On February 4, 2021, the French Data Protection Authority (CNIL) announced that it had contacted private and public organizations to remind them of its updated rules on cookies and to encourage them to audit the cookies on their websites and apps so as to comply by March 31, 2021. Such an audit also helps an organization understand how its own cookies work.
The CNIL published its updated guidelines and recommendations on October 1, 2020, and gave organizations a transition period of six months to comply with the new rules. The law came into force on April 1, 2021.
Read what constitutes the CNIL’s updated guidelines and recommendations on cookies here.
Cookies fall under data privacy regulation because some of them collect visitors’ personal data and share it with third parties. The CNIL observed that many websites still do not comply with the regulatory norms for cookies.
This post covers why a cookie audit matters and how to perform one on your website.
What are cookies and how do they work?
A cookie is a small text record that a website generates and stores on the user’s device through the web browser. It is mainly used to remember user information and to track the user’s browsing activity; broadly speaking, cookies improve the browsing experience and help the website function.
When you visit a website, the browser sends a request to the site’s server for the page. The server generates a unique ID or value and sends it back in a cookie along with the page, and the browser stores the cookie locally on the user’s device.
On later visits, the browser sends the stored cookie with its request; the server reads the unique ID, looks up the associated user information, and returns the relevant data.
A cookie comprises three parts: a name, a value, and attributes.
A website or a third-party server identifies a cookie by its name. The value is a random alphanumeric string generated by the server to recognize users when they revisit the website or to track them across websites. The attributes hold metadata about the cookie, such as its expiration date, domain, path, and flags.
You can see these parts for any cookie on a website with your browser’s developer tools (Inspect Element).
Cookies are classified in several ways depending on factors such as their source, duration, and necessity/purpose. Here are the most common types of cookies:
First-party cookies and third-party cookies
First-party cookies are set by the website that the user is visiting. They are used to improve the browsing experience and for authentication. For example, when a user logs in to a website, the server creates a first-party cookie carrying a unique ID that records the login. When the user returns later, the server recognizes them from that ID, so they do not need to log in again.
Third-party cookies are set by a domain other than the website the user is visiting. They are mostly used for advertising, analytics, or cross-site tracking. The third parties either have their own purposes or an agreement with the first party (the website) to set these cookies. Such an agreement usually takes the form of a third-party service that the website embeds; Google Analytics, for example, is a popular tool for measuring website traffic. If you use Analytics, it sets and reads cookies on your users’ devices via your website in order to collect the data for your site’s analytics report.
An example of third-party cookies used for personalized advertising is the cross-site tracking done by e-commerce websites. When users visit an online store and search for products, the site’s server places cookies that record their browsing activity. When they later visit other, unrelated websites, the online store’s server recognizes them and displays ads for the products they searched for. This is why third-party cookies are often called tracking (or tracker) cookies, and why many data privacy regulations restrict their use without a lawful purpose.
Did you know that Google Chrome will completely phase out third-party cookies by 2022? Read about it here.
Necessary and non-necessary cookies
Necessary or essential cookies are required for a website to function or to provide a service that the user has explicitly requested. Disabling them may break part or all of the site’s primary functionality. Take an e-commerce website again: when users add items to their shopping cart, they expect the items to still be there after they log out or leave the site. The store sets a cookie that assigns each user an ID so that it can recognize them on their return and restore the cart.
Non-necessary or non-essential cookies support additional website services that users may not have requested. Without them the website still works and offers its primary services. For example, social media plugins embedded on some websites use non-essential cookies to let logged-in users share the site’s content on the social platform; these cookies contribute nothing to the website’s primary functionality.
What are the criteria for strictly necessary cookies? Find out the answer here.
Session and persistent cookies
Session cookies are short-lived cookies that expire when the user’s session ends. They serve short-lived purposes such as online form submission or remembering information while the user navigates between pages. For example, when you fill in a multi-page online form, the website uses a session cookie to remember what you entered when you proceed to the next page; the cookie expires once you submit the form or close the browser.
Persistent cookies have a longer expiry, which can be years away. They remain on the user’s device until they expire or until the user clears them from the browser. For example, when a user chooses a UI preference, a persistent cookie remembers it and applies it on every revisit.
These classifications are not mutually exclusive: a single cookie can be third-party, non-necessary, and persistent at the same time.
How to conduct a cookie audit?
Conducting a cookie audit is straightforward with the right resources. Here is a three-step procedure for auditing the cookies on your website.
1. Identify the cookies
The first step in auditing your website’s cookies is to identify them: both the cookies set by your own website and those set by third parties.
You can do this in your web browser: open the developer tools and look at the list of cookies stored for the site. (Note: use incognito or private mode so that cookies left over from earlier visits do not muddle the list, and do not enable third-party cookie blocking or Do Not Track, which would prevent some cookies from being set.)
Find out how to manually check for cookies set by your website here.
However, this method is time-consuming, and a cookie that is set only after a delay will not yet appear in the list. The better option is to use a scanning tool to identify the cookies. Online cookie scanners like the CookieYes cookie scanner scan your website for cookies in seconds and generate a detailed report. They are faster, more efficient, and free!
2. Understand the cookies
After identifying the cookies on your website, the next step is to analyze them. You know which cookies your website uses; now you need to understand their details: source (domain), purpose, duration, path, and how each cookie works. Again, you can get most of this information from the browser, but it will not give you the complete picture a full cookie audit requires. As mentioned earlier, online tools such as the CookieYes cookie scanner generate a detailed report after scanning your site, with all the details you need to understand the cookies.
Once you understand the cookies, you know which types your website uses and how they work. If a cookie’s domain differs from your website’s, it is most likely a third-party cookie.
Another important detail to establish is what type of user data these cookies collect. If they collect personally identifiable information, you may need to adopt measures for privacy compliance.
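As an added example (not code from this post or from CookieYes’ scanner), the following Python script applies the "understand the cookies" step to Set-Cookie headers captured during a page load, classifying each cookie by party (from its domain), lifetime (session or persistent) and the security flags it carries; the site, hostnames and header values are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class CookieRecord:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)  # attribute names lower-cased
    party: str = ""      # "first-party" or "third-party"
    lifetime: str = ""   # "session" or "persistent"
    flags: list = field(default_factory=list)       # Secure / HttpOnly / SameSite present

def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, attrs); the first token is name=value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # RFC 6265: names are case-insensitive; bare flags map to ""
    return name.strip(), value, attrs

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); a real audit would consult the Public Suffix List."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])

def classify(site_url: str, response_url: str, header: str) -> CookieRecord:
    """Classify one cookie as the audit does: party, lifetime and security flags."""
    name, value, attrs = parse_set_cookie(header)
    rec = CookieRecord(name, value, attrs)
    # Party: the cookie's Domain (or, absent that, the responding host) versus the visited site.
    cookie_host = attrs.get("domain") or urlsplit(response_url).hostname
    same = registrable_domain(cookie_host) == registrable_domain(urlsplit(site_url).hostname)
    rec.party = "first-party" if same else "third-party"
    # Lifetime: without Expires or Max-Age the browser discards the cookie with the session.
    rec.lifetime = "persistent" if attrs.keys() & {"expires", "max-age"} else "session"
    rec.flags = [f for f in ("secure", "httponly", "samesite") if f in attrs]
    return rec

def audit(site_url: str, responses):
    # responses: (response URL, Set-Cookie header) pairs captured during one page load
    return [classify(site_url, url, hdr) for url, hdr in responses]

# Constructed sample (made-up hostnames and values): a visit to shop.example receiving two first-party cookies and one third-party analytics cookie.
SITE = "https://shop.example/cart"
SAMPLE_RESPONSES = [
    ("https://shop.example/cart", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://shop.example/cart", "cart=item42; Max-Age=2592000; Path=/"),
    ("https://analytics.tracker.example/collect", "_trk=9f8e7d; Domain=.tracker.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
]
```

Running `audit(SITE, SAMPLE_RESPONSES)` shows the pattern an auditor looks for: the `_trk` cookie is persistent and third-party, while the first-party `cart` identifier is set without Secure or HttpOnly.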
3. Be cookie compliant
After you have identified the types of cookies, check whether your website complies with the privacy regulations that govern them.
Privacy regulations like the GDPR and CCPA apply worldwide: their strict standards cover any website receiving traffic from the EU or from the US (California), wherever the site itself is based.
If your website has not taken the following measures, you may be non-compliant, which is a punishable offense.
- Inform users about the cookies on your website, and their details, in clear and plain language.
- Obtain user consent before storing non-essential cookies on their device.
- Allow users to opt out of non-essential cookies and tell them how.
- Make opting out as easy and clear as opting in.
- Let users selectively opt in to each cookie type.
- Let users easily withdraw consent at any time and inform them that they can.
- Keep proof of the cookie consent registered by users.
CookieYes for cookie compliance
Now that you know where your website stands on cookie compliance, it’s time to act on it. If you do not meet the privacy requirements, the best way to get started is to identify and use the right tools: a tool that offers everything a website needs to be compliant and is compliant itself.
We have already seen how the CookieYes cookie checker scans your website for cookies quickly and easily and helps you understand their properties. The next tool, which covers the cookie audit and the steps that follow it, is CookieYes itself.
CookieYes is a cookie consent management platform (CMP) that helps you obtain user consent and block third-party cookie scripts until consent is given. You can add a fully customizable cookie banner to your site and decide its design and content. You can let users selectively opt in to cookie categories, which CookieYes assigns based on its in-app cookie scan and a check against its own cookie database.
CookieYes auto-blocks third-party cookie scripts set by services like Google Analytics, YouTube, Hotjar, and Facebook Pixel. You can also assign other cookie scripts to categories so that the website blocks them until it has user consent.
The users can easily withdraw the consent if you enable the consent revisit button.
You can enable a geo-targeted cookie banner for the GDPR or CCPA so that only users in places where those laws apply see the banner. It can also auto-translate the banner into 28 languages.
Keeping proof of user consent is easy with CookieYes. When enabled, it logs each consent received along with the relevant details, so that you can demonstrate proof if and when required.
Demonstrating proof of cookie consent is easy with CookieYes. Find out how.
You can manage multiple websites from one account, and CookieYes supports major CMSs such as WordPress, Magento, Shopify, Wix, Weebly, MODX, Drupal, Squarespace, and Joomla. Installation is simple, and the app is easy to navigate.
To understand how CookieYes’ cookies banners work, click here.
The features do not end here. It is a complete cookie compliance solution for your website.