
How to Audit Your Website's Cookie Compliance (Step-by-Step Guide)

Gretelfy Team · February 3, 2026 · 12 min read
Tags: audit, compliance, tutorial, cookies, GDPR

A comprehensive cookie compliance audit isn't just about checking a box—it's about understanding exactly what data your website collects and when. This guide walks you through a complete audit process, from initial assessment to ongoing monitoring.

Your website changes constantly. Developers add features, marketers implement new tools, and third-party services update their scripts. Each change can introduce new cookies or alter existing behavior.

Without regular audits:

  • New tracking cookies appear without your knowledge
  • CMP configurations drift out of sync with actual cookies
  • Third-party updates bypass your consent mechanisms
  • Compliance that was valid last month may not be valid today

Before You Begin: What You'll Need

To conduct a thorough audit, gather:

  1. Admin access to your website's backend
  2. Tag manager access (GTM, Segment, etc.)
  3. CMP dashboard access (Cookiebot, OneTrust, etc.)
  4. List of third-party services you've integrated
  5. Browser with developer tools (Chrome recommended)
  6. Compliance scanning tool (like Gretelfy)

Step 1: Document Your Current State

Before making changes, document what exists now. This creates a baseline for comparison.

Build a spreadsheet with these columns:

  • Cookie Name
  • Domain
  • Category
  • Purpose
  • Vendor
  • Expiration
  • Set Before Consent?

Start by listing every cookie you're aware of. You'll discover more during the technical scan.

Document Third-Party Integrations

List every external service connected to your website:

  • Analytics (Google Analytics, Mixpanel, Amplitude)
  • Marketing (Facebook Pixel, Google Ads, LinkedIn Insight)
  • Customer support (Intercom, Zendesk, Drift)
  • Heatmaps (Hotjar, Crazy Egg, FullStory)
  • Email marketing (Klaviyo, Mailchimp, HubSpot)
  • Social widgets (Share buttons, embedded feeds)
  • Video embeds (YouTube, Vimeo, Wistia)
  • Payment processors (Stripe, PayPal)

Each of these likely sets cookies. Note which ones you expect to require consent.

Step 2: Perform a Technical Scan

Now it's time to see what actually happens when someone visits your site.

Option A: Manual Browser Inspection

This method is free but time-consuming, and it is easy to miss things.

  1. Clear all data: In Chrome, go to Settings > Privacy and security > Clear browsing data and select cookies, cache, and site data. A fresh Guest or Incognito window gives the same clean starting point without wiping your own profile, provided no extensions (including any ad or cookie blocker) are active in it.

  2. Open Developer Tools: Press F12 or right-click and select "Inspect"

  3. Navigate to Application tab: Click the "Application" tab, then "Cookies" in the left sidebar

  4. Visit your website: In a new tab, navigate to your homepage

  5. Document cookies immediately: Before interacting with anything, note every cookie that appears, with its domain and expiry. Use this Application view rather than a console one-liner: cookies flagged HttpOnly show up here but are invisible to document.cookie.

  6. Record network requests: Switch to the "Network" tab, enable "Preserve log", and filter out your own domain (for example the filter expression -domain:*.example.com, or the "Third-party requests" checkbox in recent Chrome versions) so only third-party calls remain. Tracking pixels are requests, not cookies; a call to a vendor before consent can be a violation even when no cookie is set.

  7. Repeat for key pages: Check your homepage, product pages, checkout, and blog

Manual inspection misses cookies that are set after a delay, on scroll, or only after specific interactions, and it depends on the auditor re-creating a clean session every time. Automated tools provide a more complete picture.

Option B: Automated Scan

Scan your website with Gretelfy →

An automated scan:

  • Visits your site in a completely clean browser session
  • Captures cookies and network requests with precise timing
  • Identifies the source of each cookie
  • Categorizes cookies by type (analytics, marketing, etc.)
  • Generates a compliance score you can track over time

Step 3: Identify Pre-Consent Violations

With your scan results in hand, identify every cookie or script that fires before consent, and rank the findings:

Critical Violations (High Priority)

These require immediate attention:

  • Marketing cookies (Facebook Pixel _fbp, Google Ads _gcl_au, etc.)
  • Third-party advertising cookies (DoubleClick IDE, AdSense NID)
  • Cross-site tracking (LinkedIn li_fat_id, Twitter analytics)

Medium Priority Violations

Address these after critical violations:

  • Analytics cookies (Google Analytics _ga, _gid)
  • Heatmap cookies (Hotjar _hjid, Crazy Egg)
  • Session replay (FullStory, LogRocket)

Lower Priority (But Still Violations)

  • Functional cookies (theme, language preference) when they are set without any user action. A preference cookie written in direct response to the visitor choosing that setting, holding nothing but the preference, is commonly treated as "strictly necessary" under the ePrivacy exemption and does not need consent; one set speculatively on page load does.
  • Chat widget cookies (Intercom, Drift), which usually carry a persistent visitor identifier and so are not exempt just because the widget is labelled "functional"
  • Unknown cookies (require investigation before they can be categorised at all)
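
The ranking above is mechanical enough to script. The following is an added example, not Gretelfy's scanner or any vendor's code: it takes the cookies captured in a clean session together with the time the visitor consented, classifies each by name against the vendors this guide mentions, and orders the pre-consent ones critical → medium → low as in Step 3. The capture format ({name, domain, setAt}) and the sample data are constructed for illustration; in practice you would feed in the cookie list exported from DevTools or your scanner.

```javascript
// Added example (not Gretelfy's scanner or any vendor's code): triage of the
// cookies captured in a clean session against the moment of consent, using the
// priority scheme of Step 3. The capture format {name, domain, setAt} and the
// sample data below are constructed; feed in DevTools or scanner output in practice.

// Cookie-name signatures for vendors this guide mentions. Anchored regexes,
// so "IDE" does not match "IDENTITY" while _ga also covers _ga_<stream id>.
const COOKIE_SIGNATURES = [
  { re: /^_fbp$/,      vendor: "Facebook Pixel",   category: "marketing" },
  { re: /^_gcl_au$/,   vendor: "Google Ads",       category: "marketing" },
  { re: /^IDE$/,       vendor: "DoubleClick",      category: "marketing" },
  { re: /^NID$/,       vendor: "Google",           category: "marketing" },
  { re: /^li_fat_id$/, vendor: "LinkedIn Insight", category: "marketing" },
  { re: /^_ga(_|$)/,   vendor: "Google Analytics", category: "analytics" },
  { re: /^_gid$/,      vendor: "Google Analytics", category: "analytics" },
  { re: /^_hj/,        vendor: "Hotjar",           category: "analytics" },
  { re: /^intercom-/,  vendor: "Intercom",         category: "functional" },
  // Common first-party session/CSRF cookies: strictly necessary, never a violation.
  { re: /^(PHPSESSID|JSESSIONID|csrftoken|XSRF-TOKEN)$/, vendor: "first-party", category: "necessary" },
];

// Step 3 ordering: marketing is critical, analytics medium, everything else low.
const PRIORITY = { marketing: "critical", analytics: "medium", functional: "low", unknown: "low" };
const PRIORITY_RANK = { critical: 0, medium: 1, low: 2 };

function classifyCookie(name) {
  const hit = COOKIE_SIGNATURES.find((s) => s.re.test(name));
  return hit ? { vendor: hit.vendor, category: hit.category }
             : { vendor: "unknown", category: "unknown" };
}

// cookies:   [{ name, domain, setAt }], setAt in ms after navigation start
// consentAt: ms at which the visitor accepted, or null if they never did
// Returns { violations, allowed }; violations sorted critical -> medium -> low,
// then by the time they were set, so the report reads like a timeline.
function triagePreConsent(cookies, consentAt) {
  const violations = [];
  const allowed = [];
  for (const c of cookies) {
    const preConsent = consentAt === null || c.setAt < consentAt;
    const { vendor, category } = classifyCookie(c.name);
    if (!preConsent || category === "necessary") {
      allowed.push({ ...c, vendor, category });
      continue;
    }
    violations.push({
      ...c, vendor, category, priority: PRIORITY[category],
      note: category === "unknown"
        ? "unidentified cookie set before consent: find the setter and categorise it"
        : `${category} cookie set ${consentAt === null ? "with no consent given" : `${consentAt - c.setAt} ms before consent`}`,
    });
  }
  violations.sort((a, b) => PRIORITY_RANK[a.priority] - PRIORITY_RANK[b.priority] || a.setAt - b.setAt);
  return { violations, allowed };
}

// Constructed capture: a visit where the visitor clicks "Accept all" 8 s in.
const SAMPLE_CAPTURE = [
  { name: "PHPSESSID",        domain: "example.com",      setAt: 120 },
  { name: "_ga",              domain: ".example.com",     setAt: 900 },
  { name: "_ga_ABC123",       domain: ".example.com",     setAt: 910 },
  { name: "_fbp",             domain: ".example.com",     setAt: 1400 },
  { name: "IDE",              domain: ".doubleclick.net", setAt: 1500 },
  { name: "_hjSessionUser_1", domain: ".example.com",     setAt: 3000 },
  { name: "zx_pref",          domain: "example.com",      setAt: 3500 },
  { name: "_gcl_au",          domain: ".example.com",     setAt: 8200 }, // after consent: allowed
];
const SAMPLE_CONSENT_AT = 8000;

function sampleReport() {
  return triagePreConsent(SAMPLE_CAPTURE, SAMPLE_CONSENT_AT);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const v of sampleReport().violations) {
    console.log(`[${v.priority.toUpperCase()}] ${v.name} (${v.vendor}, ${v.domain}) at ${v.setAt} ms: ${v.note}`);
  }
}
```

Run it with node and the sample capture yields two critical findings (_fbp, IDE), three medium (_ga, _ga_ABC123, the Hotjar cookie) and one unknown cookie to chase down; _gcl_au is not flagged because it was set after the consent click. Passing null for consentAt models the "reject" or "no choice" scenario from Step 4, where every non-necessary cookie is a violation.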

Step 4: Review Your CMP Configuration

If you have a Consent Management Platform, verify it's correctly configured:

In your CMP dashboard, confirm:

  • Every cookie is assigned to a category
  • Categories follow a recognised scheme (Necessary, Functional/Preferences, Analytics/Statistics, Marketing). The GDPR itself does not define cookie categories, so the categorisation is your own claim and must be defensible cookie by cookie.
  • No marketing or analytics cookies are marked as "Necessary". This is the most common misconfiguration, because it exempts the cookie from consent entirely.

Verify Blocking Behavior

Your CMP should actually block cookies, not just display a banner:

  1. Confirm the CMP's default state, before the visitor makes any choice, is "no consent" for every non-necessary category (opt-in, not pre-ticked or implied consent)
  2. Visit your site in a clean session and decline consent
  3. Check whether non-necessary cookies are still being set, and whether requests to tracking vendors still fire
  4. If they are, your CMP isn't properly integrated: it is showing a banner, but the script or tag gating behind it is not wired up

Test all consent scenarios:

  • Accept all
  • Reject all
  • Accept only necessary
  • Accept necessary + analytics
  • Modify preferences after initial choice

Each scenario should result in the correct cookies being allowed or blocked.

Step 5: Audit Your Tag Manager

Most pre-consent violations originate in tag managers. Here's how to audit them:

Google Tag Manager Audit

  1. Open GTM and list all tags: Export or screenshot your tag list

  2. Check each tag's trigger: Click each tag and note its trigger condition

  3. Identify problematic triggers:

    • "All Pages" without consent condition = violation
    • "DOM Ready" without consent condition = violation
    • "Page View" without consent condition = violation

    One qualification: a tag may keep a page-load trigger if it is gated another way, for example through the tag's own "Require additional consent for tag to fire" setting, or a Google tag running under Consent Mode with the default state set to denied. Confirm in Preview mode what such a tag actually sends before consent (Consent Mode's "advanced" configuration still sends cookieless pings) rather than assuming the gating works.
  4. Look for consent integration: Proper setup uses triggers like:

    • "Consent - Analytics Accepted"
    • "Consent - Marketing Accepted"
    • Custom events from your CMP

For each non-necessary tag:

  1. Create a trigger that fires only on consent
  2. Link your CMP's consent event to GTM
  3. Update each tag to require the consent trigger
  4. Test in Preview mode before publishing

Step 6: Address Third-Party Scripts

Some scripts aren't in your tag manager but are hardcoded or loaded by plugins.

Find Hardcoded Scripts

Search your codebase for:

  • <script> tags with external sources
  • Inline JavaScript that initializes tracking
  • WordPress plugins that add tracking
  • Theme files with analytics snippets
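
Grepping for "<script" turns up far more than you want to read. As an added example, not part of the original guide, here is a small scanner that does the search described above on a template file: it reports external script sources by host (first-party ones are skipped) and inline scripts that call the initialisers vendors document (gtag, fbq, hj, Intercom, and the GTM dataLayer push). The sample template, the vendor host table and the call patterns are constructed for illustration and cover only vendors this guide names; extend the tables with whatever your third-party inventory from Step 1 contains.

```javascript
// Added example (not from the article): scan an HTML/template file for
// external <script src> tags and inline tracking initialisers, the two things
// Step 6 says to search for. The sample template is constructed; the host and
// call-pattern tables list vendors this guide names and are not exhaustive.

const EXTERNAL_SCRIPT_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
// Inline scripts only: the lookahead rejects any <script ...> that has a src.
const INLINE_SCRIPT_RE = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;

// Inline initialiser calls worth flagging, as documented by each vendor.
const TRACKER_CALLS = [
  { re: /\bgtag\s*\(/,                     vendor: "Google tag (gtag.js)" },
  { re: /\bga\s*\(\s*['"]create/,          vendor: "Universal Analytics" },
  { re: /\bfbq\s*\(\s*['"]init/,           vendor: "Facebook Pixel" },
  { re: /\bhj\s*\(|_hjSettings/,           vendor: "Hotjar" },
  { re: /\bIntercom\s*\(|intercomSettings/, vendor: "Intercom" },
  { re: /\b_linkedin_partner_id\b/,        vendor: "LinkedIn Insight" },
  { re: /\bdataLayer\.push\s*\(/,          vendor: "GTM dataLayer (check the tag manager)" },
];

// Hosts whose scripts are known to set cookies. Anything else external is
// reported as "unknown third party" so it gets investigated, not ignored.
const KNOWN_TRACKER_HOSTS = {
  "www.googletagmanager.com": "Google Tag Manager / gtag",
  "www.google-analytics.com": "Google Analytics",
  "connect.facebook.net":     "Facebook Pixel",
  "static.hotjar.com":        "Hotjar",
  "widget.intercom.io":       "Intercom",
  "snap.licdn.com":           "LinkedIn Insight",
  "js.stripe.com":            "Stripe",
};

// Resolve relative and protocol-relative (//host/...) sources against the page host.
function hostOf(src, pageHost) {
  try { return new URL(src, `https://${pageHost}/`).hostname; } catch { return null; }
}

function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

// Returns [{ line, kind, vendor, detail }] sorted by line number.
function scanTemplate(html, pageHost) {
  const findings = [];
  for (const m of html.matchAll(EXTERNAL_SCRIPT_RE)) {
    const host = hostOf(m[1], pageHost);
    if (!host || host === pageHost || host.endsWith(`.${pageHost}`)) continue; // first-party asset
    findings.push({
      line: lineOf(html, m.index), kind: "external-script",
      vendor: KNOWN_TRACKER_HOSTS[host] || "unknown third party", detail: m[1],
    });
  }
  for (const m of html.matchAll(INLINE_SCRIPT_RE)) {
    for (const t of TRACKER_CALLS) {
      if (t.re.test(m[1])) {
        findings.push({
          line: lineOf(html, m.index), kind: "inline-init", vendor: t.vendor,
          detail: m[1].trim().split("\n")[0].slice(0, 60),
        });
      }
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed theme footer: one first-party asset, a gtag snippet, a pixel
// loader and a review widget from an unlisted host. Ids are placeholders.
const SAMPLE_TEMPLATE = `<!doctype html>
<html><head>
<script src="/assets/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');
</script>
</head><body>
<script>
  !function(f,b,e,v,n,t,s){/* pixel loader */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
</script>
<script src="//cdn.example-reviews.test/widget.js"></script>
</body></html>`;

function sampleFindings() {
  return scanTemplate(SAMPLE_TEMPLATE, "example.com");
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of sampleFindings()) console.log(`line ${f.line} ${f.kind}: ${f.vendor} :: ${f.detail}`);
}
```

On the sample it reports the gtag loader and its inline snippet, the pixel init, and the review widget as an unknown third party, while the first-party app.js is skipped. Point scanTemplate at each theme, layout and plugin template in turn; every finding that is not already routed through your tag manager or CMP blocking is a candidate for the "Solutions" list below.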

Common Culprits

  • Chat widgets (often in theme footer)
  • Social sharing buttons
  • Embedded videos with tracking
  • Payment provider scripts
  • Customer review widgets

Solutions

  1. Move to tag manager: Transfer scripts to GTM where you can add consent conditions
  2. Use CMP script blocking: Most CMPs can block scripts by URL pattern
  3. Configure plugins: Many plugins now have consent mode settings
  4. Replace with consent-aware versions: Some vendors offer GDPR-compliant embeds
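
Whether a script lives in GTM (Step 5) or is hardcoded in a theme (this step), the fix has the same shape: nothing non-necessary runs until the CMP says so. The following is an added example, not the article's code and not any CMP's or Google's library. It declares a denied default for Google Consent Mode, queues loaders by category, releases them only when the CMP reports consent, and pushes the "consent_<category>_accepted" custom events that Step 5's GTM triggers can listen for. The register()/update() API and the event names are assumptions for illustration; loaders stand in for the code that would inject a script tag.

```javascript
// Added example (not the article's code, not any CMP's or Google's library):
// a minimal consent gate for scripts you control. It (1) declares a denied
// default for Google Consent Mode, (2) queues non-necessary loaders by
// category and (3) releases them only when the CMP reports consent, pushing
// the GTM custom events named in Step 5. API and event names are assumptions.

const GATED_CATEGORIES = ["functional", "analytics", "marketing"];

// The article's categories mapped to Google Consent Mode consent types.
const CONSENT_MODE_TYPES = {
  functional: ["functionality_storage", "personalization_storage"],
  analytics:  ["analytics_storage"],
  marketing:  ["ad_storage", "ad_user_data", "ad_personalization"],
};

class ConsentGate {
  // dataLayer: the array GTM/gtag reads (window.dataLayer in a browser).
  constructor(dataLayer) {
    this.dataLayer = dataLayer;
    // gtag() must push an `arguments` object, not a plain array, or GTM will
    // not recognise the command. Same shape as the standard gtag snippet.
    this.gtag = function () { dataLayer.push(arguments); };
    this.granted = new Set();                       // opt-in: nothing granted yet
    this.pending = { functional: [], analytics: [], marketing: [] };
    const denied = {};
    for (const types of Object.values(CONSENT_MODE_TYPES)) for (const t of types) denied[t] = "denied";
    this.gtag("consent", "default", denied);        // must run before any tag can fire
  }

  // Register a loader (e.g. () => inject <script src=...>) under a category.
  // Necessary scripts run at once; everything else waits for consent.
  register(category, loader) {
    if (category === "necessary" || this.granted.has(category)) { loader(); return; }
    if (!GATED_CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.pending[category].push(loader);
  }

  // Called by the CMP with the visitor's choice, e.g. { analytics: true, marketing: false }.
  // Newly granted categories release their queue once and emit a GTM event;
  // revoked categories stop future loads (scripts already running need a page
  // reload or the vendor's own opt-out call, which this gate cannot undo).
  update(choices) {
    const consentUpdate = {};
    for (const cat of GATED_CATEGORIES) {
      const allow = choices[cat] === true;
      for (const t of CONSENT_MODE_TYPES[cat]) consentUpdate[t] = allow ? "granted" : "denied";
      if (allow && !this.granted.has(cat)) {
        this.granted.add(cat);
        this.dataLayer.push({ event: `consent_${cat}_accepted` }); // GTM custom-event trigger
        const queued = this.pending[cat];
        this.pending[cat] = [];
        queued.forEach((fn) => fn());
      } else if (!allow) {
        this.granted.delete(cat);
      }
    }
    this.gtag("consent", "update", consentUpdate);
  }
}

// Constructed walk-through covering three Step 4 scenarios: no choice yet,
// "necessary + analytics", then the visitor widening consent to marketing.
function demo() {
  const dataLayer = [];
  const gate = new ConsentGate(dataLayer);
  const loaded = [];
  gate.register("necessary", () => loaded.push("session"));
  gate.register("analytics", () => loaded.push("ga4"));
  gate.register("marketing", () => loaded.push("fb-pixel"));
  const beforeChoice = [...loaded];                        // ["session"]
  gate.update({ analytics: true, marketing: false });      // accept necessary + analytics
  const afterAnalytics = [...loaded];                      // ["session", "ga4"]
  gate.register("marketing", () => loaded.push("gads"));   // still queued: marketing denied
  gate.update({ analytics: true, marketing: true });       // preferences changed later
  return { beforeChoice, afterAnalytics, final: [...loaded], dataLayer };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("before choice:", r.beforeChoice);
  console.log("after analytics:", r.afterAnalytics);
  console.log("after marketing:", r.final);
}
```

In a real page, the CMP's callback (every major CMP exposes one) calls gate.update() with the visitor's categories, and each hardcoded snippet found in the search above becomes a gate.register() call whose loader appends the script element. Re-running the Step 4 scenarios against such a page should show exactly the cookies from the granted categories and nothing else.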

Step 7: Update Your Cookie Policy

Your cookie policy must accurately reflect your actual cookie usage:

Required Information

  • Complete list of cookies used
  • Purpose of each cookie
  • Cookie category (necessary, functional, analytics, marketing)
  • First-party vs. third-party
  • Duration/expiration
  • How to manage or delete cookies

Keep It Updated

Every time you add or remove cookies, update your policy. Consider linking your cookie policy to your compliance scanning results for automatic updates.

Step 8: Implement Ongoing Monitoring

A single audit isn't enough. Implement continuous monitoring:

Weekly Scans

Schedule automated compliance scans to run weekly. This catches:

  • New cookies from updated third-party services
  • Changes from deployments
  • Drift in CMP configuration

Change Detection Alerts

Set up alerts for:

  • New cookies detected
  • Score drops
  • New scripts firing pre-consent

Deployment Checks

Add compliance scanning to your deployment process:

  • Scan staging before pushing to production
  • Block deployments that introduce violations
  • Track compliance score over time

Set up automated monitoring with Gretelfy →

Step 9: Document Everything

Maintain records that demonstrate your compliance efforts:

Documentation to Keep

  • Historical scan results
  • Remediation actions taken
  • CMP configuration changes
  • Team training records
  • Vendor assessments

Why Documentation Matters

If regulators investigate, documentation shows:

  • You take compliance seriously
  • You've made good-faith efforts
  • You have processes to maintain compliance
  • You respond appropriately to issues

Your Audit Checklist

Use this checklist for every audit:

  • Run automated compliance scan
  • Review all pre-consent cookies
  • Check all pre-consent network requests
  • Verify CMP is blocking correctly
  • Audit tag manager triggers
  • Search for hardcoded scripts
  • Test all consent scenarios
  • Update cookie inventory
  • Update cookie policy
  • Document findings and fixes
  • Schedule next audit

Get Started Today

The best time to audit your cookie compliance was yesterday. The second best time is now.

Start your free compliance scan →

Get your Gretel Score in 30 seconds and see exactly what needs fixing. No signup required for your first scan.


The Crumb Trail is Gretelfy's blog about cookie compliance, privacy regulations, and building trust with your website visitors. Subscribe for weekly insights.
