Cookie Inventory report

This report provides information about the content and security of each cookie that is found on a website: a list of pages where the cookie is set, the particular PageComponent that sets the cookie, whether it is a third-party cookie, the domain the data is returned to, the level of security on the cookie, and whether the cookie contains a compact policy. The information in this report helps you evaluate whether cookie use is in accordance with your privacy policy.

Why it matters

Session cookies expire after a visitor exits the website, or shortly after, and are not generally considered to be a privacy or security concern. Persistent cookies can remain on a computer hard disk drive for a specified period of time, and are of concern because they can be used to track visitor browsing and the pages that visitors view.

Cookies are digital identifiers placed by a web server that provide for advanced personalization of websites. Tracking the navigation patterns of Internet users and the websites they visit by using cookies has been at the center of many highly publicized online privacy breaches. Obtaining this behavioral information is viewed as especially sensitive if it can be connected to an individual's identity.

The challenge for the privacy professional is to identify all mechanisms used to track visitors online to determine if these are appropriate and are adequately described in published privacy policies. This challenge is complicated by the fact that these mechanisms are often not apparent to the user and buried in the source code of web pages.

Excessive or unexplained use of cookies, particularly those served by third parties, might be considered a deceptive data collection technique and might even cause users to leave your site. Most web browsers can be set to detect cookies and alert the user when they are encountered while browsing a website. Generally accepted industry standards suggest that companies disclose their cookie use and, in particular, the practice of online profiling by third-party ad servers, and that they provide users with the ability to opt out of receiving third-party cookies. Online consumers might be more willing to interact with a website if they are made aware of their choices and of the company's practices as they pertain to the use of cookies.

The need for controls over cookies has increased recently for multinationals, given the implementation of the Electronic Communications Directive in the European member states. It is now required there to provide adequate notice of when and how cookies are used, and to provide information about a visitor's ability to control the collection of information using cookies.

Remediation and best practices for cookies

  • Only use cookies where user experience benefits and business value can be derived.
  • Only use third-party cookies where the third party has been vetted, the appropriate contractual protections have been made, and user disclosure is provided.
  • Do not collect any personal information in cookies, as they are most often passed in clear text between web browsers and web servers.
  • Ensure that the privacy policy accurately describes the cookie practices of the website and is available on all pages which set cookies.
  • Have higher security protections in place for the collection of sensitive personal information such as name, age, salary, credit card number, SSN or health information (intranet sites).
  • Make it clear what is optional when collecting personal information.
  • Use session cookies rather than persistent cookies.
  • If you must use persistent cookies, ensure they contain only essential information and minimize the risk of any misuse.
  • Check and assess any third-party cookies that might be on your website.
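
The classification the report performs can be reproduced on captured response headers. The following is an added example, not part of the product or its documentation: it assumes you have recorded each Set-Cookie value with the page and the component URL that returned it, treats the Secure and HttpOnly attributes as the "level of security", and uses hypothetical hosts under example.test and tracker.test.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def inventory(site, observations):
    """Classify each (page URL, component URL, Set-Cookie value) observation."""
    rows = []
    for page, component, header in observations:
        name, attrs = parse_set_cookie(header)
        # Domain the cookie is returned to: Domain attribute, else the setting host.
        domain = attrs.get("domain", "").lstrip(".").lower() or urlsplit(component).hostname
        rows.append({
            "cookie": name, "page": page, "component": component, "domain": domain,
            # Third party: returned to a domain outside the first-party site.
            "third_party": not (domain == site or domain.endswith("." + site)),
            # Persistent: carries Expires or Max-Age; otherwise a session cookie.
            "persistent": "expires" in attrs or "max-age" in attrs,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return rows

# Constructed observations (hypothetical hosts and cookie values).
SAMPLE = [
    ("https://www.example.test/", "https://www.example.test/",
     "sid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.test/shop", "https://www.example.test/shop",
     "visitor=42; Max-Age=31536000; Domain=.example.test; Path=/"),
    ("https://www.example.test/shop", "https://ads.tracker.test/pixel.gif",
     "uid=xyz; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Domain=tracker.test"),
]

if __name__ == "__main__":
    for row in inventory("example.test", SAMPLE):
        print(row)
```

Rows where third_party or persistent is true are the ones to check against the privacy policy and the practices listed above.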

Information you should know about this report

  • When you try to open a page from this report from its URL, you might receive a message that the page requires cookies. If you want to continue opening the page, click OK.
  • If your site uses frames, HCL® Software Services or your Product Administrator can make the PageComponent data sets available so you can use them to group your report results:
    • PageComponent: Useful for identifying the files that make up a web page, such as gif, js, html or frames.
    • PageComponent ID: A unique ID assigned to identify this particular component of the page. Open the About this PageComponent report to see more details about this particular PageComponent.