""" Cookie-Knowledge-Datenbank — maximal extrahierbares Wissen pro Cookie-Name. Pro Eintrag erfassen wir: - vendor : Setzender Anbieter (volle Firma + Sitzland) - exact_purpose : was der Cookie GENAU tut (nicht nur Kategorie) - data_collected : Welche Datenfelder (Client-ID, Timestamp, IP, etc.) - ip_relevant : Wird IP-Adresse erfasst/uebermittelt? - ip_anonymized : Per Default anonymisiert? - tcf_purpose_ids : IAB TCF v2.2 Purpose-IDs (1-11) - iab_vendor_id : IAB Global Vendor List ID (fuer TCF-Sync) - typical_lifetime : Wie lange persistiert - reid_risk : Re-Identifikations-Risiko (low/medium/high) - technical_necessity: Erforderlich nach §25(2) TDDDG? (none/partial/full) - schrems_ii_status : Drittlandtransfer-Bewertung - eugh_rulings : Relevante EuGH-/CNIL-/LfDI-Entscheidungen - eu_alternative_* : EU-Cookie/Vendor-Ersatz mit gleicher Funktion - notes : Sonstige Hinweise (Vermeidung, Konfiguration) Quellen: Cookiepedia, IAB Europe TCF v2.2 Vendor List, Cookiebot DB, CNIL Cookies & Trackers Guidelines 2024, EDPB Cookie Guidelines 2/2023, DSK-Orientierungshilfe Telemedien 2021, Vendor-eigene Dokumentation. Stand: 2026-05. Erweiterung: Pull-Requests willkommen — Format siehe TEMPLATE_ENTRY am Ende der Datei. """ from __future__ import annotations from typing import TypedDict class CookieKnowledge(TypedDict, total=False): vendor: str vendor_country: str exact_purpose: str data_collected: list[str] ip_relevant: bool ip_anonymized: bool tcf_purpose_ids: list[int] iab_vendor_id: int | None typical_lifetime: str reid_risk: str # 'low' | 'medium' | 'high' technical_necessity: str # 'none' | 'partial' | 'full' schrems_ii_status: str eugh_rulings: list[str] eu_alternative_cookies: list[str] eu_alternative_vendor: str notes: str # ─── Google ────────────────────────────────────────────────────────── _GOOGLE_BASE = { "vendor": "Google LLC", "vendor_country": "US", "schrems_ii_status": "Drittlandtransfer in die USA. Mit DPF " "(EU-US Data Privacy Framework, 2023) wieder zulaessig, " "aber bereits Klage NOYB anhaengig (Schrems III). " "Risiko-Bewertung empfohlen.", "eugh_rulings": [ "EuGH C-311/18 (Schrems II, 16.07.2020) — Privacy Shield gekippt", "CNIL SAN-2022-002 (10.02.2022) — Google Analytics ohne Anonymisierung " "unzulaessig", "Datenschutzkonferenz (DSK) Orientierungshilfe 2024 — GA4 mit " "Server-Side-Tagging als Mitigation moeglich", ], } KB: dict[str, CookieKnowledge] = { # ─── Google Analytics ───────────────────────────────────────────── "_ga": { **_GOOGLE_BASE, "exact_purpose": "Unterscheidet eindeutig Besucher; persistiert die " "ueber alle Sessions hinweg gueltige Client-ID.", "data_collected": ["client_id", "first_visit_timestamp", "ip_address"], "ip_relevant": True, "ip_anonymized": False, "tcf_purpose_ids": [8, 10], "iab_vendor_id": 755, "typical_lifetime": "2 Jahre", "reid_risk": "high", "technical_necessity": "none", "eu_alternative_cookies": ["_pk_id"], "eu_alternative_vendor": "Matomo", "notes": "Mit IP-Anonymisierung (`anonymizeIp: true`) + Server-Side-Tagging " "DSGVO-konfigurierbar. Ohne diese Massnahmen einwilligungspflichtig.", }, "_gid": { **_GOOGLE_BASE, "exact_purpose": "Unterscheidet Besucher innerhalb einer Session " "(24h-Bucket).", "data_collected": ["session_id", "ip_address"], "ip_relevant": True, "ip_anonymized": False, "tcf_purpose_ids": [8], "iab_vendor_id": 755, "typical_lifetime": "24 Stunden", "reid_risk": "medium", "technical_necessity": "none", "eu_alternative_cookies": ["_pk_ses"], "eu_alternative_vendor": "Matomo", }, "_gat": { **_GOOGLE_BASE, "exact_purpose": "Throttling-Cookie — begrenzt Anzahl Requests an " "Google Analytics pro Sekunde.", "data_collected": ["throttle_flag"], "ip_relevant": False, "ip_anonymized": True, "tcf_purpose_ids": [], "iab_vendor_id": 755, "typical_lifetime": "1 Minute", "reid_risk": "low", "technical_necessity": "none", "notes": "Reines Performance-Steuerungs-Cookie. Trotzdem einwilligungspflichtig " "da er Teil des GA-Trackings ist.", }, "_gat_gtag_UA_": { **_GOOGLE_BASE, "exact_purpose": "GTM-spezifisches Throttling — pro Universal-Analytics-Property.", "data_collected": ["throttle_flag"], "ip_relevant": False, "typical_lifetime": "1 Minute", "reid_risk": "low", "technical_necessity": "none", "notes": "Suffix nach `UA_` ist die Property-ID. Pattern-Match noetig.", }, "_ga_*": { **_GOOGLE_BASE, "exact_purpose": "GA4-Persistierung — eindeutige Stream-ID + Session-Daten.", "data_collected": ["stream_id", "session_count", "session_start_ts"], "ip_relevant": True, "ip_anonymized": False, "tcf_purpose_ids": [8, 10], "iab_vendor_id": 755, "typical_lifetime": "2 Jahre", "reid_risk": "high", "technical_necessity": "none", "notes": "GA4-Format. Suffix `_`. Server-Side-GTM " "ist die einzige praktikable DSGVO-Mitigation.", }, "NID": { **_GOOGLE_BASE, "exact_purpose": "Personalisiert Google-Suche, AdSense, Maps; " "speichert Praeferenzen + Sicherheits-Token.", "data_collected": ["user_pref_id", "session_id", "security_token"], "ip_relevant": True, "tcf_purpose_ids": [4, 9, 10], "iab_vendor_id": 755, "typical_lifetime": "6 Monate", "reid_risk": "high", "technical_necessity": "none", "notes": "Klassischer Google-Werbe-Cookie. Hohe Re-ID-Gefahr da Cross-Site.", }, "IDE": { "vendor": "Google LLC (DoubleClick)", "vendor_country": "US", "exact_purpose": "Conversion-Tracking + Werbe-Targeting bei " "Google Display Network / DoubleClick.", "data_collected": ["doubleclick_id", "ad_interactions"], "ip_relevant": True, "tcf_purpose_ids": [4, 9, 10], "iab_vendor_id": 755, "typical_lifetime": "13 Monate", "reid_risk": "high", "technical_necessity": "none", "schrems_ii_status": _GOOGLE_BASE["schrems_ii_status"], "eugh_rulings": _GOOGLE_BASE["eugh_rulings"], }, "test_cookie": { **_GOOGLE_BASE, "exact_purpose": "DoubleClick-Probe-Cookie — testet ob Browser Cookies akzeptiert.", "data_collected": ["browser_supports_cookies"], "ip_relevant": False, "typical_lifetime": "15 Minuten", "reid_risk": "low", "technical_necessity": "none", }, # ─── Meta / Facebook ────────────────────────────────────────────── "_fbp": { "vendor": "Meta Platforms Ireland Ltd.", "vendor_country": "IE/US", "exact_purpose": "First-Party-Pixel von Facebook/Meta — identifiziert " "den Browser fuer Werbe-Conversion-Tracking + Ad-Retargeting.", "data_collected": ["browser_id", "first_visit_ts"], "ip_relevant": True, "ip_anonymized": False, "tcf_purpose_ids": [4, 9, 10], "iab_vendor_id": 891, "typical_lifetime": "90 Tage", "reid_risk": "high", "technical_necessity": "none", "schrems_ii_status": "Daten gehen an Meta US trotz IE-Sitz. " "Aktuell DPF-abgedeckt, aber Schrems III erwartet.", "eugh_rulings": [ "EuGH C-311/18 (Schrems II)", "EDSA Aufsichts-Statement 2023 zu Meta-Pixel", "LDA Bayern Pruefverfuegung 2024", ], "eu_alternative_vendor": "Smart AdServer (Equativ, FR)", "notes": "Conversions API (CAPI) als Server-Side-Variante reduziert Cookie-" "Abhaengigkeit. Trotzdem werden Daten an Meta gesendet.", }, "_fbc": { "vendor": "Meta Platforms