There is a lot of choice in tools to scan and capture the cookies
on your site. Some are manual and some are automated, and there are
pros and cons to each camp: manual can be time consuming, whilst
automated crawlers can miss some cookies without you knowing!
However, the tools can be grouped in the following categories:
- Your Browser: you can use your browser as a
(very basic) auditing tool. Go into your settings and clear cookies
from the cache (in Internet Explorer, this is done by selecting
Tools/Internet Options/Delete Browsing History and selecting cookies).
Then go to your site and visit all the pages, perform the different
actions etc. As you pick up cookies, you can then see them appear
in your browser.
- Free browser plugins: there are a number of
free plugins on offer from software developers, search agencies and
cookie specialists such as the Cookie Collective. For example, our
plugin, the Optanon Cookie Audit Tool, picks up cookies on a site
and presents them with some basic information such as whether they
are first- or third-party.
- Enterprise Level Tag/Privacy Platform: a
lot of large companies with complex online advertising needs use
third party platforms to manage their tags and privacy statements,
and most of these offer cookie capture as well. The problem of
course is that you also have to take a lot of functionality you
don't need, and they are by their nature very expensive.
There is a wide variety of outputs from a cookie
audit. At one end of the spectrum, you have a simple list
of cookies that you picked up. The problem is this doesn't tell you
anything about what the cookies are, or what they do.
It's not helped by the fact that many of the cookies have long names
of seemingly meaningless strings of characters which don't give any
clues to the uninitiated as to what the cookie is for and where it
came from - a classic example would be as follows:
recs-e2a9c9cb90acff81927260bad4f4d817
So, we see that listing the cookies is just one output of the
audit; there also needs to be an explanation of the cookie and its
origin. Experts such as those at the Cookie Collective have
experience of seeing hundreds of different cookies and can
recognise the meaning in these codes.
We also have a database of over 100 million cookies which have
been captured by users through our Optanon tool. Another, free
resource is Cookiepedia, where you can enter the name
of a cookie and obtain information about its host, how long it
hangs around on your machine, and whether it is session or
persistent.
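
The audit fields described above (host, lifetime, session or persistent, first- or third-party) can be derived from the Set-Cookie headers captured while visiting a site. This is an added example, not part of the original article or of the Optanon or Cookiepedia tools; the function names, hosts and header values are constructed for illustration, and only the `recs-...` cookie name is taken from the text.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed capture: (host that sent the response, raw Set-Cookie header).
SAMPLE = [
    ("www.example.com", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("www.example.com", "prefs=lang-en; Domain=.example.com; Max-Age=2592000; Path=/"),
    ("widgets.example.net", "recs-e2a9c9cb90acff81927260bad4f4d817=1; "
                            "Expires=Tue, 31 Dec 2024 00:00:00 GMT; Path=/"),
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed audit time for repeatable output

def audit_cookie(set_cookie, response_host, site_domain, now):
    """Turn one captured Set-Cookie header into an audit row."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Without a Domain attribute the cookie is scoped to the responding host.
    host = attrs.get("domain", "").lstrip(".").lower() or response_host.lower()
    # Max-Age takes precedence over Expires; neither means a session cookie.
    days = None
    if "max-age" in attrs:
        days = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        days = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    # Simplification: plain suffix match against the audited site's domain,
    # not a Public Suffix List lookup.
    first = host == site_domain or host.endswith("." + site_domain)
    return {
        "name": name,
        "host": host,
        "party": "first" if first else "third",
        "type": "session" if days is None else "persistent",
        "lifetime_days": None if days is None else round(days, 1),
    }

def run_audit(captured, site_domain, now):
    """Audit every captured header; returns one row per cookie."""
    return [audit_cookie(hdr, host, site_domain, now) for host, hdr in captured]

if __name__ == "__main__":
    for row in run_audit(SAMPLE, "example.com", NOW):
        print(row)
```

The rows still need a purpose and category assigned by a person; the script only fills in the mechanical columns.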
It is only possible to get cookie compliant once you know
what the cookies are and what they do. You then need to
classify them. Some of them are deemed 'essential to the operation
of the site in question'; examples of this would be session cookies
used in navigation, or a shopping cart function.
Once those are separated out, the auditor needs to categorise
the remainder by their purpose. The ICC has produced a useful guide
to cookie categories which we use when carrying out a cookie audit
for a client.
Finally, the audit should take this information and produce a
set of recommendations for the site, or a single strategy or
multiple strategies for a family of sites; bear in mind that the
law and its interpretation differ from country to country.
All of this should come together in an integrated cookie audit
report, which is arguably the first deliverable in a strategy
towards cookie compliance. Just remember that according to the
regulator, the passing of May 26th represents merely the end of
the beginning of a world where website owners, and increasingly
consumers, need to be more aware of how they use and are used by
cookies and other means of online tracking.
Have fun!