Whilst undertaking a cookie audit of our website, a requirement of the new EU Privacy and Electronic Communications Directive, I was reminded of one of my kids’ favourite stories. Halfway through We’re going on a bear hunt the family “stumble, trip, stumble, trip, stumble, trip” through a dark, deep forest. Now that’s exactly how I felt whilst trying to log and identify each of the cookies on our website. I trialled a number of tools and processes, so I thought it would be useful to share the approach I ended up settling on.
How to find cookies on your website
Step 1: Select and update two browsers
I decided to use Firefox and Chrome.
In Firefox: click on “Firefox”. Select “About Firefox” and click on the “Check for Updates” button. Install any necessary updates.
In Chrome: click on “Chrome”. Select “About Chrome” and click on the “Update Now” button if you are not running the latest version of Chrome.
Step 2: Delete any and all cookies
Remove all of the cookies stored on your computer prior to testing your website:
In Firefox: click on “Preferences” on a Mac or “Options” on a PC. Select “Privacy” and click on the “remove individual cookies” link. Then click on the “Remove All Cookies” button.
In Chrome: click on the “Tool” icon in the top right of the browser window, then select “Preferences”, “Under the hood” and “Clear browsing data”.
Step 3: Use your website
Go to your website and use every page and all functionality available. Do not browse other websites whilst you do this.
Step 4: Log your findings
Note down all of the cookies that your website has installed on your computer. Then click on the name or source of each cookie to reveal further information. Log the following for each cookie you find:
- Cookie name
- Expiry date
- Source or host of cookie
In Firefox: click on “Preferences”. Select “Privacy” and click on the “remove individual cookies” link. Click on the arrow next to the name of each website that has installed a cookie. Then click on the name of each cookie this website has installed. This will display the information required at the bottom of the pop-up window.
In Chrome: click on the “Tool” icon in the top right of the browser window, then select “Preferences”, “Under the hood”, “Content Settings”, and “All cookies and Site Data”. Click on the name of each website. This will display each cookie the website in question has installed. Click on the button that represents each cookie to reveal the necessary information you need to log.
Step 5: Repeat steps 1-4 using a different browser and/or tool of your choice
To ensure you find all of the cookies in use on your website I’d highly recommend multiple passes with different tools. You could use your secondary browser or you could install an add-on or extension to your primary browser such as Firecookie for Firefox’s Firebug. Repeating the process with different tools should help you reduce the risk of failing to find and log all of the cookies in use on your website.
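The log from Step 4 and the cross-check from Step 5 can also be built from captured response headers. The sketch below is an added example, not part of the original post: it assumes you have copied the `Set-Cookie` headers seen during each pass (for instance from the browser's network panel), and the site domain, hosts, cookie names and dates in it are constructed.

```javascript
const SITE = "example.org"; // constructed: the domain being audited

// Parse one Set-Cookie header received from `host` at time `seenAt`.
function parseSetCookie(host, header, seenAt) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  let domain = host.toLowerCase(), maxAge = null, expires = null;
  for (const a of attrs) {
    const eq = a.indexOf("=");
    const key = (eq < 0 ? a : a.slice(0, eq)).toLowerCase();
    const val = eq < 0 ? "" : a.slice(eq + 1);
    if (key === "domain" && val) domain = val.replace(/^\./, "").toLowerCase();
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = new Date(val);
  }
  // Max-Age wins over Expires (RFC 6265); neither means a session cookie.
  let expiry = "session";
  if (maxAge !== null) expiry = new Date(seenAt.getTime() + maxAge * 1000).toISOString();
  else if (expires) expiry = expires.toISOString();
  const firstParty = domain === SITE || domain.endsWith("." + SITE);
  return { name, host: domain, expiry, party: firstParty ? "first" : "third" };
}

// Merge the logs from several passes and record which tool saw each cookie.
function mergePasses(passes) {
  const log = new Map();
  for (const [tool, cookies] of Object.entries(passes)) {
    for (const c of cookies) {
      const key = c.host + "|" + c.name;
      if (!log.has(key)) log.set(key, { ...c, seenIn: [] });
      log.get(key).seenIn.push(tool);
    }
  }
  return [...log.values()];
}

const seenAt = new Date("2012-05-01T12:00:00Z"); // constructed capture time
const passes = { // constructed headers from two passes
  firefox: [
    parseSetCookie("www.example.org", "PHPSESSID=abc123; Path=/; HttpOnly", seenAt),
    parseSetCookie("chat.example.net", "visitor=42; Domain=.example.net; Max-Age=86400", seenAt),
  ],
  chrome: [
    parseSetCookie("www.example.org", "PHPSESSID=def456; Path=/; HttpOnly", seenAt),
    parseSetCookie("www.example.org", "prefs=1; Expires=Wed, 01 May 2013 12:00:00 GMT", seenAt),
  ],
};
const auditLog = mergePasses(passes);
console.table(auditLog); // rows with a single entry in seenIn were missed by one pass
```

Cookies written by scripts through `document.cookie` never appear in response headers, so the browser's own cookie list from Step 4 remains the reference and this log is a cross-check against it.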
Analysing the cookies you’ve found
Identifying the “invasiveness” and “necessity” of each and every cookie you find is the bare minimum required to show that you are taking steps to comply with this new legislation.
I don’t think it is appropriate for me to get into what is “invasive” or “necessary” as, at the end of the day, this is a) purely subjective, and b) I’m not the ICO. Therefore, my personal opinion really doesn’t matter. So I’d highly recommend that you refer to the following guidance documentation published by the ICO:
- Changes to the rules on using cookies and similar technologies for storing information
Following this you will then need to:
- Decide which cookies will require “explicit consent”.
- Decide which cookies, if any, you can do without.
- Remove any invasive or unnecessary cookies that you do not wish to keep.
- Plan and test how to obtain “explicit consent” on your website.
Presenting these changes to website visitors
This is certainly the hardest element of complying with this legislation. Due to this we are taking an incremental approach. Phase 1 is to update our legal documents and phase 2 will be testing ways to obtain “explicit consent”.
In terms of phase 1 we’ve taken our lead from the ICO themselves and have compiled the following table which details the cookies in use on this website and blog:
| Border Crossing Media | _PHPSESSID | This allows the website to function as intended. We use this session to log information from page to page, such as the search term used to generate results. | This first-party cookie is deleted as soon as you close your browser window. |
| | | Olark is used to provide real-time customer support via our website. These cookies collect information on how this feature is used in an anonymous form, and no personally identifiable information is logged or stored. | These third-party cookies adhere to Olark’s terms of service. |
Maps is used on our Contact Us page to help people locate our office.
We’ve tried to make it as clear and useful as possible whilst detailing all of the information required.
In terms of phase 2 we certainly won’t be adopting the ICO’s approach. Vicky Brock has shared some sobering data that indicates the ICO has only managed to convince 1 in 10 people to provide them with “explicit consent”. With a few minor copy and interface design tweaks I’m sure the ICO could improve this. But the real issue for me is that more often than not people are simply going to ignore or deny consent.
Why? Because granting “explicit consent” simply isn’t what people wish to do when they use a website. After all they’re only on our websites because they want to find or do something. And I think it’s safe to say that providing “explicit consent” is just about the last of a user’s priorities unless it’s a blocker to them completing their goal(s). So yes, we’re going to continue testing a number of different ways to secure explicit consent – who doesn’t love a challenge! But I’m not sure we’re going to find one that gives us access to all of the data we’ve grown to love.
A promising solution
On a more positive note I did come across a number of companies who are working on solutions. The best of these was Cookie Control developed by the clever folks at Civic. Will Civic’s solution have a profound impact on the number of people willing to “grant explicit consent”? I’m not sure, but the ICO should definitely give it a go and see if it fares any better than their current implementation.
If you’re undertaking a cookie audit and want to share your thoughts about compliance please do get in touch!