Ireland Ltd.", "vendor_country": "IE/US", "exact_purpose": "Speichert die ClickID einer Meta-Ad-Kampagne; " "ordnet Conversion dem urspruenglichen Ad-Klick zu.", "data_collected": ["fbclid", "ad_campaign_id"], "ip_relevant": True, "tcf_purpose_ids": [4, 9], "iab_vendor_id": 891, "typical_lifetime": "90 Tage", "reid_risk": "high", "technical_necessity": "none", }, "fr": { "vendor": "Meta Platforms Ireland Ltd.", "vendor_country": "IE/US", "exact_purpose": "Werbe-Targeting + Cross-Site-Tracking auf " "Facebook-Plattform.", "data_collected": ["encrypted_user_id", "session_data"], "ip_relevant": True, "tcf_purpose_ids": [4, 9, 10], "iab_vendor_id": 891, "typical_lifetime": "3 Monate", "reid_risk": "high", "technical_necessity": "none", }, # ─── Adobe ──────────────────────────────────────────────────────── "s_cc": { "vendor": "Adobe Systems Software Ireland Limited", "vendor_country": "IE/US", "exact_purpose": "Cookie-Test — prueft ob der Browser Cookies " "akzeptiert (Adobe Analytics Bootstrap).", "data_collected": ["browser_supports_cookies"], "ip_relevant": False, "typical_lifetime": "Session", "reid_risk": "low", "technical_necessity": "partial", "schrems_ii_status": "Adobe-IE-Hosting, jedoch US-Datentransfer fuer " "Cloud-Services. DPF-abgedeckt.", }, "s_sq": { "vendor": "Adobe Systems Software Ireland Limited", "vendor_country": "IE/US", "exact_purpose": "Speichert den letzten Klick (URL + Position) " "fuer Click-Map-Reports.", "data_collected": ["last_click_url", "last_click_xy"], "ip_relevant": False, "tcf_purpose_ids": [8], "typical_lifetime": "Session", "reid_risk": "low", "technical_necessity": "none", }, "AMCV_": { "vendor": "Adobe Systems Software Ireland Limited", "vendor_country": "IE/US", "exact_purpose": "Adobe Marketing Cloud Visitor ID — Cross-Tool-ID fuer " "Analytics + Target + Audience Manager.", "data_collected": ["marketing_cloud_visitor_id", "first_visit_ts"], "ip_relevant": True, "tcf_purpose_ids": [4, 8, 9, 10], "typical_lifetime": "2 Jahre", "reid_risk": "high", "technical_necessity": "none", "notes": "Suffix nach `AMCV_` ist die Org-ID. Klassischer Cross-Tool-Track.", }, "mbox": { "vendor": "Adobe Systems Software Ireland Limited", "vendor_country": "IE/US", "exact_purpose": "Adobe Target — A/B-Testing, Personalisierung, " "Audience-Targeting.", "data_collected": ["mbox_visitor_id", "experiment_assignments"], "ip_relevant": True, "tcf_purpose_ids": [4, 9, 10], "typical_lifetime": "2 Jahre", "reid_risk": "high", "technical_necessity": "none", }, "s_target_qa": { "vendor": "Adobe Systems Software Ireland Limited", "vendor_country": "IE/US", "exact_purpose": "Adobe Target Premium-Feature — QA-Modus fuer Personalisations-Tests.", "data_collected": ["target_qa_session"], "typical_lifetime": "Session", "reid_risk": "low", "technical_necessity": "none", "notes": "Premium-Feature-Cookie. Anwesenheit = Enterprise-Lizenz Indikator.", }, # ─── Microsoft / Bing ───────────────────────────────────────────── "MUID": { "vendor": "Microsoft Corp.", "vendor_country": "US", "exact_purpose": "Microsoft-User-ID fuer Bing, Microsoft Advertising, " "Clarity Heatmaps.", "data_collected": ["microsoft_user_id"], "ip_relevant": True, "tcf_purpose_ids": [4, 8, 9, 10], "iab_vendor_id": 165, "typical_lifetime": "13 Monate", "reid_risk": "high", "technical_necessity": "none", "schrems_ii_status": "US-Transfer, DPF-zertifiziert.", }, "_uetsid": { "vendor": "Microsoft Corp.", "vendor_country": "US", "exact_purpose": "Universal Event