Website Privacy Validation (5/6): Where are new and/or unapproved cookies and technologies showing up on my website?￼
Essentially, you want to see changes as they occur over time, detect new technologies if and when they appear on your website, and decide whether to add them to your approved list or take steps to remove them from your site.
Once again, we used ObservePoint to run an Audit of OneTrust.com, our example website for this series. We ran a standard 1000-page discovery audit and created a consent category to denote all cookies and tags detected as “approved.”
We then waited a month and ran the Audit again, applying that consent category to see if anything beyond the original approved list surfaced since the previous run. In the reports, you can see that the Audit found 8 new cookies and 4 new tags that were not on the original standards list.
As you drill into “unapproved” cookies, you might find some that are unfamiliar to you. These should be reviewed further to determine purpose and ownership, and may need to be removed from the website.
Others might be immediately recognizable, like those from newly-published subdomains or a MarTech tool that was recently implemented. In this example Audit, the “utm_key” cookie from the “trustweek.onetrust.com” domain could be related to an event OneTrust hosts that simply wasn’t live during the previous run. In this instance, they could add that to the approved list.
Once that cookie is added, then any time it shows up in the future it will no longer be flagged as new or unapproved. ObservePoint enables you to continuously curate your cookie categorization and “approved” lists, so you only get flagged when items are truly out-of-standard, allowing you to focus solely on the critical issues that ensure your website stays in compliance.
If you’d like to see how you could audit your own website to continuously monitor for new or unapproved cookies and tags, reach out to get a pre-recorded demo.
Read the next post in our Website Privacy Validation series: Are requests coming from unauthorized countries, regions, or domains?