Back to Privado blog

How Cookies Work and How to Conduct a Cookie Audit in 2021

Vaibhav Antil, CIPM
December 9, 2020

Most of the websites we use today have cookies embedded in them, and yet, many of us are unaware as to what they are exactly, how they function, and how they relate to users’ privacy. Even as the owner of a site that uses cookies, you probably aren’t entirely familiar with how they work. In today’s world, data privacy is taken seriously and is at the center of every digital interaction. Users are becoming more conscious of their digital privacy, and rightfully so. New laws and regulations are being framed around the world to regulate the use of cookies, among other things.

Organizations need to understand what cookies are and how they work to be able to use them effectively to avoid being caught off guard with new data privacy regulations looming. This blog breaks down what a cookie is, how they help in advertising, and how you can conduct a cookie audit to get a sense of how cookies are being handled on your websites.

What is a cookie?

A cookie is a file that is saved onto users’ computers to enrich their user experience by allowing them to personalize their sessions, as well as tracking them to offer better functionality. Cookies help websites remember things about individual users, such as what products they added to their carts or how far along they’ve gotten in a game.

Another important aspect of cookies is their ability to track user activity to deliver personalized and targeted ads to users. You can thank cookies for personalized and targeted ads if you’ve found yourself browsing the Internet for cars and see ads relating to cars elsewhere on the web. Albeit, one of the most important uses of cookies is that they aid in the faster loading of previously visited websites. 

How do cookies work?

Cookies are just text files and not executable programs themselves. First-party cookies are the ones served by the websites you visit. For example, you could visit a shopping site, and it would use cookies to make sure it keeps track of what products you’ve looked at to suggest similar items or to understand your shopping behaviour to give you better recommendations. 

On the other hand, third-party cookies are cookies that are served by the sites you visit on behalf of other websites. For instance, a blog might serve ads on behalf of an advertising company.

When a browser requests access to a page from a website’s server, it includes cookies that were saved onto the user’s device with the request. The server then reads this request along with the cookies in it to serve relevant content and may add new cookies to the page it delivers. The page is then read by the browser along with all the cookies sent to it by the server before finally displaying the page to the users. This continual cycle of exchanging cookies allow websites to track user activity to get a real-time understanding of usage patterns and other data that could aid in delivering personalized content and ads. 

Cookies and advertising 

There is not much controversy surrounding the first-party cookies that websites use to enhance user experience. For instance, when you type a query into a search engine, it can use cookies to deliver results that are most likely to be relevant to you, including your previous search history and your location. 

However, third-party cookies that websites serve on behalf of advertising services is where the plot thickens a little. The question is often about whether the user consents to provide data to a third-party whose site and cookies they did not intend to request. It is also an ethical issue to consider whether websites can choose to share information with third-party ad providers for marketing without the consent of users. Many jurisdictions in the US and EU have ruled that websites must inform users of how their cookies will be used and require their consent to share this data with ad providers. Some jurisdictions also specify that users should be given the opportunity to opt-out of such cookie sharing with advertisers. 

Advertisement providers often operate through networks of websites that consolidate cookies to build a profile of a user and deliver targeted advertisements based on it. Your browsing and internet activity across websites contribute to the profile, and it gets refined to the point where advertisers have an accurate idea of who you are, your interests, and what ads you would be interested in. 

Cookie regulation 

The increasing sophistication of cookies and how much data about you can be collected and used by these advertisement providers have called for more stringent data privacy regulations around the world.

Cookie laws were first brought into effect with Europe's amendment to the ePrivacy Directive in 2009 which made it mandatory to seek users' consent to access information stored on computers, phones, or other digital equipment under Article 5.3. This move would eventually lead the EU to address the need for specific personal data laws with the General Data Protection Regulation (GDPR). 

The EU brought the General Data Protection Regulation or GDPR into effect on May 25, 2018, and brought cookies into the ambit of ‘personal data’, thereby allowing them to be regulated. This made it essential for any website serving residents of the European Economic Area to seek users’ consent before serving third-party cookies that weren’t fundamental to the website itself.

The institution of such laws has brought third-party cookie use down considerably. However, there is a large contingent of websites that continue to be non-compliant with the GDPR, often out of a lack of understanding of the laws.

