Protect Your Assets

5 Tips for EU Cookie Law Compliance

joe_sechman ‎03-28-2012 07:08 AM - edited ‎09-29-2015 09:45 AM

There’s been a lot of confusion about the EU cookie law, and what exactly organizations need to do to comply with all its requirements. In essence, the EU Cookie Law requires websites in all EU Member States to clearly disclose how they store, track or otherwise access user data through HTTP Cookies, Flash Local Storage Objects (LSOs), and other web tracking techniques such as web bugs and HTML5 local storage.


As the May 26th, 2012 deadline for penalty enforcement approaches, HP has received several inquiries about how WebInspect can help organizations comply. While WebInspect doesn't help with implementing your site's compliance with this regulation, it can easily help you identify where and how your site uses the aforementioned technologies.


Tip 1: Identify Cookies on Your Site: Perform an Authenticated Crawl


If your application provides a method for user authentication, be sure to configure a login macro to enable access to the authenticated portions of your site in order to capture session-related cookies.



Once the crawl completes, click on the top level node on the site tree and click on the Cookies section under Host Info.  This will list all of the cookies WebInspect encountered during your authenticated crawl.




Tip 2: Identify Adobe Flash Local Storage Objects (LSOs)


If your site incorporates Adobe Flash Local Storage Objects (LSOs) and/or Cookies, an entry entitled Shared Flash Storage Object will be present within the vulnerability section of your completed crawl.




Tip 3: Review your website's usage of HTML5 


HTML5 incorporates a concept similar to Adobe Flash LSOs called local storage.  Under the interpretation of the EU Cookie Law, these objects also fall into the category of items that must be disclosed in the site-wide privacy policy.


To find HTML5 local storage objects within your site, open the Search tab beneath Sequence and Step Mode in the bottom left side of the WebInspect user interface.  Select Raw Response from the drop down, and supply the following regular expression as the search criteria:




Next, select any relevant search results that appear.  If you have trouble finding the relevant snippet, you can select the scripts section under session info and search the HTTP Response using the same regular expression as above.


Tip 4: Identify any areas of your website that track user activity


Many organizations track the activity of users who visit their site, and many free and commercial solutions are available for web analytics.  Typically referred to as “web bugs” or, more generically, as the facility to harvest data for web analytics, these techniques also fall under the umbrella of the EU Cookie Law and should be clearly stated in your website’s privacy policy.


Several different techniques are employed for incorporating web bugs into your site, most commonly via remote JavaScript script include requests.  Other solutions rely on a small 1x1 pixel image that’s included in each response that’s important for user navigation tracking.  Our best advice is to check your site for any type of analytics or user tracking, document its usage within your site using the same process as above, and clearly state the intent of the solution to your visitors.
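The checks from Tips 1, 3 and 4 can also be scripted over raw HTTP responses saved from a crawl. The following is an added example, not part of the original post and not WebInspect's own logic: the storage pattern is an assumed stand-in rather than the expression the post refers to, and the function names, hostnames and sample response are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed pattern for Web Storage API use; NOT the expression from the original post.
STORAGE_RE = re.compile(r"\b(?:window\.)?(localStorage|sessionStorage)\b\s*(?:\.|\[)")

class TagScan(HTMLParser):
    """Collects remote script includes and 1x1 image (web bug) candidates."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.scripts, self.pixels = site_host, [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).netloc  # empty for relative (same-site) URLs
        if tag == "script" and host and host != self.site_host:
            self.scripts.append(src)
        # Only catches pixels sized via attributes; CSS-sized images need manual review.
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.pixels.append(src)

def inventory(site_host, raw_response):
    """List the items in one raw HTTP response that a privacy policy should cover."""
    head, _, body = raw_response.partition("\r\n\r\n")
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookies.append(value.strip().split("=", 1)[0])
    scan = TagScan(site_host)
    scan.feed(body)
    return {
        "cookies": sorted(set(cookies)),
        "web_storage": sorted(set(STORAGE_RE.findall(body))),
        "remote_scripts": scan.scripts,
        "pixels": scan.pixels,
    }

# Constructed sample response (not captured from a real site).
SAMPLE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: visitor_id=42; Expires=Wed, 01 Jan 2014 00:00:00 GMT\r\n\r\n"
    "<html><head><script src='https://analytics.example/t.js'></script>"
    "<script>localStorage.setItem('lastPage', location.href);</script></head>"
    "<body><img src='https://tracker.example/p.gif?u=42' width='1' height='1'>"
    "<script src='/static/app.js'></script></body></html>"
)
if __name__ == "__main__":
    print(inventory("www.example.com", SAMPLE))
```

Running it over every saved response and merging the results gives a single list of cookies, storage calls and third-party trackers to reconcile against the privacy policy.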


Tip 5: Review your website's privacy policy


For each item discovered in the preceding steps, be sure to analyze its specific usage and clearly state the intent of each item and how it impacts your visitors in your site-wide privacy policy.  ICO, for example, also includes a prompt to each visitor to guide them to the central privacy policy notice and ask for explicit permission to accept cookies.  Additionally, a table lists each of the cookies, their name, purpose and a link to more information.






We list the most common client storage methods that fall under the EU Cookie Law in this post; however, every implementation is different and may pose a unique challenge for automated detection.  The key is knowing your site composition and how you solicit and track information from your visitors.


What are you doing to prepare for the EU Cookie Law?  Leave a comment; we’d like to hear from you.











First Thrill: Joe Sechman, back in ASC


Second Thrill: Seeing the Flash decompiling code that Prajakta, Matt, Steve Millar and I wrote is still in the product :-)


Take care guys,


on ‎04-05-2012 08:22 AM

Hey Billy - good to hear from you and good to be back.  Don't be a stranger!


