Checking the Privacy Cookie

One of the most basic provisions of GDPR for web analytics concerns cookies that collect information about the user, their browsing habits, or the visit. On the first visit, the user is asked for permission to collect data using cookies. This is commonly done with a banner that requires the user's active consent. If consent is not given, the website is legally obligated not to collect data about the user or the visit.

ObservePoint can help web analysts identify the risk that the cookie policy is not being followed. For example, a cookie is always set to indicate whether the user consented to the collection, and it should be set the same way on every page of the visit.

You must have a cookie that can be set to indicate acceptance or rejection of data collection. For this example, we'll assume the cookie name is acceptCookies with a value of 1 for True when the user has given consent and either a value of 0 (False) or missing altogether when the user has not given consent.

Follow these steps to create an audit that verifies that all pages recognize that consent has not been provided. On each page, the audit looks for either the absence of the acceptCookies cookie or acceptCookies set to 0.

  1. Create a rule in ObservePoint that looks like this:
    GDPR Rule-Do Not Accept Cookies
  2. Create a Discovery Audit for your site that includes the rule.
  3. In the Actions setup, paste in this script as an execute action:
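    // POST the result object to the ObservePoint request endpoint.
    function opReqGetAsync(e, o, c) {
      var t = "https://opreq.observepoint.com/?acct=" + o,
          n = new XMLHttpRequest();
      n.onreadystatechange = function () {
        // Run the callback only if one was passed (the call below passes none).
        if (4 == n.readyState && 200 == n.status && "function" == typeof c) c(n.responseText);
      };
      n.open("POST", t, true);
      n.send(JSON.stringify(e));
    }
    // True when the cookie name appears anywhere in document.cookie.
    var cookiesAcceptedFound = false;
    document.cookie.indexOf("cookiesAccepted") > -1 && (cookiesAcceptedFound = true);
    var obj = { cookiesAccepted: cookiesAcceptedFound };
    opReqGetAsync(obj, "cookiesAccepted");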
  4. Modify the expression document.cookie.indexOf("cookiesAccepted") in the script to check for your site's specific cookie name.
  5. Set the action to execute on every page.
  6. Run the audit and review the results of the rule in the User-defined Rules report.

Because this rule is not configured to give consent to accept cookies, no page should allow data collection cookies. Any page where the rule fails is at risk of collecting data without consent.
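
The check this audit relies on can also be reproduced outside ObservePoint. The following is an added example, not ObservePoint's code: it assumes the acceptCookies convention described above, matches the cookie by exact name, reads its value (going beyond the presence check in the script), and lists any cookie set without consent. The function names, the allowlist, and the sample cookie strings are constructed for illustration.

```javascript
// Added example: parseCookies, consentState and auditPage are hypothetical names.
// Convention from the article: acceptCookies=1 means consent; 0 or missing means none.
const CONSENT_COOKIE = "acceptCookies";

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || "").split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq < 1) continue; // skip empty or nameless entries
    const name = pair.slice(0, eq);
    if (!jar.has(name)) jar.set(name, pair.slice(eq + 1)); // first occurrence wins
  }
  return jar;
}

// Exact-name lookup, so "xacceptCookies" or a value containing the name does not match.
function consentState(cookieString) {
  const value = parseCookies(cookieString).get(CONSENT_COOKIE);
  if (value === undefined) return "missing";
  // Assumption: any value other than "1" is treated as no consent.
  return value === "1" ? "granted" : "denied";
}

// With no consent, report every cookie that is not on the allowlist of
// strictly necessary names (the allowlist contents are an assumption).
function auditPage(cookieString, allowlist = [CONSENT_COOKIE]) {
  const state = consentState(cookieString);
  const unexpected = state === "granted" ? []
    : [...parseCookies(cookieString).keys()].filter((n) => !allowlist.includes(n));
  return { state, pass: state !== "granted" && unexpected.length === 0, unexpected };
}

// Constructed sample cookie strings, one per audited page.
const samples = {
  "/home": "acceptCookies=0; session=abc",
  "/pricing": "session=abc",
  "/blog": "acceptCookies=0; session=abc; _tracker=GA1.2.3",
  "/promo": "xacceptCookies=1; session=abc",
};
for (const [page, cookies] of Object.entries(samples)) {
  console.log(page, JSON.stringify(auditPage(cookies, [CONSENT_COOKIE, "session"])));
}
```

A page passes only when consent is absent or denied and nothing outside the allowlist has been set, which matches the failure condition described above.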

If you need additional information about this report and how it may help you expose risk for cookie compliance, please contact your ObservePoint data governance consultant.
