The ICO has recommended that all businesses with a web presence audit their cookies in preperation for the e-privacy directive.

We've written a brief guide to get you started on how to tackle a cookie audit.

How do to a Cookie Audit

When doing your audit there are 3 areas to cover, each with their own method

How Cookie is SetExampleHow to Audit
Client SideGoogle Analytics tagUsing your browser privacy section, or better still a firefox plugin.
Server SideShopping Basket, Internal Campaign tracking etc.Only your web development team will be able to accurately list and identify these by looking at the server-side source code.
3rd Party container tagsTagman, Doubleclick floodlightOnly the parties responsible for the container tags can accurately list and identify these cookies.

What to Include in your Audit

Below are the key elements you should record as part of your Cookie Audit:

CookieIDID of the cookie as it appears in the browser cache
Cookie NameLabel of Cookie (something that makes sense for reading)
1st/2nd/3rd partyType of cookie
Expiration DateHow long the cookie lasts after it’s set / reset
Source DomainDomain the cookie is associated with
Site CoverageAreas of your website that make use of the cookie
DescriptionExplanation of what the cookie does

Once you've got this information you'll be in a position to rate each cookie's level of intrusiveness, and demonstrate you are taking the directive seriously.

Session Cookies

Cookies that last for just the duration of someone’s visit are called session cookies. When the browser is closed the cookie info is lost.

These are not "tracking cookies" and used for temporarily storing anything a website might need, usually functional – e.g.:

– Shopping basket
– Form data (e.g. for multi-page forms)
– Any type of login / customer area

Depending on how a site if coded, session cookies might appear as just one cookie, – e.g. on a .NET site it might look like "ASP.NET_SessionId" – although this single session might be used for a whole host of purposes.

We recommend you record every use of your session cookies.

Tracking Pixels / Web Beacons / Web Bugs.

These are all labels for essentially the same thing – a 1×1 tracking pixel called from a 3rd party server.

They are most commonly used for tracking email impressions and 3rd party publisher tracking.

The technology behind tracking pixels is complicated and it’s not always the case that a tracking pixel will lead to a cookie drop, but more often than not pixels & cookies come hand in hand.

We recommend you treat tracking pixels as though they were cookies in your audit.

Google Analytics

GA tags actually make use of 4/5 cookies – you can read about what they do here: http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html. You'll need to log each cookie seperately.

Although the future of how the UK businesses will technically implement the e-privacy directive remains un-clear, by doing a full cookie audit you will be able to demonstrate to the ICO that you are taking the first steps towards complying with the directive.

About Tim

Tim has effortlessly brought project development in house at equimedia. His 'anything is possible' approach enables us to consistently deliver beyond client expectations.