The EU’s regulations set a global precedent and brought data privacy and the debate surrounding the use of cookies into the spotlight, prompting many other jurisdictions to follow suit and bring regulations of their own. 

New York’s Stop Hacking and Improve Electronic Data Security or SHIELD Act has defined what constitutes personal data and includes many of the parameters that cookies use. 

California also brought in a comprehensive regulatory framework called the California Consumer Privacy Act or CCPA that gives residents an understanding of what personal data is being collected about them and the choice to disallow the sale of such data to third-parties. 

India is another major jurisdiction that is working on bringing in a regulatory framework Personal Data Protection Bill to prevent the misuse of cookies and empower users with the option to opt-out of third-party cookies, among other data protection measures. 

GDPR and other data privacy laws such as those mentioned above require website owners to add a banner and buttons to their websites that would give users options to accept or deny consent to cookies as well as an option to give purpose-specific consent.

How to conduct a cookie audit?

It is in the best interest of website owners and hosts to ensure compliance with these laws and regulations to avoid heavy fines and penalties that such a default could cause. To ensure compliance with data protection laws, it’s important to conduct a website cookie audit

You end up a lot of adding a lot of cookies that track users’ data and sell them to third parties as you add more features and elements to your website, and you might not realize it. While your intentions might not have been malicious, ensuring compliance with regulations is still your duty and, you can be held accountable for non-compliance. To ensure that you aren’t unknowingly serving third-party cookies that track personal data on your website, you need to know all the cookies that your website serves. 

Conducting a cookie audit is a straightforward process that will help you:

  • Analyze what data your website collects from users.
  • Ensure compliance with data protection laws and helps resolve issues that might result in non-compliance.
  • Remove any cookies that are not essential
  • Comply with industry-specific standards and regulations
  • Reduce the chance of data breaches by removing malicious cookies and encrypting cookies.
  • Revise your privacy policy for transparency and compliance

You can conduct a free cookie audit in three simple steps:

Step 1: Knowing What Cookies You’re Serving

Identifying what cookies your website is serving can be done by simply deleting your cookie history on your browser and revisiting your website. This is the simpler way to go about it; however, it might not be the best way to do it. Some cookies are delayed and aren’t downloaded until after a while, and others might be trigger-based, which are only downloaded when you perform certain actions on the website. 

A comprehensive privacy audit tool like Privado can help you make sure you’re not missing any cookies and identify them all in an intuitive list form. 

Step 2: Analyzing individual cookies

Going through each cookie will help you understand its purpose and source. This will allow you to identify which cookies are non-essential to your website and need to be removed. Make sure to keep an eye out for new or unfamiliar cookies.

Some things to keep in mind while investigating these cookies are whether the cookies collect personally identifiable data, if there’s any purpose the cookie serves, what tools it uses, and if it can be associated with a vendor.

Step 3: Ensuring Compliance 

Once you’ve investigated each cookie, you should have an idea of what cookies could be problematic in terms of data protection regulation compliance. 

To comply with data privacy regulations like GDPR, you should have a popup or banners like this so that provides information on how the cookies served on your site are used and a link to your privacy policy. One of the key aspects of data privacy regulations is to give users the option to either accept cookies or reject them. Additionally, you can provide users the option to opt of select purposes of cookie use such as advertising. It is important for you to provide users with the option to withdraw their consent to cookies which is usually on the privacy policy page. 

Keep in mind that you still have to comply with users’ local regulations, even if your jurisdiction does not have laws concerning cookie use. 

The most problematic cookies are often the ones that have a long expiration duration, track your users’ sensitive personal data, and are in contravention of your privacy policy.

That’s it. You’ve successfully conducted a cookie audit!

Privado: Managing cookies made easier

Ensuring compliance with many jurisdictions can be a tedious task to do yourself. Using a comprehensive privacy solution like Privado can take care of that for you! Privado allows you to conduct comprehensive cookie audits, manage cookie consent from users, as well as automatically get rid of problematic scripts on your website. 

Get Privado now to make compliance a breeze! 

Vaibhav is the founder of privado.ai and a CIPM certified privacy professional.

Subscribe to privado newsletter

Get updates, articles and resources related to data privacy.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.