Cookie Inventory report

This report provides information about the content and security of each cookie that is found on a website: a list of pages where the cookie is set, the particular PageComponent that sets the cookie, whether it is a third-party cookie, the domain the data is returned to, the level of security on the cookie, and whether the cookie contains a compact policy. The information in this report helps you evaluate whether cookie use is in accordance with your privacy policy.

Why it matters

Session cookies expire after a visitor exits the website, or shortly after, and are not generally considered to be a privacy or security concern. Persistent cookies can exist on a computer hard disk drive for a specified period of time, and are of concern because they can be used to track visitor browsing and track the pages they view.

Cookies are digital identifiers placed by a web server that provide for advanced personalization of websites. Tracking the navigation patterns of Internet users and the websites they visit by using cookies has been at the center of many highly publicized online privacy breaches. Obtaining this behavioral information is viewed as especially sensitive if it can be connected to an individual's identity.

The challenge for the privacy professional is to identify all mechanisms used to track visitors online to determine if these are appropriate and are adequately described in published privacy policies. This challenge is complicated by the fact that these mechanisms are often not apparent to the user and buried in the source code of web pages.

Excessive or unexplained use of cookies, particularly those served by third parties, might be considered a deceptive data collection technique and might even cause users to leave your site. Most web browsers can be set to detect and alert when cookies are encountered when browsing a website. Generally accepted industry standards suggest that companies disclose their cookie use, in particular the practice of online profiling by third-party ad servers, and provide users with the ability to opt out of receiving third-party cookies. Online consumers might be more willing to interact with a website if they are made aware of their choices and of the company's practices as they pertain to the use of cookies.

The need for controls over cookies for multinationals has increased recently given the implementation of the Electronic Communications Directive in the European member states, where it is now required to provide adequate notice of when and how cookies are used and to provide information about a visitor's ability to control the collection of information using cookies.

Remediation and best practices for cookies

  • Only use cookies where user experience benefits and business value can be derived.
  • Only use third-party cookies where the third party has been vetted, the appropriate contractual protections are in place, and user disclosure is provided.
  • Do not collect any personal information in cookies, as they are most often passed in clear text between web browsers and web servers.
  • Ensure that the privacy policy accurately describes the cookie practices of the website and is available on all pages which set cookies.
  • Have higher security protections in place for the collection of sensitive personal information such as name, age, salary, credit card number, SSN or health information (intranet sites).
  • Make it clear what is optional when collecting personal information.
  • Use session cookies rather than persistent cookies.
  • If you must use persistent cookies, ensure they contain only essential information and minimize the risk of any misuse.
  • Create a P3P compact policy that discloses how you use cookies to collect visitor information.
  • Check and assess any third-party cookies that might be on your website.
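
The kind of per-cookie record this report describes can be reproduced for a quick manual check. The following is an added example, not code from the product: it builds an inventory row for each Set-Cookie header and checks it against the list above. The function names and the sample responses are constructed, "level of security" is assumed to mean the Secure and HttpOnly attributes, and third-party status is decided by a simple host comparison rather than the public suffix list.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def inventory(page_url, component_url, headers):
    """Rows for cookies in headers: (name, value) pairs returned by component_url."""
    page_host = urlsplit(page_url).hostname
    comp_host = urlsplit(component_url).hostname
    # A compact policy travels in the P3P response header as CP="...".
    has_cp = any(n.lower() == "p3p" and "cp=" in v.lower() for n, v in headers)
    rows = []
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        domain = attrs.get("domain", "").lstrip(".").lower() or comp_host
        first_party = page_host == domain or page_host.endswith("." + domain)
        rows.append({
            "cookie": name, "page": page_url, "component": component_url,
            "domain": domain, "third_party": not first_party,
            # No Expires/Max-Age means the cookie ends with the browser session.
            "persistent": "expires" in attrs or "max-age" in attrs,
            "secure": "secure" in attrs, "httponly": "httponly" in attrs,
            "compact_policy": has_cp,
        })
    return rows

def review(row):
    """Return the checks from the list above that this cookie misses."""
    checks = [("persistent", row["persistent"]), ("third-party", row["third_party"]),
              ("no Secure attribute", not row["secure"]),
              ("no compact policy", not row["compact_policy"])]
    return [label for label, failed in checks if failed]

# Constructed sample responses, not captured from a real site.
PAGE = "https://www.shop.example/cart"
SAMPLE = [
    (PAGE, PAGE, [("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
                  ("P3P", 'CP="NOI DSP COR"')]),
    (PAGE, "https://ads.tracker.example/pixel.gif",
     [("Set-Cookie", "uid=42; Domain=.tracker.example; "
                     "Expires=Wed, 21 Oct 2026 07:28:00 GMT")]),
]
ROWS = [row for args in SAMPLE for row in inventory(*args)]
```
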

Remediation and best practices for P3P compact policies

Before deciding whether to implement P3P:

  • Form the right team. Legal, technical and business interests must be adequately represented.
  • Consider external perceptions. It is likely that over half of the users of your website are already using IE 6.0. As they become more familiar with the new privacy features and encounter websites that have implemented P3P, will they see it as a low commitment to privacy if your website has not yet implemented P3P?
  • Perform an impact analysis. Website operators must proactively assess the impact of IE 6.0 on their website properties to determine if the lack of P3P policies is causing any adverse effects, including non-functioning shopping carts, log-ins and misreported web metrics. In some cases, it is this impact alone that compels an organization to implement P3P.

When a decision has been made to develop and deploy P3P:

  • Conduct a thorough website review. An accurate P3P policy needs to represent all data collection and use, including active data collection through web forms and more passive collection through cookies and log files.
  • Produce and deploy the P3P files. This policy creation can be simplified through the use of one of the P3P Policy Generator tools. However, it is important to ensure that the tool is designed for the latest version of the P3P specification and that it creates both Full and Compact policies. Many organizations prefer to code directly in XML.
  • Ensure policy alignment. It is important to view P3P as a translation of your privacy policy; all versions should communicate essentially the same message and not contradict each other in any way.

Information you should know about this report

  • When you try to open a page from this report from its URL, you might receive a message that the page requires cookies. If you want to continue opening the page, click OK.
  • If your site uses frames, HCL® Software Services or your Product Administrator can make the PageComponent data sets available so you can use them to group your report results:
    • PageComponent: Useful for identifying the files that make up a web page, such as gif, js, html or frames.
    • PageComponent ID: A unique ID assigned to identify this particular component of the page. Open the About this PageComponent report to see more details about this particular PageComponent.