
How to audit cookies for compliance with PECR regulations

If your analysis reveals your cookie tracking is not strictly necessary or is more extensive than allowed by the PECR regulations, now is the time to plan corrective actions.

A cookie audit proceeds in two phases: a discovery (data gathering) phase and an analysis (and assessment) phase. This is an internal security audit in which you will record who is doing the audit, the date and time of the audit, the information reviewed and the findings from the review. Also provide information about any parties interviewed during the audit.

The discovery phase

In the discovery phase, there are three separate areas of the website to audit, and the audit approach differs for each.

Client-side cookies: The simplest way to audit these is to start by visiting the site using the Firefox browser (as an example). Then select Tools / Page Info / Security / View Cookies. A window will open and list all the cookies installed by the website. These cookies will include session ID and visitor ID cookies.

Server-side cookies: The only way to audit these cookies is to ask your website development team, whether external or internal, to carry out a code review (server-side source code) and provide a list of all the cookies that may be set. These cookies typically deal with tracking products transferred to baskets or campaign tracking.

Third-party tags (such as JavaScript tags, container tags and universal tags): These are placed by third parties that have access to browsers on your site. The tags they set in place can only be identified by approaching each third party directly and requiring full information about their tags. For instance, Google Analytics uses tags that make use of a number of cookies. Tracking pixels from third-party servers (sometimes also known as Web Beacons or Web Bugs) are used to track email and similar impressions and may or may not involve placing a cookie on a browser. As you, or your developers, will have installed these cookies in the first place, you should know which third parties to turn to for further information.

For each cookie, your audit should obtain the following information:

Host website – The specific URL that is placing the cookie on the browser.
Site coverage – Whether the cookie is used by the whole website or by identified specific areas only.
CookieID – In Firefox, this will be the Cookie Name.
Cookie Common Name – A plain English name you create that identifies the cookie in your audit report.
Responsible party – First party or third party setting the cookie.
Description – A simple description of the cookie’s purpose and action.
Expiration date – This will either be a specific date (for persistent cookies) or the legend "at end of session" (for session cookies).
Data – The data each cookie contains.
User information – The user information the cookie links to, such as username.
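
The following is an added example, not part of the original article: it turns observed Set-Cookie response headers into inventory rows carrying the fields listed above. The site host, the sample headers and the rule of reading site coverage from the cookie's Path attribute are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SITE_HOST = "www.example.com"  # assumption: the site being audited

# Constructed sample data: (host that sent the response, Set-Cookie value)
OBSERVED = [
    ("www.example.com", "sessionid=ab12cd34; Path=/; HttpOnly"),
    ("www.example.com", "visitor_id=u-58213; Max-Age=31536000; Path=/"),
    ("tracker.example.net",
     "cid=77f0; Expires=Tue, 01 Jan 2030 00:00:00 GMT; Domain=.example.net; Path=/px"),
]

def audit_row(host, header, now, site_host=SITE_HOST):
    """Turn one Set-Cookie header into a row of the audit inventory."""
    first, *attr_parts = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in attr_parts:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # Max-Age overrides Expires; with neither, the cookie is a session cookie.
    if "max-age" in attrs:
        expires = (now + timedelta(seconds=int(attrs["max-age"]))).strftime("%Y-%m-%d")
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"]).strftime("%Y-%m-%d")
    else:
        expires = "at end of session"

    # First party if the cookie's domain is the audited host or a parent of it.
    domain = (attrs.get("domain") or host).lstrip(".").lower()
    first_party = site_host == domain or site_host.endswith("." + domain)
    path = attrs.get("path", "/")
    return {
        "Host website": host,
        "Site coverage": "whole website" if path == "/" else f"paths under {path}",
        "CookieID": name,
        "Cookie Common Name": "",   # filled in by the auditor
        "Responsible party": "first party" if first_party else "third party",
        "Description": "",          # filled in by the auditor
        "Expiration date": expires,
        "Data": value,
        "User information": "",     # filled in by the auditor
    }

def build_inventory(observed=OBSERVED, now=None):
    now = now or datetime.now(timezone.utc)
    return [audit_row(host, header, now) for host, header in observed]
```

The Cookie Common Name, Description and User information columns are left empty because they depend on the auditor's judgement and the developers' answers rather than on the header itself.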

The analysis phase

For each cookie, you need to answer the following questions. Be sure to provide a brief description of the factors that led you to each conclusion.

Is this cookie strictly necessary? Determine if the information is necessary rather than important for the correct operation of the website and provision of the specific service requested by the visitor. If it is strictly necessary, you may not need to seek the browser’s explicit permission prior to setting the cookie.

How intrusive is the cookie? Intrusiveness relates to the extent to which the cookie reduces the privacy of the website user. For instance, cookies that help create detailed profiles of user activity are substantially more intrusive than those that simply track page usage. The more intrusive the cookie, the more information you will need to provide about the cookie when obtaining the informed consent of the website user.

What additional disclosure is required? To what extent does your current privacy policy provide full information about each type of cookie? Consider what your visitor needs to know about each cookie in order for you to comply with PECR.

If your analysis reveals your cookie tracking is not strictly necessary or is more extensive than allowed by the PECR regulations, now is the time to plan corrective actions. You can remove the cookie, change what it does, or obtain clear, informed consent from website users for the cookie’s use. To complete your analysis phase, record the action you will take in order to bring each cookie into compliance with PECR.
