How to Set Up a Script Approval Workflow for Your Website

LegalBanner

Why Scripts Need Approval

On most websites, adding a new script is trivially easy. A developer pastes a snippet in the code. A marketer adds a pixel through Google Tag Manager. An agency drops in a tracking script for a client campaign. A WordPress plugin activates with three new scripts embedded.

None of these go through a review process. Nobody checks whether the script is privacy-compliant, whether it's covered by the consent banner, or whether it loads additional sub-scripts. The result: unknown scripts running on your site, collecting data you haven't disclosed, potentially violating GDPR.

The Approval Workflow Concept

A script approval workflow follows a simple principle: nothing runs unless it's been reviewed and approved. The workflow:

  1. Detection — A new script is detected on your website (through a scan or real-time monitoring)
  2. Alert — The responsible person (you, your developer, your agency) is notified
  3. Review — The script is identified: what vendor, what purpose, what data does it collect, does it load sub-scripts?
  4. Decision — Approve (it can run with consent), block (it should never run), or investigate further
  5. Enforcement — The decision is enforced automatically. Approved scripts are added to the consent banner. Blocked scripts are prevented from loading.

Setting Up the Workflow in LegalBanner

Step 1: Enable Tag Governance

In your LegalBanner Pro dashboard, navigate to Governance and enable it for your site. Start in monitor mode — this detects and catalogues scripts without blocking anything.

Step 2: Review the Initial Inventory

After the first scan, you'll see every script currently running on your site. Go through each one:

  • Known and needed? Approve it and assign the correct consent category.
  • Unknown or unnecessary? Block it.
  • Need more information? Flag for investigation.

Step 3: Set Up Alerts

Configure alerts for new script detection. You can receive alerts via the dashboard or email. Set the sensitivity: alert on any new script, or only on scripts from unknown vendors.

Step 4: Switch to Strict Mode

Once your initial inventory is reviewed and approved, switch to strict mode. Now, any new script that appears will be automatically blocked until you approve it. Your approved scripts continue running normally.

Step 5: Ongoing Review

When alerts arrive (new script detected), review and decide within your defined SLA. For most websites, a 24-hour review cycle is sufficient. For high-security environments, real-time review may be appropriate.
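
The detection, decision and enforcement logic described above, shown as an added example. It is not LegalBanner's code; the inventory format, hostnames, URLs and the `reviewScripts` function are assumptions made for illustration. It checks the scripts seen on a page against recorded decisions and shows how the same inventory behaves in monitor mode and in strict mode.

```javascript
// Added example, not LegalBanner's code. The inventory format, hostnames
// and URLs are constructed sample data.
const INVENTORY = new Map([
  // hostname -> recorded decision; the note is the audit trail entry
  ["shop.example", { decision: "approved", category: "necessary", note: "First-party bundle" }],
  ["tags.vendor-a.example", { decision: "approved", category: "marketing", note: "Campaign tags, reviewed" }],
  ["cdn.tracker.example", { decision: "blocked", note: "No vendor agreement on file" }],
]);

// Script URLs as a scan of one page might report them (constructed).
const PAGE_URL = "https://shop.example/checkout";
const OBSERVED = [
  "/assets/app.js",
  "https://tags.vendor-a.example/container.js",
  "//cdn.tracker.example/pixel.js",
  "https://tags.vendor-a.example.lookalike.example/container.js",
];

function reviewScripts(scriptUrls, inventory, mode, pageUrl) {
  if (mode !== "monitor" && mode !== "strict") {
    throw new Error(`unknown mode: ${mode}`);
  }
  return scriptUrls.map((src) => {
    let host = null;
    try {
      // Resolve relative and protocol-relative URLs against the page.
      host = new URL(src, pageUrl).hostname;
    } catch (_) {
      // Unparsable src: host stays null and the script counts as unreviewed.
    }
    // Exact hostname lookup, so a look-alike host never inherits an approval.
    const entry = host === null ? undefined : inventory.get(host);
    const status = entry ? entry.decision : "unreviewed";
    return {
      src,
      host,
      status,
      category: entry && entry.category ? entry.category : null,
      // Monitor mode only catalogues; strict mode blocks anything not approved.
      action: mode === "strict" && status !== "approved" ? "block" : "allow",
      alert: status === "unreviewed", // new script: notify the reviewer
    };
  });
}

console.table(reviewScripts(OBSERVED, INVENTORY, "strict", PAGE_URL));
```

The fourth sample URL begins with an approved vendor's hostname but belongs to a different host, so it is reported as unreviewed and raises an alert in both modes.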

Best Practices

  • Start in monitor mode — Don't enable strict mode until you've reviewed the full inventory. Blocking essential scripts breaks your site.
  • Document decisions — When you approve or block a script, note why. This creates an audit trail for regulators.
  • Review periodically — Even approved scripts change. Quarterly reviews ensure nothing has drifted.
  • Educate your team — Make sure marketing and development know the workflow. Adding a new tool means it goes through approval first.
