-essential scripts to type="text/plain" placeholders.
  • If using GTM, confirm tags are not firing before Cookie Smart loads.
  • Confirm the placeholder has data-cookie-smart-category.
  • Confirm the visitor allowed that category.
  • Confirm external scripts use data-cookie-smart-src, not src.
  • Confirm the category is one of analyticsmarketingfunctional, or necessary.
  • Confirm consent logging is enabled.
  • Confirm the public consent endpoint is reachable.
  • Confirm the domain in the request matches the configured Cookie Smart site.
  • Check whether browser extensions are blocking the request.

Compliance Note

Cookie Smart is a technical consent management tool. It should be used with accurate privacy and cookie policies, regular script reviews, and legal guidance appropriate for the business and jurisdictions involved.

Updated on June 28, 2026
Was this article helpful?

Related Articles

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.