Finding reference

Long-lived cookie retention review

Retained runtime cookie evidence showed persistent tracking, advertising, analytics, identity, or unclassified cookies whose observed expiry or computed duration met CertScore retention review thresholds: 365 days or longer for main review, or 180-364 days for source-attributed or multiple tracking-cookie review context. Review the evidence context, methodology, common causes, and reviewer questions for this CertScore finding.

Selected finding

Long-lived cookie retention review

HighStrong evidenceDirect observationCookiesFormal top-finding density pending calibration

Benchmark frequency is directional market context only. It is not a compliance benchmark, legal conclusion, or severity score. Rare findings may be top-ranked only when retained evidence is strong; common findings may remain medium when evidence is automated or context-dependent. Rarity is not severity, and prevalence is not compliance risk.

Observed

Why this matters

This observation can help reviewers decide whether the site behavior deserves deeper privacy, accessibility, consent, or consumer-protection review in context.

Detection methodology

CertScore consumes retained runtime cookie evidence from the canonical scan pipeline, including cookie name, domain or host, page URL, classification, expiry timestamp, Max-Age, or computed duration, and a threshold basis. This finding is surfaced when concrete runtime evidence shows tracking, advertising, marketing, analytics, identity, or unknown/unclassified cookies meeting CertScore retention review thresholds: 365 days or longer for main review, or 180-364 days for source-attributed or multiple tracking-cookie review context. These are CertScore product review thresholds, not statutory thresholds, and GDPR does not set a universal numeric cookie-lifetime limit. CertScore treats this as a retention, minimization, consent, opt-out, and disclosure review signal, not legal advice, certification, or a compliance determination. Reviewers should confirm purpose, vendor, necessity, consent phase, retention disclosures, opt-out behavior, and whether unknown cookies should be classified.

Confidence semantics: Strong when retained runtime cookie evidence includes name, domain or host, page URL, known tracking/advertising/marketing/identity classification, duration at or above the 365-day CertScore review threshold, and vendor or source URL context; good when concrete runtime evidence is complete but classification or vendor context is less specific. Unknown or unclassified cookies can surface at moderate confidence when duration and page attribution are retained. Manual review is still needed for purpose, necessity, consent state, opt-out behavior, disclosure alignment, and remediation quality.

Top-finding calibrationWhat must be retained to surface, top-rank, demote, or suppress this finding.

Minimum to surface

Concrete runtime cookie evidence with name, domain or host, page URL, classification, expiry or duration, and threshold basis.

High confidence requires

Known tracking, advertising, marketing, or identity classification.
Duration at or above the 365-day CertScore review threshold.
Vendor or source URL context.

Top ranking requires

Long-lived advertising, marketing, tracking, or identity cookie evidence, repeated long-lived adtech cookies, or a 730-day severe review threshold.

Demote or suppress when

Policy text only.
Cookie count only.
Missing duration or page attribution.
Essential/session cookies only.
Same cookie evidence already supports a stronger consent-timing finding.

These rules describe ranking calibration for already-projected findings. They do not create findings from raw signals.

Example evidence

Long-lived runtime cookie evidence

artifact=cookie_retention_001
role=finding_supporting_artifact
url=https://example.com/
cookie_name=_fbp
cookie_domain=.example.com
value_retained=false
classification=advertising_marketing
vendor=Meta
source_request_url=https://connect.example/fbevents.js [query_redacted=true]
duration_days=540
threshold_basis=duration_days >= 365 CertScore product review threshold
review_caveat=manual review should confirm purpose, vendor ownership, consent state, opt-out behavior, retention disclosure, and minimization

Unclassified cookie review context

artifact=cookie_retention_002
role=finding_supporting_artifact
url=https://example.com/
cookie_name=xbc
cookie_domain=.example.com
value_retained=false
classification=unknown_unclassified
duration_days=399
threshold_basis=duration_days >= 365 CertScore product review threshold
classification_review_needed=true
review_caveat=365 days is a CertScore review threshold, not a universal statutory threshold

What should not count by itself

policy_mentions_analytics_cookies=true [insufficient_without_runtime_cookie_evidence]
cookie_count=75 [audit_only_without_expiry_and_classification]
cookie_name=session_id [suppressed_when_session_or_essential_only]
cookie_domain=.example.com [insufficient_without_duration_and_page_url]
model_suspicion=true [not_external_without_concrete_runtime_evidence]

