What is a Cookie Audit with PECR assessment?

PECR assessment is carried out to find vulnerabilities associated with personal data processing and many other aspects. 

This blog is all about cookies and PECR audit. Both of these elements are linked as PECR covers cookies and carrying out the relevant audit.

PECR stands for Privacy and Electronic Communications Regulations, has been governing the use of cookies since its implementation in 2003, with updates made in 2011.

Cookies are small directories which contain numbers as well as letters which their websites place on their guest’s computer, even though they are modest in size, they collect information that visitors may not wish to share. PECR assessment makes sure to find vulnerabilities.

To provide precise information about PECR compliance, the Information Commissioner’s Office (ICO) provides a cookie assessment as the first step.

This information will help you out regarding the assessment of cookies that are used on your organisation’s website. 

There are two kinds of cookies: session cookies and persistent cookies. Session cookies are temporary, and once the session completes, it deletes or afterwards the browser is close.

pecr audit

Persistent cookies are also known as permanent cookies which are capable of providing information on the preferences and settings the user selects and provides information for future sessions. 

Both kinds of cookies, session cookies and persistent cookies need to analyze during the cookies assessment.


A cookie assessment proceeds in two stages: data gathering and analysis of the assessment. 

This is an in-house security assessment which will record the date and the time of assessment, who is doing the evaluation and information about any third party reviewed during the evaluation.

The data-gathering stage covers three isolated areas of the website in the assessment, and every assessment’s access is different.

  • User-side cookies: The easiest method of assessment is to use the Firefox browser for visiting the site. Click on Tools / Page Info / Security / View Cookies. A window will pop on your computer and list all the cookies installed by the website. Visitor ID cookies and session ID will add these cookies.
  • Server-side cookies: The only way to assess cookies is to ask your external website developer or internal website developer, to execute a code analysis from the server’s side and list all the cookies that may be apply. These cookies mostly deal with campaign tracking or tracking products which transfer to baskets.
  • Third-party tags: These are of third parties that have access to browsers on your site. The tags they set in place can only identify by approaching each third-party directly and requiring full information about their tags. 

For each cookie, your audit must carry the information mentioned below:

  • Host website – The specific URL that is placing the cookie on the browser.
  • Site coverage – Whether the cookie is in use by the whole website or by identified particular areas only.
  • cookies – In Firefox, this will be the Cookie Name.
  • Cookie Common Name – A plain English name you create that identifies the cookie in your audit report.
  • Responsible party – First party or the third party that is setting the cookie.
  • Description – A simple description of the cookie’s purpose and action.
  • Expiration date – This will either be a specific date (for persistent cookies) or the legend at the end of the session (for session cookies).
  • Data – The data each cookie contains.
  • User information – The user information the cookie links to, such as username

The analysis phase

You must give an answer to each cookie.

Is this cookie really necessary?

Do ensure if the information is crucial. If it really is, you cannot seek the explicit permission of the browser before setting the cookie.

How intrusive is the cookie?  

Intrusiveness within a cookie reduces the user’s privacy. Such cookies will ask you to provide more information to the user while obtaining consent. 

What additional information disclosure is required?

Does your privacy policy provide complete information on every type of cookie? You must consider what sort of information your user requires because it is necessary for compliance. 

Analyze the outcome, if your analysis reveals that cookie tracking is not strict requirement or it is more extensive than permitted by the PECR regulations, then you must take corrective action. 
For the completion of the analysis, you must record the actions you are planning to take to ensure that the cookie consent banner complies with PECR.

pecr audit

Frequently Asked Questions (FAQs)(PECR assessment)

1) Does PECR apply to B2B?

PECR  is a piece of legislation, and this law will remain in place. It applies only to electronic channels such as telephone, email and SMS. PECR not only applies to B2B marketing but also B2C marketing like sole traders, partnerships, unincorporated trusts, partnerships and foundations and their staff members.

2) Is the PECR superseded by the GDPR?

PECR and GDPR are both legislations and quite the same in many ways. Currently, the EU is replacing the e-Privacy Directive with updated e-Privacy regulation. Although the new law is not yet final. As of now, the PECR will continue with GDPR side by side. 

3) What is the difference between PECR and GDPR?

The primary difference between these two legislations is mainly related to personal data processing. However, the PECR is related to electronic marketing and contains specific rules on

  • Marketing calls, emails, texts and faxes
  • Cookies
  • Keeping communication services secure
  • Customer privacy regarding traffic and location data, itemised billing, line identification and directory listings.

4) Do the PECR assessment apply to me?

The legislation only applies to you if you:

  • Market by phone, email, text or fax
  • Use cookies or similar technology on your website
  • Compile a telephone directory or the same public directory.