Auditing a site for the EU cookie directive

As the deadline to comply with the new EU directive draws ever closer, I’ve been giving some thought to how to audit a website – a blog in particular – to see which cookies it stores on visitors’ computers.  This information can then be used to update the privacy policy or cookie information, or to decide where such information should go.

Step 1: Checking the cookie cache

The simplest way to see which cookies a new visitor receives is to clear the browser cache – all of it, and obviously including the cookies – and then to visit the site.  A fresh browser profile or a private window gives the same clean slate.  I even use a different Windows account or computer to do this.

Then, look at the cookies that the browser has stored.

a. Are they all from your own domain, or are “third party” cookies – cookies whose domain is not yours, set by embedded scripts, images or frames – already being stored at this stage?

b. Evaluate the ones from your domain and what purpose they serve.  Do they contain personal information?  Are they session cookies that disappear when the browser is closed, or persistent cookies with an expiry date that can recognise a returning visitor or track the user through the website?

WordPress, for example, does set some session cookies, but as long as the visitor does not log in to WordPress itself I am not aware of it storing any tracking or personal information.  However, I obviously cannot guarantee that!  One case worth checking is commenting: WordPress core stores the commenter’s name, e-mail address and website in comment_author_* cookies after a comment is posted, so that the form can be pre-filled next time.
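The check in Step 1 can be done by hand in the browser’s cookie viewer, but it is quicker to classify a whole capture at once.  The script below is an added example, not code from the original post: it takes the (response URL, Set-Cookie header) pairs you get from the browser’s developer tools, a proxy or a HAR file, and reports for each cookie whether it is first- or third-party, session or persistent, and whether it carries Secure/HttpOnly.  The site URL, the captured responses and the cookie names are all constructed for the example; the “last two labels” rule for the registrable domain is an assumption that breaks on multi-part suffixes such as co.uk.

```python
"""Classify cookies captured on a first visit (added example, not the post's own code)."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit

SITE_URL = "https://blog.example.org/"   # hypothetical site under audit

# Constructed sample capture: (response URL, Set-Cookie header) from a fresh-profile visit.
CAPTURED = [
    ("https://blog.example.org/",
     "PHPSESSID=4f1a9c; Path=/; HttpOnly"),
    ("https://blog.example.org/wp-content/plugins/stats/count.php",
     "stats_uid=abc123; Domain=.example.org; Max-Age=31536000; Path=/"),
    ("https://widgets.example.net/button.js",
     "wid=77ef; Domain=.example.net; Expires=Fri, 01 Jan 2038 00:00:00 GMT; Path=/; Secure"),
    ("https://ads.example.com/show?zone=12",
     "ad_track=zz9; Max-Age=0; Path=/"),   # Max-Age=0 is a removal: nothing stays stored
]


@dataclass
class CookieRecord:
    name: str
    set_by: str         # host of the response that carried the Set-Cookie header
    domain: str         # effective cookie domain (host-only when no Domain attribute)
    third_party: bool   # True when that domain is not the site's registrable domain
    persistent: bool    # True when Expires/Max-Age make it outlive the browser session
    deleted: bool       # True for Max-Age<=0, i.e. the server is removing a cookie
    secure: bool
    http_only: bool


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels.  Multi-part public suffixes (co.uk, com.au)
    # need a public-suffix list; this simple rule is enough for the sample data.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    attrs: dict[str, str] = {}
    for part in attr_parts:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify(site_url: str, captured) -> list[CookieRecord]:
    site_reg = registrable_domain(urlsplit(site_url).hostname)
    records = []
    for response_url, header in captured:
        host = urlsplit(response_url).hostname.lower()
        name, _value, attrs = parse_set_cookie(header)
        # A Domain attribute widens the cookie to that domain; otherwise it is host-only.
        domain = attrs.get("domain", "").lstrip(".").lower() or host
        max_age = attrs.get("max-age")
        if max_age is not None and not max_age.lstrip("-").isdigit():
            max_age = None          # RFC 6265: an unparsable Max-Age is ignored
        deleted = max_age is not None and int(max_age) <= 0
        persistent = (not deleted) and (max_age is not None or "expires" in attrs)
        records.append(CookieRecord(
            name=name, set_by=host, domain=domain,
            third_party=registrable_domain(domain) != site_reg,
            persistent=persistent, deleted=deleted,
            secure="secure" in attrs, http_only="httponly" in attrs))
    return records


def report(records: list[CookieRecord]) -> list[str]:
    lines = []
    for r in records:
        if r.deleted:
            lines.append(f"{r.name}: removal sent by {r.set_by}, nothing stored")
            continue
        kind = "third-party" if r.third_party else "first-party"
        life = "persistent" if r.persistent else "session"
        flags = ", ".join(f for f, on in (("Secure", r.secure), ("HttpOnly", r.http_only)) if on)
        lines.append(f"{r.name}: {kind} ({r.domain}), {life}, {flags or 'no Secure/HttpOnly'}; set by {r.set_by}")
    return lines


if __name__ == "__main__":
    for line in report(classify(SITE_URL, CAPTURED)):
        print(line)
```

The two things worth reading off the output are the domain column (anything outside your own registrable domain is a third-party cookie, whatever the response that set it) and the session/persistent column, since a persistent cookie is the one that can recognise a returning visitor.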

Step 2: Analytical and Tracking software

If you installed your own site, then you should know whether any analytics or tracking software is running on it.  Is the software self-hosted on your webspace or server, or is the data stored on the vendor’s own server?  Most importantly, does the software use cookies?  Not all do: some count visits purely from the server logs.

Step 3: Membership sites and shopping carts

If you run a membership site or an online shop, then you probably need cookies for these, for example to remember who is logged into the site or what they have placed in their shopping cart.

Of course, these are essential to the running of the system, and some interpretations of the EU directive treat such “strictly necessary” cookies as exempt from consent.  Ironically, they are the easiest to cope with: informing new users in the Terms of Service before they become members or customers costs nothing, so there is probably no reason not to put that information in there.

Step 4: Check your plug-ins

WordPress plug-ins often get installed and forgotten about.  It is worth going through the list of plug-ins in the administration dashboard to see which ones are active.  Which function do they provide on the site?  Statistics and social media plug-ins in particular may set cookies – often third-party ones, since they load scripts from the provider’s servers – so it is worth trying out their functions and seeing what gets added to the cookie cache.

Step 5: Affiliates

If your site has affiliate advertising, then you may find that when the reader clicks on a link, a cookie is placed.  This is used to recognise that the buyer was redirected from your site.  Most likely you are not placing this cookie yourself – your affiliate parameters are in the link, and the cookie is set by the merchant’s site once the reader arrives there – but it may be worth advising your readers.  After all, if they click on the link and the affiliate site then asks for permission to place the cookie, you do not want them to block it – and with it your commission!

Similarly, if you run your own affiliate scheme then you may be placing cookies on incoming visitors’ computers to track who to pay your commissions to.

Step 6: Advertisers

If you accept advertising on your site, then you should look at how that advertising works.  Do you have complete control over the code, or did the advertiser give you HTML code to paste in which in turn loads a script from their server?

If you have different advertisers on different sites, then you may need to look at each one individually, but as soon as one of them sets a cookie from its own domain – and hence a third-party cookie – you need to decide how to deal with this.

Step 7: IFRAME

Some advertisers and affiliate programmes use IFRAME code.  This is useful because it means they can update the banner or widget without you needing to change anything, but it also means that you are “forcing” your readers to load and execute code from a different domain, i.e. that of the advertiser.  The framed document belongs to the advertiser’s origin, so any cookies it sets are third-party cookies from your reader’s point of view, and you can neither see nor control what the frame does from one day to the next.
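Steps 5 to 7 come down to one question: which other domains does a page of your site pull in, and which of them load automatically (scripts, frames, images, stylesheets) as opposed to only when the reader clicks (affiliate links)?  The scanner below is an added example, not code from the original post.  It walks a page’s HTML and separates the two cases, because an embedded script or frame can set a third-party cookie on every page view, whereas an outbound affiliate link only leads to a cookie on the merchant’s site after a click.  The page URL and the sample HTML are constructed, and the domain rule is the same “last two labels” assumption as before.  A static scan cannot see resources that a script injects at runtime, which is why the browser check in Step 1 is still needed.

```python
"""Find third-party embeds and outbound links in a page (added example, not the post's own code)."""
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://blog.example.org/post/"   # hypothetical page under audit

# Constructed sample page: a theme stylesheet, a social widget script, an affiliate link,
# an advertiser iframe, a first-party image and a mailto link.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/wp-content/themes/x/style.css">
<script src="//widgets.example.net/share.js"></script>
</head><body>
<p>Buy it <a href="https://shop.example.com/item?tag=mysite-21">here</a>.</p>
<a href="/about/">About</a>
<iframe src="https://ads.example.com/banner?zone=12"></iframe>
<img src="https://blog.example.org/logo.png">
<a href="mailto:me@example.org">mail</a>
</body></html>
"""

# Elements whose URL the browser fetches (and runs, for script/iframe) without a click.
EMBEDDED = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


def registrable_domain(host: str) -> str:
    # Assumption: last two labels; real audits should use a public-suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class ThirdPartyScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_reg = registrable_domain(urlsplit(page_url).hostname)
        self.embedded: list[tuple[str, str]] = []   # (tag, absolute URL) loaded on view
        self.links: list[str] = []                  # absolute URLs followed only on click

    def _third_party(self, url: str) -> bool:
        host = urlsplit(url).hostname   # None for mailto:, javascript:, fragments
        return bool(host) and registrable_domain(host) != self.page_reg

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in EMBEDDED and a.get(EMBEDDED[tag]):
            # urljoin resolves relative and protocol-relative (//host/...) URLs
            url = urljoin(self.page_url, a[EMBEDDED[tag]])
            if self._third_party(url):
                self.embedded.append((tag, url))
        elif tag == "a" and a.get("href"):
            url = urljoin(self.page_url, a["href"])
            if self._third_party(url):
                self.links.append(url)


def scan(page_url: str, html: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Return (third-party embeds, third-party outbound links) for one page."""
    scanner = ThirdPartyScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.embedded, scanner.links


if __name__ == "__main__":
    embeds, links = scan(PAGE_URL, SAMPLE_HTML)
    print("Loaded on every view (can set third-party cookies):")
    for tag, url in embeds:
        print(f"  <{tag}> {url}")
    print("Outbound links (cookie, if any, is set by the other site after a click):")
    for url in links:
        print(f"  {url}")
```

Run it against the HTML of a few representative pages (the front page, a post with comments, a page carrying a banner) rather than just one, since advertisers and widgets are usually placed per template.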

This is, of course, just my own idea of how to audit a website to comply with the new EU directive.  But I am not a lawyer, and I do not think that anyone knows exactly what to expect next week.  However, from the advice that I have seen so far, it is better to have at least prepared yourself and updated your privacy information than to have done nothing at all!

To get you started…

I have already started looking closely at the cookies my sites are placing.  I have already found the following 3rd party cookies:

  • Amazon Associates
  • eBay Affiliates
  • Google AdSense
  • Twitter Flash Widget
  • AddThis
  • Disqus

I cannot say exactly what these cookies are doing, but they are 3rd party nonetheless, and they are being stored when you visit one of my sites.

Have you looked at the cookies on your own site yet?  Which well-known sites or plug-ins can you add to the list?

About Graham Tappenden

Graham Tappenden is a blogger from Germany. He has written code for WordPress themes since 2006 and been creating websites since 1994.