View redacted sample JSON

Redacted sample JSON

{
  "findingId": "long_lived_cookie_retention_review",
  "label": "Long-lived cookie retention review",
  "category": "Cookies",
  "criticality": "high",
  "evidenceConfidence": "strong",
  "directVsInferred": "direct_observation",
  "evidence": {
    "summary": "Retained runtime cookie evidence showed persistent tracking, advertising, analytics, identity, or unclassified cookies whose observed expiry or computed duration met CertScore retention review thresholds: 365 days or longer for main review, or 180-364 days for source-attributed or multiple tracking-cookie review context.",
    "examples": [
      {
        "title": "Long-lived runtime cookie evidence",
        "lines": [
          "artifact=cookie_retention_001",
          "role=finding_supporting_artifact",
          "url=https://example.com/",
          "cookie_name=_fbp",
          "cookie_domain=.example.com",
          "value_retained=false",
          "classification=advertising_marketing",
          "vendor=Meta",
          "source_request_url=https://connect.example/fbevents.js [query_redacted=true]",
          "duration_days=540",
          "threshold_basis=duration_days >= 365 CertScore product review threshold",
          "review_caveat=manual review should confirm purpose, vendor ownership, consent state, opt-out behavior, retention disclosure, and minimization"
        ]
      },
      {
        "title": "Unclassified cookie review context",
        "lines": [
          "artifact=cookie_retention_002",
          "role=finding_supporting_artifact",
          "url=https://example.com/",
          "cookie_name=xbc",
          "cookie_domain=.example.com",
          "value_retained=false",
          "classification=unknown_unclassified",
          "duration_days=399",
          "threshold_basis=duration_days >= 365 CertScore product review threshold",
          "classification_review_needed=true",
          "review_caveat=365 days is a CertScore review threshold, not a universal statutory threshold"
        ]
      },
      {
        "title": "What should not count by itself",
        "lines": [
          "policy_mentions_analytics_cookies=true [insufficient_without_runtime_cookie_evidence]",
          "cookie_count=75 [audit_only_without_expiry_and_classification]",
          "cookie_name=session_id [suppressed_when_session_or_essential_only]",
          "cookie_domain=.example.com [insufficient_without_duration_and_page_url]",
          "model_suspicion=true [not_external_without_concrete_runtime_evidence]"
        ]
      }
    ]
  }
}

Regulatory review context

Cookie retention and minimization review

Retained runtime cookie evidence showed persistent tracking, advertising, analytics, identity, or unclassified cookies with expiry or duration evidence meeting CertScore retention review thresholds: 365 days or longer for main review, or 180-364 days for source-attributed or multiple tracking-cookie review context. This may be relevant to retention, minimization, consent, opt-out, and disclosure review depending on purpose, configuration, user region, and manual review.

GDPR storage limitation and minimization reviewePrivacy cookie storage/access reviewCCPA/CPRA retention and purpose reviewEU GDPR/ePrivacy cookie-retention reviewUK PECR / ICO cookie-retention reviewCCPA/CPRA persistent identifier and retention review

View applicability notes

Legal and regulatory frameworks

GDPR storage limitation and minimization reviewPersistent cookies or identifiers may involve personal data, online identifiers, profiling, or retention practices depending on purpose and linkage.
ePrivacy cookie storage/access reviewCookies or similar technologies store information on, or access information from, terminal equipment.
CCPA/CPRA retention and purpose reviewPersistent identifiers, advertising cookies, or cross-context behavioral advertising context may be relevant for retention disclosure, purpose limitation, deletion, sale/share, or opt-out review.

Jurisdictional contexts

EU GDPR/ePrivacy cookie-retention reviewEU/EEA users and persistent non-essential cookies or online identifiers may be in scope depending on purpose, consent state, retention disclosure, and manual review.
UK PECR / ICO cookie-retention reviewUK users and persistent cookies or similar technologies may be in scope depending on purpose, consent state, and manual review.
CCPA/CPRA persistent identifier and retention reviewCalifornia users and persistent identifiers may be relevant to retention disclosure, deletion, sale/share, opt-out, or cross-context behavioral advertising review depending on purpose and manual review.

This finding does not determine legal status, consent validity, sale/share status, GDPR compliance, or cookie-law compliance. The 365-day threshold is a CertScore product review threshold, not a statutory threshold, and GDPR does not set a universal numeric cookie-lifetime threshold. Review retained cookie name, domain, page attribution, classification, duration, threshold basis, vendor/source context, consent state, opt-out behavior, retention disclosure, and minimization.

