How to audit cookies for compliance with PECR regulations
A cookie audit proceeds in two phases: a discovery (data gathering) phase and an analysis (and assessment) phase. This is an internal security audit in which you will record who is doing the audit, the date and time of the audit, the information reviewed and the findings from the review. Also provide information about any parties interviewed during the audit.
The discovery phase
In the discovery phase, there are three separate areas of the website to audit, and the audit approach differs for each.
Client-side cookies: The simplest way to audit these is to start by visiting the site using the Firefox browser (as an example). Then select Tools / Page Info / Security / View Cookies. A window will open and list all the cookies installed by the website. These cookies will include session ID and visitor ID cookies.
Server-side cookies: The only way to audit these cookies is to ask your website development team – whether external or internal – to carry out a code review (server-side source code) and provide a list of all the cookies that may be set. These cookies typically deal with tracking products transferred to baskets or campaign tracking.
For each cookie, your audit should obtain the following information:
Host website – The specific URL that is placing the cookie on the browser.
Site coverage – Whether the cookie is used by the whole website or by identified specific areas only.
CookieID – In Firefox, this will be the Cookie Name.
Cookie Common Name – A plain English name you create that identifies the cookie in your audit report.
Responsible party – First party or third party setting the cookie.
Description – A simple description of the cookie’s purpose and action.
Expiration date – This will either be a specific date (for persistent cookies) or the legend "at end of session" (for session cookies).
Data – The data each cookie contains.
User information – The user information the cookie links to, such as username.
The analysis phase
For each cookie, you need to answer the following questions. Be sure to provide a brief description of the factors that led you to each conclusion.
Is this cookie strictly necessary? Determine if the information is necessary rather than important for the correct operation of the website and provision of the specific service requested by the visitor. If it is strictly necessary, you may not need to seek the browser’s explicit permission prior to setting the cookie.
How intrusive is the cookie? Intrusiveness relates to the extent to which the cookie reduces the privacy of the website user. For instance, cookies that help create detailed profiles of user activity are substantially more intrusive than those that simply track page usage. The more intrusive the cookie, the more information you will need to provide about the cookie when obtaining the informed consent of the website user.
If your analysis reveals your cookie tracking is not strictly necessary or is more extensive than allowed by the PECR regulations, now is the time to plan corrective actions. You can remove the cookie, change what it does, or obtain clear, informed consent from website users for the cookie’s use. To complete your analysis phase, record the action you will take in order to bring each cookie into compliance with PECR.
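The following script is an added example, not code from the original article, and it ties the two phases together: it turns captured Set-Cookie headers into the discovery-phase record described above (host, site coverage, cookie ID, responsible party, expiration, data) and then applies the analysis-phase questions (strictly necessary? how intrusive? consent obtained?) to produce the corrective action to record for each cookie. The site name, cookie values and the analysis answers are all constructed sample data, and the first-party/third-party test uses a crude "last two labels" domain rule that a real audit should replace with a public-suffix-list lookup.

```python
"""Cookie audit helper: discovery records from Set-Cookie headers plus the
analysis-phase decision. Added example; hosts, cookies and answers are constructed."""
from dataclasses import dataclass, asdict
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample data: the site under audit, and (page URL that returned the
# response, raw Set-Cookie header) pairs as captured by a proxy or cookie viewer.
AUDITED_SITE = "https://shop.example"
SAMPLE_SET_COOKIE = [
    ("https://shop.example/checkout",
     "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://shop.example/checkout",
     "basket=item42; Path=/checkout; Expires=Wed, 01 Jan 2025 00:00:00 GMT"),
    ("https://ads.tracker-example/pixel",
     "vid=9f8e7d; Domain=.tracker-example; Expires=Fri, 31 Dec 2027 23:59:59 GMT"),
]


@dataclass
class CookieRecord:
    """One row of the discovery-phase audit table (fields from the article)."""
    host: str               # host that placed the cookie
    site_coverage: str      # whole website or a specific path only
    cookie_id: str          # cookie name as the browser shows it
    responsible_party: str  # first party or third party
    expiration: str         # date for persistent cookies, else "at end of session"
    data: str               # value the cookie carries


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def registrable_domain(hostname):
    """Crude last-two-labels rule (assumption); use the public suffix list for real audits."""
    return ".".join(hostname.lower().split(".")[-2:])


def build_record(page_url, header, audited_site=AUDITED_SITE):
    """Discovery phase: derive the audit fields for one cookie."""
    name, value, attrs = parse_set_cookie(header)
    page_host = urlparse(page_url).hostname
    site_host = urlparse(audited_site).hostname
    cookie_domain = attrs.get("domain", page_host).lstrip(".")
    party = ("first party"
             if registrable_domain(cookie_domain) == registrable_domain(site_host)
             else "third party")
    path = attrs.get("path", "/")
    coverage = "whole website" if path == "/" else f"only under {path}"
    if "expires" in attrs:
        expiration = parsedate_to_datetime(attrs["expires"]).date().isoformat()
    elif "max-age" in attrs:
        expiration = f"{attrs['max-age']} seconds after being set"
    else:
        expiration = "at end of session"   # session cookie: no Expires/Max-Age
    return CookieRecord(page_host, coverage, name, party, expiration, value)


def required_action(record, strictly_necessary, intrusiveness, consent_obtained):
    """Analysis phase: strictly necessary -> no consent needed; otherwise consent
    or one of the three corrective options. intrusiveness is 'low' or 'high'."""
    if strictly_necessary:
        return "compliant: strictly necessary, consent not required"
    if consent_obtained:
        if intrusiveness == "high":
            return "compliant with consent: check the notice describes the profiling in detail"
        return "compliant with consent"
    return ("corrective action required: remove the cookie, change what it does, "
            "or obtain clear, informed consent")


def audit(samples, answers):
    """Combine discovery records with analysis answers keyed by cookie name."""
    report = []
    for page_url, header in samples:
        record = build_record(page_url, header)
        necessary, intrusiveness, consent = answers[record.cookie_id]
        row = asdict(record)
        row["action"] = required_action(record, necessary, intrusiveness, consent)
        report.append(row)
    return report


# Constructed analysis answers: (strictly necessary?, intrusiveness, consent obtained?)
SAMPLE_ANSWERS = {
    "sessionid": (True, "low", False),
    "basket": (True, "low", False),
    "vid": (False, "high", False),
}

if __name__ == "__main__":
    for row in audit(SAMPLE_SET_COOKIE, SAMPLE_ANSWERS):
        print(row)
```

In this sample the session and basket cookies come out as strictly necessary first-party cookies, while the third-party visitor ID with a multi-year expiry and no consent is flagged for corrective action; the Cookie Common Name and Description fields from the audit template are left for the auditor to fill in by hand, since they are judgement calls the script cannot make.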