I started this series with a long, hard look at the implications of privacy laws for websites that use Google Analytics, and came to the conclusion that if the only cookies your website is setting are for Google Analytics, you don’t have too much to worry about (though there are a few small things you can do to be squeaky clean compliant). But what if your website uses other cookies too? How would you even know what cookies your website uses?
Let’s first find out what cookies your website is using
Personally I have been using a combination of several tools:
- Attacat’s cookie audit tool is a free Google Chrome extension, made in Scotland just like me 🙂 If you don’t use Chrome, there may be a similar tool available for your browser of choice.
- Cookiebot’s free compliance test will scan 5 pages of your website and then email you a very handy list of all of the cookies it detected, with some useful information about each. As it is limited to 5 pages, it may very well be missing some cookies, but for many small, simple websites, all of the cookies that are going to be set will be on the first page.
- I also use my browser’s in-built tools. To find out how to view and manage cookies in your browser, try a search for “view and manage cookies in Firefox”, for example. Here is a great tutorial for Google Chrome.
The audit tool simplifies the process, but the principle is always the same:
- Delete all cookies from your browser (I would also suggest deleting browser cache first as cached files can set cookies).
- Browse your website as any visitor would, making sure to use all available functionality.
- Check to see what cookies have been set during your browsing session. As you deleted all cookies before you started, any cookies that now exist will have been placed by your own website.
So what to do with that information?
- Various Google Analytics cookies (no surprise, not essential but inoffensive)
- Google ReCAPTCHA – here’s some information on that
- Google Fonts and Google Maps – anything that ends in .googleapis.com is probably just serving content, such as fonts and maps. Google state that the data they gather from these cookies is used purely in order to provide the service, and is handled separately from any other data they hold on individual users.
- Various functional and essential cookies, used by WooCommerce shopping cart
- Various functional and essential cookies, used by Shopify shopping cart
- wordfence_verifiedHuman and wfvt_xxxxx, set by Wordfence, inoffensive but easily disabled in Wordfence settings
- PHPSESSID – various uses, nearly always essential to function
- __cfduid – essential cookie, set by Cloudflare for security purposes (on websites that use Cloudflare directly, or perhaps use resources that use Cloudflare)
- DYNSRV – essential cookie, set by the web hosts of some cloud hosted websites, used to manage server load
- Cookie set by whatever script is used for the cookie popup banner to remember preferences
And here are a few that will require a bit more explanation to your visitors, and possibly prior consent:
Anything that includes AddThis, ShareThis, AddToAny, etc.
These caught me by surprise and I’m certain they’ll catch a lot of others out too. If you have social sharing buttons on your website, of the sort that link straight to the social networks to allow visitors to share your content on their accounts, they are probably spying on your visitors. There are some alternatives available that do not set cookies (such as Jetpack for WordPress), but, not being satisfied with any of them, I have ended up creating my own plugin that won’t slow down the website and does not use any cookies. The one that really had me scratching my head was a Google Analytics plugin for WordPress that was installed on 3 of the sites I have checked so far. The plugin was created by ShareThis, but even deleting the plugin did not remove the cookie. The plugin had to be first set to “disable all functionality” and then deleted. Naughty!
Have you installed a Facebook pixel on your website to track your visitors and retarget them with Facebook ads? If so, it should come as no surprise that Facebook are planting cookies on your visitors’ devices. The question is how to disclose this to your visitors in a way that is fair to them, compliant with the law, and without depriving you of a marketing channel. You could:
- Go the whole hog and use a sophisticated cookie popup banner (like Cookiebot, mentioned above, or perhaps the Cookie Notice plugin for WordPress) that will allow you to apply the pixel script only after the visitor has given their explicit consent. You’re likely to find a lot of people will not give consent – why would they?
Google AdWords, AdSense, any sort of Google advertising
If you are using Google AdWords or AdSense rather than straightforward Analytics, you will find yourself in very similar territory to users of the Facebook Pixel and can expect to see a lot of cookies. Google use many different domains for this, including some that sound nothing like “Google”. Look out for “doubleclick” for example.
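The sorting described in this post can be scripted once the cookies left in the browser after the delete/browse/check run have been written down as name and domain pairs. The Python below is an added example, not part of the original post: it sorts such a list into the post's categories and leaves everything else for manual review. The Google Analytics cookie names, the `facebook` keyword and the sample data are assumptions.

```python
import re

# Buckets follow the post: cookies it lists as inoffensive or essential, and
# sources it says need explaining to visitors and possibly prior consent.
# Assumption: the Google Analytics names (_ga, _gid, __utm*) are added here;
# the post does not list them.
LISTED_OK = [
    (re.compile(r"^(_ga|_gid|__utm)"), "Google Analytics"),
    (re.compile(r"^(PHPSESSID|__cfduid|DYNSRV)$"), "essential (session/Cloudflare/host)"),
    (re.compile(r"^(wordfence_verifiedHuman$|wfvt_)"), "Wordfence"),
]
NEEDS_CONSENT = ("addthis", "sharethis", "addtoany", "doubleclick", "facebook")

def is_third_party(cookie_domain, site_domain):
    """site_domain is the site's registrable domain, e.g. example.com."""
    d, s = cookie_domain.lstrip(".").lower(), site_domain.lower()
    return not (d == s or d.endswith("." + s))

def classify(name, domain, site_domain):
    haystack = f"{name} {domain}".lower()
    for kw in NEEDS_CONSENT:  # the post's "anything that includes ..." rule
        if kw in haystack:
            return "consent", kw
    for pattern, label in LISTED_OK:
        if pattern.search(name):
            return "listed", label
    if domain.lower().endswith(".googleapis.com"):
        return "listed", "Google content (fonts/maps)"
    party = "third-party" if is_third_party(domain, site_domain) else "first-party"
    return "review", party + ", not covered by the post"

def audit(cookies, site_domain):
    report = {"listed": [], "consent": [], "review": []}
    for name, domain in cookies:
        bucket, why = classify(name, domain, site_domain)
        report[bucket].append((name, domain, why))
    return report

# Constructed sample: what a browser might hold after the delete/browse/check run.
SAMPLE = [
    ("_ga", ".example.com"), ("PHPSESSID", "www.example.com"),
    ("wfvt_123456", "www.example.com"), ("__cfduid", ".cdn-host.test"),
    ("IDE", ".doubleclick.net"), ("uid", ".addthis.com"),
    ("fr", ".facebook.com"), ("promo_seen", "www.example.com"),
    ("trk", ".widgets.test"),
]

if __name__ == "__main__":
    for bucket, rows in audit(SAMPLE, "example.com").items():
        print(bucket.upper())
        for name, domain, why in rows:
            print(f"  {name:<12} {domain:<20} {why}")
```

The consent keywords are checked first, so a cookie with an analytics-style name that lives on a sharing-widget domain still lands in the consent bucket.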
YouTube & Vimeo
I am a web designer, I handle web technology all day, every day, and it has taken me hours and hours of research to gather this information. What that tells me is that the average small business owner is not going to come close to this level of understanding and compliance on their own. Part of the problem is that as things currently stand (5th April 2018), the introduction of the GDPR is quite imminent, and the updated e-Privacy law is lagging probably at least a year behind. By the time that new e-Privacy law does come into effect, it is widely anticipated that very many of the current cookie-related obligations faced by individual website owners will be passed to the browser vendors (Firefox, Chrome, Edge, et al).
This is to say that, if you can demonstrate that you have made a reasonable effort to understand and to comply with both the GDPR and existing electronic data laws (PECR in the UK), it’s probably quite safe to sit tight and wait for the e-Privacy law to come into effect before worrying a great deal about complying to the letter of the law. On the other hand, if compliance is very important to your business, and you would like assistance to identify the cookies used by your website, as well as any other potential areas of concern: contact me for a quote.