wellcomecollection / wellcomecollection.org

🪟 Wellcome Collection's website and services that support it
https://wellcomecollection.org
MIT License

List, categorise and control all cookies #10717

Closed LaurenFBaily closed 2 months ago

LaurenFBaily commented 5 months ago

Originally called "Allowing all essential cookies", this ticket now takes a step back in order to get a higher-level view of all cookies in order to ensure we know which ones are essential.

Done when

rcantin-w commented 5 months ago

I've done part of it in #10715, but this ticket will still need to be done with more focus so we're sure we've got them all.

rcantin-w commented 4 months ago

Working on a spreadsheet from manual investigation. I'm not 100% clear on what we have to declare; there are a ton of cookies set on the .segment domain, and I can't find exactly if we're required to declare them or not?

Also, will we be declaring the toggle_ cookies since they are only intended for internal usage?

rcantin-w commented 4 months ago

Civic UK offers a single page audit which gave us: cc_site_audit_20240415.pdf

LaurenFBaily commented 4 months ago

Have you used CookieBot?

rcantin-w commented 4 months ago

I've looked at it to start with but I thought I needed to pay, but I now see I could use the free account.

LaurenFBaily commented 4 months ago

Yes, I think it's limited but should be helpful (also categorises?)

rcantin-w commented 4 months ago

As discussed, CookieBot's findings were not very credible (not finding many, but also listing providers that didn't make sense, doubling findings...)

I've worked on the manual list further and we agreed we'd group them as much as we could/link to the third party's policy (especially when there were too many to count).

Part of this work will be to determine the categories of each of these and this will allow us to ensure we allow all necessary/essential cookies.

rcantin-w commented 4 months ago

Ready for review by Lauren, Robert and me https://wellcome.slack.com/archives/CUA669WHH/p1713346900943569 (could be considered in progress 🤷‍♀ )

rcantin-w commented 4 months ago

Added a description and changed purpose of ticket for clarity.

rcantin-w commented 4 months ago

Blocked as we're waiting on people external to our team to get back to us.

rcantin-w commented 3 months ago

Added what I could find for the expiry of our cookies, moving back to Blocked.

LaurenFBaily commented 3 months ago

List being reviewed by Data Protection Lead:

https://wellcomecloud.sharepoint.com/:x:/r/sites/wc2/DE/Platform/Shared%20Documents/Cookie%20list%20wellcome%20collection%20300424.xlsx?d=w0986b9bcd2f34793894ed8fa0d04746c&csf=1&web=1&e=rdzqxX

LaurenFBaily commented 3 months ago

Final list: https://wellcomecloud.sharepoint.com/:x:/r/sites/Grp_Digital/Shared%20Documents/Wellcome.org%20external%20audits/Cookies/Cookie-list-wellcome-30524.xlsx?d=w84e843780a114ac5a5d6c441f8d25d72&csf=1&web=1&e=8QR8fA (Wellcome Collection tab)

rcantin-w commented 3 months ago

As discussed, we'll be reviewing the list and possibly grouping it more to reflect what was done Trust-side.

LaurenFBaily commented 3 months ago

For the cookie policy page, this is where I'm at in terms of layout and copy: https://www.notion.so/wellcometrust/Consolidated-cookie-list-3dff7cdd3da946f086005003536532f3

Need to get some copy checked (pixel-related) and confirm we do not need to list the essential cookies.

rcantin-w commented 3 months ago

@LaurenFBaily confirmed the final list (shared here) was good to go.

There might be changes required regarding marketing cookies/pixel, but as we haven't integrated that yet (to be done in #10894), we're happy to change the copy down the line.

rcantin-w commented 2 months ago

Deployed to production (behind toggle) but will keep this ticket as In Progress since we'd like to confirm whether or not we should list all first-party cookies.