cookie-lifetime-audit
Installation
SKILL.md
Auditing Cookie Lifetimes
Overview
Cookie lifetime is a critical compliance factor often overlooked in consent implementations. The CNIL recommends a maximum cookie lifetime of 13 months from the point of collection, after which consent must be renewed. The CJEU in Planet49 (Case C-673/17) established that cookie duration must be disclosed to users before consent is obtained. Additionally, browser-enforced restrictions — Safari's Intelligent Tracking Prevention (ITP), Firefox's Enhanced Tracking Protection (ETP), and Chrome's third-party cookie deprecation — impose technical limits on cookie lifetimes that may conflict with server-set durations. A cookie lifetime audit identifies cookies exceeding regulatory or technical limits and ensures accurate duration disclosure.
Cookie Duration Classification
Session vs. Persistent Cookies
| Type | Duration | Behavior | Consent Implications |
|---|---|---|---|
| Session cookie | No Expires or Max-Age attribute |
Deleted when browser closes | Still requires consent if non-essential under ePrivacy Art. 5(3) |
| Persistent cookie | Has Expires or Max-Age |
Survives browser restart | Requires consent; duration must be disclosed (Planet49) |
| Server-refreshed | Reset on each visit via Set-Cookie | Effectively indefinite if user visits regularly | Duration is from last visit, not first set — must disclose rolling nature |