
How to Check If Cookies Are Set Before Consent (Complete GDPR Audit Guide)
One of the most common GDPR violations we see in the wild is deceptively simple: a website drops cookies, localStorage entries or third-party scripts before the user ever clicks "Accept". Under GDPR and the ePrivacy Directive, non-essential cookies require valid consent. If they fire early, you are technically in breach. This guide shows you exactly how to check if cookies are set before consent, using both manual browser methods and automated tools.
Why cookie timing matters under GDPR
Article 7 of the GDPR states that consent must be freely given, specific, informed and unambiguous. Recital 32 adds that consent requires a clear affirmative action. The European Data Protection Board (EDPB) has repeatedly clarified that scrolling or continued browsing does not constitute valid consent.
The ePrivacy Directive (soon to become the ePrivacy Regulation) goes further: storing or accessing information on a user's device requires consent unless strictly necessary. That means analytics, marketing, personalization and third-party cookies must wait for the user's explicit "yes". If your site fires a Facebook Pixel, Google Analytics or a Hotjar session before that click, you have a problem.
The three timestamps you need to track
At ConsentScope, we model every page load as a simple timeline:
- t0 - Page load: The moment the HTML starts parsing.
- t1 - Cookie or script detected: When a non-essential cookie, storage entry or script is first observed.
- t2 - Consent given: When the user clicks "Accept", "Agree" or customizes preferences.
If t1 happens before t2, you have a pre-consent violation. It does not matter whether the cookie is "just analytics" or "only for personalization". If it is not strictly necessary, it must wait.
Method 1: Manual check with Chrome DevTools
You can detect pre-consent cookies manually. It is tedious, but it works for one-off checks.
Step 1: Open a fresh browser session
Use an incognito or guest window. Close all other tabs. You want a completely clean cookie jar. If you have previously visited the site, clear all storage (Application tab > Clear storage > Clear site data).
Step 2: Open DevTools before loading the page
Press F12, go to the Application tab and select Cookies in the left sidebar. Keep this panel visible. Do not click anything on the page yet.
Step 3: Load the page and watch the cookie list
Hit Enter in the address bar. Watch the cookie table like a hawk. If new rows appear before you interact with the consent banner, those are potential violations. Take a screenshot with a timestamp.
Step 4: Check the Network tab for third-party scripts
Switch to the Network tab, reload the page and filter by "Img", "Script" and "XHR". Look for requests to known marketing or analytics domains: google-analytics.com, facebook.com, doubleclick.net, hotjar.com, etc. If they fire before consent, flag them.
Step 5: Repeat for every major page type
Homepage, product page, blog post, checkout and thank-you page can all behave differently. Your CMP might block scripts on the homepage but miss them on the checkout. You need to test every template.
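The t0/t1/t2 timeline applied to a HAR file exported from the Network tab in Step 4, as an added example that is not ConsentScope's code. The field names follow the HAR 1.2 format; the `NECESSARY_COOKIES` allowlist, the `shop.example` host and the sample HAR are constructed assumptions.

```javascript
// Added example, not ConsentScope code: flag pre-consent activity in a HAR export.
// Tracker domains are the ones named in Step 4; the allowlist is an assumption.
const TRACKER_DOMAINS = ["google-analytics.com", "facebook.com", "doubleclick.net", "hotjar.com"];
const NECESSARY_COOKIES = new Set(["session_id", "csrf_token"]);

// Constructed sample HAR (HAR 1.2 field names, fictional site shop.example).
const SAMPLE_HAR = { log: {
  pages: [{ startedDateTime: "2024-01-01T10:00:00.000Z" }],
  entries: [
    { startedDateTime: "2024-01-01T10:00:00.100Z", request: { url: "https://shop.example/" }, response: { headers: [{ name: "Set-Cookie", value: "session_id=abc; Path=/" }] } },
    { startedDateTime: "2024-01-01T10:00:00.900Z", request: { url: "https://www.google-analytics.com/collect" }, response: { headers: [] } },
    { startedDateTime: "2024-01-01T10:00:01.200Z", request: { url: "https://shop.example/api/ab" }, response: { headers: [{ name: "set-cookie", value: "ab_bucket=B; Path=/" }] } },
    { startedDateTime: "2024-01-01T10:00:05.000Z", request: { url: "https://static.hotjar.com/c/x.js" }, response: { headers: [] } },
  ],
} };

// consentTime is the ISO timestamp of the "Accept" click (t2), or null if the
// banner was never answered, in which case every non-essential hit is a violation.
function findPreConsentViolations(har, consentTime) {
  const t0 = Date.parse(har.log.pages[0].startedDateTime);
  const t2 = consentTime === null ? Infinity : Date.parse(consentTime);
  const violations = [];
  for (const entry of har.log.entries) {
    const t1 = Date.parse(entry.startedDateTime); // request start, used as t1
    if (t1 >= t2) continue; // at or after consent: allowed
    const host = new URL(entry.request.url).hostname;
    const msAfterLoad = t1 - t0;
    // Match the registrable domain and any subdomain, never a bare substring.
    const tracker = TRACKER_DOMAINS.find((d) => host === d || host.endsWith("." + d));
    if (tracker) violations.push({ type: "request", host, detail: tracker, msAfterLoad });
    for (const h of entry.response.headers) {
      if (h.name.toLowerCase() !== "set-cookie") continue;
      // Split defensively in case several Set-Cookie values were joined by newlines.
      for (const line of h.value.split("\n")) {
        const name = line.split("=")[0].trim();
        if (!NECESSARY_COOKIES.has(name)) violations.push({ type: "cookie", host, detail: name, msAfterLoad });
      }
    }
  }
  return violations;
}

console.log(findPreConsentViolations(SAMPLE_HAR, "2024-01-01T10:00:03.000Z"));
```

A HAR only records network activity, so cookies written by scripts through `document.cookie` and localStorage or sessionStorage entries still have to be checked in the Application panel.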
Method 2: Automated audit with ConsentScope
Manual checks break down quickly when you scale. A mid-size e-commerce site can have 40+ cookie variations across locales, A/B tests and user states. That is why we built ConsentScope.
Install the extension from the Chrome Web Store, open any website and let it run. ConsentScope monitors cookies, localStorage, sessionStorage and third-party scripts in real time. It classifies each cookie as necessary, analytics or marketing and flags any non-essential cookie that appears before the consent banner is dismissed.
| Criteria | Manual DevTools | ConsentScope |
|---|---|---|
| Time per page | 5-10 minutes | 10 seconds |
| Cookie classification | Manual research | Automatic |
| Storage monitoring | Cookies only | Cookies + localStorage + sessionStorage |
| Third-party scripts | Network tab only | Detected + categorized |
| Repeatability | Error-prone | Consistent across scans |
| Evidence export | Screenshots | JSON, CSV, PDF report |
| CMP support | N/A | Cookiebot, OneTrust, Didomi, 12+ more |
Stop guessing. Start detecting.
Install ConsentScope and see exactly which cookies fire before consent on any website you visit.
Common culprits: cookies that slip through
After analyzing thousands of sites, we see the same offenders again and again. Here are the categories most likely to fire early:
- Analytics overrides: Google Analytics 4 or Matomo loaded through Google Tag Manager before the consent trigger fires.
- Marketing pixels: Meta Pixel, TikTok Pixel, LinkedIn Insight Tag hardcoded in the template.
- Session replay tools: Hotjar, Clarity or FullStory initialized on DOM ready.
- A/B testing frameworks: Optimizely or VWO setting cookies to bucket users before consent.
- CDNs and performance tools: Some edge-side personalization services drop classification cookies.
What to do when you find a violation
- Document it: Record the cookie name, value, domain, path, category and exact timestamp. Screenshots help.
- Map the trigger: Find which script or tag manager rule is responsible. Look for inline scripts, GTM triggers or plugin settings.
- Fix the firing order: Move the script behind your CMP's consent trigger. Most platforms (Cookiebot, OneTrust, Didomi) provide data-layer events you can use.
- Retest: Clear storage, reload and verify the cookie no longer appears before consent.
- Monitor continuously: Website updates, new plugins and marketing campaigns can reintroduce violations.
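One way to fix the firing order, as an added example rather than any CMP's own API: a small gate that queues non-essential tags until consent covers their category. The category names follow this guide's classification (necessary, analytics, marketing); `createConsentGate`, `register` and `grant` are hypothetical names, and `grant` is meant to be called from whatever consent callback your CMP provides.

```javascript
// Added example: hold non-essential tags until consent covers their category.
// Hypothetical API; wire grant() to your CMP's consent callback.
function createConsentGate() {
  const granted = new Set(["necessary"]); // strictly necessary needs no consent
  const pending = [];                     // tags still waiting for their category
  const fired = [];                       // audit trail: tag names in firing order

  function run(tag) {
    fired.push(tag.name);
    tag.load(); // e.g. inject the vendor script element
  }

  return {
    // Register a tag; it runs immediately only if its category is already granted.
    register(name, category, load) {
      const tag = { name, category, load };
      if (granted.has(category)) run(tag);
      else pending.push(tag);
    },
    // Record the accepted categories and flush only the tags they cover.
    grant(categories) {
      for (const c of categories) granted.add(c);
      const ready = pending.filter((t) => granted.has(t.category));
      for (const t of ready) pending.splice(pending.indexOf(t), 1); // each tag fires once
      ready.forEach(run);
    },
    fired: () => [...fired],
    pending: () => pending.map((t) => t.name),
  };
}

// Usage with constructed tag names: only the session tag fires before consent.
const gate = createConsentGate();
gate.register("session", "necessary", () => {});
gate.register("ga4", "analytics", () => {});
gate.register("meta-pixel", "marketing", () => {});
gate.grant(["analytics"]); // user accepted analytics only
console.log(gate.fired(), gate.pending());
```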
FAQ
Do strictly necessary cookies need consent?
No. Cookies essential for the service explicitly requested by the user (shopping cart, authentication, security, load balancing) do not require consent. However, "analytics" and "preferences" are generally not considered strictly necessary.
Can I use legitimate interest for analytics cookies?
The EDPB and most EU data protection authorities reject legitimate interest as a legal basis for storage and access under the ePrivacy Directive. Consent remains the required basis for non-essential cookies.
How often should I audit cookies?
At minimum, after every major release, template change, new marketing integration or CMP update. For high-traffic sites, quarterly audits are a good baseline.
Does server-side tagging solve pre-consent violations?
Server-side tagging can help with data minimization, but if the client-side container still loads before consent, you have not solved the timing problem. You must delay the container initialization until after the user agrees.
ConsentScope Team
Verified author
Privacy Engineers & Chrome Extension Developers
We build tools that help developers, agencies and privacy advocates detect GDPR cookie violations automatically. Our team analyzes consent banners, cookie behavior and third-party scripts across thousands of websites every month.