
Cookie Audit Checklist for 2026 - What to Check and How

A cookie audit is the foundation of compliance. Without knowing exactly what your site sets, when it sets it, and whether users consented, you are guessing at compliance rather than verifying it. Here is a practical 10-item checklist that covers everything from cookie inventory to consent validation.

By GetInlytics·13 min read·June 2026

What a cookie audit is and when you need one

A cookie audit is a systematic review of every cookie and tracking technology your website sets. It goes beyond a simple scan - while a scan tells you what cookies exist, an audit evaluates whether those cookies are properly classified, accurately disclosed in your cookie policy, and only set after valid consent. It also checks the mechanics of your consent implementation: does Reject All actually work? Does your CMP properly signal consent state to your tags?

You need a cookie audit when you launch a new website, add or remove third-party scripts, change your CMP provider, update your GTM container, redesign your site, or at minimum once per quarter. The ePrivacy Directive and GDPR together require that you maintain an accurate picture of your data processing - and cookies are one of the most visible forms of processing that regulators check first.

10-item cookie audit checklist

Work through each item. For every check, we describe what to look for, which tools help, and what a compliant result looks like.

1. Inventory all cookies

What to look for: Open your site in a fresh browser profile or incognito window, accept all cookies, and navigate through 5-10 pages including key conversion pages (checkout, sign-up, contact). Open DevTools > Application > Cookies and record every cookie set by your domain and by third-party domains, including HttpOnly cookies, which never appear in document.cookie and so are missed by any script-based inventory. Note that Chrome's incognito mode blocks third-party cookies by default: either allow them for the audit session or use a clean regular profile, otherwise your inventory will be missing exactly the cookies you most need to see.

Tools that help: Browser DevTools for manual checks, or an automated scanner like Cookie Compliance Checker which crawls multiple pages and captures all cookies including those set by JavaScript after page load.

Compliant: You have a complete list of every cookie, including name, domain, expiry, and source script. Non-compliant: You find cookies you cannot identify or attribute to a specific service.

2. Classify each cookie by purpose

What to look for: Every cookie must belong to one of the categories your CMP exposes, typically strictly necessary, functional, analytics/performance, or advertising/targeting. The classification determines whether consent is required. Strictly necessary cookies (session IDs, CSRF tokens, load balancer cookies, the CMP's own consent-state cookie) are exempt from consent under Article 5(3) of the ePrivacy Directive because they are needed to deliver a service the user explicitly requested. Everything else requires prior consent. The exemption follows the purpose, not who sets the cookie: a first-party analytics cookie is not "necessary" just because it is first-party.

Tools that help: Reference databases like Cookiepedia or your CMP's cookie library. For common cookies (_ga, _fbp, _gcl_au), the classification is well-documented. Unknown cookies require research into the originating script.

Compliant: Every cookie is classified and the classification matches its actual function. Non-compliant: Analytics cookies classified as necessary, or cookies with no classification at all.

3. Check cookie expiry dates

What to look for: Review the expiry of each cookie. The GDPR storage limitation principle (Article 5(1)(e)) applies here - a cookie should not persist longer than its purpose needs. A session cookie for a shopping cart is fine. A first-party analytics cookie lasting 2 years is common but invites scrutiny; the CNIL, for example, limits consent-exempt audience-measurement cookies to 13 months. Browsers already truncate long expiries: Chrome caps any cookie at 400 days and Safari's ITP limits cookies set from JavaScript to 7 days, so a declared 2-year lifetime may not be what users actually experience, and your policy should describe the lifetime you set, not the one you hope for.

Tools that help: DevTools Application tab shows expiry dates. Automated scanners report this as part of the cookie inventory.

Compliant: Cookie lifespans are proportionate to their purpose and disclosed in your cookie policy. Non-compliant: Cookies lasting years for purposes that only need days, or expiry dates not matching what your cookie policy states.

4. Verify pre-consent behaviour

What to look for: Clear all cookies and site data, reload the page, and check what cookies are set BEFORE you interact with the consent banner. No analytics, advertising, or functional cookies should be present. Also check the Network tab for outbound requests to tracking services: even when the cookie itself is blocked, a request to Google Analytics or Facebook carries the page URL, referrer, IP address and often a client ID, so sending it before consent is a violation in its own right. Check Local Storage and IndexedDB under the Application tab as well; the ePrivacy rule covers any storing of or access to information on the user's device, not only cookies.

Tools that help: The Pre-Consent Tracking Checker automates this test by loading your page, capturing all cookies and network requests before any consent interaction, and flagging violations.

Compliant: Only strictly necessary cookies before consent, no tracking network requests. Non-compliant: GA4 cookies, Facebook Pixel cookies, or any ad-tech requests appearing before consent is given.

5. Test Accept All behaviour

What to look for: Click Accept All on the consent banner. All expected cookies should now be set. Check that Google Consent Mode signals update from denied to granted (if applicable): Google Analytics collect requests carry the state in the gcs query parameter, where G100 means ad_storage and analytics_storage both denied and G111 means both granted, so a hit after Accept All that still shows G100 means the CMP is not passing consent through. Verify that analytics and advertising tags fire correctly by checking the Network tab for measurement requests.

Compliant: Cookies appear after acceptance, consent mode signals update, tags fire normally. Non-compliant: Cookies already present before acceptance (indicating pre-consent violation), or consent mode signals not updating after acceptance.

6. Test Reject All behaviour

What to look for: Clear cookies, reload, and click Reject All. After rejection, no analytics or advertising cookies should be set. Navigate to 3-4 other pages and verify no new tracking cookies appear on subsequent pages. Check the Network tab for outbound tracking requests - these should not fire either.

Compliant: Zero non-essential cookies after rejection, no tracking requests on any page, and the CMP's own cookie records the rejection so the banner does not reappear on every visit. Non-compliant: Cookies set despite rejection, tracking requests still firing, or functionality withheld to punish rejection (a cookie wall).
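The checks in items 1 and 3 to 6 reduce to the same question asked three times: given the cookies and requests observed at one point in the flow, which of them should not be there? The script below is an added example for this checklist, not GetInlytics' scanner or any CMP's code. It runs offline on snapshots you export from DevTools or a headless browser (cookie list plus request URLs) before consent, after Accept All and after Reject All. The known-cookie table, tracker host list, 365-day lifetime threshold and the example.com snapshots are constructed assumptions; extend the tables with whatever your own inventory turns up.

```javascript
// cookie_audit.js  (run with: node cookie_audit.js)
// Added example for this checklist, not GetInlytics' tool. Classifies captured
// cookies and request URLs and flags consent violations per state of the flow.

// [exact name or name prefix, category] - the common cookies named in item 2.
// Assumption: only these are "known"; anything else is flagged for research.
const KNOWN_COOKIES = [
  ['_ga',       'analytics'],   // matches _ga and _ga_<stream id>
  ['_gid',      'analytics'],
  ['_gcl_au',   'advertising'],
  ['_fbp',      'advertising'],
  ['PHPSESSID', 'necessary'],
  ['csrftoken', 'necessary'],
];

// Assumption: a short tracker list; a real audit would use a maintained one.
const TRACKER_HOSTS = new Set([
  'www.google-analytics.com', 'region1.google-analytics.com',
  'connect.facebook.net', 'www.facebook.com',
]);
const TRACKER_SUFFIXES = ['.doubleclick.net', '.googlesyndication.com'];

// Anything living longer than this needs a written justification (item 3).
const MAX_LIFETIME_DAYS = 365;

function classifyCookie(name) {
  for (const [key, category] of KNOWN_COOKIES) {
    if (name === key || name.startsWith(key + '_')) return category;
  }
  return 'unknown';
}

// Remaining lifetime in days; 0 for session cookies (no expiry).
function lifetimeDays(cookie, capturedAt) {
  if (!cookie.expires) return 0;
  return (new Date(cookie.expires) - capturedAt) / 86_400_000;
}

function isTrackingRequest(url) {
  const host = new URL(url).hostname;
  return TRACKER_HOSTS.has(host) || TRACKER_SUFFIXES.some(s => host.endsWith(s));
}

// GA4 collect hits carry gcs=G1<ad_storage><analytics_storage>:
// G100 = both denied, G111 = both granted. Returns null when absent.
function parseGcs(url) {
  const gcs = new URL(url).searchParams.get('gcs');
  if (!gcs || !/^G1[01]{2}$/.test(gcs)) return null;
  const flag = bit => (bit === '1' ? 'granted' : 'denied');
  return { ad_storage: flag(gcs[2]), analytics_storage: flag(gcs[3]) };
}

// state is 'pre-consent', 'accepted' or 'rejected'. Returns findings;
// an empty list means that point of the flow passed.
function auditState(state, snapshot) {
  const findings = [];
  for (const c of snapshot.cookies) {
    const category = classifyCookie(c.name);
    if (category === 'unknown') {
      findings.push(`unknown cookie ${c.name} on ${c.domain}: attribute it to a script before classifying`);
      continue;
    }
    if (category !== 'necessary' && state !== 'accepted') {
      findings.push(`${category} cookie ${c.name} set ${state}`);
    }
    const days = lifetimeDays(c, snapshot.capturedAt);
    if (days > MAX_LIFETIME_DAYS) {
      findings.push(`${c.name} lives ${Math.round(days)} days: justify or shorten`);
    }
  }
  for (const url of snapshot.requests) {
    if (isTrackingRequest(url) && state !== 'accepted') {
      findings.push(`tracking request to ${new URL(url).hostname} fired ${state}`);
    }
    const gcs = parseGcs(url);
    if (gcs && state === 'accepted' && gcs.analytics_storage !== 'granted') {
      findings.push(`GA hit still signals analytics_storage=${gcs.analytics_storage} after Accept All`);
    }
  }
  return findings;
}

// Constructed snapshots standing in for DevTools exports from example.com.
const capturedAt = new Date('2026-06-01T12:00:00Z');
const preConsent = {
  capturedAt,
  cookies: [
    { name: 'PHPSESSID', domain: 'www.example.com', expires: null },
    { name: '_ga', domain: '.example.com', expires: '2028-06-01T12:00:00Z' },
  ],
  requests: [
    'https://www.example.com/assets/site.css',
    'https://www.google-analytics.com/g/collect?v=2&tid=G-TESTID&gcs=G100&en=page_view',
  ],
};
const accepted = {
  capturedAt,
  cookies: [
    { name: 'PHPSESSID', domain: 'www.example.com', expires: null },
    { name: '_gid', domain: '.example.com', expires: '2026-06-02T12:00:00Z' },
  ],
  requests: ['https://www.google-analytics.com/g/collect?v=2&tid=G-TESTID&gcs=G111&en=page_view'],
};
const rejected = {
  capturedAt,
  cookies: [
    { name: 'PHPSESSID', domain: 'www.example.com', expires: null },
    { name: '_fbp', domain: '.example.com', expires: '2026-08-30T12:00:00Z' },
  ],
  requests: ['https://connect.facebook.net/en_US/fbevents.js'],
};

for (const [state, snap] of [['pre-consent', preConsent], ['accepted', accepted], ['rejected', rejected]]) {
  const findings = auditState(state, snap);
  console.log(`${state}: ${findings.length ? 'FAIL' : 'PASS'}`);
  findings.forEach(f => console.log('  - ' + f));
}
```

To feed it real data, export the Application > Cookies table and the Network tab's request URLs at each of the three points, or drive a headless browser with Playwright and build the snapshot from context.cookies() and a page.on('request') listener. The constructed run above fails pre-consent on three counts (an analytics cookie, a two-year lifetime, and a GA hit), passes after Accept All, and fails after Reject All on the Facebook cookie and script request.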

7. Check GPC signal handling

What to look for: Global Privacy Control (GPC) is a browser-level signal that tells a site the user does not want their data sold or shared. It travels as the Sec-GPC: 1 request header and is exposed to scripts as navigator.globalPrivacyControl, so both your server and your CMP can read it. Under CCPA/CPRA, websites must treat it as a valid opt-out. Some European DPAs have indicated GPC should be treated as an objection under GDPR as well. Test by enabling GPC in your browser (Brave and DuckDuckGo send it by default; Firefox exposes it under Settings > Privacy & Security; other browsers need an extension) and checking whether your site honours it on the first page load, before any banner interaction.

Compliant: Site detects GPC signal and either shows a modified consent banner or automatically restricts non-essential cookies. Non-compliant: GPC signal is completely ignored.
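The two detection points above and the decision they should drive are shown in the following added example (not from the original page and not any CMP's code). It reads GPC from the request headers on the server and from navigator in the browser, folds it into the Google Consent Mode default the page should set before any tag fires (the same default whose update item 5 checks), and includes the audit check: given that GPC was sent, did the page's consent payload actually deny the advertising signals? The precedence rule is this example's assumption: GPC always denies ad_storage, ad_user_data and ad_personalization; a stored CMP choice decides the rest, and no stored choice means everything is denied.

```javascript
// gpc_defaults.js  (run with: node gpc_defaults.js)
// Added example, not from the original page. Shows where GPC appears and how
// to map it, together with a stored CMP choice, onto Consent Mode defaults.

// Server side: headers object with lower-cased keys (Node/Express style).
// The GPC spec defines the request header "Sec-GPC: 1".
function gpcFromHeaders(headers) {
  return headers['sec-gpc'] === '1';
}

// Client side: navigator.globalPrivacyControl is true when the user enabled GPC.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// storedChoice: null (no decision yet) or { analytics: bool, advertising: bool }
// read from the CMP's consent cookie. Assumption: GPC overrides advertising only.
function consentModeDefault({ gpc, storedChoice }) {
  const signal = v => (v ? 'granted' : 'denied');
  const analytics = storedChoice ? storedChoice.analytics === true : false;
  const advertising = storedChoice ? storedChoice.advertising === true && !gpc : false;
  return {
    analytics_storage: signal(analytics),
    ad_storage: signal(advertising),
    ad_user_data: signal(advertising),
    ad_personalization: signal(advertising),
  };
}

// Audit check for item 7: compare the signal the browser sent with the
// gtag('consent', 'default', ...) payload the page actually emitted.
function gpcHonoured(gpcSignalled, consentPayload) {
  if (!gpcSignalled) return true;
  return ['ad_storage', 'ad_user_data', 'ad_personalization']
    .every(key => consentPayload[key] === 'denied');
}

// Constructed inputs: a request carrying GPC and a navigator object with it set.
const requestHeaders = { host: 'www.example.com', 'sec-gpc': '1' };
const fakeNavigator = { globalPrivacyControl: true };

const gpc = gpcFromHeaders(requestHeaders) || gpcFromNavigator(fakeNavigator);
const payload = consentModeDefault({ gpc, storedChoice: { analytics: true, advertising: true } });
console.log('GPC seen:', gpc);
console.log('consent default:', payload);
console.log('GPC honoured:', gpcHonoured(gpc, payload));
```

In the page itself the result is what you pass to gtag('consent', 'default', ...) before the GTM or gtag snippet loads; the returned user in the constructed run had accepted everything, yet GPC still forces the three advertising signals to denied while analytics_storage stays granted.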

8. Validate consent storage

What to look for: Your CMP should store a record of each consent decision with a timestamp, the specific categories consented to, and the version of the consent notice shown. GDPR Article 7(1) says the controller must be able to demonstrate that consent was given. Check your CMP dashboard for consent logs.

Compliant: Server-side consent records with timestamps, the exact choices, and the notice version shown. Non-compliant: Consent stored only in a browser cookie (which the user can delete and which you cannot produce to a regulator), no server-side records, or records that omit the timestamp, the per-category choices, or the notice version.

9. Verify third-party cookie behaviour

What to look for: Third-party cookies (set by domains other than yours) deserve special attention. Check what third-party cookies your site sets, which services they belong to, and whether they are covered by your consent mechanism. Some third-party scripts set cookies from additional domains that your CMP may not know about.

Tools that help: DevTools Application > Cookies lists cookies grouped by the domain that set them, so every entry under a domain other than yours is a third-party cookie; the Network tab's per-request Cookies panel shows which response actually set each one. Remember that browser settings shape what you see here (Safari and Firefox block most third-party cookies by default, as does Chrome in incognito), so audit in a profile that allows them or you will only measure what your browser let through. The Supported CMPs page lists which CMPs the Cookie Compliance Checker can validate for third-party cookie management.

Compliant: All third-party cookies are identified, classified, and covered by consent. Non-compliant: Unknown third-party cookies, or third-party cookies set before consent.

10. Document your findings

What to look for: A cookie audit is only valuable if documented. Record every cookie found, its classification, whether consent is required and properly obtained, any violations discovered, and the remediation plan with owners and dates. This document is your evidence that you are meeting the accountability obligation under GDPR Article 5(2).

Compliant: Written audit report with date, scope, findings, and actions taken. Non-compliant: No documentation of the audit, or audit findings that were never acted upon.

Manual audit vs automated cookie scanner

A manual cookie audit gives you complete control and deep understanding of your cookie landscape. You can investigate each cookie, trace it to its source script, and make nuanced judgments about classification. But it is slow - a thorough manual audit of a 20-page site takes 4-8 hours, and it only captures the state at the moment you check.

An automated cookie scanner handles the inventory and pre-consent testing much faster. It can crawl multiple pages, test both Accept and Reject flows, check consent mode signals, validate IAB TCF strings, and test GPC handling in minutes rather than hours. The tradeoff is that automated tools may miss context that a human would catch - like a cookie that is technically classified correctly but is being used in a way that stretches its stated purpose.

The best approach combines both. Use an automated scanner like Cookie Compliance Checker for the technical checks (items 1, 4, 5, 6, 7, 8, 9 from the checklist above), then apply human review for classification accuracy (item 2), expiry reasonableness (item 3), and documentation (item 10). The IAB TCF Validator is particularly useful for sites using programmatic advertising.

How often should you run a cookie audit?

Quarterly at minimum. Cookie implementations drift over time. Developers add tracking scripts without updating the CMP configuration. CMP providers push updates that change default behaviour. Third-party scripts evolve and set new cookies. A site that was compliant in January may have new violations by April without any deliberate changes being made.

Beyond the quarterly cadence, trigger an audit after any of these events:

CMP configuration changes (adding/removing consent categories, updating banner text)
GTM container updates that add, modify, or remove tags
New third-party script additions (chat widgets, A/B testing tools, heatmaps)
Website redesign, migration, or platform change
CMP provider switch (e.g. moving from Cookiebot to CookieYes or OneTrust)
After receiving a complaint or regulatory inquiry about cookies
After a browser update that changes cookie handling (Safari ITP changes, Chrome's shifting approach to third-party cookies, new lifetime caps)

Frequently asked questions

What is a cookie audit?

A cookie audit is a systematic review of all cookies and tracking technologies that a website sets. It involves identifying every cookie, classifying it by purpose (necessary, analytics, advertising, functional), checking whether consent is obtained before non-essential cookies are set, and verifying that your cookie policy accurately reflects what your site actually does.

How often should I audit cookies?

At minimum, run a cookie audit quarterly. Additionally, audit after every CMP configuration change, GTM container update, new third-party script addition, website redesign or migration, and CMP provider switch. Automated cookie scanners can run continuous audits, catching changes as they happen.

What tools do I need for a cookie audit?

At minimum you need a browser with DevTools for cookie inspection, an incognito window for testing clean states, and a spreadsheet for documenting findings. For a thorough audit, use an automated cookie scanner that can test pre-consent behaviour, check consent mode signals, validate CMP integration, and test reject functionality across multiple pages.

Is a cookie audit required by GDPR?

The GDPR does not specifically require a cookie audit, but it does require accountability - you must be able to demonstrate compliance. A cookie audit is the most direct way to verify that you know exactly what cookies your site sets and whether consent is properly obtained. Data Protection Authorities expect you to maintain an accurate cookie inventory and to be able to produce it on request.

What is the difference between a cookie scan and a cookie audit?

A cookie scan is an automated crawl that identifies what cookies a website sets. A cookie audit is broader - it includes the scan but also evaluates consent mechanisms, checks pre-consent behaviour, validates cookie classifications, and reviews the cookie policy for accuracy. A scan is one input to an audit, not the entire audit.

How many cookies does a typical website set?

A typical marketing website sets between 15 and 50 cookies across all categories. Sites with Google Analytics, Google Ads, Facebook Pixel, and a CMP commonly set 25-35 cookies. E-commerce sites with additional tracking and A/B testing tools can set 50-100+. The number itself is not a compliance issue - what matters is that each cookie is properly classified, disclosed, and consented to.
