Cookies: best practice September 2012 by Fedelma Good, Barclays
Cookie Policy Verification Framework
1. Site Review
A review and benchmark of the XYZ website. Scoring the level of cookie compliance* taking the consumer view.
*Based on sensible interpretation of the current legal framework around UK informed consent.
COOKIEREPORTS 1
2. INTRODUCTION
With the confusion around the current cookies law, it's important to have an independent view for any site that is owned or operated for you – allowing you to be confident in your brand's position.
Regulatory action is directly time consuming and costly – indirectly it can be far more damaging in terms of losing trust and the negativity associated.
If not more important than the impact of regulatory action is ensuring that you are seen to be open and transparent.
Cookies are not considered 'bad' in the main, and most visitors are comfortable with them – offering simple clarity will ensure the confidence of your visitors.
It's being done – our agency provided it?
Unfortunately not all agencies are best placed for cookie auditing – we often find 30-70% more. Most do not have the appropriately skilled resources or technology in place (often relying on free tools).
We are independent and have probably delivered more cookie solutions than most – it's all we do!
It's you and your brand that's penalized if there are errors or omissions - what's essential is accuracy and efficiency. Typically we can audit, categorise and provide cookies reporting within hours – multi site estates can be delivered in a couple of days, including language and regulatory localization.
3. YOUR SUMMARY
EXAMPLE ….. A pretty good starting point. With probably 3 days of work focused on improving clarity, more visitor friendly information and better reporting the site would be considerably improved.
On the cookies page there seem to be errors limiting site function.
6. Category (Found / Reported)
Necessary (Found: 8, Reported: 0)
These cookies are important to the underlying operation of the website, supporting important functionality such as shopping baskets and supporting the technical operation of the website to ensure the website performs how you would expect. No personally identifiable data is collected with these types of cookies.
Site experience (Found: 10, Reported: 0)
These cookies are used to support your experience on our site and include display options and login areas. No personally identifiable data is collected with these types of cookies.
Performance & operation (Found: 16, Reported: 0)
These cookies are used in the management of the site and include customer surveys, recording visitor numbers and other web analytics. Limited anonymous identifiable data is collected.
Marketing, anonymous cross site tracking (Found: *25+, Reported: 0)
These cookies are used to track our customers across our websites. This can be used to build up a profile of search and/or browsing history for every customer. Identifiable or unique data may be collected, however any stored information is anonymous and not logged against an identifiable profile or customer. Any anonymous activity recorded may be reused by 3rd parties.
Marketing, targeted advertising (Found: 42, Reported: 0)
These cookies are used to track browsing habits and activity. We use this information to enable us to show you relevant/personalised marketing content. Using these types of cookies, we may collect personally identifiable information and use this to display targeted advertising and/or share this data with 3rd parties for the same purpose. Any activity tracked and recorded using these cookies may be sold to 3rd parties.
*In total over 90 cookies were found on the site (abc.site.com). XXXX operates across numerous subdomains & requires further investigation to complete site mapping / cookies detail.
8. Navigation
[Chart, scale 0 to 10; value shown: 3]
As this report is based on the requirements for a UK managed and delivered website, the first (and arguably a key) requirement is to provide 'clear navigation' to your cookies statement / policy.
A site should clearly inform a visitor that it uses cookies no matter what page of the site you arrive at or what device you are using to connect to the site.
Two navigation options have been cited as both appropriate and 'within requirements'; these are a graphical icon / device or a text link.
Where a text link is used, it should be clearly visible; if combined with a selection of links (say in a top navigation) it should be identified by a different color, font type or size. It should not be below the page fold.
Improvement suggestions (Not offered as part of the free summary)
1. Point one
2. Point two
3. Point three
4. Point four
9. Function
[Chart, scale 0 to 10; value shown: 5]
Next stage down from the 'front page' navigation is its function. Generally speaking, the more complicated the navigation, the more prone to error or problems it will be.
Key areas are:
1. Are there any accessibility constraints?
2. Does the navigation unnecessarily interfere with the user journey?
3. Does it function on all pages of the site?
4. Is its functionality limited on public access devices?
5. Does it work when redirects are followed?
A common navigation choice is a text bar at the very top of the page – it's important to check that this will not compromise your search indexing and results.
