How to run a successful cookie audit
Cookie audits sound so simple in theory, don’t they? I mean, how hard can it be to identify what cookies you have, assess their intrusiveness, and decide on your strategy for obtaining consent?
Having now worked with a number of clients to conduct cookie audits, I can report that they are in fact fraught with legal, commercial and technical difficulties that only website operators with the most minimal online presence could hope to escape. For operators with more substantial web portfolios, cookie audits can prove very complex and time-consuming.
As a case in point, we recently helped a client audit its web portfolio of some 60+ Internet domains, serving around 3,000 cookies. Fully identifying all the cookies they served, let alone what they do and how intrusive they are, was a substantial task in itself. Another client has set up a large internal stakeholder group to address cookie consent requirements, comprising representatives from legal, IT, marketing and data analytics teams, all of whom have different needs and face different demands when deciding how to use the humble cookie. Some of our clients are technology service providers, many non-EU based, who want to pursue risk-based consent strategies that are at odds with those of the website operators they serve, and reaching common ground can therefore be a challenge.
So, for enterprises struggling to figure out a way to deal with their cookie consent compliance demands, here are the top tips I have gleaned from our experience running cookie audit projects to date:
1. Outsource your technical cookie audit. While it may be manageable for a website operator with just one (or maybe just a few) Internet domain(s) to rely on their IT staff to audit their cookie use, this approach just doesn’t scale for large enterprises. Sophisticated websites will often drop 10, 20 or more cookies through a page and, when scaled up across hundreds of pages and tens of different domains, this quickly becomes an insurmountable task for any internal IT function, which will often have little knowledge of how third party service providers deploy their cookies. A number of third party vendors now offer comprehensive cookie audit services, and engaging one of these vendors to help you in your task is a must.
2. KYC – Know your cookies! Lawyers need to know and understand what cookies do in general and, more precisely, they need to know what each specific cookie served through the website(s) does. Without this, there’s simply no way that they can meaningfully assess their intrusiveness or advise on an appropriate strategy for obtaining cookie consent. If relying on an in-house legal function to perform this role, take time to ensure your in-house lawyers are fully educated by your IT, analytics and marketing teams, all of whom will use different cookies for different purposes. It’s important that your lawyers can ‘speak the language’ of your IT, analytics and marketing teams in order to turn their technical descriptions of the cookies they use into meaningful, legal disclosures that meet e-privacy transparency requirements.
4. One size does not fit all. Don’t take a sledgehammer to crack a nut – a single consent strategy across the entire cookie environment cannot hope to obtain meaningful consumer consent and can impair legitimate data collection practices. Enterprises need to understand the different consent strategies available to them – from cookies that are exempt from the consent requirement, to cookies where implied consent strategies are an acceptable solution (with or without enhanced contextual notices, depending on the intrusiveness of the cookies in question), to cookies where more express forms of consent may be appropriate. Adopting a tiered consent strategy allows for better, clearer disclosures to consumers, more granular control and better levels of data collection.