Why a cookie compliance audit matters (the fines are real)

The ePrivacy Directive (Article 5(3)) requires consent before anything that is not strictly necessary for a service the user asked for is stored on or read from their device, and GDPR sets the standard that consent must meet: freely given, specific, informed, and given by a clear affirmative act. This covers not only cookies but localStorage, tracking pixels and fingerprinting scripts. In practice it means analytics cookies, advertising pixels, retargeting trackers, and session recording tools all stay blocked by default until the visitor opts in.

Most websites fail this requirement in at least one significant way. The gap between "we have a cookie banner" and "we're actually compliant" is where enforcement actions happen.

🚫
Recent GDPR fines for cookie violations

Google was fined €150M by the French CNIL in early 2022 for making cookie rejection harder than acceptance (Facebook received a €60M fine in the same round of decisions). Cosmetics retailer Sephora paid $1.2M in 2022 to settle California's first CCPA enforcement action, in part over undisclosed cookie-based data sales. In 2025, dozens of mid-size e-commerce sites received €5,000–€80,000 fines for loading Google Analytics before consent. Size does not protect you.

A cookie compliance audit is not a one-time legal exercise. It's the ongoing practice of knowing what your site sets, why it sets it, and whether you have a valid legal basis for each cookie. This guide gives you the process to do that audit — manually in your browser, or automatically with a scanner that does it in seconds.

What a cookie compliance audit covers

A complete audit answers four questions:

  1. Discovery: What cookies does your site actually set? (Including third-party cookies from scripts you load)
  2. Classification: Which are essential (no consent needed), which are analytics, which are marketing?
  3. Consent verification: Are non-essential cookies blocked until the user opts in, or are they firing on page load?
  4. Documentation: Does your cookie policy accurately list all cookies your site sets?

Most sites fail on step 3 — they have a cookie banner, but tracking scripts fire before the user interacts with it. This is the most common violation and the one regulators focus on.

ℹ️
The "we have a banner" myth

Having a cookie consent banner does not make you compliant. The banner must actually block non-essential cookies until consent is given. Many sites load GA4, Meta Pixel, and TikTok Pixel immediately on page load — the banner is cosmetic decoration. This is a GDPR violation regardless of how good the banner looks.

Step-by-step: manual cookie compliance audit

You can audit your site's cookies with nothing but Chrome DevTools. It takes 5–15 minutes depending on how many pages you check. Here's the exact process.

1
Open your site in an incognito window

An incognito window starts with an empty cookie jar and no stored consent state, so you see the site as a first-time visitor does. One caveat: it does not change your IP address, so a consent platform that only shows the banner to EU visitors will still geolocate you; if your banner is geo-targeted, test from an EU address or force your consent tool into its EU behaviour. Open Chrome, press Ctrl+Shift+N (Windows) or Cmd+Shift+N (Mac), then navigate to your homepage.

Do not click your cookie banner yet — you want to see what fires before any consent is given.

2
Open DevTools and go to Application → Cookies

Press F12 to open Chrome DevTools. Navigate to Application → Storage → Cookies in the left panel. Each origin that has set cookies is listed separately: click your own domain first, then check any third-party domains that appear (cookies set by embedded frames show up under their own origin). This view includes HttpOnly cookies, which document.cookie in the console does not show, so it is the more complete place to read the list.

Note: Some cookies only appear after page load completes. Wait for the page to fully load before reading the list. Watch for cookies that appear before you've interacted with any consent banner — those are your immediate violations.

3
Check the Network tab for third-party tracking requests

Switch to the Network tab, tick "Preserve log" and "Disable cache", and reload the page. Tick the "3rd-party requests" filter, or type a filter such as domain:*.google-analytics.com, to find known tracker domains: google-analytics.com, googletagmanager.com, connect.facebook.net, analytics.tiktok.com, hotjar.com, clarity.ms. Clicking a request and opening its Cookies tab shows any Set-Cookie headers it returned.

If any of these domains appear in the Network tab before you've accepted cookies, those scripts are firing without consent. Each one is a potential GDPR violation.

4
Categorise each cookie you found

Sort your discovered cookies into four categories:

  • Essential / Strictly necessary: Session IDs, CSRF tokens, shopping cart, login state, and the cookie that stores the visitor's consent choice itself. These don't need consent.
  • Analytics: _ga, _ga_<measurement id> and _gid (Google Analytics), _hjid and other _hj* cookies (Hotjar), _clck and _clsk (Microsoft Clarity). Require consent.
  • Marketing / Advertising: _fbp and _fbc (Meta Pixel), _ttp (TikTok), _gcl_au (Google Ads), retargeting pixels. Require consent.
  • Functional / Preferences: Language settings, UI preferences, A/B test assignments. A preference the user set themselves can fall under the strictly-necessary exemption; anything the site assigns on its own, such as an experiment bucket, requires consent.

Anything in the Analytics, Marketing, or Functional categories must not fire until the user consents.

5
Repeat on your highest-traffic pages

Different pages load different scripts. A blog post might load a comment widget that sets cookies. A product page might load a review platform. An email capture form might load a marketing automation tool. Check at minimum: homepage, a content page (blog post, about), a product or service page, and any conversion-focused landing pages.
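The following is an added example, not code from the original article or from CookieGuard. It turns the two things you copy out of DevTools during steps 2 to 4 (the pre-consent cookie string and the hostnames from the Network tab) into a classified cookie list, a violation list and a list of tracker requests, using the cookie names and tracker domains the steps above mention. The tracker-domain map, the cookie-name patterns and the "essential" name list are assumptions about a typical stack; the sample cookie string and hostnames at the bottom are constructed, not captured from a real site. It runs as-is in Node; in the browser console you would call auditPreConsent with document.cookie and the hostnames from performance.getEntriesByType("resource"), bearing in mind that document.cookie omits HttpOnly cookies and cookies set by third-party frames (read those from Application → Cookies as described in step 2).

```javascript
// Added example: classify a pre-consent cookie snapshot and a list of request
// hostnames. Not the article's or CookieGuard's code; the rules below are
// assumptions about a typical site and should be extended for your own stack.

// Tracker hostnames from step 3 and the category each one implies.
const TRACKER_HOSTS = {
  "google-analytics.com": "analytics",
  "googletagmanager.com": "tag-manager",
  "connect.facebook.net": "marketing",
  "analytics.tiktok.com": "marketing",
  "hotjar.com": "session-recording",
  "clarity.ms": "session-recording",
};

// Cookie-name rules from step 4. The first matching rule wins. The essential
// rule lists common session/CSRF names plus a hypothetical consent cookie.
const COOKIE_RULES = [
  { re: /^(_ga|_ga_[A-Z0-9]+|_gid|_gat.*)$/, category: "analytics", consent: true },
  { re: /^(_hj.*|_clck|_clsk)$/, category: "analytics", consent: true },
  { re: /^(_fbp|_fbc|_ttp|_gcl_au)$/, category: "marketing", consent: true },
  { re: /^(PHPSESSID|JSESSIONID|csrftoken|XSRF-TOKEN|cookie_consent|__Host-.*|__Secure-.*)$/i,
    category: "essential", consent: false },
];

// Split "a=1; b=2" into ["a", "b"]; values may themselves contain "=".
function parseCookieNames(cookieStr) {
  return cookieStr.split(";").map(s => s.trim()).filter(Boolean).map(s => s.split("=")[0]);
}

function classifyCookie(name) {
  for (const rule of COOKIE_RULES) {
    if (rule.re.test(name)) return { name, category: rule.category, consentRequired: rule.consent };
  }
  // Unknown names are never assumed safe: they go on the human-review list.
  return { name, category: "unknown", consentRequired: null };
}

// Match the tracker domain itself or any subdomain of it.
function hostCategory(hostname) {
  for (const [suffix, category] of Object.entries(TRACKER_HOSTS)) {
    if (hostname === suffix || hostname.endsWith("." + suffix)) return category;
  }
  return null;
}

// cookieStr: document.cookie taken before touching the banner.
// requestHosts: hostnames of every request seen in the Network tab before consent.
function auditPreConsent(cookieStr, requestHosts) {
  const cookies = parseCookieNames(cookieStr).map(classifyCookie);
  const trackerRequests = [...new Set(requestHosts)]
    .map(host => ({ host, category: hostCategory(host) }))
    .filter(r => r.category !== null);
  return {
    cookies,
    violations: cookies.filter(c => c.consentRequired === true), // set before opt-in
    review: cookies.filter(c => c.consentRequired === null),     // unclassified, check by hand
    trackerRequests,                                             // fired before opt-in
  };
}

// Constructed sample standing in for a real pre-consent snapshot.
const SAMPLE_COOKIES =
  "PHPSESSID=abc123; _ga=GA1.1.1234.5678; _ga_ABC123=GS1.1.1; _fbp=fb.1.1700000000.42; wp-settings-time-1=1700000000";
const SAMPLE_HOSTS = [
  "www.example.com", "www.google-analytics.com", "connect.facebook.net",
  "fonts.gstatic.com", "www.google-analytics.com",
];

console.log(JSON.stringify(auditPreConsent(SAMPLE_COOKIES, SAMPLE_HOSTS), null, 2));
```

On the constructed sample this reports three violations (_ga, _ga_ABC123 and _fbp were set before any choice), one cookie for manual review (wp-settings-time-1, which the rules do not know), and two tracker hosts contacted before consent (google-analytics.com and connect.facebook.net). The "review" bucket is deliberate: an unknown cookie name is a gap in your inventory, not a pass.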

⚠️
Manual audits have significant blind spots

Some cookies only appear after specific user actions (adding to cart, reaching checkout, triggering a chatbot). Some scripts load asynchronously and may not appear in a quick check. Tag Manager containers can inject dozens of tags that aren't visible until they fire. Manual audits give you a starting point, not a complete picture.

Common violations found in cookie audits

These are the issues that show up in the majority of cookie audits we run. If you find any of these, they're your highest-priority fixes.

Violation | What it looks like | Severity
Analytics firing before consent | GA4, Matomo in cookie mode, or a similar tool loads on page load without waiting for consent | Critical
Meta / TikTok Pixel on page load | _fbp or _ttp cookie set immediately; the pixel fires a PageView event before consent | Critical
GTM loading unchecked tags | Google Tag Manager container fires all tags on load; no consent-based trigger logic | Critical
Cookie banner doesn't block cookies | Banner shows, but cookies are already set before the user interacts; the banner is decorative | Critical
Pre-ticked consent checkboxes | Analytics / marketing options are checked by default in the consent banner | High
No "Reject All" option | Banner has "Accept" but requires navigating submenus to reject; deliberate friction | High
Session recording tools (Hotjar, FullStory) | Screen recording / heatmap scripts fire without consent, capturing keystrokes and mouse movements | High
Outdated cookie policy | Cookie policy lists 5 cookies; site actually sets 23; policy hasn't been updated in 18 months | Medium
Third-party chat widgets | Intercom, Drift, Zendesk chat setting persistent tracking cookies before consent | Medium
A/B testing tools without consent | Optimizely, VWO, or similar tools assigning visitors to experiments via cookies before consent | Medium

The faster approach: automated cookie scanning

Manual audits give you a snapshot. Automated scanning gives you the complete picture — including cookies that only appear on specific pages, after specific interactions, or loaded by GTM containers that manual inspection can't easily enumerate.

CookieGuard's free scanner crawls your website, discovers every cookie set across all pages and states, classifies them by category, checks whether they're firing before consent, and generates a prioritised compliance report. The entire process takes under 30 seconds.


What automated scanning catches that manual audits miss

Where manual audits require you to check each page individually, an automated scan covers your entire site in a single pass. Where manual audits miss cookies that only appear after user interactions, automated scanning simulates those interactions. Where your memory of what plugins and tags you've added fades over time, automated scanning runs on a schedule and alerts you when something new appears.

What to fix first: a prioritised action list

After your audit, you'll have a list of cookies and issues. Not everything is equally urgent. Here's the order in which to fix things:

Cookie Compliance Fix Priority Order

1
Block all analytics and marketing scripts until consent is given (Critical)

If GA4, Meta Pixel, or any advertising script fires on page load before consent, fix this first. It's the most common violation, the most documented by regulators, and carries the highest fine risk. For Google tags, use Consent Mode v2 in its basic form: push a consent default of "denied" for every storage type before any tag runs, and do not load gtag.js or the GTM container until the visitor grants consent. The advanced form loads the tags immediately and sends cookieless pings to Google before any choice is made, so it fails the test in step 3 of the manual audit (no tracker request before opt-in). For non-Google scripts, load them from your consent callback rather than unconditionally in the page.

2
Add a "Reject All" button that's as easy to find as "Accept All" (Critical)

GDPR Article 7(3) requires that withdrawing consent be as easy as giving it, and DPA enforcement (the CNIL's 2022 decisions against Google and Facebook, the EDPB cookie banner taskforce report) applies the same standard to the first choice: rejecting must take no more clicks than accepting. If your banner has "Accept" as a prominent button and "Reject" buried in settings, you're exposed.

3
Remove pre-ticked checkboxes from your consent UI (Critical)

GDPR Recital 32 states that silence, pre-ticked boxes or inactivity do not constitute consent, and the CJEU confirmed this for cookies in Planet49 (C-673/17). If your banner pre-selects analytics or marketing categories, uncheck them by default.

4
Audit and consent-gate session recording tools (High)

Hotjar, FullStory, Microsoft Clarity, and similar tools record mouse movements, scrolling and, unless input masking is configured, what visitors type into forms. This is highly sensitive data. These must not load until explicit consent is given for the category your policy places them in ("analytics" or "functional").

5
Update your cookie policy to match actual cookies (Medium)

Your cookie policy must accurately list every non-essential cookie your site sets, its purpose, its provider, and its duration. If your audit found cookies not listed in your policy, update the policy. Regulators cross-reference cookie policies against actual site behaviour.

6
Consent-gate chat and CRM tools (Medium)

Intercom, Drift, HubSpot chat, and similar tools set persistent cookies for visitor identification. Configure them to initialise only after consent for functional or marketing cookies is granted; most vendors document a way to defer loading until your consent tool signals a choice.

7
Schedule regular re-audits (Ongoing)

Every time you install a new plugin, add a marketing tool, or change your tag setup, new cookies may appear. A cookie audit is not a one-time task: compliance state drifts. Set a monthly automated scan, or use continuous monitoring so you're alerted immediately when something new appears.
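The following is an added example, not code from the original article, from CookieGuard, or from Google. It shows one way to implement the blocking fix in item 1 and the deferred initialisation in item 6: a small consent gate that pushes Consent Mode v2 defaults of "denied" before any Google tag runs (the basic form, so gtag.js itself is not loaded until consent exists), and that holds every other script under a category until that category is granted. The category names, the createConsentGate/register/update API, the injectScript helper and the script URLs with placeholder IDs are all assumptions made for this example; the environment object is passed in so the logic can be exercised in Node, and the browser wiring appears in a comment at the end.

```javascript
// Added example: a consent gate that blocks analytics, marketing and
// functional scripts until opt-in. Not code from the article, CookieGuard
// or Google; the API and category names below are this example's own.

const CATEGORIES = ["analytics", "marketing", "functional"];

// Map the banner's three categories onto Consent Mode v2 storage types.
function consentSignals(state) {
  const g = ok => (ok ? "granted" : "denied");
  return {
    analytics_storage: g(state.analytics),
    ad_storage: g(state.marketing),
    ad_user_data: g(state.marketing),
    ad_personalization: g(state.marketing),
    functionality_storage: g(state.functional),
    security_storage: "granted", // strictly necessary, no consent needed
  };
}

// env.dataLayer: the array gtag.js reads. env.injectScript(src): adds a <script>.
function createConsentGate(env) {
  const state = { analytics: false, marketing: false, functional: false };
  let pending = [];   // { category, src } waiting for consent
  const loaded = [];  // src values actually injected, in order

  // Same shape as Google's gtag() snippet: push the arguments object.
  function gtag() { env.dataLayer.push(arguments); }

  // Basic Consent Mode: defaults must be pushed before any tag runs.
  gtag("consent", "default", { ...consentSignals(state), wait_for_update: 500 });

  function inject(entry) { env.injectScript(entry.src); loaded.push(entry.src); }

  // Register a script under a category; it loads now only if that category
  // is already granted (for example a returning visitor with a stored choice).
  function register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    const entry = { category, src };
    if (state[category]) inject(entry); else pending.push(entry);
  }

  // Called from the banner. "Reject all" is update({}): state stays all-false,
  // the update still reaches gtag, and nothing is injected.
  function update(choices) {
    for (const c of CATEGORIES) if (c in choices) state[c] = Boolean(choices[c]);
    gtag("consent", "update", consentSignals(state));
    const ready = pending.filter(p => state[p.category]);
    pending = pending.filter(p => !state[p.category]);
    ready.forEach(inject);
  }

  return { register, update, loaded: () => loaded.slice(), pending: () => pending.map(p => p.src) };
}

// Node walk-through of the banner flow on a constructed environment.
function demo() {
  const dataLayer = [];
  const injected = [];
  const gate = createConsentGate({ dataLayer, injectScript: src => injected.push(src) });
  gate.register("analytics", "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER");
  gate.register("marketing", "https://connect.facebook.net/en_US/fbevents.js");
  gate.register("functional", "https://example.invalid/chat-widget.js"); // stand-in chat widget
  const beforeChoice = injected.length;   // must be 0: nothing loads before a choice
  gate.update({ analytics: true });       // visitor ticks analytics only
  return { beforeChoice, loaded: gate.loaded(), stillPending: gate.pending(), dataLayer };
}

/* Browser wiring (not run in Node):
window.dataLayer = window.dataLayer || [];
const gate = createConsentGate({
  dataLayer: window.dataLayer,
  injectScript: src => { const s = document.createElement("script"); s.async = true; s.src = src; document.head.appendChild(s); },
});
gate.register("analytics", "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER");
acceptAllButton.onclick = () => gate.update({ analytics: true, marketing: true, functional: true });
rejectAllButton.onclick = () => gate.update({});
*/
```

In the demo nothing is injected until update() is called; after the visitor grants only analytics, the gtag.js URL is the single loaded script, the pixel and chat widget remain pending, and the dataLayer holds a "default" entry with every storage type denied followed by an "update" with analytics_storage granted and ad_storage still denied. Persisting the visitor's choice in a first-party cookie and replaying it through update() on the next page view is the one piece left out here; that cookie is strictly necessary and needs no consent of its own.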

Using CookieGuard's free /check tool

CookieGuard's /check tool runs an automated cookie compliance audit against any URL you enter. It's the fastest way to get from "I need to audit my cookies" to "I know exactly what's wrong and what to fix."


After the audit: keeping compliance over time

A one-time audit is a good start. But cookies change. You install a new analytics tool, your developer adds a widget, your marketing team connects a new CRM integration. Every one of these can introduce new cookies that bypass your consent setup.

The only way to maintain compliance over time is continuous monitoring — automated scans that run on a schedule and alert you when new cookies appear or when existing cookies start firing outside of consent boundaries.

CookieGuard's Pro plan adds scheduled scanning, email alerts on new cookie detection, and team access so your compliance team can review reports without needing developer access. It's the difference between auditing once and knowing your compliance state is current.

✅
The 5-minute audit, summarised

Open an incognito tab. Load your site without accepting cookies. Open DevTools → Application → Cookies. See what's already set. Then check the Network tab for third-party requests to analytics and advertising domains. Anything that fires before consent is your fix list — start with the critical violations above. Or run the automated scan and skip the manual work entirely.