Tracking — Session-Cookie fuer " "Microsoft Advertising Conversion-Tracking.", "data_collected": ["session_id"], "ip_relevant": True, "tcf_purpose_ids": [9], "typical_lifetime": "30 Minuten", "reid_risk": "medium", "technical_necessity": "none", }, "_uetvid": { "vendor": "Microsoft Corp.", "vendor_country": "US", "exact_purpose": "Universal Event Tracking — persistente Visitor-ID.", "data_collected": ["visitor_id"], "ip_relevant": True, "tcf_purpose_ids": [4, 9], "typical_lifetime": "13 Monate", "reid_risk": "high", "technical_necessity": "none", }, # ─── LinkedIn ───────────────────────────────────────────────────── "bcookie": { "vendor": "LinkedIn Ireland Unlimited Company", "vendor_country": "IE/US", "exact_purpose": "Browser-Identifikation; wird genutzt fuer Anmelde-" "Vorgang + LinkedIn Insight-Tag-Tracking.", "data_collected": ["browser_id"], "ip_relevant": True, "tcf_purpose_ids": [4, 8, 9], "iab_vendor_id": 14, "typical_lifetime": "1 Jahr", "reid_risk": "high", "technical_necessity": "none", "schrems_ii_status": "US-Datenuebermittlung (Mutter Microsoft).", }, "lidc": { "vendor": "LinkedIn Ireland Unlimited Company", "vendor_country": "IE/US", "exact_purpose": "Daten-Routing zwischen LinkedIn-Datacentern.", "data_collected": ["routing_id"], "ip_relevant": True, "typical_lifetime": "1 Tag", "reid_risk": "low", "technical_necessity": "partial", }, "li_gc": { "vendor": "LinkedIn Ireland Unlimited Company", "vendor_country": "IE/US", "exact_purpose": "Speichert die Cookie-Einwilligung fuer LinkedIn-Embeds.", "data_collected": ["consent_state"], "ip_relevant": False, "typical_lifetime": "6 Monate", "reid_risk": "low", "technical_necessity": "full", }, # ─── Matomo (EU-Alternative) ────────────────────────────────────── "_pk_id": { "vendor": "InnoCraft Ltd (Matomo)", "vendor_country": "NZ-mit-EU-self-hosting", "exact_purpose": "Matomo Visitor-ID — Pendant zu _ga, aber DSGVO-konform " "wenn IP-Anonymisierung aktiv.", "data_collected": ["visitor_id", "first_visit_ts"], "ip_relevant": True, "ip_anonymized": True, "tcf_purpose_ids": [8], "typical_lifetime": "13 Monate", "reid_risk": "low", # bei aktivierter Anonymisierung "technical_necessity": "none", "schrems_ii_status": "Bei On-Premise-Deployment KEIN Drittlandtransfer. " "Matomo Cloud EU mit Frankfurt-Hosting verfuegbar.", "notes": "Empfohlener Drop-in-Ersatz fuer Google Analytics.", }, "_pk_ses": { "vendor": "InnoCraft Ltd (Matomo)", "vendor_country": "NZ-mit-EU-self-hosting", "exact_purpose": "Matomo Session-Cookie.", "data_collected": ["session_id"], "ip_relevant": False, "typical_lifetime": "30 Minuten", "reid_risk": "low", "technical_necessity": "none", }, # ─── Captcha ────────────────────────────────────────────────────── "hcaptcha": { "vendor": "Intuition Machines Inc. (hCaptcha)", "vendor_country": "US", "exact_purpose": "hCaptcha Bot-Erkennung — Session-Token fuer Challenge-Solver.", "data_collected": ["bot_score", "session_id", "ip_address"], "ip_relevant": True, "typical_lifetime": "Session", "reid_risk": "medium", "technical_necessity": "full", "schrems_ii_status": "US-Transfer (Intuition Machines, San Francisco).", "eu_alternative_vendor": "Friendly Captcha (DE), Turnstile (Cloudflare EU)", "notes": "Technisch erforderlich fuer Bot-Schutz, aber EU-Alternativen " "ohne Drittland-Risiko verfuegbar.", }, "cf_clearance": { "vendor": "Cloudflare Inc.", "vendor_country": "US", "exact_purpose": "Cloudflare-Bot-Management Pro — bestaetigt dass User " "die JS-Challenge