Guide · part of the Google Analytics audit
How to run a cookie compliance audit
Your consent banner declares what cookies you set and why. A cookie audit checks whether that declaration is true: what actually loads before consent, whether rejection is enforced, and whether every cookie is declared in the right category. Eight checks, done by hand or automatically in two minutes.
Tracking Auditor scores cookie classification as one of five audit dimensions. Your first audit is free.
The eight cookie checks
1. Capture a clean baseline before consent
Open the site in a private window with DevTools → Application → Cookies. Before touching the banner, note every cookie already set. Under opt-in rules, anything beyond strictly necessary cookies at this point is a finding. This single check fails on a large share of sites with a banner installed.

2. Record what appears after accepting
Accept the banner and browse a few pages, including one with a form and one with embedded media. List the new cookies and which domain set them. This is your 'full consent' inventory, the list your declaration needs to match.

3. Record what appears after rejecting
Repeat in a fresh private window, rejecting the banner this time. The cookie list should look almost identical to the pre-consent baseline. Analytics cookies (_ga, _gid) or ad cookies appearing after rejection mean the banner's choice is not being enforced.

4. Compare against the banner's declared list
Pull up your CMP's cookie declaration and go name by name. Every cookie observed in the browser should appear in the declaration, in the right category, with an accurate duration. Cookies your banner has never heard of are undeclared processing.

5. Check the categories are honest
The classic failure: advertising or analytics cookies filed under 'strictly necessary' so they load regardless of choice. Necessary means the site cannot function without it (session, cart, security). If the site works fine with the cookie blocked, it is not necessary.

6. Trace each cookie to the tag that sets it
Cookies do not appear on their own. Match each one to the tag or script that creates it, in GTM or hard-coded. This tells you which tag to gate when a cookie fires without consent, and reveals tags added since the banner was last configured.

7. Check durations and third-party ownership
A declared '30 days' cookie that actually persists for 13 months is an inaccurate declaration. First-party versus third-party matters too: third-party cookies carry data off your domain, and some regulators treat them more strictly.

8. Re-test after every new tag
Every marketing tag added to the container brings its own cookies, and nobody updates the declaration. If there is no process tying 'new tag' to 'update cookie list', the declaration drifts out of date within months. An audit is how you catch the drift.
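To make the comparison in checks 1, 3, 4, 5 and 7 repeatable between audits, here is an added example script (not part of this guide, and not Tracking Auditor's code) that takes the three hand-captured cookie lists and a CMP declaration and reports findings. All cookie names, domains, lifetimes and the list of ad domains are constructed sample data.

```python
# Added example: compare three captured cookie inventories (before consent,
# after accept, after reject) against a CMP declaration. All data is constructed.

def capture(*rows):
    """rows of (name, domain, lifetime_days; 0 = session) -> {name: (domain, days)}"""
    return {name: (domain, days) for name, domain, days in rows}

# Constructed captures, as read from DevTools > Application > Cookies in each state
BASELINE = capture(("sid", "example.com", 0), ("_ga", "example.com", 400))
ACCEPTED = capture(("sid", "example.com", 0), ("_ga", "example.com", 400),
                   ("_gid", "example.com", 1), ("IDE", "doubleclick.net", 390),
                   ("legacy_chat", "example.com", 365))
REJECTED = capture(("sid", "example.com", 0), ("_ga", "example.com", 400),
                   ("_gid", "example.com", 1))

# Constructed CMP declaration: name -> (category, declared lifetime in days)
DECLARATION = {
    "sid": ("necessary", 0),
    "_ga": ("analytics", 30),      # declared 30 days, observed ~13 months
    "_gid": ("analytics", 1),
    "IDE": ("necessary", 390),     # ad cookie filed as strictly necessary
}

AD_DOMAINS = {"doubleclick.net"}   # assumed list of known third-party ad domains

def audit(baseline, accepted, rejected, declaration):
    """Return a list of (finding, cookie, detail) tuples."""
    findings = []
    # Check 1: under opt-in rules only 'necessary' cookies may exist before consent
    for name in baseline:
        cat = declaration.get(name, ("undeclared",))[0]
        if cat != "necessary":
            findings.append(("set-before-consent", name, cat))
    # Check 3: rejecting the banner should leave the baseline list unchanged
    for name in rejected.keys() - baseline.keys():
        findings.append(("set-after-rejection", name, declaration.get(name, ("undeclared",))[0]))
    # Checks 4, 5 and 7: every observed cookie declared, honestly categorised, accurate lifetime
    for name, (domain, days) in accepted.items():
        if name not in declaration:
            findings.append(("undeclared", name, domain))
            continue
        cat, declared_days = declaration[name]
        if days > declared_days:
            findings.append(("duration-mismatch", name, f"declared {declared_days}d, observed {days}d"))
        if cat == "necessary" and domain in AD_DOMAINS:
            findings.append(("misclassified", name, domain))
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, ACCEPTED, REJECTED, DECLARATION):
        print(*finding)
```

Check 6 (tracing each cookie to its tag) still needs the GTM container export, so it is left to the manual step.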
What cookie audits find
- Analytics cookies set before any consent: the banner renders while _ga is already in the browser. The most common cookie finding on GDPR-market sites.
- Ad cookies classified as strictly necessary: filed under 'necessary' so they always load. A misclassification a regulator reads as intentional.
- Undeclared cookies: tags added over the years set cookies the declaration has never listed. Undeclared processing, in writing.
- Rejection changes nothing: reject and accept produce the same cookie list. The banner is decoration.
- Stale durations: declared as session cookies, observed persisting for a year.
- Orphaned cookies: cookies from tools the business stopped using years ago, still being set by a forgotten tag.
Cookie audit FAQs
What is a cookie audit?
A cookie audit compares the cookies a website actually sets against what its consent banner declares. It checks that nothing loads before consent where opt-in rules apply, that rejecting the banner is enforced, that every cookie is declared in the right category with an accurate duration, and that each cookie can be traced to a known tag.
How do I check what cookies my website sets?
Open the site in a private browsing window and use DevTools → Application → Cookies (or the Storage tab in Firefox). Check three states: before interacting with the banner, after accepting, and after rejecting. Browse several pages in each state, because many cookies only appear on specific templates.
What is the difference between necessary and non-essential cookies?
Strictly necessary cookies are ones the site cannot function without: session identifiers, shopping carts, security tokens. Everything else (analytics, advertising, personalisation, most embedded media) is non-essential and needs consent under opt-in regimes. If the site works with the cookie blocked, it is not strictly necessary.
Do I need a cookie audit if I have a consent banner?
Yes. The banner is a claim about behaviour, and the audit checks the behaviour. The most common failures happen on sites with a banner installed: tags firing before consent, rejection not being enforced, and cookies the declaration never mentions.
Can a cookie audit be automated?
Yes. Tracking Auditor classifies the cookies associated with your GTM and GA4 setup and scores cookie compliance as one of five dimensions in a full tracking audit, alongside consent configuration, container governance, event quality and conversion integrity.
Audit your cookies in two minutes
Connect GA4 and GTM read-only and Tracking Auditor checks cookie classification alongside consent, governance, event quality and conversion integrity, scored A–F with a prioritised fix plan. Your first audit is free, no card required.