Improvement suggestions (Not offered as part of the free summary)
1. Point one
2. Point two
3. Point three
4. Point four
10. Policy
[Chart, scale 0 to 10; value shown: 2]
In looking at the policy, perhaps the only area of the report that can be considered subjective is the reading and reviewing of the content and explanation text of the policy.
The areas that we feel are important for any policy are:
1. Contact details – who to contact with any questions (email suggested)?
2. Date of the audit – demonstrate that you have audited your site; if externally, even better, as it offers the visitor confidence and a level of openness, building trust.
3. Opt out for LSO / Flash based cookies – does the policy offer support for this?
4. Clearing of cookies – does the policy offer detail, by browser, of how this can be achieved?
Improvement suggestions (Not offered as part of the free summary)
1. Point one
2. Point two
3. Point three
4. Point four
11. Cookie Detail
[Chart, scale 0 to 10; value shown: 1]
After many hundreds of thousands of audits, we now have a very comprehensive data set of pretty much all cookies. We have examined the cookies, with this allowing us to create hopefully a very consumer focused categorisation – we also have another key element to look at the likely privacy impact, that of each cookie's 'density of use'.
These categories (groups) are as clear as we believe possible (they have been defined by leading industry experts and were the result of checking many thousands of sites and looking at the detail of all cookies found, 3rd party predominantly). The categories (groups) reflect the potential level of privacy intrusion for the visitor.
We are comparing the detail reported on a site against what's been discovered. If a site doesn't provide the basic detail of the cookies (name etc) then it cannot claim to offer any level of 'informed' consent, as the basis a visitor has to make a decision is that of being informed – and with no information they are clearly not.
Improvement suggestions (Not offered as part of the free summary)
1. Point one
2. Point two
3. Point three
4. Point four
12. Opt in / Opt out options
[Chart, scale 0 to 10; value shown: 1]
It's not in any way sufficient to rely on 3rd parties who set cookies to offer a suitable mechanism to opt out of their cookies. Most are cumbersome to use (perhaps intentionally) and to date the solutions offered by collective bodies seem to operate with sporadic success.
You should also offer a visitor a method of removing your (any) cookies from their device (covered in more detail within the policy review and check).
Finally and essentially, but so far limited across sites we have checked – the opt out method should actually work.
For countries where opt-in has been taken as the legal requirement, we review the site before and after opt-in.
Improvement suggestions (Not offered as part of the free summary)
1. Point one
2. Point two
3. Point three
4. Point four
14. We have a book covering a great deal of the questions you may be asking; for a printed version please contact us.
It's also available to download @ http://www.cookiereports.com/download/journeybook
15. On request:
• extracts from ICO discussions
• the latest updates from the EU.
Presentation is @ http://misc.cookiereports.com/CookieReports_Deloitte_Event.ppsx
17.
• UK owned and operated company
• Presence in UK, FI, DK, DE, AT
• Our own unique IP and methodology
• No VC, bank or external funding
• Only service to be independently certified
• UK member body & partners include;
18. Who have we worked together with?
Most recently….
20. COPYRIGHT
This material is proprietary to Cookie Reports Limited and has been furnished on a confidential and restricted basis. Cookie Reports Limited hereby expressly reserves all rights, without waiver, election or other limitation to the full extent permitted by law, in and to this material and the information contained therein.
Any reproduction, use or display or other disclosure or dissemination, by any method now known or later developed, of this material or the information contained herein, in whole or in part, without the prior written consent of Cookie Reports Limited is strictly prohibited.
21. DISCLAIMER
This document is offered as an overview and a starting point only – it should not be used as a single, sole authoritative guide. You should not consider this as legal guidance.
The services provided by Cookie Reports Limited are based on an audit of the available areas of a website at a point in time. Sections of the site that are not open to public access or are not being served (possibly due to site errors or downtime) may not be covered by our reports.
Where matters of legal compliance are concerned you should always take independent advice from appropriately qualified individuals or firms.