Our blog | equimedia

How to do a Cookie Audit

Written by Tim | 07-Jun-2011 10:55:00

The ICO has recommended that all businesses with a web presence audit their cookies in preparation for the e-privacy directive.

We've written a brief guide to get you started on how to tackle a cookie audit.

How to do a Cookie Audit

When doing your audit there are 3 areas to cover, each with its own method:

| How Cookie is Set | Example | How to Audit |
| --- | --- | --- |
| Client Side | Google Analytics tag | Using your browser privacy section, or better still a Firefox plugin. |
| Server Side | Shopping Basket, Internal Campaign tracking etc. | Only your web development team will be able to accurately list and identify these by looking at the server-side source code. |
| 3rd Party container tags | Tagman, Doubleclick floodlight | Only the parties responsible for the container tags can accurately list and identify these cookies. |

What to Include in your Audit

Below are the key elements you should record as part of your Cookie Audit:

- CookieID: ID of the cookie as it appears in the browser cache
- Cookie Name: Label of Cookie (something that makes sense for reading)
- 1st/2nd/3rd party: Type of cookie
- Expiration Date: How long the cookie lasts after it’s set / reset
- Source Domain: Domain the cookie is associated with
- Site Coverage: Areas of your website that make use of the cookie
- Description: Explanation of what the cookie does

Once you've got this information you'll be in a position to rate each cookie's level of intrusiveness, and demonstrate you are taking the directive seriously.

Session Cookies

Cookies that last for just the duration of someone’s visit are called session cookies. When the browser is closed the cookie info is lost.

These are not "tracking cookies"; they are used for temporarily storing anything a website might need, usually functional, e.g.:

- Shopping basket
- Form data (e.g. for multi-page forms)
- Any type of login / customer area

Depending on how a site is coded, session cookies might appear as just one cookie (e.g. on a .NET site it might look like "ASP.NET_SessionId"), although this single session might be used for a whole host of purposes.

We recommend you record every use of your session cookies.

Tracking Pixels / Web Beacons / Web Bugs

These are all labels for essentially the same thing - a 1x1 tracking pixel called from a 3rd party server.

They are most commonly used for tracking email impressions and 3rd party publisher tracking.

The technology behind tracking pixels is complicated and it’s not always the case that a tracking pixel will lead to a cookie drop, but more often than not pixels & cookies come hand in hand.

We recommend you treat tracking pixels as though they were cookies in your audit.
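As an added illustration (not part of the original post), the sketch below turns captured `Set-Cookie` response headers into the audit fields listed above, marks cookies with no expiry as session cookies, and flags a cookie dropped by a pixel on another domain as 3rd party. The domains `shop.example` and `tracker.example`, the header values and the audit date are constructed; party is decided by a simple suffix match against the audited site (an assumption, with 2nd party left for manual review), and the Cookie Name and Description columns still have to be filled in by hand.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

SITE_DOMAIN = "shop.example"  # assumption: the site being audited
OBSERVED = [  # constructed: (page visited, response URL, Set-Cookie value)
    ("https://www.shop.example/basket", "https://www.shop.example/basket",
     "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
    ("https://www.shop.example/checkout", "https://www.shop.example/checkout",
     "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
    ("https://www.shop.example/", "https://pixel.tracker.example/1x1.gif",
     "uid=f00; Domain=.tracker.example; Max-Age=63072000; Path=/"),
    ("https://www.shop.example/", "https://www.shop.example/",
     "campaign=summer; Expires=Wed, 07 Jun 2023 10:55:00 GMT; Path=/"),
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return first.split("=", 1)[0], attrs

def lifetime(attrs, now):
    """Return 'session', or the lifetime in whole days (Max-Age beats Expires)."""
    if "max-age" in attrs:
        return f"{int(attrs['max-age']) // 86400} days"
    if "expires" in attrs:
        return f"{(parsedate_to_datetime(attrs['expires']) - now).days} days"
    return "session"  # no Expires/Max-Age: lost when the browser closes

def build_audit(observations, now):
    """One audit row per (cookie, source domain), collecting site coverage."""
    rows = {}
    for page_url, response_url, header in observations:
        name, attrs = parse_set_cookie(header)
        # With no Domain attribute the cookie belongs to the responding host.
        domain = (attrs.get("domain") or urlsplit(response_url).hostname).lstrip(".")
        first = domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN)
        row = rows.setdefault((name, domain), {
            "cookie_id": name, "party": "1st" if first else "3rd",
            "expiration": lifetime(attrs, now), "source_domain": domain,
            "site_coverage": set()})
        row["site_coverage"].add(urlsplit(page_url).path)
    return rows

if __name__ == "__main__":
    audit_date = datetime(2023, 6, 1, 10, 55, tzinfo=timezone.utc)  # constructed
    for row in build_audit(OBSERVED, audit_date).values():
        print(row)
```

Because rows are keyed by cookie and source domain, the single `ASP.NET_SessionId` entry accumulates every page that sets it, which gives the "record every use" list for session cookies.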

Google Analytics

GA tags actually make use of 4/5 cookies - you can read about what they do here: http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html. You'll need to log each cookie separately.

Although it remains unclear how UK businesses will technically implement the e-privacy directive, by doing a full cookie audit you will be able to demonstrate to the ICO that you are taking the first steps towards complying with the directive.