How to audit cookies for compliance with PECR regulations

Concerned about the PECR regulations for website tracking cookies? Learn how to audit cookies on your site to find out if you are in compliance.

The Privacy and Electronic Communications Regulations (PECR) governing the use of electronic cookies, announced in 2011, will be enforced in May 2012. In advance of that date, organisations are expected to take appropriate steps to be compliant.

A cookie is a small file of letters and numbers that websites place on their visitors’ computers, and despite its small size, it can reveal a lot of information website visitors may not be eager to share. The Information Commissioner’s Office (ICO) provides specific guidance on PECR compliance and recommends a cookie audit as the first step. This article will explain how to audit cookies on your organisation’s website.

There are two types of cookies: session and persistent. Session cookies expire after a browser session and are not stored long-term. Persistent (tracking) cookies are stored between browser sessions and are used, for instance, to remember user preferences or to target advertising in a later session. Cookies may be set by the site operator (first-party cookies) or by a third party operating through that website. Both types of cookies need to be identified during the cookie audit.

A cookie audit proceeds in two phases: a discovery (data gathering) phase and an analysis (and assessment) phase. This is an internal security audit in which you will record who is doing the audit, the date and time of the audit, the information reviewed and the findings from the review. Also provide information about any parties interviewed during the audit.

The discovery phase
In the discovery phase, there are three separate areas of the website to audit, and the audit approach differs for each.

  • Client-side cookies: The simplest way to audit these is to start by visiting the site using the Firefox browser. Then select Tools / Page Info / Security / View Cookies. A window will open and list all the cookies set by the website. These cookies will include session ID and visitor ID cookies.
  • Server-side cookies: The only way to audit these cookies is to ask your website development team – whether external or internal – to carry out a review of the server-side source code and provide a list of all the cookies it may set. These cookies typically deal with tracking products added to baskets or with campaign tracking.
  • Third-party tags (such as JavaScript tags, container tags and universal tags): These are placed by third parties whose code you have embedded in your pages, so it runs in your visitors’ browsers when they use your site. The cookies these tags set can only be identified by approaching each third party directly and requiring full information about their tags. For instance, Google Analytics uses tags that make use of a number of cookies. Tracking pixels served from third-party servers (sometimes also known as Web Beacons or Web Bugs) are used to track email and similar impressions and may or may not involve placing a cookie on a browser. As you, or your developers, will have installed these tags in the first place, you should know which third parties to turn to for further information.

For each cookie, your audit should obtain the following information:

  • Host website – The specific URL that is placing the cookie on the browser.
  • Site coverage – Whether the cookie is used by the whole website or by identified specific areas only.
  • CookieID – In Firefox, this will be the Cookie Name.
  • Cookie Common Name – A plain English name you create that identifies the cookie in your audit report.
  • Responsible party – First party or third party setting the cookie.
  • Description – A simple description of the cookie’s purpose and action.
  • Expiration date – This will either be a specific date (for persistent cookies) or the legend “at end of session” (for session cookies).
  • Data – The data each cookie contains.
  • User information – The user information the cookie links to, such as username.
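Most of the discovery fields above can be filled in mechanically from the Set-Cookie headers a site returns, leaving the auditor to supply the common name, description and user-information columns by hand. The following Python script is an added example, not code from the article or from IT Governance; it parses a constructed capture of Set-Cookie headers (invented hosts, names and values) with the standard library, classifies each cookie as session or persistent and as first or third party, resolves Max-Age/Expires against a fixed audit time, and emits the inventory as CSV in the column layout the list above describes. The first-/third-party test is a deliberate simplification that compares hostnames only; a production audit should use the Public Suffix List.

```python
"""Build a PECR cookie inventory from captured Set-Cookie headers (added example)."""
import csv
import io
from dataclasses import asdict, dataclass, fields
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample capture: (page URL requested, host that answered, Set-Cookie header).
# Every host, cookie name and value here is invented for this example.
SAMPLE_CAPTURE = [
    ("https://shop.example.co.uk/checkout", "shop.example.co.uk",
     "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("https://shop.example.co.uk/checkout", "shop.example.co.uk",
     "basket=item42%2Citem7; Path=/; Expires=Thu, 31 Dec 2099 00:00:00 GMT; Secure"),
    ("https://shop.example.co.uk/checkout", "analytics.example-tracker.net",
     "_vid=9f8e7d; Domain=.example-tracker.net; Path=/; Max-Age=63072000; SameSite=None; Secure"),
    ("https://shop.example.co.uk/", "shop.example.co.uk",
     "lang=en-GB; Path=/; Max-Age=2592000"),
]

# Fixed "date and time of the audit" so that Max-Age arithmetic is reproducible (constructed).
AUDIT_TIME = datetime(2012, 3, 1, tzinfo=timezone.utc)


@dataclass
class CookieRecord:
    """One row of the audit inventory; the last three columns are for the auditor to fill in."""
    host_website: str        # host that placed the cookie
    site_coverage: str       # whole site or a specific path
    cookie_id: str           # Cookie Name as the browser shows it
    responsible_party: str   # "first party" or "third party"
    cookie_type: str         # "session" or "persistent"
    expiration: str          # ISO date, or "at end of session"
    data: str                # value the cookie carries
    secure: bool             # Secure flag present
    http_only: bool          # HttpOnly flag present
    common_name: str = ""
    description: str = ""
    user_information: str = ""


def is_same_party(page_host: str, cookie_domain: str) -> bool:
    """First party when the cookie domain is the page host or a parent/child of it.
    Simplification (assumption): no Public Suffix List, so unrelated *.co.uk sites
    would wrongly look related; use a PSL library for a real audit."""
    page_host = page_host.lower().lstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    return (page_host == cookie_domain
            or page_host.endswith("." + cookie_domain)
            or cookie_domain.endswith("." + page_host))


def expiry_of(morsel, observed_at: datetime):
    """Return (cookie_type, expiration). Max-Age wins over Expires when both are set."""
    if morsel["max-age"]:
        when = observed_at + timedelta(seconds=int(morsel["max-age"]))
        return "persistent", when.date().isoformat()
    if morsel["expires"]:
        return "persistent", parsedate_to_datetime(morsel["expires"]).date().isoformat()
    return "session", "at end of session"


def inventory(capture, observed_at: datetime = AUDIT_TIME):
    """Turn (page_url, setting_host, set_cookie_header) triples into CookieRecords."""
    records = []
    for page_url, setting_host, header in capture:
        jar = SimpleCookie()
        jar.load(header)  # one header per jar, so equal names from different hosts never collide
        page_host = urlsplit(page_url).hostname
        for name, morsel in jar.items():
            domain = morsel["domain"] or setting_host
            cookie_type, expiration = expiry_of(morsel, observed_at)
            path = morsel["path"]
            records.append(CookieRecord(
                host_website=setting_host,
                site_coverage="whole site" if path in ("", "/") else f"path {path}",
                cookie_id=name,
                responsible_party="first party" if is_same_party(page_host, domain) else "third party",
                cookie_type=cookie_type,
                expiration=expiration,
                data=morsel.value,
                secure=bool(morsel["secure"]),
                http_only=bool(morsel["httponly"]),
            ))
    return records


def summarise(records):
    """Count cookies by (responsible party, cookie type) for the audit findings."""
    counts = {}
    for r in records:
        key = (r.responsible_party, r.cookie_type)
        counts[key] = counts.get(key, 0) + 1
    return counts


def to_csv(records) -> str:
    """Render the inventory as CSV with one column per audit field."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(CookieRecord)])
    writer.writeheader()
    for r in records:
        writer.writerow(asdict(r))
    return buf.getvalue()


if __name__ == "__main__":
    recs = inventory(SAMPLE_CAPTURE)
    print(to_csv(recs))
    print(summarise(recs))
```

To use it on a real site, replace SAMPLE_CAPTURE with triples taken from a browser's network log or a proxy capture; the headers of every response, including those from third-party hosts, need to be collected, because the third-party column depends on knowing which host answered. Cookies set from JavaScript (document.cookie) do not appear in Set-Cookie headers and still have to be read from the browser's cookie viewer as described above.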

The analysis phase
For each cookie, you need to answer the following questions. Be sure to provide a brief description of the factors that led you to each conclusion.

  1. Is this cookie strictly necessary? Determine whether the cookie is genuinely necessary, rather than merely useful, for the correct operation of the website and the provision of the specific service requested by the visitor. If it is strictly necessary, you may not need to seek the browser’s explicit permission prior to setting the cookie.
  2. How intrusive is the cookie? Intrusiveness relates to the extent to which the cookie reduces the privacy of the website user. For instance, cookies that help create detailed profiles of user activity are substantially more intrusive than those that simply track page usage. The more intrusive the cookie, the more information you will need to provide about the cookie when obtaining the informed consent of the website user.
  3. What additional disclosure is required? To what extent does your current privacy policy provide full information about each type of cookie? Consider what your visitor needs to know about each cookie in order for you to comply with PECR.

If your analysis reveals your cookie tracking is not strictly necessary or is more extensive than allowed by the PECR regulations, now is the time to plan corrective actions. You can remove the cookie, change what it does, or obtain clear, informed consent from website users for the cookie’s use. To complete your analysis phase, record the action you will take in order to bring each cookie into compliance with PECR.

About the author:
Alan Calder is a leading author on information security and IT governance issues. He is also chief executive of IT Governance Limited, the one-stop-shop for books, tools, information and advice on governance, risk management and compliance in the UK. Alan was previously CEO of Wide Learning, a supplier of e-learning; of Focus Central London, a training and enterprise council; and of Business Link London City Partners, a government agency focused on helping growing businesses to develop. He was a member of the Information Age Competitiveness Working Group of the UK Government's Department for Trade & Industry, and is a member of the DNV Certification Services Certification Committee, which certifies compliance with international standards including ISO27001.
