How Cookies Work and How to Conduct a Cookie Audit

  • by Noah Ramirez, JD / CIPP
  • last updated October 5, 2020

Cookies play a significant role in the way websites and online services function. But cookies are a mystery for many people, even for site owners who serve them. This lack of clarity causes many organizations to serve cookies inappropriately, which exposes them to the risk of financial penalties and public relations headaches. 

As the data privacy landscape evolves, cookies have become a big part of the global conversation. Users want to control which cookies are saved to their computers and how websites and their vendors use the data stored in those cookies. 

In this article, we explain cookies and break down their role in data collection and sharing. We also explain how to conduct a cookie audit that checks your compliance. 

What is a Cookie?

A cookie is a small text file that websites pass to your computer through your web browser. Its purpose is to extend the website's functionality and create a better user experience, usually through personalization, session management, and tracking. A cookie might save user inputs, shopping carts, login information, or wish lists. It can also be used for advertising and analytics. 

A cookie is not a program. It doesn’t perform a function. It’s just text. You can open and read cookies with a basic word processor. The two most common types of cookies are first-party cookies and third-party cookies.

A first-party cookie is created by the website you’re currently visiting to save your preferences for that same website. For example, www.acme.com might put a cookie on your computer to save your last shopping cart on their site. 

A third-party cookie is created by a different website than the one you’re visiting. For example, www.acme.com might put ads on its site through www.easyads.com. When the page on www.acme.com loads that ad, your browser makes a request to www.easyads.com, and www.easyads.com uses that request to set its own cookie in your browser even though you never visited its site directly. In effect, www.acme.com passes the cookie to your computer on behalf of www.easyads.com.

Cookies and Advertising

Few people have problems with first-party cookies because they’re typically used to enhance the user experience. When you visit Home Depot’s website, for instance, a cookie remembers your location so the website can offer local prices and promotions. 

Most of the controversy regarding cookies relates to their use in marketing and advertising. The issue hinges on consent. Is it right to collect data on users and share it with other parties without their permission? The European Union, a few U.S. states, and other major jurisdictions believe that users should be aware of the cookies a website serves and have the opportunity to opt out of them. 

Advertising cookies are almost always third-party cookies. They collect and share user data through networks of websites, often without the user’s consent. These networks aggregate and sync countless data points. In the end, they know more about you than you expect.

Look at it like this: You visit three websites - A, B, and C. On website A, you take some action that signals you want to buy running shoes. On website B, you do something that indicates you are a man (maybe you browse the men’s section). On website C, you see an ad for men’s running shoes, even though you haven’t given that site any information yet. You wouldn’t expect Website C to know anything about you, but the cookies saved on your computer from other websites provide it with plenty of information.

As cookie use became more sophisticated, users became less comfortable. The first time you browse for a product on Amazon and then see an ad for it on Facebook is unsettling. It’s a clear sign that your Internet habits aren’t as anonymous as you thought.

This concern boosted the demand for privacy tools like VPNs and ad blockers. Most web browsers have tools to clear cookies on a schedule and at will. Apple’s Intelligent Tracking Prevention is an example of the industry’s response to user concerns about cookies. 

Cookie Regulation

As the data privacy landscape evolves and more jurisdictions address privacy concerns, cookies are almost always included in some way. 

The General Data Protection Regulation (GDPR) and ePrivacy Directive are the strongest examples of this. These EU laws treat cookies as “personal data,” which makes them subject to regulation. Any website that serves EU residents must collect consent from users before serving any non-essential cookies to the user’s device. 

According to the Reuters Institute and the University of Oxford, third-party cookie use fell 22% on average immediately after the GDPR’s implementation in May 2018. Nevertheless, many websites still fail to comply with the GDPR due to ignorance or willful refusal. 

[Figure: graph of third-party cookie use. Source: Reuters Institute]

Most importantly, the EU’s efforts to protect personal data ignited a global trend, and that’s changing the data privacy landscape. Other jurisdictions have passed or are working on passing their own data privacy initiatives. 

  • The California Consumer Privacy Act (CCPA) gives California residents the right to know the types of personal information organizations collect about them and the right to prohibit the sale of their personal information to other parties. (It’s a big law with other data security measures as well.)
  • The Brazilian General Data Protection Law (LGPD) is an entirely new legal framework in Brazil to protect personal information. Users must consent to the use of third-party cookies when data is transferred. 
  • The Vermont Act 171 of 2018 Data Broker Regulation requires data brokers (businesses that collect and sell data on individuals they don’t have a relationship with) to register with the state, provide users with an opt-out mechanism, and comply with a list of security requirements. 
  • The Stop Hacks and Improve Electronic Data Security (SHIELD) Act creates a definition for privacy information, encompassing many of the data points typically stored within cookies. 
  • India, Chile, and New Zealand are working on similar data privacy laws. 

Conducting a Cookie Audit

Cookies pile up as you add services and features to your website. That live chat box is great for customer service, but it also serves its own cookie. So does the analytics tool you installed. And that simple line of JavaScript given to you by your ad broker? That serves several cookies that can be accessed by dozens of services. 

As you can imagine, it becomes difficult to track all of your site’s cookies. Nevertheless, you are responsible for lawfully handling the personal data you gather from your site's visitors, even if third parties create the cookies used to collect that data. That’s hard if you aren’t aware of all of the cookies you serve to your visitors. 

The solution is to conduct a cookie audit. This is a simple process that serves several purposes:

  • Understand what you’re gathering from your users and whether you are compliant with data privacy regulations. If you are non-compliant, the audit helps you determine how to resolve your issues.
  • Ensure you are not accidentally serving cookies that have no business purpose.
  • Check compliance with your policies and other security regulations. You can make sure you are compliant with industry-specific rules. For instance, the healthcare and financial sectors have lots of security regulations to comply with. 
  • Identify potential data breach threats. Some cookies may be used by malicious parties to steal data in cyberattacks. You should take steps to protect your cookies, such as serving them over encrypted connections, so they aren’t available to anyone who shouldn’t have them.
  • Update your privacy policy. Privacy policies are essential for compliance and transparency, but many organizations fail to mention cookies in their policy and how those cookies operate. 

Let’s go over the three steps to conduct a cookie audit. 

Step 1: Identify the Cookies You’re Serving

Your first step is to get a clear picture of your cookie profile. In later steps, you’ll investigate whether those cookies jeopardize your compliance and if they are listed in your privacy policy. 

You can check for cookies manually by simply clearing your browser’s cookies and re-visiting your website. Then recheck your cookie list to see what downloaded. There’s a limitation to this approach, however. Not all cookies download immediately. Some are delayed. Others only download when a user triggers a specific action. So you may not see all the cookies your website is serving right away. 

The other method is to use a tool like Osano to scan your site for cookies. A simple scan using our privacy audit tool will show you a list of cookies that are being passed to visitors.

Step 2: Investigate Each Cookie

Once you have a list of your cookie profile, go through each cookie and investigate its origin and purpose, especially if you’ve never seen it before. Look for issues that could make you non-compliant with whichever data privacy laws apply to you. Here are some questions to ask yourself about each one:

  • Does it collect personally identifiable information (data that can be used to identify a person)?
  • Is there a clear reason for collecting this information?
  • What is the purpose of the cookie?
  • What is the duration of the cookie?
  • What tools does it use to function (e.g., JavaScript, PHP, the Secure and HttpOnly flags)?
  • Can you associate it with a vendor?
  • Does the vendor offer a data processing agreement?
  • What does that vendor do with the information it gleans?

Step 3: Resolve Any Compliance Problems

Your final step is to identify any problems with the cookies you’re serving that could break your compliance with data privacy laws. If your jurisdiction lacks data privacy regulation, you still need to comply with the regulations of your users’ local jurisdiction.

Any compliance issues you have will depend on the nature of each cookie, but here are the top offenders:

Cookies without an expiration date (or with unnecessarily long expirations). While most privacy regulations don’t restrict the lifespan of cookies, you’re expected to expire your cookies within a reasonable time period. According to the ePrivacy Directive, persistent cookies (ones that don’t expire when you close your web browser) shouldn’t last longer than a year. After all, there isn’t much sense in tracking someone who hasn’t accessed your website in months or years. 

Cookies installed without the user’s consent. Serving cookies without receiving user consent is a significant compliance problem, especially under the GDPR. Users need to be empowered to accept or deny any cookies that are not strictly necessary. You should provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received. It’s best to use a consent management platform to prevent cookies from serving before the user has given consent. This tool also records all visitor consents, so you can manage requests to withdraw consent and always have a log to protect yourself. 

Cookies that track users in sensitive areas of your site. Certain areas or components of your website may involve sensitive user information. For instance, there’s a lot of private information behind the log-in of an online banking portal. If you use third-party cookies in these areas, you may lose control of that sensitive information to your vendors or their vendors. 

Cookies that don’t comply with your privacy policy. You may fail to comply with data privacy regulations if you don’t abide by your own privacy policy. Ensure your cookies are all mentioned in your policy, and operating as you describe in your privacy policy. You need to inform users about what data you collect, why, what you will do with it, and how they can delete cookies placed by you on their computer.
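To make the three audit steps concrete, here is an added example that is not part of the original article: a small offline helper that parses captured Set-Cookie headers, classifies each cookie as first- or third-party relative to the audited site (the www.acme.com / www.easyads.com distinction from earlier), computes its lifetime, and flags the top offenders listed above (lifetimes over a year, missing Secure/HttpOnly flags, third-party cookies that need consent and a vendor agreement). The site domain, the fixed clock, and the captured headers are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
SITE_DOMAIN = "acme.com"                          # assumed: the site under audit
NOW = datetime(2020, 10, 5, tzinfo=timezone.utc)   # fixed clock so results are reproducible
MAX_PERSISTENT = timedelta(days=365)               # ePrivacy guidance cited in the article

# Constructed sample: (responding host, Set-Cookie header) pairs captured from one page load.
CAPTURED = [
    ("www.acme.com", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.acme.com", "cart=shoes; Max-Age=2592000; Path=/"),
    ("ads.easyads.com", "uid=tracker42; Domain=.easyads.com; "
                        "Expires=Wed, 05 Oct 2022 00:00:00 GMT; Secure; SameSite=None"),
]

def parse_set_cookie(host, header):
    """Split a Set-Cookie header into name, value, effective domain and attributes."""
    name, _, value = header.split(";")[0].strip().partition("=")
    attrs = {}
    for part in header.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip() or True      # flag attributes carry no value
    domain = str(attrs.get("domain", host)).lstrip(".")  # no Domain attr: host-only cookie
    return {"name": name, "value": value, "domain": domain, "attrs": attrs}

def lifetime(attrs):
    if "max-age" in attrs:                            # Max-Age wins over Expires (RFC 6265)
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - NOW
    return None                                       # neither present: session cookie

def is_third_party(domain):
    return domain != SITE_DOMAIN and not domain.endswith("." + SITE_DOMAIN)

def audit(captured=CAPTURED):
    """Return one finding per cookie: name, party, lifetime in days and flags to resolve."""
    findings = []
    for host, header in captured:
        c = parse_set_cookie(host, header)
        ttl = lifetime(c["attrs"])
        party = "third" if is_third_party(c["domain"]) else "first"
        flags = []
        if ttl is not None and ttl > MAX_PERSISTENT:
            flags.append("lifetime-over-1-year")
        flags += ["missing-" + a for a in ("secure", "httponly") if a not in c["attrs"]]
        if party == "third":
            flags.append("third-party: consent required, check vendor DPA")
        findings.append({"name": c["name"], "party": party,
                         "lifetime_days": None if ttl is None else ttl.days, "flags": flags})
    return findings
```

Each finding maps directly onto the Step 2 questions (origin, duration, vendor) and the Step 3 offenders, so the output doubles as a checklist for the privacy policy update.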

Get Instant Compliance

To use cookies appropriately, you need consent before you can load those scripts. But how do you collect and track the consent of every website user? With a consent management platform like Osano. 

Osano automatically displays and enforces the correct consent requirement based on the regulations and guidance specific to each visitor’s location. It also automatically blocks and unblocks third-party scripts to ensure unsanctioned third parties don't install cookies that get you in trouble. 

Legal requirements and the public’s knowledge about data privacy are growing every day. Compliance doesn’t have to be a burden. Use Osano to protect your organization and boost your bottom line. Get compliant now.

About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy, Noah enjoys rock climbing and yoga.