Evidence standard

Strong

Retained runtime cookie evidence includes cookie name, domain or host, page URL, classification, expiry timestamp, Max-Age, or computed duration, and threshold basis.
The cookie is classified as advertising, tracking, marketing, identity, retargeting, or similar, with duration at or above the 365-day CertScore review threshold.
Evidence includes vendor or source request URL context, values redacted or omitted, and enough page attribution for reviewer inspection.
Repeated long-lived adtech or marketing cookies, or a 730-day severe review threshold, may strengthen top-ranking relevance.
The evidence frames 365 days as a CertScore product review threshold, not a statutory threshold or legal conclusion.

Good

Retained runtime cookie evidence includes complete cookie identity, page attribution, classification, duration or expiry, and threshold basis.
The retained example is enough for a reviewer to inspect purpose, vendor, retention, consent, opt-out, and disclosure alignment manually.
Unknown or unclassified cookies at or above the 365-day threshold are eligible for review when concrete runtime duration evidence is retained.

Audit-only

Unknown first-party cookie evidence is between 180 and 364 days without vendor, adtech, or stronger purpose context.
Cookie volume is high, but expiry, duration, classification, or page attribution is incomplete.
Policy or cookie-table retention text exists, but runtime cookie duration evidence is absent.

Insufficient

Policy text alone.
Cookie count alone.
Cookie name or domain without expiry, Max-Age, computed duration, or page attribution.
Session cookies only.
Essential cookies only.
Fallback suspicion, model-only inference, static source reference, or missing threshold basis.
Claims that a cookie lifetime violates GDPR or decides compliance status.

Evidence levels explain how CertScore treats retained review artifacts. They are not legal conclusions.

Common causes

Advertising, marketing, analytics, identity, or retargeting tags set default cookie expirations longer than the site team expects.
Tag-manager templates preserve vendor defaults even after retention or minimization practices change.
First-party analytics or identity cookies are not classified in the cookie inventory, making retention review harder.
Cookie disclosures are updated separately from runtime vendor configuration, causing retention periods or criteria to drift.
Legacy cookies remain configured with multi-year expirations after a vendor migration, consent-mode rollout, or CMP update.

Limitations and cautions

This finding is an automated cookie-retention review signal, not a legal conclusion, certification, compliance determination, or determination of consent validity.
The 365-day threshold is a CertScore product review threshold, not a statutory threshold, and GDPR does not set a universal numeric cookie-lifetime threshold.
Automated runtime evidence can identify cookie names, domains, page attribution, classifications, and retained expiry or duration evidence, but it may not determine purpose, necessity, legal basis, vendor role, or downstream use.
Some persistent cookies may support session continuity, fraud prevention, security, preferences, or other context-dependent purposes, while others may support advertising, analytics, identity, or retargeting.
Manual review is needed to confirm purpose, vendor ownership, classification, consent state, opt-out behavior, minimization, retention disclosures, and remediation quality.
CertScore redacts or avoids retaining cookie values, full query strings, identifiers, and sensitive payloads while preserving stable anchors needed for review.
Automated findings may contain errors and should be reviewed with the retained evidence.
Not detected means not observed in the scan scope; it is not proof of absence.
Findings are runtime evidence and public-surface observations for review, not legal conclusions.

Reference notes

CertScore uses findings, evidence, signals, and observations consistently: signals are raw runtime or page-surface events, evidence is retained support, observations are interpreted evidence context, and findings are promoted review items.
Findings are runtime evidence and public-surface observations for review. Observed signals may surface possible concerns, but review is recommended before operational or legal reliance.
Finding reference content is reviewed periodically and updated when material guidance changes. CertScore monitors guidance families such as EDPB consent and ePrivacy materials, ICO cookie guidance, CNIL tracker recommendations, FTC privacy and dark-pattern materials, and relevant accessibility guidance where applicable.
EDPB consent guidance is relevant to consent quality and affirmative indication where consent is relied upon.
EU ePrivacy cookie/tracker principles are relevant to storing information or gaining access to information on user terminal equipment.
ICO cookie and similar technologies guidance is relevant to active consent, clear explanation, and essential-cookie exceptions.
CNIL cookie/tracker and analytics guidance is relevant to tracker consent and limited analytics exemptions.
FTC dark-pattern and commercial-surveillance materials may be relevant to hidden tracking or unclear user-choice review, but this finding does not determine deception, unfairness, or legal status.
Prevalence labels use the Tranco top 1-2500 calibration set, an approximately 2,505-scan directional calibration set.

Long-lived cookie retention review