I started this series with a long, hard look at the implications of privacy laws for websites that use Google Analytics, and came to the conclusion that if the only cookies your website is setting are for Google Analytics, you don’t have too much to worry about (though there are a few small things you can do to be squeaky clean compliant). But what if your website uses other cookies too? How would you even know what cookies your website uses?

Let’s first find out what cookies your website is using

Personally I have been using a combination of several tools:

  • Attacat’s free cookie audit tool is a Google Chrome extension, made in Scotland just like me 🙂. If you don’t use Chrome, there may be a similar tool available for your browser of choice.
  • Cookiebot’s free compliance test will scan 5 pages of your website and then email you a very handy list of all of the cookies it detected, with some useful information about each. As it is limited to 5 pages, it may very well miss some cookies, but for many small, simple websites all of the cookies that are going to be set will be set on the first page.
  • I also use my browser’s built-in tools. To find out how to view and manage cookies in your browser, try a search for “view and manage cookies in Firefox”, for example. Here is a great tutorial for Google Chrome. The audit tool simplifies the process, but the principle is always the same:
    1. Delete all cookies from your browser (I would also suggest deleting browser cache first as cached files can set cookies)
    2. Browse your website as any visitor would, making sure to use all available functionality
    3. Check to see what cookies have been set during your browsing session. As you deleted all cookies before you started, any cookies that now exist will have been placed by your own website or by the third-party resources it loads

So what to do with that information?

Now that you have a list of cookies that your website is setting, it’s time to figure out what they all do, if they are really necessary, and if any of them are spying on your visitors! Having this information to hand will allow you to find a way to remove the offensive ones and to document the others in your privacy policy.

Having been through this process with quite a number of websites now, here are some of the more innocent cookies that I see again and again. These just need a quick mention each in your privacy policy:

• Various Google Analytics cookies (no surprise, not essential but inoffensive)
• Google ReCAPTCHA – here’s some information on that
• Google Fonts and Google Maps – anything that ends in .googleapis.com is probably just serving content, such as fonts and maps. Google state that the data they gather from these cookies is used purely in order to provide the service, and is handled separately from any other data they hold on individual users.
• Various functional and essential cookies, used by Woocommerce shopping cart
• Various functional and essential cookies, used by Shopify shopping cart
• wordfence_verifiedHuman and wfvt_xxxxx, set by Wordfence, inoffensive but easily disabled in Wordfence settings
• PHPSESSID – various uses, nearly always essential to function
• __cfduid – essential cookie, set by Cloudflare for security purposes (on websites that use Cloudflare directly, or perhaps use resources that use Cloudflare)
• DYNSRV – essential cookie, set by the web hosts of some cloud hosted websites, used to manage server load
• Cookie set by whatever script is used for the cookie popup banner to remember preferences

And here are a few that will require a bit more explanation to your visitors, and possibly prior consent:

Anything that includes Addthis, Sharethis, Addtoany, etc.

These caught me by surprise and I’m certain they’ll catch a lot of others out too. If you have social sharing buttons on your website, of the sort that link straight to the social networks to allow visitors to share your content on their accounts, they are probably spying on your visitors. There are some alternatives available that do not set cookies (such as Jetpack for WordPress), but, not being satisfied with any of them, I have ended up creating my own plugin that won’t slow down the website and does not use any cookies. The one that really had me scratching my head was a Google Analytics plugin for WordPress that was installed on 3 of the sites I have checked so far. The plugin was created by Sharethis, but even deleting the plugin did not remove the cookie. The plugin had to be first set to “disable all functionality” and then deleted. Naughty!

Facebook

Have you installed a Facebook pixel on your website to track your visitors and retarget them with Facebook ads? If so, it should come as no surprise that Facebook are planting cookies on your visitors’ devices. The question is how to disclose this to your visitors in a way that is fair to them, compliant with the law, and without depriving you of a marketing channel. You could:

• Go the whole hog and use a sophisticated cookie popup banner (like Cookiebot as mentioned above, for example, or perhaps the Cookie Notice plugin for WordPress) that will allow you to apply the pixel script only after the visitor has given their explicit consent. You’re likely to find a lot of people will not give consent – why would they?
• Have the pixel script run regardless, but make it very clear in your cookie popup that they are being tracked, and give clear information in your privacy policy about how you are tracking their behaviour and what they can do to opt out. More on this in another post. Possible arguments in favour of this approach are that the alternative could be very damaging to your marketing, and that it looks likely that the new e-Privacy Directive will make this sort of consent manageable by the user in their browser, rather than on individual websites.

Google AdWords, AdSense, any sort of Google advertising

If you are using Google AdWords or AdSense rather than straightforward Analytics, you will find yourself in very similar territory to users of the Facebook Pixel and can expect to see a lot of cookies. Google use many different domains for this, including some that sound nothing like “Google”. Look out for “doubleclick” for example.

YouTube & Vimeo

If you have embedded YouTube or Vimeo videos on your website, did you know that they will be placing their cookies on your users’ devices? You may decide that the best you can manage is to mention this in your privacy policy, but if you would like to embed the content without the cookies, here is some information on how to go about it. Frankly, if a privacy policy mention is good enough for the BBC, I think it will be adequate for most of us, especially where the alternative is so difficult to implement.
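As an added illustration (my own example, not a tool from the post), here is a small offline script that mirrors the three audit steps above and then sorts the cookies found into the categories this post describes: essential, functional, analytics, social sharing, advertising and embedded media. It assumes a constructed capture of (response URL, Set-Cookie header) pairs taken while browsing a hypothetical site example.co.uk with an emptied cookie jar; it only sees cookies set by HTTP headers, so cookies that a script sets from JavaScript still need the browser-side check.

```python
from urllib.parse import urlparse
SITE_DOMAIN = "example.co.uk"  # assumption: registrable domain of the site under audit

# (field, patterns, category, action): names and domains come from the post's own list.
RULES = [
    ("name", ("PHPSESSID", "__cfduid", "DYNSRV"), "essential", "mention in privacy policy"),
    ("name", ("wordfence_verifiedHuman", "wfvt_"), "functional", "mention, or disable in Wordfence"),
    ("name", ("_ga", "_gid"), "analytics", "mention in privacy policy"),
    ("domain", ("doubleclick", "facebook"), "advertising", "explain and seek prior consent"),
    ("domain", ("addthis", "sharethis", "addtoany"), "social sharing", "explain and seek prior consent"),
    ("domain", ("youtube", "vimeo"), "embedded media", "mention in privacy policy"),
]
# Constructed sample: (response URL, Set-Cookie header) pairs from one browsing session.
SAMPLE_CAPTURES = [
    ("https://example.co.uk/", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("https://example.co.uk/", "_ga=GA1.2.1.1; Domain=.example.co.uk; Path=/"),
    ("https://stats.g.doubleclick.net/collect", "IDE=xyz; Domain=.doubleclick.net; Secure"),
    ("https://s7.addthis.com/js/300/addthis_widget.js", "uvc=1; Domain=.addthis.com"),
    ("https://www.youtube.com/embed/abc", "YSC=q; Domain=.youtube.com; HttpOnly"),
    ("https://example.co.uk/contact", "wfvt_1234=5678; Path=/"),
    ("https://example.co.uk/contact", "mystery=1; Path=/"),
]

def parse_set_cookie(url, header):
    # Name comes from the first pair; attributes follow, separated by ';'.
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {k.strip().lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    # Without a Domain attribute the cookie belongs to the responding host.
    domain = attrs.get("domain", urlparse(url).hostname).lstrip(".").lower()
    first_party = domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN)
    return {"name": name, "domain": domain, "first_party": first_party,
            "httponly": "httponly" in attrs, "secure": "secure" in attrs}

def classify(cookie):
    for field, patterns, category, action in RULES:
        value = cookie[field]
        if any(value.startswith(p) if field == "name" else p in value for p in patterns):
            return category, action
    return "unknown", "look up the cookie name and setting domain before publishing"

def audit(captures):
    # One record per distinct (name, domain); third-party cookies are listed first.
    seen = {}
    for url, header in captures:
        c = parse_set_cookie(url, header)
        c["category"], c["action"] = classify(c)
        seen.setdefault((c["name"], c["domain"]), c)
    return sorted(seen.values(), key=lambda c: (c["first_party"], c["name"]))
```

Anything that comes back as "unknown" is exactly the sort of cookie the audit exists to find: chase it down before writing the privacy policy.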

In Conclusion

I am a web designer, I handle web technology all day, every day, and it has taken me hours and hours of research to gather this information. What that tells me is that the average small business owner is not going to come close to this level of understanding and compliance on their own. Part of the problem is that as things currently stand (5th April 2018), the introduction of the GDPR is quite imminent, while the updated e-Privacy law is lagging probably at least a year behind. By the time that new e-Privacy law does come into effect, it is widely anticipated that very many of the current cookie-related obligations faced by individual website owners will be passed to the browser vendors (Firefox, Chrome, Edge, et al).

This is to say that, if you can demonstrate that you have made a reasonable effort to understand and to comply with both the GDPR and existing electronic data laws (PECR in the UK), it’s probably quite safe to sit tight and wait for the e-Privacy law to come into effect before worrying a great deal about complying with the letter of the law. On the other hand, if compliance is very important to your business, and you would like assistance to identify the cookies used by your website, as well as any other potential areas of concern, contact me for a quote.