Cookie Audit with PECR Assessment
PECR assessments are carried out to find vulnerabilities associated with personal data processing and many other aspects.
This blog is all about cookies and PECR audit. Both of these elements are linked as PECR covers cookies and carrying out the relevant audit.
Cookies are small files containing letters and numbers that a website places on its visitors’ computers. Although they are modest in size, they can collect information that visitors may not wish to share.
To provide precise information about PECR compliance, the Information Commissioner’s Office (ICO) provides a cookie assessment as the first step.
This information will help you out regarding the assessment of cookies that are used on your organisation’s website.
There are two kinds of cookies: session cookies and persistent cookies. Session cookies are stored temporarily and are deleted once the session ends or the browser is closed.
Persistent cookies, also known as permanent cookies, record the preferences and settings the user selects and make that information available to future sessions.
Both kinds, session cookies and persistent cookies, need to be analysed during the cookie assessment.
A cookie assessment proceeds in two stages: data gathering and analysis.
This is an in-house security assessment which will record the date and the time of assessment, who is doing the evaluation and information about any third party reviewed during the evaluation.
The data-gathering stage covers three separate areas of the website, and each is accessed differently.
- User-side cookies: The easiest method of assessment is to visit the site in the Firefox browser. Click Tools / Page Info / Security / View Cookies. A window will open listing all the cookies installed by the website. These will typically include visitor ID and session ID cookies.
- Server-side cookies: The only way to assess these is to ask your external or internal website developer to carry out a code analysis on the server side and list all the cookies that may be set. These cookies mostly deal with campaign tracking or tracking products that are added to baskets.
- Third-party tags: These are placed by third parties that have access to browsers on your site. The tags they set can only be identified by approaching each third party directly and requesting full information about their tags.
For each cookie, your audit must carry the information mentioned below:
- Host website – The specific URL that is placing the cookie on the browser.
- Site coverage – Whether the cookie is used by the whole website or by identified particular areas only.
- Cookie name – In Firefox, this is shown as the Cookie Name.
- Cookie Common Name – A plain English name you create that identifies the cookie in your audit report.
- Responsible party – First party or the third party that is setting the cookie.
- Description – A simple description of the cookie’s purpose and action.
- Expiration date – Either a specific date (for persistent cookies) or the "end of session" label (for session cookies).
- Data – The data each cookie contains.
- User information – The user information the cookie links to, such as a username.
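The fields above can be collected mechanically from the Set-Cookie headers a site and its third parties return, rather than copied by hand from the Firefox dialog. The script below is an added example written for this post, not code from the original blog or from the ICO: it parses captured Set-Cookie headers (the sample headers and host names are constructed), classifies each cookie as session or persistent from its Max-Age/Expires attributes, decides first party versus third party by comparing the setting domain with the audited site, and emits rows with the host, name, responsible party, expiration and data columns of the audit record. Common Name, Description and User information still need a human, so they are left blank for the auditor to fill in.

```python
"""Build a PECR-style cookie inventory from captured Set-Cookie headers (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple


@dataclass
class CookieRecord:
    host_website: str        # domain that placed the cookie
    cookie_name: str
    responsible_party: str   # "first party" or "third party"
    kind: str                # "session" or "persistent"
    expiration: str          # ISO date for persistent cookies, else "end of session"
    data: str                # raw value stored in the cookie
    common_name: str = ""    # to be filled in by the auditor
    description: str = ""    # to be filled in by the auditor


def is_first_party(setting_host: str, site_domain: str) -> bool:
    """First party if the setting host is the audited site or one of its subdomains."""
    setting_host = setting_host.lower().lstrip(".")
    site_domain = site_domain.lower()
    return setting_host == site_domain or setting_host.endswith("." + site_domain)


def parse_set_cookie(header: str, response_host: str, site_domain: str,
                     now: Optional[datetime] = None) -> CookieRecord:
    """Turn one Set-Cookie header into an audit record.

    response_host is the host that returned the header; it is used when the
    cookie carries no Domain attribute.  now is injectable so Max-Age can be
    resolved to a fixed date in tests.
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")          # value may itself contain "="
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()

    host = (attrs.get("domain") or response_host).lower().lstrip(".")

    expires: Optional[datetime] = None
    if "max-age" in attrs:
        # RFC 6265: Max-Age takes precedence over Expires when both are present
        try:
            expires = now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            expires = None
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            expires = None

    if expires is None:
        kind, expiration = "session", "end of session"
    else:
        kind = "persistent"
        expiration = expires.astimezone(timezone.utc).date().isoformat()

    party = "first party" if is_first_party(host, site_domain) else "third party"
    return CookieRecord(host, name.strip(), party, kind, expiration, value)


def build_inventory(captures: List[Tuple[str, str]], site_domain: str,
                    now: Optional[datetime] = None) -> List[CookieRecord]:
    """captures is a list of (responding host, Set-Cookie header value) pairs."""
    return [parse_set_cookie(h, host, site_domain, now) for host, h in captures]


def needs_consent_review(rec: CookieRecord) -> bool:
    """Third-party or persistent cookies are the ones least likely to be strictly necessary."""
    return rec.responsible_party == "third party" or rec.kind == "persistent"


# Constructed sample capture: what a crawl of www.example.co.uk might return.
SAMPLE_CAPTURES = [
    ("www.example.co.uk", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.co.uk", "prefs=lang=en; Max-Age=2592000; Path=/"),
    ("tracker.example-ads.net",
     "_uid=7f3a; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.example-ads.net; "
     "Path=/; SameSite=None; Secure"),
]

if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for rec in build_inventory(SAMPLE_CAPTURES, "example.co.uk", fixed_now):
        flag = " (review)" if needs_consent_review(rec) else ""
        print(f"{rec.host_website:24} {rec.cookie_name:10} {rec.responsible_party:12} "
              f"{rec.kind:10} {rec.expiration:15} {rec.data}{flag}")
```

The first-party test is deliberately simple (suffix match on the audited domain); a production audit of a site on a shared suffix such as .co.uk should use the Public Suffix List so that an unrelated other.co.uk domain is not mistaken for a subdomain.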
The analysis phase
For each cookie, you must answer the following questions.
Is this cookie really necessary?
Check whether the information is genuinely essential. If it is, you do not need to seek the user’s explicit consent before setting the cookie.
How intrusive is the cookie?
The more intrusive a cookie is, the more it reduces the user’s privacy, and the more information you must give the user when obtaining consent.
What additional information disclosure is required?
Analyse the outcome: if your analysis reveals that cookie tracking is not strictly required, or is more extensive than PECR permits, you must take corrective action.
For the completion of the analysis, you must record the actions you are planning to take to ensure that the cookie consent banner complies with PECR.
Frequently Asked Questions (FAQs)
1) Does PECR apply to B2B?
PECR is a piece of legislation, and this law will remain in place. It applies only to electronic channels such as telephone, email and SMS. PECR applies not only to B2B marketing but also to B2C marketing, covering sole traders, partnerships, unincorporated trusts and foundations and their staff members.
2) Is the PECR superseded by the GDPR?
PECR and GDPR are both legislation and are similar in many ways. The EU is currently replacing the e-Privacy Directive with an updated e-Privacy Regulation, although the new law is not yet finalised. For now, PECR continues to apply side by side with GDPR.
3) What is the difference between PECR and GDPR?
The primary difference between the two is that GDPR is mainly concerned with personal data processing, whereas PECR is concerned with electronic marketing and contains specific rules on:
- Marketing calls, emails, texts and faxes
- Keeping communication services secure
- Customer privacy regarding traffic and location data, itemised billing, line identification and directory listings.
4) Does the PECR assessment apply to me?
The legislation applies to you only if you:
- Market by phone, email, text or fax
- Compile a telephone directory or a similar public directory.