bestanden hat.", "data_collected": ["challenge_token"], "ip_relevant": True, "typical_lifetime": "30 Minuten", "reid_risk": "low", "technical_necessity": "full", "notes": "Premium-Feature-Cookie. Anwesenheit = Cloudflare Bot-Management " "Pro im Einsatz.", }, # ─── CDN / Performance ──────────────────────────────────────────── "__cf_bm": { "vendor": "Cloudflare Inc.", "vendor_country": "US", "exact_purpose": "Cloudflare Bot Management — basis Bot-Erkennung.", "data_collected": ["bot_score", "client_hash"], "ip_relevant": True, "typical_lifetime": "30 Minuten", "reid_risk": "low", "technical_necessity": "full", "notes": "Strictly necessary nach §25(2) TDDDG (Sicherheit). Keine Einwilligung noetig.", }, "aws-alb": { "vendor": "Amazon Web Services Inc.", "vendor_country": "US", "exact_purpose": "AWS Application Load Balancer Sticky Sessions — " "routet Anfragen konsistent an dieselbe Backend-Instanz.", "data_collected": ["target_instance_id"], "ip_relevant": False, "typical_lifetime": "1 Stunde", "reid_risk": "low", "technical_necessity": "full", "schrems_ii_status": "AWS Frankfurt verfuegbar — bei korrektem Region-Setup " "kein US-Transfer.", }, # ─── Retargeting / Advertising ──────────────────────────────────── "_pin_unauth": { "vendor": "Pinterest Europe Ltd.", "vendor_country": "IE/US", "exact_purpose": "Pinterest Tag — Conversion-Tracking + Audience-Aufbau.", "data_collected": ["pinterest_user_id"], "ip_relevant": True, "tcf_purpose_ids": [4, 9, 10], "iab_vendor_id": 762, "typical_lifetime": "1 Jahr", "reid_risk": "high", "technical_necessity": "none", }, "cto_dna": { "vendor": "Criteo S.A.", "vendor_country": "FR", "exact_purpose": "Criteo Dynamic Retargeting — produktspezifische " "Werbeauslieferung basierend auf Browser-History.", "data_collected": ["criteo_user_id", "product_views"], "ip_relevant": True, "tcf_purpose_ids": [4, 9, 10], "iab_vendor_id": 91, "typical_lifetime": "13 Monate", "reid_risk": "high", "technical_necessity": "none", "schrems_ii_status": "Criteo ist FR-basiert, aber Daten gehen auch in die USA. " "Multi-Region-Setup pruefen.", "notes": "Trotz FR-Sitz nicht automatisch DSGVO-konform — CNIL-Bussgeld " "EUR 60M 2022 wegen mangelnder Einwilligungs-Granularitaet.", }, "afm": { "vendor": "Adform A/S", "vendor_country": "DK", "exact_purpose": "Adform Audience Matching — Cross-Device-Identifikation " "fuer programmatische Werbung.", "data_collected": ["adform_user_id", "device_signals"], "ip_relevant": True, "tcf_purpose_ids": [4, 9, 10], "iab_vendor_id": 50, "typical_lifetime": "30 Tage", "reid_risk": "high", "technical_necessity": "none", "schrems_ii_status": "Adform ist DK-basiert, EU-Hosting Standard. Keine " "Schrems-II-Probleme bei Standard-Setup.", }, # ─── Consent / Funktional (Strictly Necessary) ──────────────────── "JSESSIONID": { "vendor": "Java EE / Tomcat (Site-Software)", "vendor_country": "N/A", "exact_purpose": "Server-Session-ID fuer Java-basierte Anwendungen.", "data_collected": ["session_id"], "ip_relevant": False, "typical_lifetime": "Session", "reid_risk": "low", "technical_necessity": "full", "notes": "Strictly necessary. Keine Einwilligung nach §25(2) TDDDG.", }, "PHPSESSID": { "vendor": "PHP (Site-Software)", "vendor_country": "N/A", "exact_purpose": "PHP-Session-ID — serverseitige Sitzungs-Persistierung.", "data_collected": ["session_id"], "ip_relevant": False, "typical_lifetime": "Session", "reid_risk": "low", "technical_necessity": "full", }, "cookie_consent": { "vendor": "BreakPilot