How To Conduct a Cookie Audit With a Tool or Manually

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: January 7, 2022


Cookies are useful tools, but they’re often misunderstood. Modern websites rely on cookies to provide their visitors with essential services.

If your organization uses cookies to improve your users’ experience, you may be aware that you need to perform cookie audits to track how they’re being used. But what does that mean, and why do you need to do a cookie audit?

This guide will explain why you need one and how to perform a cookie audit correctly.

Table of Contents
  1. How To Conduct a Cookie Audit Automatically
  2. How To Conduct a Cookie Audit Manually
  3. What To Know About Cookies
  4. Laws Surrounding Cookies
  5. Why You Need To Audit Cookies
  6. Wrapping Up

There are two ways to audit cookies: using a cookie audit tool or manually. Automatic cookie audits are typically the recommended solution since they don’t require you to manage every step of the process. Instead, they find and record your cookies for you.

A good online cookie audit tool will perform tasks such as:

  • Discovering and listing all cookies your website delivers
  • Categorizing cookies into the fundamental categories listed by the GDPR
  • Generating a cookie policy explaining how your cookies are used

These processes hand you all the information you need to keep your cookies under control and avoid falling out of cookie compliance. Termly’s cookie solution automates the process of auditing cookies and much more.

Use Termly to Automatically Audit Cookies

Step 1: Enter your website URL into the form below

Step 2: We’ll scan your site and categorize the majority of your cookies

Step 3: We’ll generate your cookie policy & customizable cookie banner

The alternative to automatic audits is a manual cookie audit, but it’s tedious, and you are better off using the automatic method above.

Here’s how to conduct a manual cookie audit and ensure you don’t miss any critical information.

Step 1: Identify Cookies

The first step of a cookie audit is figuring out what cookies your site actually uses. You can check cookies on each page using the developer tools already built into your web browser. It’s best to do this on multiple pages of your site to make sure you’ve spotted every possible cookie.

You should also try this on various devices and browsers set on “incognito” mode, with any native cookie blockers you have turned off. Otherwise, you may accidentally miss cookies, and your audit will be incomplete.

Here’s how you can identify cookies in Google Chrome and Firefox:

Checking Cookies in Chrome

Step #1: If your computer is operating on Windows, you have to right-click on the window of your website. On an Apple OS, you can either use the two-finger click or the control+click function.


Step #2: An option menu will pop up after you right-click. The last option on the list will be an “Inspect” option. Selecting it will open the Chrome developer console in another section of the window.


Step #3: You’ll see a few different tabs at the top of the developer console. Select the “Application” tab. If the tab isn’t visible, you might have to extend the list by clicking on the “>>” option.


Step #4: Once you click the “Application” button, a sidebar will appear on the left. Click the “Cookies” option which will be a sub-option under the “Storage” section.


Step #5: After clicking “Cookies,” you will see a few columns of information that will show whether your website’s cookies are secure or if there are any active third-party cookies. In the “Session” tab, you can see where those cookies are being stored and whether they are session cookies or persistent cookies.


Checking Cookies in Firefox

Step #1: On a Windows PC, navigate to your website and right-click on the browser window. On an Apple OS, you can either use the two-finger click or the control+click feature.


Step #2: An option menu will appear after you right-click. Select the “Inspect” option.


Step #3: A new section will open in your browser window. Select the “Storage” option from the menu bar. Once you click “Storage,” a list of options will appear. Choose “Cookies” from this menu.


Step #4: After clicking “Cookies,” you’ll see a few columns of information that show whether your website’s cookies are secure or if there are any active third-party cookies. In the “Path” column, you can see where those cookies are being stored. You can also see which of them are session cookies or persistent cookies by checking the “Expires/Max-Age” tab.


Step 2: Analyze Cookies

Once you’ve identified all the cookies your website uses, you need to analyze them. This is the process of studying the information stored on each cookie and how your website reads that data.

In your web browser’s developer console, click through each cookie to see the details they collect. Look for information such as the source of the cookie, its path, purpose, and duration. 

Analyzing cookies can be time-consuming, so set aside enough time to do it properly.

You can also choose to use a cookie spotting tool like Termly’s free cookie scanner to speed up the process.
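The attributes recorded by hand in Steps 1 and 2 (source, path, duration, Secure flag, first or third party) can also be read from the `Set-Cookie` response headers your pages send. The script below is an added example, not part of the original article or any Termly tool; the site host `shop.example` and the captured headers are constructed sample data.

```python
SITE = "shop.example"  # assumption: host of the site being audited

# Constructed sample: (host that sent the response, raw Set-Cookie header value)
CAPTURED = [
    ("shop.example", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "prefs=lang%3Den; Path=/; Max-Age=31536000"),
    ("cdn.shop.example", "ab_bucket=B; Domain=shop.example; Path=/; "
                         "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure"),
    ("ads.tracker.example", "uid=9f8e7d; Domain=tracker.example; Path=/; "
                            "Max-Age=63072000; SameSite=None"),
]

def parse_set_cookie(source_host, header, site=SITE):
    """Turn one Set-Cookie header into an audit-inventory row."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")  # the value itself is not inventoried
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Simplification: suffix match on the sending host, no public-suffix list
    first_party = source_host == site or source_host.endswith("." + site)
    row = {
        "name": name.strip(),
        "source": source_host,
        "domain": attrs.get("domain", source_host).lstrip("."),
        "path": attrs.get("path", "(default)"),
        "party": "first" if first_party else "third",
        # No Max-Age or Expires means the cookie ends with the browser session
        "lifetime": "persistent" if attrs.keys() & {"max-age", "expires"} else "session",
        "secure": "secure" in attrs,
        "http_only": "httponly" in attrs,
        "same_site": attrs.get("samesite", "(unset)"),
        "findings": [],
    }
    if not row["secure"]:
        row["findings"].append("no Secure attribute: can be sent over unencrypted HTTP")
    if row["same_site"].lower() == "none" and not row["secure"]:
        row["findings"].append("SameSite=None requires Secure")
    if row["party"] == "third":
        row["findings"].append("third-party: confirm purpose and category")
    return row

def audit(captured=CAPTURED):
    """Inventory every captured cookie, in capture order."""
    return [parse_set_cookie(host, header) for host, header in captured]

if __name__ == "__main__":
    for r in audit():
        print(r["name"], r["party"], r["lifetime"], r["domain"], r["path"],
              "; ".join(r["findings"]) or "ok")
```

Headers like these can be copied from the Network tab of the same developer tools used in Step 1, which also exposes HttpOnly cookies that page scripts cannot read.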

Step 3: Categorize Cookies

After you’ve analyzed your cookies, you need to categorize them based on how they’re used.

The categories of cookies include:

  • Essential cookies, like first-party files that track what account a visitor is accessing your site through
  • Performance and functionality cookies that manage non-essential but beneficial tasks like allowing videos to play
  • Analytics and customization cookies that monitor and store user information to provide a personalized experience
  • Advertising cookies that enable third-party marketers to track data about users and display customized ads
  • Social networking cookies that connect your site to social media sites

You must be careful to categorize cookies correctly. Incorrectly classifying your cookies can put you at risk of a lawsuit since your visitors won’t be able to opt in or opt out of the types of cookies they want to avoid.

Step 4: Look for Compliance Issues

You’ve explored your cookies and categorized them based on how they’re used. Now it’s time to analyze your usage more closely to ensure you’re fully in compliance with the CCPA, GDPR and the EU cookie law.

For instance, if your cookies are unencrypted, they pose a privacy threat to your users even if they do exactly what you say. This is because hackers can use unencrypted cookies to steal information from your visitors. You can address this vulnerability by adding encryption to your cookies.

Other compliance issues to look for:

  • Cookies that aren’t related to a legitimate business purpose
  • Cookies that store information for no reason
  • Cookies placed by healthcare and financial industry sites that don’t follow industry-specific regulations

Step 5: Create a Cookie Policy and Consent Solution

Once you understand how you’re using your cookies and have removed any compliance issues, it’s time to generate a cookie policy and implement a consent solution.

A cookie policy explains to users how you’ll use their information, and the consent solution tracks their opt-in and opt-out choices and blocks cookies they don’t agree to.

There are two main ways to create a cookie policy and consent solution. You can either work with a managed solution that provides a cookie consent manager or write your own cookie policy and create your own cookie notification for your users.

Both approaches have their benefits, so let’s look at them individually.

Working With a Managed Solution (Recommended)

Your best option is to work with a managed cookie solution service like Termly. With managed solutions, everything from your cookie policy to your consent management is handled for you.

Use Termly’s Cookie Consent Manager


  • Scans your site for cookies and categorizes the majority of them
  • Provides users with cookie opt-in and opt-out options for each category
  • Blocks cookies that users haven’t opted in to receive
  • Generates a customizable cookie consent banner
  • Generates a cookie policy and keeps consent logs

Termly’s all-in-one cookie solution handles everything from generating a cookie banner informing users of your policy and their opt-in options to tracking consent settings over time.

You can let Termly manage the entire process and ensure that your users’ preferences for cookies are honored on every visit.

Writing Your Own Cookie Policy

If you choose to write your own cookie policy and consent solution, you need to do your research. Your cookie policy is a legal document, so it must be written carefully to stay in compliance. The best way to write a comprehensive cookie policy is to work with a pre-built template and customize it to fit your needs.

You can use the template to develop a policy compliant with privacy laws and clearly explain how you’re using your cookies. This saves you the time and effort of writing a new policy from the ground up.

Step 6: Conduct Periodic Audits

The final step is to repeat the entire audit process regularly.

As your website evolves, it’s likely that your development team will update the cookies you offer and how they’re used. Privacy laws will also continue to evolve, even if your website doesn’t. So, just because your website is in compliance today, there is no guarantee that this will still be true next quarter.

By conducting periodic audits, you can stop worrying about your cookie usage. Instead, you’ll be able to track the cookies you’re using, update your policy, and address compliance issues right away. Schedule multiple audits a year to stay on top of the process.

What To Know About Cookies

A cookie is a tiny file that websites store on visitors’ computers to track their visits and personalize their experience. These files help websites remember who has visited them before and differentiate between individual users. Some cookies are temporary, only lasting as long as the user is on a website, while others are permanent and stay on a computer until they get deleted.

There are different types of internet cookies and two main ways they can be labeled: essential and non-essential.

To understand the purpose of a cookie audit, you need to understand what these labels mean.

Essential and Non-Essential Cookies

An essential cookie is something necessary for a website to work as intended. They help the site provide the services it promises and that users specifically request.

On the other hand, a non-essential cookie is not directly related to the core services of the site but may provide additional features or functionality. Therefore, disabling non-essential cookies won’t break the site, but it may make the experience less personalized.

Laws Surrounding Cookies

Many governments consider internet privacy a fundamental right of their citizens. As a result, internet privacy laws regulate how businesses can store and track cookies on users’ computers.

Currently, two major laws will guide you as you conduct a cookie audit:

  • General Data Protection Regulation (GDPR): The GDPR is a regulation put in place by the European Union (EU), UK, Norway, Iceland, Liechtenstein and Switzerland that controls how sites track and store data about EU citizens. Under the GDPR, businesses need to give users information about what the cookies they want to use will do and offer the option to opt in to non-essential cookies.
  • California Consumer Privacy Act (CCPA): The CCPA is California’s equivalent of the GDPR. The law requires organizations to tell users what information they’re collecting about them and give them the ability to opt out of having their data sold. This means that organizations must tell users about the cookies they store and allow them to opt out of cookies that will be sold to others, and of non-essential cookies.

Other privacy laws that cover cookies include:

Why You Need To Audit Cookies

The laws about internet privacy and tracking mean that it’s vital to understand how your website uses cookies. A cookie audit is an in-depth check of all the cookies your site uses and their purposes and types.

Cookie audits also give you valuable information about improving your cookie usage. For example, you can learn what cookies you’re using, refine the ones you save, and write a better cookie policy for your site.

Wrapping Up

Cookie audits are a fundamental requirement for complying with modern privacy laws. Performing effective cookie audits helps you keep your cookie use under control and prevents you from accidentally breaking the law.

You can begin performing effective audits by working with Termly’s cookie tracking solutions. Whether you want to simply perform automatic audits or manually audit and use a consent manager and policy templates, Termly.io has the tools to make it happen. So start your compliance journey today by exploring everything Termly has to offer.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
