
How Cookies Work, and How to Conduct a Cookie Audit

Written by Matt Davis, CIPM (IAPP) | May 25, 2022

Though cookies play an essential role in website functionality, they’re still a mystery for many people — even for site owners who serve them. Cookies can cause big headaches for organizations that lack clarity on how to use them appropriately, exposing them to penalty fines and PR woes. 

In terms of data privacy, cookies have become an integral part of the conversation. Today, site visitors and app users seek to control which cookies are saved to their devices and how websites use the data stored in those cookies. And it’s up to an organization to meet this demand — in this case, through a cookie policy.

But first…

What's a Cookie?

A cookie is a small text file — sent by visited websites — to your computer through your browser. Its purpose is to extend a website's functionality and create a better user experience, usually through personalization, session management, and tracking. A cookie might save user inputs, shopping carts, login information, or wish lists. It can also be used for advertising and analytics.

A cookie is not a program; it doesn’t perform a function. It’s just text, which means you can open and read cookies using a basic word processor. The two most common types of cookies are first-party cookies and third-party cookies (though the latter might soon be phased out).

A first-party cookie is created by the website you’re currently visiting to save your preferences for that same website. For example, www.acme.com might put a cookie on your computer to save your last shopping cart on their site. 

A third-party cookie is created by a different website than the one you’re visiting. For example, www.acme.com might put ads on its site through www.easyads.com. In this case, www.easyads.com creates a cookie and puts it on your browser even though you never visited their site. www.acme.com passes the cookie to your computer on behalf of www.easyads.com.

How Advertising Uses Cookies

First-party cookies don’t often cause problems because they’re typically used to enhance the user experience. For example, when you visit Home Depot’s website, a cookie remembers your location so the website can offer local prices and promotions.

Most of the cookie controversy actually stems from how marketing and advertising use them. The issue hinges on consent: Is it right to collect data on users and share it with other parties without their permission? The European Union, a few U.S. states, and other significant jurisdictions believe users should be aware of the cookies a website serves and be able to opt in or opt out of using them.

Advertising cookies are almost always third-party cookies. These collect and share user data through networks of websites, often without the user’s consent. These networks aggregate and sync countless data points. In the end, they know more about you than you expect.

Look at it like this: You visit three websites — A, B, and C. On website A, your activity signals that you want to buy running shoes. On website B, you do something that indicates you are likely male (e.g., you browse the men’s shoe section). On website C, you see an ad for men’s running shoes, even though you haven’t given that site any information yet. You wouldn’t expect website C to know this about you, but the cookies saved on your computer from other websites provide it with plenty of information.

Thus, over the last several years, cookie use has become sophisticated, and users have become uncomfortable. Remember the first time you browsed for something on Amazon, only to see an ad for it hours later on Facebook? It’s unsettling — and a clear sign that your web habits aren’t as anonymous as you thought.

Concerns like this boosted the demand for privacy tools like virtual private networks (VPNs) and ad blockers. Most web browsers have tools to clear cookies on a schedule and at will. In 2017, Apple’s Intelligent Tracking Prevention helped spearhead the industry’s response to user concerns about cookies. Seven years later, that response has expanded to the potential removal of third-party cookies altogether.

Cookie Regulations and Privacy Laws

As the data privacy landscape evolves and more jurisdictions address concerns, cookies are almost always included in the narrative.

The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD) are the strongest examples of this. These EU laws treat cookies as “personal data,” making them subject to regulation. Any website that serves EU residents must collect consent from users before serving any non-essential cookies to the user’s device.

According to the Reuters Institute and the University of Oxford, third-party cookie use fell 22% on average immediately after the GDPR’s implementation in May 2018. Nevertheless, many websites still fail to comply with the GDPR due to ignorance or willful refusal.

(Chart source: Reuters Institute)

The EU’s efforts, rolled out in 2018 to protect personal data, have since ignited a global trend that’s changing the data privacy landscape. Other jurisdictions have passed or are working on passing their own data privacy initiatives:

  • The California Consumer Privacy Act (CCPA) — and now the California Privacy Rights Act (CPRA) — gives California residents the right to know what personal information organizations collect about them, as well as the right to prohibit the sale of their information to other parties. (It’s also a big law with other data security measures.)
  • The Brazilian General Data Protection Law (LGPD) is an entirely new legal framework in Brazil protecting personal information. Users must consent to the use of third-party cookies when transferring data.
  • The Vermont Act (No. 171) of Data Broker Regulation requires data brokers — businesses that collect and sell data on individuals they don’t have a relationship with — to register with the state, provide users with an opt-out mechanism, and comply with a list of security requirements.
  • The Stop Hacks and Improve Electronic Data Security (SHIELD) Act defines privacy information, encompassing many of the data points typically stored within cookies.
  • Privacy Act 2020, New Zealand’s data privacy law, was amended six months after its inception to cover a broader range of topics, including new mandatory data breach notification requirements, data subject access requests, compliance notice changes, and more.
  • India and Chile are working on similar data privacy laws.

Conducting a Cookie Audit

Cookies quickly pile up as you add services and features to your website. That live chat box is excellent for customer service, but it also serves its own cookie; the analytics tool you installed does, too. And that simple line of JavaScript your ad broker gave you? That creates several cookies that dozens of services can access.

As you can imagine, it becomes difficult to track all of your site’s cookies. Nevertheless, you’re responsible for lawfully handling the personal data garnered from your visitors, even if third parties create the cookies used to collect that data. And that’s difficult if you’re not aware of all the cookies you serve to visitors.

The solution? Conducting a cookie audit. It’s a simple process that helps you:

  • Understand what you’re gathering from users and whether you’re compliant with data privacy regulations. If you’re not compliant, the audit helps determine how to resolve the issue.
  • Ensure you’re not accidentally serving cookies that have no business purpose.
  • Check whether your cookie policies and other security regulations are compliant. You can also make sure you’re compliant with industry-specific rules.
  • Identify potential data breach threats. Malicious parties might use cookies to steal data in cyberattacks. Protect your cookies with encryption so that their contents are not readable by anyone who intercepts them.
  • Update your privacy policy. Privacy policies are essential for compliance and transparency, but many organizations fail to introduce a cookie policy to cover how their cookies operate.

Conducting a cookie audit involves three steps:

Step 1: Identify the cookies you’re serving.

Your goal is to get a clear picture of your cookie profile. In later steps, you’ll investigate whether those cookies jeopardize your compliance and whether they’re listed in your privacy policy.

To manually check your website for cookies, clear your browser’s cookies, then revisit your site. Afterward, re-check your browser’s cookie store to see which cookies were set. However, this approach has a limitation: not all cookies are set immediately. Some are delayed, and others are set only when a user triggers a specific action. So you may not immediately see all the cookies your website serves.

The other method is conducting a privacy audit with a resource like Osano. Our privacy audit tool can identify the list of cookies passed to visitors from your website.

Step 2: Investigate each cookie.

With your cookie profile in hand, review each cookie to investigate its origin and purpose, especially if you’ve never seen it before. Look for cookies that could pose compliance issues with applicable data privacy laws. Consider the following questions about each cookie:

  • Does it collect data that can be used to identify a person?
  • Is there a clear reason for collecting this information?
  • What is the purpose of the cookie?
  • What is the duration of the cookie?
  • What tools does it rely on to function (e.g., JavaScript, PHP, the Secure and HttpOnly flags)?
  • Can you associate it with a vendor?
  • Does the vendor offer a data processing agreement?
  • What does the vendor do with the information it gleans?

Step 3: Resolve any compliance problems.

Finally, identify any problems with your site’s cookies that could disrupt your data privacy compliance. If your jurisdiction lacks data privacy regulation, you must still comply with the regulations of your users’ jurisdiction(s).

Any compliance issues you have will depend on the nature of each cookie, but top offenders include:

  • Cookies without an expiration date (or unnecessarily long expirations): While most privacy regulations don’t restrict a cookie’s life span, your organization should expire its cookies within a reasonable time period. According to the GDPR, persistent cookies — those that don’t expire when you close a browser — shouldn’t last longer than a year. There’s not much sense in tracking someone who hasn’t accessed your site in months or years.
  • Cookies installed without a user’s consent: Under the GDPR, serving cookies without receiving user consent is a big compliance problem. Users must feel empowered to accept or deny any cookies that are not strictly necessary. Additionally, you should provide detailed information about the data each cookie tracks (and its purpose) before consent is received. Consider using a consent management platform to prevent cookies from serving before a user has consented.
  • Cookies that track users in sensitive site areas: Certain sections or components of your website may involve sensitive user information. For instance, a lot of private information exists behind the login of an online banking portal. If you use third-party cookies here, you may lose control of that sensitive data to vendors (and their vendors).
  • Cookies that don’t comply with your privacy policy: Believe it or not, if you don’t abide by your own privacy policy, you may fail to comply with greater data privacy regulations. Be sure to mention a thorough cookie policy in your overall privacy policy — and that you operate in the same manner as you’ve described. Inform users about the data you collect, why, what you’ll do with it, and how they can delete your cookies from their device.
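To make the three steps concrete, here is an added Python example (not code from the article or from Osano) that audits a constructed capture of Set-Cookie headers: it inventories each cookie (step 1), records its origin, lifetime and Secure/HttpOnly flags and classifies it as first- or third-party against the audited host (step 2), and flags the offenders listed above (step 3). The host names www.acme.com and www.easyads.com and the one-year ceiling come from the article; the captured headers and the audit date are constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_HOST = "www.acme.com"   # audited site; host name from the article's example
ONE_YEAR = 365 * 24 * 3600   # the article's ceiling for a persistent cookie, in seconds
AUDIT_DATE = datetime(2022, 5, 25, tzinfo=timezone.utc)  # fixed reference time for Expires maths

# Constructed capture, not real traffic: (host that sent the response, Set-Cookie header value).
CAPTURE = [
    ("www.acme.com", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.acme.com", "cart=shoes; Max-Age=2592000; Path=/"),
    ("cdn.acme.com", "prefs=dark; Domain=.acme.com; Max-Age=31536000; Secure"),
    ("www.easyads.com", "uid=9f8e7d; Domain=.easyads.com; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
]

def same_site(host, site_host):
    """First-party test: host is the audited site or one of its subdomains."""
    site = site_host.removeprefix("www.")
    return host == site or host.endswith("." + site)

def parse_set_cookie(origin, header, now=AUDIT_DATE):
    """Steps 1 and 2: turn one Set-Cookie header into an audit record with flagged issues."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    # attribute names are case-insensitive; flags like Secure carry no value
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    domain = attrs.get("domain", origin).lstrip(".")
    lifetime = None                                   # None means a session cookie
    if "max-age" in attrs:                            # Max-Age wins over Expires (RFC 6265)
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        lifetime = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    rec = {"name": name, "origin": origin, "domain": domain, "issues": [],
           "party": "first" if same_site(domain, SITE_HOST) else "third",
           "lifetime": lifetime, "secure": "secure" in attrs, "httponly": "httponly" in attrs}
    # Step 3: the article's top offenders, plus the Secure/HttpOnly check from step 2
    if rec["party"] == "third":
        rec["issues"].append("third-party cookie: needs prior consent and a vendor DPA")
    if lifetime is not None and lifetime > ONE_YEAR:
        rec["issues"].append("persistent for more than one year")
    if not (rec["secure"] and rec["httponly"]):
        rec["issues"].append("not marked both Secure and HttpOnly")
    return rec

def audit(capture=CAPTURE, now=AUDIT_DATE):
    return [parse_set_cookie(host, header, now) for host, header in capture]

if __name__ == "__main__":
    for rec in audit():
        print(f"{rec['name']:8} {rec['party']}-party  {rec['domain']:14} {rec['issues'] or 'OK'}")
```

A real audit would feed the script response headers captured by a browser or proxy, including those from third-party requests, which is why the capture keeps the responding host alongside each header.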

Get Instant Compliance

To use cookies appropriately, user consent is necessary. But how do you collect and track the consent of every website user? With a consent management platform like Osano.

Based on the regulations specific to a visitor’s location, Osano automatically displays and enforces the correct consent requirement. It also blocks and unblocks third-party scripts to ensure unsanctioned third parties don't install problematic cookies.

Legal requirements and the public’s knowledge about data privacy are growing daily, but compliance doesn’t have to be a burden. Osano can protect your organization and boost your bottom line: Get compliant now.