Consent-Banner (own)", "vendor_country": "DE", "exact_purpose": "Speichert die Einwilligungsentscheidung des Nutzers " "pro Kategorie.", "data_collected": ["consent_state_per_category", "timestamp"], "ip_relevant": False, "typical_lifetime": "180 Tage", "reid_risk": "low", "technical_necessity": "full", "notes": "Strictly necessary nach Art. 7(1) DSGVO Nachweispflicht.", }, # ─── Templated / pattern-based entries (Suffix variabel) ────────── # Diese werden via regex-Lookup gefangen, der Eintrag dient als Fallback. "_uet_": { "vendor": "Microsoft Corp.", "vendor_country": "US", "exact_purpose": "Microsoft Universal Event Tracking — Suffix nach `_uet_`.", "data_collected": ["event_id"], "ip_relevant": True, "typical_lifetime": "30 Minuten", "reid_risk": "medium", "technical_necessity": "none", }, } # ─── Pattern-Lookup fuer Cookies mit variablem Suffix ─────────────── _PATTERN_LOOKUPS: list[tuple[str, str]] = [ (r"^_ga_[A-Z0-9_]+$", "_ga_*"), (r"^_gat_gtag_UA_", "_gat_gtag_UA_"), (r"^AMCV_", "AMCV_"), (r"^_uet[a-z]+", "_uet_"), (r"^aws-alb", "aws-alb"), (r"^_pk_id\.", "_pk_id"), (r"^_pk_ses\.", "_pk_ses"), ] def lookup_cookie(name: str) -> CookieKnowledge | None: """Return rich knowledge for a cookie name, or None if unknown.""" import re if not name: return None # Direct hit if name in KB: return KB[name] # Pattern-based for pattern, kb_key in _PATTERN_LOOKUPS: if re.search(pattern, name): return KB.get(kb_key) # Strip common suffixes (.bmw.de, .domain etc.) base = name.split(".", 1)[0] if base != name and base in KB: return KB[base] return None def enrich_vendor_with_knowledge(vendor: dict) -> dict: """Add per-cookie knowledge to each cookie in vendor['cookies'].""" cookies = vendor.get("cookies") or [] enriched = [] for c in cookies: info = lookup_cookie(c.get("name", "")) if info: enriched.append({**c, "knowledge": info}) else: enriched.append(c) return {**vendor, "cookies": enriched} # ─── Hilfen fuer Aggregate-Reports ────────────────────────────────── def summarize_compliance_risk(vendor: dict) -> dict: """Aggregiere Re-ID-Risiko + Drittland-Status ueber alle Cookies eines Vendors.""" cookies = vendor.get("cookies") or [] risk_counts = {"high": 0, "medium": 0, "low": 0} schrems_affected = 0 technical_only = 0 for c in cookies: k = c.get("knowledge") or lookup_cookie(c.get("name", "")) if not k: continue risk = k.get("reid_risk", "low") risk_counts[risk] = risk_counts.get(risk, 0) + 1 if "us" in k.get("vendor_country", "").lower() or "schrems" in k.get("schrems_ii_status", "").lower(): schrems_affected += 1 if k.get("technical_necessity") == "full": technical_only += 1 return { "reid_risk_distribution": risk_counts, "high_risk_cookie_count": risk_counts["high"], "schrems_ii_affected_cookies": schrems_affected, "strictly_necessary_cookies": technical_only, "total_classified": sum(risk_counts.values()), } # ─── TEMPLATE_ENTRY (fuer Kuratierung neuer Cookies) ─────────────── TEMPLATE_ENTRY: CookieKnowledge = { "vendor": "", "vendor_country": "", "exact_purpose": "<1-2 Saetze was der Cookie GENAU tut>", "data_collected": ["", ""], "ip_relevant": False, "ip_anonymized": False, "tcf_purpose_ids": [], # TCF v2.2: 1-11 "iab_vendor_id": None, # Aus https://iabeurope.eu/tcf-vendor-list/ "typical_lifetime": "", "reid_risk": "low", # low | medium | high "technical_necessity": "none", # none | partial | full "schrems_ii_status": "", "eugh_rulings": [], "eu_alternative_cookies": [], "eu_alternative_vendor": "", "notes": "", }