By Colin O'Malley, Chief Strategy Officer, Evidon
Cookie Audits have become a hot topic in the UK market in the last few months as companies begin to prepare for ePrivacy Directive enforcement, which begins on May 26th of this year.
Unfortunately, amidst all the confusion that surrounds the Directive, we now have a bumper crop of new audit solutions that have been dumped on the market, leaving companies with the chore of sifting through them. For many, this has only made compliance more challenging. So what is this audit meant to accomplish in the first place, and what are the minimum requirements that allow you to tick the box?
Why the Audit
We've explored the practical steps that companies should take in a past post, and while the audit does not produce compliance alone, it should be your first step.
The law will require you to gather specific and informed consent for all non-essential tracking activity on your site. The vast majority of companies with code executing on your site will not be considered essential by the ICO. Most of your own tracking will need consent as well. It's therefore clear that you need a comprehensive and up-to-date list of the tracking activity on your site before you finalise your consent interface.
Most site owners have a baseline understanding of the types of tracking activities on their site, but shockingly few understand which companies will appear over the course of a month and what those companies are doing with consumer data. Evidon has presented audit results to hundreds of companies, and not once has a site with advertising activity failed to be surprised by the results.
The other reason you want to start with the audit is that the regulators have asked you to. The ICO and CNIL (the French DPA) have both listed a comprehensive tracking audit as your first step, even before you worry about consent. The reality is that the audit is the easiest step, so take advantage of their offer and use your audit to buy some additional time. If the ICO comes calling early, you can tell them that you were following their directions.
Minimum requirements for the Audit
Let's first dispense with the term 'cookie audit.' This is a misnomer that serves to confuse companies and consumers alike. Cookies are just one of several tracking technologies and the ICO wants you to obtain consent for all of them. Your tracking audit must include an inventory of:
- 3rd party tags
- text cookies (1st and 3rd party)
- flash cookies (1st and 3rd party)
At the same time, no consumer wants to see the details revealed in a report of this kind. You may well have 800 tags and other tracking elements on your site and a complete list of these will only serve to confuse and overwhelm.
Which is why you need context. Your audit should organise the tracking elements by the company that is using them, and further organise those companies by business model, data collected, data sharing policies, and compliance state. You'll need this information to understand the privacy implications of the audit and to present these companies to the consumer in meaningful groups. A good audit makes this process easier. A bad audit feels like a gigantic data dump.
Do not take for granted that any audit provider can detect all tracking activity on your site. Solutions that rely exclusively on automated scanning technology often have limitations:
- They can't access many pages, including checkout confirmations, social networking pages, login pages, etc.
- They often don't know how to identify tags, the single most important tracking technology
- They often hit pages one time only, missing variations on the same page based on dynamic content or geographic customisation
Beyond the minimum compliance requirements, bear in mind that audits like this will reveal information that prompts loaded internal discussions. Most typically:
- Why are these companies appearing on my site?
- How are they getting there?
- How are they impacting site performance?
- Who should be allowed to stay?
- How can I manage this over time?
A full-service compliance provider should be able to resolve all of this for you, and will also be able to feed your audit results into a compliant consent experience.
Done properly, an audit prepares you for the next phase while serving as an interim defence.
Evidon helps businesses and customers understand and control data online, and operates the Ghostery browser extension, as well as serving ‘ad choices’ notices on online ads across the US and across Europe.