
How to run a successful cookie audit

Phil Lee
Cookie audits sound so simple in theory, don't they?  I mean, how hard can it be to identify what cookies you have, assess their intrusiveness, and decide on your strategy for obtaining consent?

Having now worked with a number of clients to conduct cookie audits, I can report that they are in fact fraught with legal, commercial and technical difficulties that only website operators with the most minimal online presence could hope to escape.  For operators with more substantial web portfolios, cookie audits can prove very complex and time-consuming. 

As a case in point, we recently helped a client audit its web portfolio of some 60+ Internet domains, serving around 3,000 cookies.  Fully identifying all the cookies they served, let alone what they do and how intrusive they are, was a substantial task in itself.  Another client has set up a large internal stakeholder group to address cookie consent requirements, comprising representatives from legal, IT, marketing and data analytics teams, all of whom have different needs and face different demands when deciding how to use the humble cookie.  Some of our clients are technology service providers, many non-EU based, who want to pursue risk-based consent strategies that are at odds with those of the website operators they serve, and reaching common ground can therefore be a challenge.

So, for enterprises struggling to figure out a way to deal with their cookie consent compliance demands, here are the top tips I have gleaned from our experience running cookie audit projects to date:

1.  Outsource your technical cookie audit.  While it may be manageable for a website operator with just one (or maybe just a few) Internet domain(s) to rely on their IT staff to audit their cookie use, this approach just doesn't scale for large enterprises.  Sophisticated websites will often drop 10, 20 or more cookies on a single page and, when scaled up across hundreds of pages and tens of different domains, this quickly becomes an insurmountable task for any internal IT function, which will often have little knowledge of how third party service providers deploy their cookies.  A number of third party vendors now offer comprehensive cookie audit services, and engaging one of these vendors to help you in your task is a must.  A good example is Evidon, which offers a comprehensive technical audit service that scales easily across large web portfolios and provides detailed cookie reporting in a well-structured, readily-accessible format.

2.  KYC - Know your cookies!  Lawyers need to know and understand what cookies do in general and, more precisely, they need to know what each specific cookie served through the website(s) does.  Without this, there's simply no way that they can meaningfully assess their intrusiveness or advise on an appropriate strategy for obtaining cookie consent.  If relying on an in-house legal function to perform this role, take time to ensure your in-house lawyers are fully educated by your IT, analytics and marketing teams, all of whom will use different cookies for different purposes.  It's important that your lawyers can 'speak the language' of your IT, analytics and marketing teams in order to turn their technical descriptions of the cookies they use into meaningful, legal disclosures that meet e-privacy transparency requirements.  A careful choice of vendor for your technical cookie audit will simplify this task enormously – Evidon, for example, maintains a lookup database of third party tracking cookies that describes the purposes these cookies fulfil and the technical basis on which they collect data, significantly simplifying legal investigation into cookie intrusiveness.

3.  Disclosures by type, not by identity.  For large scale cookie deployment, listing in a privacy policy every single cookie that your website serves and what it does is a laborious, back-breaking task that helps no one.  The purpose of the e-Privacy cookie rules is to better inform users about what cookies do and to put them in control of cookie data collection.  A cookie-by-cookie list of tens, hundreds or thousands of cookies does not achieve this.  It's far better to group cookies by type ('advertising cookies', 'analytics cookies', 'content sharing cookies' etc.) and disclose these categories of cookies, explaining what they do and allowing consumers to choose whether or not they want to receive those types of cookies.  This is not only easier to understand, it also makes forward-facing maintenance of your cookie disclosures much, much simpler.

4.  One size does not fit all.  Don't take a sledgehammer to crack a nut - a single consent strategy across the entire cookie environment cannot hope to obtain meaningful consumer consent and can impair legitimate data collection practices.  Enterprises need to understand the different consent strategies available to them - from cookies that are exempt from the consent requirement, to cookies where implied consent strategies are an acceptable solution (with or without enhanced contextual notices, depending on the intrusiveness of the cookies in question), to cookies where more express forms of consent may be appropriate.  Adopting a tiered consent strategy allows for better, clearer disclosures to consumers, more granular control and better levels of data collection.
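As an added example (not from this post, and not Evidon's tooling), here is a small Python cookie inventory that walks the four tips above on constructed data: it parses Set-Cookie observations gathered from several pages, works out per cookie whether it is third-party and persistent, groups cookies by type using a constructed name-to-type lookup standing in for a vendor database, and attaches a consent tier per type from a constructed policy table. All domains, cookie names, categories and tier assignments are assumptions for illustration, and the registrable-domain heuristic is deliberately crude (a real audit should use the Public Suffix List).

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed observations: (page where the cookie was seen, raw Set-Cookie header).
OBSERVED = [
    ("https://www.example-shop.test/", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example-shop.test/", "_analytics_uid=u-42; Domain=.example-shop.test; Max-Age=63072000"),
    ("https://www.example-shop.test/product/1", "ad_track=xyz; Domain=.ads-network.test; Expires=Wed, 01 Jan 2030 00:00:00 GMT"),
    ("https://blog.example-shop.test/", "share_pref=fb; Domain=.social-widget.test; Max-Age=2592000"),
    ("https://blog.example-shop.test/", "session_id=def456; Path=/; Secure; HttpOnly"),
]
# Constructed lookup of cookie name -> type (a vendor database would supply this at scale).
CATEGORY_OF = {"session_id": "strictly necessary", "_analytics_uid": "analytics",
               "ad_track": "advertising", "share_pref": "content sharing"}
# Constructed policy: consent tier per type, on the post's exempt / implied / express spectrum.
TIER_OF = {"strictly necessary": "exempt", "analytics": "implied consent",
           "content sharing": "implied consent", "advertising": "express consent"}

def registrable(host):
    # Crude "site" heuristic: last two labels. A real audit should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def parse_set_cookie(page_url, header):
    """Turn one Set-Cookie header into the facts an auditor needs about that cookie."""
    name_value, *attrs = [part.strip() for part in header.split(";")]
    name = name_value.split("=", 1)[0]
    flags = {k.strip().lower(): v.strip() for k, _, v in (x.partition("=") for x in attrs)}
    page_host = urlsplit(page_url).hostname
    cookie_domain = flags.get("domain", page_host).lstrip(".")
    return {
        "name": name,
        "domain": cookie_domain,
        "third_party": registrable(cookie_domain) != registrable(page_host),
        "persistent": "max-age" in flags or "expires" in flags,  # outlives the browser session
        "category": CATEGORY_OF.get(name, "unclassified"),
    }

def audit(observations):
    """Group cookies by type (tip 3) and attach a consent tier per type (tip 4)."""
    groups = defaultdict(lambda: {"cookies": set(), "domains": set(), "third_party": False, "persistent": False})
    for page_url, header in observations:
        c = parse_set_cookie(page_url, header)
        g = groups[c["category"]]
        g["cookies"].add(c["name"])          # the same cookie seen on many pages counts once
        g["domains"].add(c["domain"])
        g["third_party"] |= c["third_party"]
        g["persistent"] |= c["persistent"]
    for category, g in groups.items():
        g["tier"] = TIER_OF.get(category, "express consent")  # unknown cookies get the strictest tier
    return dict(groups)
```

Feeding `audit(OBSERVED)` the five constructed observations yields four disclosure categories rather than five cookie entries, with the advertising group flagged as third-party and persistent and anything the lookup cannot classify defaulting to the strictest tier for follow-up.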

