How to Audit Website Cookies for GDPR Compliance (Step-by-Step)
If you are a developer, agency owner or privacy consultant, you have probably been asked this question: "Is our website GDPR-compliant when it comes to cookies?" The honest answer is usually: "I need to check." Cookie compliance is not visible in the UI. It happens in headers, scripts and storage events that most stakeholders never see. This guide gives you a professional, repeatable process for auditing website cookies under GDPR.
What GDPR actually requires for cookies
Before we open DevTools, let us clarify the legal baseline. The GDPR itself does not mention cookies directly. The relevant rules come from the ePrivacy Directive (2002/58/EC) and the draft ePrivacy Regulation. Here is what matters in practice:
- Consent is required for storing or accessing information on a user's device, unless it is strictly necessary.
- Consent must be freely given, specific, informed and unambiguous. Pre-ticked boxes, implied consent or "by using this site" disclaimers do not count.
- The user must be able to withdraw consent as easily as they gave it. If it takes one click to accept, it should take one click to reject.
- You must document consent. Who consented, when, and what they agreed to.
That means your audit must answer three questions: Are non-essential cookies blocked before consent? Is the consent mechanism valid? And is the consent recorded properly?
Phase 1: Discovery and inventory
You cannot audit what you do not know exists. The discovery phase maps every cookie, storage entry and tracking script across the site.
Step 1: Crawl every major page template
A cookie set on the homepage might not appear on the product page, and vice versa. You need to test every unique template: homepage, category pages, product detail, blog post, checkout funnel, account pages, password reset, error pages and any microsites.
Step 2: Record every cookie and its context
For each page, record: cookie name, value (truncated), domain, path, expiration, Secure flag, HttpOnly flag, SameSite attribute and the exact moment it appears (before or after consent). We use a simple spreadsheet with these columns.
| Column | Why it matters |
|---|---|
| Cookie name | Identifies the vendor or purpose (e.g. _ga = Google Analytics) |
| Domain | First-party vs third-party scope |
| Path | Whether the cookie is restricted to a subsection |
| Expires / Max-Age | Long-lived cookies are higher risk |
| Secure + HttpOnly | Security best practices |
| SameSite | Cross-site request behavior |
| Category | Necessary, functional, analytics, marketing |
| Timing | Before consent = potential violation |
| Source script | Which tag, plugin or inline script created it |
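To fill those columns consistently across hundreds of pages, raw Set-Cookie headers copied from the Network panel can be parsed into inventory rows. This is an added example, not code from the original article; the prefix-to-category map is an assumption based on common vendor naming and should be extended for the site under audit.

```javascript
// Added example, not code from the original article: turn raw Set-Cookie
// headers into inventory rows with the columns of the table above.
// CATEGORY_BY_PREFIX is an assumed heuristic, not a definitive vendor list.
const CATEGORY_BY_PREFIX = {
  PHPSESSID: 'necessary', csrftoken: 'necessary',
  _ga: 'analytics', _gid: 'analytics',
  _fbp: 'marketing', _gcl_au: 'marketing',
};

function categorize(name) {
  const prefix = Object.keys(CATEGORY_BY_PREFIX).find((p) => name.startsWith(p));
  return prefix ? CATEGORY_BY_PREFIX[prefix] : 'unclassified';
}

// Split "key=value" on the first "=" only; attribute values may contain "="
function splitPair(s) {
  const i = s.indexOf('=');
  return i < 0 ? [s, ''] : [s.slice(0, i), s.slice(i + 1)];
}

function parseSetCookie(header, timing, source) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const [name, value] = splitPair(pair);
  const row = {
    name,
    value: value.length > 8 ? `${value.slice(0, 8)}...` : value, // truncated
    domain: 'host-only', path: '/', expires: 'session',
    secure: false, httpOnly: false, sameSite: 'unset',
    category: categorize(name), timing, source, warnings: [],
  };
  for (const attr of attrs) {
    const [k, v] = splitPair(attr);
    switch (k.toLowerCase()) {
      case 'domain': row.domain = v; break;
      case 'path': row.path = v; break;
      case 'expires': row.expires = v; break;
      case 'max-age': row.expires = `${Math.round(Number(v) / 86400)} days`; break;
      case 'secure': row.secure = true; break;
      case 'httponly': row.httpOnly = true; break;
      case 'samesite': row.sameSite = v; break;
      default: break;
    }
  }
  if (row.sameSite.toLowerCase() === 'none' && !row.secure) {
    row.warnings.push('SameSite=None without Secure; modern browsers reject this cookie');
  }
  if (timing === 'before consent' && row.category !== 'necessary') {
    row.warnings.push('non-essential cookie set before consent');
  }
  return row;
}
```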
Step 3: Check localStorage and sessionStorage
GDPR applies to all storage mechanisms, not just cookies. Many modern trackers use localStorage to bypass cookie blockers. In DevTools, go to Application > Local Storage and look for entries set by analytics, A/B testing or personalization scripts.
Phase 2: Timing analysis
This is where most violations hide. A cookie that appears at t0 (page load) when consent happens at t2 (user click) is a clear breach. You need to establish the exact timeline.
- Open a clean browser session. Guest mode, all storage cleared.
- Open DevTools > Application > Cookies before loading the page.
- Load the page and watch. Screenshot any cookie that appears before you touch the banner.
- Interact with the banner. Accept, reject or customize. Record the time.
- Check again. Only now should non-essential cookies appear.
- Repeat for "Reject All". If you reject, no non-essential cookies should ever fire.
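Once the timeline from these steps is written down, the comparison against the consent event can be automated and grouped by source script for the report. This is an added example, not code from the original article; it also covers the localStorage entries from Step 3. How the events were captured (DevTools screenshots, a HAR file, a storage hook) is outside the snippet, and the sample timeline is constructed.

```javascript
// Added example, not code from the original article: compare a captured
// storage timeline (cookies and localStorage entries) with the consent
// event. Timestamps are ms since navigation start; the data is constructed.
function findTimingViolations(events, consent) {
  const violations = [];
  for (const ev of events) {
    if (ev.category === 'necessary') continue; // strictly necessary is exempt
    if (ev.t < consent.t) {
      violations.push({ ...ev, reason: 'set before consent' });
    } else if (!consent.accepted.includes(ev.category)) {
      violations.push({ ...ev, reason: `${ev.category} not accepted by user` });
    }
  }
  return violations;
}

// Count violations per source script, the grouping a remediation report needs
function bySource(violations) {
  return violations.reduce((acc, v) => {
    acc[v.source] = (acc[v.source] || 0) + 1;
    return acc;
  }, {});
}

// Constructed sample timeline for one page load
const sampleEvents = [
  { t: 120, kind: 'cookie', name: 'PHPSESSID', category: 'necessary', source: 'server' },
  { t: 350, kind: 'cookie', name: '_ga', category: 'analytics', source: 'gtag.js' },
  { t: 400, kind: 'localStorage', name: 'ab_bucket', category: 'functional', source: 'optimize.js' },
  { t: 5200, kind: 'cookie', name: '_fbp', category: 'marketing', source: 'fbevents.js' },
  { t: 5300, kind: 'cookie', name: '_gid', category: 'analytics', source: 'gtag.js' },
];
const rejectAll = { t: 4800, accepted: [] };                // user clicked "Reject All"
const analyticsOnly = { t: 4800, accepted: ['analytics'] }; // customized choice

console.log(findTimingViolations(sampleEvents, rejectAll));
console.log(bySource(findTimingViolations(sampleEvents, rejectAll)));
```

The same events evaluated against the "Reject All" and the customized consent show why the reject path must be tested separately: the before-consent violations are identical, but the after-consent set differs.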
Phase 3: Consent mechanism validation
Even perfect cookie timing is worthless if the consent itself is invalid. Your audit must verify the banner design and behavior.
| Requirement | Pass criteria | Common fail |
|---|---|---|
| Equal prominence | Accept and Reject buttons are same size, color intensity and position | Reject is a tiny grey link below a green Accept button |
| Granular choice | User can pick categories individually | Only "Accept All" or "Reject All", no middle ground |
| No nudging | No pre-ticked boxes, no dark patterns | Analytics pre-ticked as "essential" |
| Withdrawal path | Cookie settings accessible from every page footer | No way to change mind after closing banner |
| Policy link | Links to cookie policy and privacy policy are visible | Links hidden behind secondary tabs |
Phase 4: Third-party scripts and tag managers
Cookies are often set by scripts loaded from external domains. Your audit must trace each cookie back to its source.
Google Tag Manager audit
GTM is the most common source of accidental violations. Open GTM Preview mode and verify that every non-essential tag has a consent-based trigger. Tags that fire on "All Pages" or "DOM Ready" without checking consent state are red flags.
Hardcoded scripts
Look for scripts directly in the HTML source. Marketing teams often paste pixels into CMS widgets, footer injection plugins or theme files. These bypass tag managers entirely and are invisible to CMP auto-blocking unless manually tagged.
Phase 5: Reporting and remediation
An audit without a report is just browsing. Your deliverable should be a clear document that technical and non-technical stakeholders can understand.
- Executive summary: Number of violations, risk level and recommended priority.
- Detailed findings: Each violation with cookie name, page URL, timestamp, source script and screenshot.
- Remediation steps: Specific code changes, tag manager updates or CMP configuration fixes.
- Retest instructions: How to verify the fix after implementation.
- Ongoing monitoring: Schedule for re-audits after every release.
FAQ
How often should I run a cookie audit?
For active sites, every major release. For stable sites, quarterly. If you use continuous deployment, integrate automated cookie scanning into your CI pipeline.
Can I use free tools for GDPR cookie audits?
Yes. Chrome DevTools is free and sufficient for manual checks. However, scaling to multiple pages, repeated audits and client reporting requires automation. That is where tools like ConsentScope come in.
What is the difference between a cookie audit and a full GDPR audit?
A cookie audit covers the technical aspects of storage and consent. A full GDPR audit also includes data processing agreements, lawful basis documentation, data subject rights procedures and security measures.
ConsentScope Team, Privacy Engineers & Chrome Extension Developers
We build tools that help developers, agencies and privacy advocates detect GDPR cookie violations automatically. Our team analyzes consent banners, cookie behavior and third-party scripts across thousands of websites every month.