
NoNonsenseCookies.info

Friday 19th October 2018

What is a Cookie Audit?

Despite the grand title (bandied about mostly by those companies that want you to use their services), this is just a record of which cookies your website uses and how it uses them. See the example below.

How you gather this information depends on the size and complexity of your website. For most small business websites this should be a relatively simple task that could be undertaken by the website owner. If you don't have the time or the expertise to do this yourself, you could ask your web developers to do it for you.

Alternatively, there are a number of third-party companies offering this as a service (surprise, surprise). Starting prices range from £200 - £1,500 depending on where you look and the size of your website. There are also a number of online auditing tools available (some are even free).

Sample Cookie Audit

Here is an example of how an audit would look for this website:

| Name | Expires | Ownership | Domain | Purpose | Coverage | Category |
|---|---|---|---|---|---|---|
| CookieCompliance | 30 days from visit | 1st Party | www.nononsensecookies.info | To allow/disallow cookies in line with current legislation | All pages | Functional |
| __utma | 2 years from visit | 1st Party | www.nononsensecookies.info | Google Analytics | All pages | Performance |
| __utmb | 30 minutes from visit | 1st Party | www.nononsensecookies.info | Google Analytics | All pages | Performance |
| __utmc | At end of session | 1st Party | www.nononsensecookies.info | Google Analytics | All pages | Performance |
| __utmz | 6 months from visit | 1st Party | www.nononsensecookies.info | Google Analytics | All pages | Performance |
| c_usr | At end of session | 3rd Party | .facebook.com | Facebook 'Like' button | All pages | Targeting |
| datr | 2 years from visit | 3rd Party | .facebook.com | Facebook 'Like' button | All pages | Targeting |
| fr | 1 month from visit | 3rd Party | .facebook.com | Facebook 'Like' button | All pages | Targeting |
| lu | 2 years from visit | 3rd Party | .facebook.com | Facebook 'Like' button | All pages | Targeting |
| s | At end of session | 3rd Party (encrypted) | .facebook.com | Facebook 'Like' button | All pages | Targeting |
| xs | At end of session | 3rd Party | .facebook.com | Facebook 'Like' button | All pages | Targeting |
| locale | 7 days from visit | 3rd Party | .facebook.com | Facebook 'Like' button | All pages | Targeting |
| VISITOR_INFO1_LIVE | 240 days from visit (approx) | 3rd Party | .youtube.com | Embedded YouTube video | what-are-cookies.htm | Targeting |
| PREF | 10 years from visit (approx) | 3rd Party | .youtube.com | Embedded YouTube video | what-are-cookies.htm | Targeting |
| use_hitbox | At end of session | 3rd Party | .youtube.com | Embedded YouTube video | what-are-cookies.htm | Targeting |
| clickcheck | Never | 1st Party | www.nononsensecookies.info | HTML5 Web Storage check | web-storage.htm | Functionality |
| zombieData | Never | 1st Party | www.nononsensecookies.info | Flash Local Shared Object demonstration | flash-cookies.htm | Functionality |

The audit might look quite long and complicated, but it is actually pretty simple as we only have four groups of cookies: Compliance, Google Analytics, Facebook Like, and Embedded YouTube media. Don't worry if you don't understand all of the entries at the moment; we will explain them as we go along.

How did we get this information?
As mentioned above, there are several options available, and which one suits your website best really depends on you. Here is a brief outline of how to do a manual audit for yourself:

Please note: it is best to use a different browser (or even a different PC) from the one you use on a daily basis, as this technique involves removing all existing cookies before auditing your website.

Here we used Firefox 13.0 as we felt it was the browser best suited to the task. If you prefer to use one of the other major browsers, please see the cookie management info in our Can I control Cookies? section.

  1. Make sure that cookies are enabled!
  2. Open the browser and clear all existing cookies (Tools > Options > Privacy > Show Cookies > Remove All Cookies)
  3. Close the Privacy and Options windows, then navigate to your website home page.
  4. Visit EVERY page on your website, and make sure that you interact with each page as fully as possible, including:
    • Fill in any dynamic forms you may have
    • Log in to any members area if you have one, including Content Management Systems
    • Interact with any embedded Flash, YouTube, Google Maps, or similar media content if you have it
    • Click on any Social Media buttons, such as Facebook Like, Google+, etc.
    • If your website offers registration of any kind, fill this in as a new visitor would
    • If you offer personalisation such as color schemes, location tracking, accessibility tools, etc., use them all
    • If you have a shopping cart or online ordering, use it to its fullest extent
  5. Go to Tools > Options > Privacy > Show Cookies
  6. Click on each cookie in turn (you will need to open the folder for each domain to see the individual cookies)
  7. Make a note of the following for each cookie:
    • Name
    • Domain (relevant for 3rd party cookies)
    • Path (relevant for sub-directories or sub-domains)
    • Send for (relevant for secure cookies via https, etc.)
    • Expires
  8. Include a brief description (purpose) for each cookie
  9. Indicate which pages of your website (coverage) make use of the cookie
  10. Assign a category to each cookie *

* The International Chamber of Commerce (ICC) has defined these categories as follows:

  1. Strictly Necessary
    These cookies are absolutely essential to the workings of your website, such as remembering items added to a shopping cart, logging in to a members' area or Content Management System.
  2. Performance
    These cookies collect (anonymous) information about visitors to your website to enable analysis of traffic and provide improved website content, e.g. Google Analytics.
  3. Functionality
    These cookies remember a visitor's previous choices such as language or location preferences, personalised layout or user name.
  4. Targeting and Advertising
    These cookies are used to track browsing habits to serve up targeted advertising, etc. They are usually third party cookies.

This fourth category is the most contentious, most intrusive regarding privacy issues, and the main reason that many of us are having to deal with the [new] cookie law in the first place.

You may find that some of your cookies fall into more than one category. If so, simply list them as such, and follow the advice in the next section.
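Steps 5 to 7 of the manual audit can also be done from the `Set-Cookie` response headers your browser received during the walk-through. The script below is an added example, not part of the original page: it turns each header into the fields listed in step 7 and works out ownership and the "from visit" lifetime. The host names, the visit time and the captured headers are constructed sample values; purpose, coverage and category (steps 8 to 10) still have to be filled in by hand.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SITE_HOST = "www.example.test"  # assumed host of the site being audited
VISIT = datetime(2018, 10, 19, 12, 0, tzinfo=timezone.utc)  # assumed visit time

# Constructed sample: (host that sent the header, Set-Cookie header value)
CAPTURED = [
    ("www.example.test", "CookieCompliance=yes; Max-Age=2592000; Path=/"),
    ("www.example.test", "session=abc123; Path=/members; Secure; HttpOnly"),
    ("video.example.net",
     "PREF=f1; Domain=.example.net; Path=/; Expires=Wed, 18 Oct 2028 12:00:00 GMT"),
]

def audit_row(host, header, site_host=SITE_HOST, visit=VISIT):
    """Turn one Set-Cookie header into the step 7 fields, plus ownership."""
    pair, *rest = [part.strip() for part in header.split(";")]
    name = pair.partition("=")[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Without a Domain attribute the cookie belongs to the host that set it.
    domain = attrs.get("domain") or host
    # Max-Age takes precedence over Expires; neither means a session cookie.
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - visit
    else:
        lifetime = None
    # 1st party if the audited site's host falls within the cookie's domain.
    bare = domain.lstrip(".")
    first_party = site_host == bare or site_host.endswith("." + bare)
    return {
        "Name": name,
        "Domain": domain,
        "Path": attrs.get("path", "/"),  # simplification: missing Path shown as "/"
        "Send for": "Secure connections only" if "secure" in attrs else "Any connection",
        "Expires": "At end of session" if lifetime is None
                   else f"{lifetime.days} days from visit",
        "Ownership": "1st Party" if first_party else "3rd Party",
    }

def build_audit(captured=CAPTURED):
    return [audit_row(host, header) for host, header in captured]

if __name__ == "__main__":
    for row in build_audit():
        print(row)
```

Any cookie reported as "Any connection" on a site served over https, or with a lifetime far longer than its purpose needs, is worth questioning while you write up its purpose and category.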

Important Note:
This technique (at the time of writing) does not include Flash Cookies or HTML5 Web Storage. Please read our What are Flash Cookies? and What is Web Storage? sections for further information on these.

Congratulations, you have taken your first steps towards compliance!

Interpreting the Audit Results

Now that you have your audit, we need to assess your cookies and treat them accordingly. Please see our next section - Is my website compliant? for details on how to do this.