5 Tips for EU Cookie Law Compliance

There’s been a lot of confusion about the EU cookie law and what exactly organizations need to do to comply with its requirements. In essence, the EU Cookie Law requires organizations in EU Member States to clearly disclose how their websites store, track or otherwise access user data through HTTP cookies, Flash Local Storage Objects (LSOs), and other web tracking techniques such as web bugs and HTML5 local storage.

 

As the May 26th, 2012 deadline for penalty enforcement approaches, HP has received several inquiries about how WebInspect can help organizations comply. WebInspect does not implement compliance for you, but it can help you identify where your site uses each of the technologies listed above.

 

Tip 1: Identify Cookies on Your Site: Perform an Authenticated Crawl

 

If your application provides a method for user authentication, be sure to configure a login macro to enable access to the authenticated portions of your site in order to capture session-related cookies.

 

(Screenshot: Authentication and Connectivity settings)

 

Once the crawl completes, click on the top level node on the site tree and click on the Cookies section under Host Info.  This will list all of the cookies WebInspect encountered during your authenticated crawl.

 

(Screenshot: Identify Cookies on Your Site)
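The cookie list WebInspect produces is only the starting point; the privacy policy has to say, for each cookie, whether it is first- or third-party, how long it lives and what it is for. The following script is an added example, not part of the original post and not WebInspect code. It takes Set-Cookie headers the way a crawl records them (the three headers, the host www.example.com and the vendor domain are constructed for the example) and turns them into the per-cookie facts a disclosure table needs, leaving the Purpose column for a human who knows what each cookie does.

```python
"""Cookie inventory from captured Set-Cookie headers.

Added example; not part of the original post and not WebInspect code.
It parses Set-Cookie headers as a crawl such as the one in Tip 1 records
them and extracts the facts (name, first- or third-party, lifetime,
Secure/HttpOnly) that a privacy-policy cookie table has to disclose.
"""
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers observed while crawling the
# hypothetical site www.example.com with a login macro configured.
SITE_HOST = "www.example.com"
CAPTURED_SET_COOKIE_HEADERS = [
    "JSESSIONID=7f3c2a; Path=/; Secure; HttpOnly",
    "_ga=GA1.2.17; Expires=Wed, 26 May 2014 10:00:00 GMT; Path=/; Domain=.example.com",
    "ad_id=9911; Max-Age=2592000; Path=/; Domain=.tracker.example",
]


def is_first_party(domain_attr, host):
    """A cookie is first-party when its Domain attribute (or, when absent,
    the responding host) is the site host or a parent domain of it."""
    if not domain_attr:
        return True
    parent = domain_attr.lstrip(".").lower()
    return host == parent or host.endswith("." + parent)


def describe_cookie(set_cookie_header, host=SITE_HOST):
    """Parse one Set-Cookie header into the attributes a disclosure needs."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    name, morsel = next(iter(jar.items()))
    expires, max_age = morsel["expires"], morsel["max-age"]
    if max_age:                      # Max-Age takes precedence over Expires
        lifetime = f"{int(max_age) // 86400} days"
    elif expires:
        lifetime = f"until {expires}"
    else:
        lifetime = "session (removed when the browser closes)"
    return {
        "name": name,
        "party": "first-party" if is_first_party(morsel["domain"], host) else "third-party",
        "persistent": bool(max_age or expires),
        "lifetime": lifetime,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def build_inventory(headers, host=SITE_HOST):
    """Deduplicate by cookie name; a crawl sees the same cookie set many times."""
    seen = {}
    for header in headers:
        entry = describe_cookie(header, host)
        seen.setdefault(entry["name"], entry)
    return list(seen.values())


def render_policy_table(inventory):
    """Plain-text skeleton of the disclosure table. The Purpose column is
    deliberately left as TODO: only the site owner can state it truthfully."""
    rows = ["Name | Party | Lifetime | Secure | HttpOnly | Purpose"]
    for c in inventory:
        rows.append(f"{c['name']} | {c['party']} | {c['lifetime']} | "
                    f"{'yes' if c['secure'] else 'no'} | "
                    f"{'yes' if c['httponly'] else 'no'} | TODO")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_policy_table(build_inventory(CAPTURED_SET_COOKIE_HEADERS)))
```

The party classification uses the Domain attribute rather than the cookie name, because a vendor cookie set on your own domain is still your cookie to disclose, while anything scoped to another domain is a third party the policy should name.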

 

Tip 2: Identify Adobe Flash Local Storage Objects (LSOs)

 

If your site incorporates Adobe Flash Local Storage Objects (LSOs) and/or Cookies, an entry will be present within the vulnerability section of your completed crawl entitled Shared Flash Storage Object.  


Tip 3: Review your website's usage of HTML5 

 

HTML5 incorporates a concept similar to Adobe Flash LSOs called local storage.  Under the EU Cookie Law as it is interpreted, these objects also fall into the category of items that must be disclosed in the site-wide privacy policy.

 

To find HTML5 local storage objects within your site, open the Search tab beneath Sequence and Step Mode in the bottom left side of the WebInspect user interface.  Select Raw Response from the drop-down, and supply the following regular expression as the search criteria:

 

openDatabase\(|(localStorage|sessionStorage)\.(setItem|getItem)

 

Next, select any relevant search results that appear.  If you have trouble finding the relevant snippet, you can select the Scripts section under Session Info and search the HTTP response using the same regular expression as above.
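The same search can be run outside WebInspect over any set of saved responses. The script below is an added example, not part of the original post and not WebInspect code. It applies the regular expression from Tip 3 unchanged to constructed sample responses (the URLs and JavaScript are made up for the example) and goes one step further than the search does: for setItem/getItem calls it also captures the storage key name, which is what a privacy policy has to describe.

```python
"""Scan raw HTTP responses for HTML5 storage API usage.

Added example; not part of the original post and not WebInspect code.
STORAGE_API_RE is the regular expression from Tip 3, unchanged. KEY_ARG_RE
is an extension added here to pull out the key passed to setItem/getItem.
"""
import re

STORAGE_API_RE = re.compile(
    r"openDatabase\(|(localStorage|sessionStorage)\.(setItem|getItem)")

# Extension: the first (quoted) argument of a setItem/getItem call names the
# stored item, which is what the privacy policy needs to list.
KEY_ARG_RE = re.compile(
    r"""(localStorage|sessionStorage)\.(setItem|getItem)\(\s*(['"])([^'"]*)\3""")

# Constructed sample: (URL, raw response body) pairs as a crawler would save them.
SAMPLE_RESPONSES = [
    ("https://www.example.com/index.html",
     "<html><body><p>Welcome</p></body></html>"),
    ("https://www.example.com/js/app.js",
     "function remember(u){ localStorage.setItem('user_id', u); }\n"
     "function load(){ return sessionStorage.getItem(\"cart\"); }\n"),
    ("https://www.example.com/js/legacy.js",
     "var db = openDatabase('shop', '1.0', 'offline cart', 2*1024*1024);\n"),
]


def find_storage_usage(responses):
    """Return one finding per API call: URL, line number, API and key (if any)."""
    findings = []
    for url, body in responses:
        for lineno, line in enumerate(body.splitlines(), 1):
            for m in STORAGE_API_RE.finditer(line):
                # Anchor the key extraction at this match so a later call on
                # the same line cannot lend its key to an openDatabase( hit.
                key_match = KEY_ARG_RE.match(line, m.start())
                findings.append({
                    "url": url,
                    "line": lineno,
                    "api": m.group(0),
                    "key": key_match.group(4) if key_match else None,
                })
    return findings


def summarize(findings):
    """Group the APIs used by each URL, for a quick review list."""
    by_url = {}
    for f in findings:
        by_url.setdefault(f["url"], []).append(f["api"])
    return by_url


if __name__ == "__main__":
    for f in find_storage_usage(SAMPLE_RESPONSES):
        print(f"{f['url']}:{f['line']}  {f['api']}  key={f['key']}")
```

Note that openDatabase( (Web SQL) takes a database name, not a key, so the key field stays empty for it; the line reference is enough to locate the schema in the script by hand.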

 

Tip 4: Identify any areas of your website that track user activity

 

Many organizations track user activity on their site, and many free and commercial web analytics solutions are available for doing so.  Typically referred to as “web bugs” or, more generically, as the facility to harvest data for web analytics, these techniques also fall under the umbrella of the EU Cookie Law and should be clearly stated in your website’s privacy policy.

 

Several different techniques are employed for incorporating web bugs into your site, most commonly via remote JavaScript script include requests.  Other solutions embed a small 1x1 pixel image in each response in order to track user navigation.  Our best advice is to check your site for any type of analytics or user tracking, and to document its usage and clearly state its intent to your visitors using the same process as for the other items.
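Both techniques mentioned above leave a recognizable trace in the HTML. The script below is an added example, not part of the original post and not WebInspect code. It parses a constructed sample page (the hostnames www.example.com, analytics.example-vendor.com and cdn.example-vendor.com are made up) and flags remote script includes, 1x1 pixel images, and other remotely loaded images that deserve a look, then lists the third-party hosts involved so the privacy policy can name them.

```python
"""Find web bugs and remote tracking includes in an HTML response.

Added example; not part of the original post and not WebInspect code.
Flags the two patterns Tip 4 describes (remote <script src> includes and
1x1 pixel images) plus any other image loaded from a different host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page as served by the hypothetical site www.example.com.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://analytics.example-vendor.com/track.js"></script>
</head><body>
<img src="/images/logo.png" width="200" height="60" alt="logo">
<img src="https://analytics.example-vendor.com/pixel.gif?uid=42" width="1" height="1" alt="">
<img src="https://cdn.example-vendor.com/banner.jpg" alt="banner">
</body></html>"""


class TrackerFinder(HTMLParser):
    """Collect (kind, src) pairs for elements that may track visitors."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def _is_remote(self, src):
        # Protocol-relative URLs (//host/path) parse to a hostname too.
        host = urlparse(src).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script" and src and self._is_remote(src):
            self.findings.append(("remote-script", src))
        elif tag == "img" and src:
            tiny = a.get("width") == "1" and a.get("height") == "1"
            if tiny:
                self.findings.append(("tracking-pixel", src))
            elif self._is_remote(src):
                # Not necessarily a bug, but every remote image load is a
                # request that a third party can log; review it.
                self.findings.append(("remote-image", src))


def find_trackers(html, page_host):
    finder = TrackerFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


def third_party_hosts(findings):
    """Sorted list of external hosts that receive visitor requests."""
    hosts = {urlparse(src).hostname for _, src in findings}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    found = find_trackers(SAMPLE_HTML, "www.example.com")
    for kind, src in found:
        print(f"{kind:15} {src}")
    print("third-party hosts:", ", ".join(third_party_hosts(found)))
```

The 1x1 check is deliberately independent of where the image is hosted: a pixel served from your own domain by an analytics product installed locally still counts as tracking for the purposes of the policy.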

 

Tip 5: Review your website's privacy policy

 

For each item discovered in the preceding steps, be sure to analyze its specific usage and clearly state, in your site-wide privacy policy, the intent of each item and how it impacts your visitors.  As shown below, the ICO also presents each visitor with a prompt that guides them to the central privacy notice and asks for explicit permission to accept cookies.  Additionally, a table lists each of the cookies, with its name, purpose and a link to more information.

 

(Screenshot: ICO privacy notice)

 

Conclusion

 

We list the most common client storage methods that fall under the EU Cookie Law in this post; however, every implementation is different and may pose a unique challenge for automated detection.  The key is knowing your site composition and how you solicit and track information from your visitors.

 

What are you doing to prepare for the EU Cookie Law?  Leave a comment; we’d like to hear from you.

 

Comments

First Thrill: Joe Sechman, back in ASC

 

Second Thrill: Seeing the Flash decompiling code that Prajakta, Matt, Steve Millar and I wrote is still in the product :-)

 

Take care guys,

Billy

joe_sechman | ‎04-05-2012 08:22 AM

Hey Billy - good to hear from you and good to be back.  Don't be a stranger!

 

Joe
