The ICO has recommended that all businesses with a web presence audit their cookies in preparation for the e-privacy directive.
We've written a brief guide to get you started on how to tackle a cookie audit.
How to Do a Cookie Audit
When doing your audit there are 3 areas to cover, each with its own method:
|How Cookie is Set||Example||How to Audit|
|Client Side||Google Analytics tag||Using your browser privacy section, or better still a Firefox plugin.|
|Server Side||Shopping Basket, Internal Campaign tracking etc.||Only your web development team will be able to accurately list and identify these by looking at the server-side source code.|
|3rd Party container tags||Tagman, Doubleclick floodlight||Only the parties responsible for the container tags can accurately list and identify these cookies.|
What to Include in your Audit
Below are the key elements you should record as part of your Cookie Audit:
|CookieID||ID of the cookie as it appears in the browser cache|
|Cookie Name||Label of Cookie (something that makes sense for reading)|
|1st/2nd/3rd party||Type of cookie|
|Expiration Date||How long the cookie lasts after it’s set / reset|
|Source Domain||Domain the cookie is associated with|
|Site Coverage||Areas of your website that make use of the cookie|
|Description||Explanation of what the cookie does|
Once you've got this information you'll be in a position to rate each cookie's level of intrusiveness, and demonstrate you are taking the directive seriously.
Cookies that last for just the duration of someone’s visit are called session cookies. When the browser is closed the cookie info is lost.
These are not "tracking cookies" and are used for temporarily storing anything a website might need, usually functional, e.g.:
- Shopping basket
- Form data (e.g. for multi-page forms)
- Any type of login / customer area
Depending on how a site is coded, session cookies might appear as just one cookie (e.g. on a .NET site it might look like "ASP.NET_SessionId"), although this single session might be used for a whole host of purposes.
We recommend you record every use of your session cookies.
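As an added illustration (not part of the original guide), the Python sketch below turns observed Set-Cookie response headers into audit rows with the fields listed above, marking a cookie as a session cookie when it carries neither Max-Age nor Expires. The site domain, hosts and header values are constructed samples, and the 1st/3rd party test is a simplified suffix match, so 2nd party classification, cookie name and description remain manual entries.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE = "example.com"  # assumption: registrable domain of the site being audited

# Constructed sample: (host that answered, page requested, Set-Cookie value)
OBSERVED = [
    ("www.example.com", "/basket", "ASP.NET_SessionId=abc123; Path=/; HttpOnly"),
    ("www.example.com", "/", "campaign_src=email; Domain=.example.com; Max-Age=63072000"),
    ("ads.tracker.example.net", "/", "uid=789; Domain=.tracker.example.net; "
                                     "Expires=Tue, 01 Jan 2030 00:00:00 GMT"),
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie id, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def lifetime(attrs, now):
    """Return 'session' when no Max-Age or Expires is set, else whole days from now."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return f"{int(attrs['max-age']) // 86400} days"
    if "expires" in attrs:
        return f"{(parsedate_to_datetime(attrs['expires']) - now).days} days"
    return "session"

def audit(observed, site, now):
    """Build one audit row per observed cookie; name and description stay manual."""
    rows = []
    for host, page, header in observed:
        cookie_id, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", host).lstrip(".")
        # Simplified party test: suffix match on the site domain, no Public Suffix List
        first_party = domain == site or domain.endswith("." + site)
        rows.append({"cookie_id": cookie_id, "party": "1st" if first_party else "3rd",
                     "expiration": lifetime(attrs, now), "source_domain": domain,
                     "site_coverage": page, "cookie_name": "", "description": ""})
    return rows

if __name__ == "__main__":
    for row in audit(OBSERVED, SITE, datetime(2025, 1, 1, tzinfo=timezone.utc)):
        print(row)
```

Server-side cookies still need the development team to confirm what each one is used for; the script only records what the responses reveal.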
Tracking Pixels / Web Beacons / Web Bugs.
These are all labels for essentially the same thing - a 1x1 tracking pixel called from a 3rd party server.
They are most commonly used for tracking email impressions and 3rd party publisher tracking.
The technology behind tracking pixels is complicated and it’s not always the case that a tracking pixel will lead to a cookie drop, but more often than not pixels & cookies come hand in hand.
We recommend you treat tracking pixels as though they were cookies in your audit.
GA tags actually make use of 4/5 cookies - you can read about what they do here: http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html. You'll need to log each cookie separately.
Although the future of how UK businesses will technically implement the e-privacy directive remains unclear, by doing a full cookie audit you will be able to demonstrate to the ICO that you are taking the first steps towards complying with the directive.