Compliance

Cookie Audit Checklist: How to Find and Classify Every Cookie on Your Website

CookieBoss Team · 7 min read

A cookie audit is the foundation of GDPR compliance. You cannot ask users for informed consent if you do not know what cookies your website sets, who sets them, and what they do. Yet most websites have cookies they do not know about, set by third-party scripts that were added months or years ago.

This guide walks through how to audit your website’s cookies, classify them into the correct consent categories, and maintain an accurate inventory over time.

Under GDPR and the ePrivacy Directive, your consent banner must accurately describe the cookies your site uses. If your banner says you only use analytics cookies but your site also loads marketing pixels, your consent mechanism is incomplete and potentially non-compliant.

Cookie audits also reveal:

  • Third-party scripts you forgot about. That Facebook Pixel someone added two years ago. The abandoned A/B testing tool. The chat widget that sets 12 cookies.
  • Cookies with excessive lifetimes. Some tracking cookies persist for years. DPAs have questioned whether retention periods beyond 13 months are proportionate.
  • First-party cookies that are actually third-party. Some services set cookies on your domain (first-party context) but send data to third-party servers. These still require consent.

Step 1: Discover all cookies

Manual browser inspection

The simplest method is to visit your website in an incognito browser window and check what cookies appear:

  1. Open Chrome DevTools (F12) and go to the Application tab
  2. Under Storage, expand Cookies and click your domain
  3. Browse several pages, interact with forms, and trigger any dynamic elements
  4. Note every cookie: name, domain, path, expiration, and whether it is HttpOnly or Secure

This method is useful for spot checks but misses cookies that are only set after specific interactions (e.g., submitting a form, watching a video, or visiting a particular page).

Automated scanning

For a thorough audit, use an automated scanner that crawls your entire site:

  • The scanner visits every page and records all cookies set during the crawl
  • It detects cookies from embedded iframes, lazy-loaded scripts, and dynamic content
  • It captures the HTTP response headers and JavaScript calls that create each cookie

CookieBoss includes a built-in cookie scanner that crawls your site and automatically classifies discovered cookies against a database of known cookie signatures.

Check your tag manager

If you use Google Tag Manager, Adobe Launch, or another tag management system, audit the tags configured there. Each tag can introduce cookies that may not be obvious from the website HTML alone. Export your tag list and cross-reference it with the cookies found in the browser scan.
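The attributes listed in Step 1 (name, domain, path, expiration, HttpOnly, Secure) can be pulled straight out of the Set-Cookie response headers a scanner captures. The parser below is an added example, not CookieBoss code; the header values are constructed, and the 13-month threshold reflects the DPA concern mentioned above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Lifetimes beyond roughly 13 months have drawn DPA scrutiny (see above).
MAX_PROPORTIONATE_DAYS = 13 * 30

def parse_set_cookie(header, now):
    """Turn one Set-Cookie header value into an inventory record (lifetime_days is None for a session cookie)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    rec = {"name": name.strip(), "domain": None, "path": "/",
           "lifetime_days": None, "httponly": False, "secure": False,
           "samesite": None}
    expires = max_age = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            max_age = int(val)
        elif key == "expires":
            expires = parsedate_to_datetime(val)  # aware datetime for "GMT" dates
        elif key == "domain":
            rec["domain"] = val.lstrip(".").lower()  # a leading dot is ignored
        elif key == "path":
            rec["path"] = val or "/"
        elif key == "httponly":
            rec["httponly"] = True
        elif key == "secure":
            rec["secure"] = True
        elif key == "samesite":
            rec["samesite"] = val.lower()
    # RFC 6265: Max-Age wins over Expires when both attributes are present.
    if max_age is not None:
        rec["lifetime_days"] = max(max_age, 0) / 86400
    elif expires is not None:
        rec["lifetime_days"] = max((expires - now).total_seconds(), 0) / 86400
    rec["excessive_lifetime"] = (rec["lifetime_days"] or 0) > MAX_PROPORTIONATE_DAYS
    return rec

# Constructed sample headers (not captured from a real site); the crawl time is
# fixed so that Expires-based lifetimes are reproducible.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.1234.5678; Domain=.example.com; Path=/; Max-Age=63072000",
    "_fbp=fb.1.1700000000.12345; Domain=.example.com; Expires=Thu, 01 Jan 2026 00:00:00 GMT",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(parse_set_cookie(h, SAMPLE_NOW))
```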

Step 2: Classify each cookie

Every cookie must be assigned to a consent category. The standard categories are:

Necessary cookies

Cookies that are strictly necessary for the website to function as requested by the user. Examples:

Cookie          Purpose
session_id      Maintains authenticated session
csrf_token      Prevents cross-site request forgery
cart_items      Stores shopping cart contents
cookie_consent  Records the user’s consent choice
__cf_bm         Cloudflare bot management (security)

The bar for “necessary” is high. A cookie is only necessary if removing it would break core functionality that the user explicitly requested.

Functional cookies

Cookies that enhance the user experience but are not essential. Examples:

Cookie           Purpose
language_pref    Remembers selected language
theme            Stores dark/light mode preference
recently_viewed  Tracks recently viewed products
chat_session     Maintains live chat state

Analytics cookies

Cookies used to measure website traffic and user behavior. Examples:

Cookie          Purpose
_ga             Google Analytics client ID
_gid            Google Analytics session ID
_hjSessionUser  Hotjar user identification
_clck           Microsoft Clarity user ID

Even first-party analytics cookies require consent under the ePrivacy Directive. Using Google Analytics without consent, even with IP anonymization, does not satisfy GDPR requirements in most EU jurisdictions.

Marketing cookies

Cookies used for advertising, retargeting, and social media tracking. Examples:

Cookie    Purpose
_fbp      Facebook Pixel tracking
_gcl_au   Google Ads conversion linker
_uetsid   Microsoft Advertising UET
li_sugr   LinkedIn ad targeting
IDE       Google DoubleClick ad serving

Marketing cookies typically have the highest privacy impact and the longest retention periods.

Step 3: Document your inventory

For each cookie, record:

  • Name: The exact cookie name (e.g., _ga)
  • Domain: Which domain sets it (your domain or a third party)
  • Provider: The service that creates the cookie (e.g., Google Analytics)
  • Category: Necessary, Functional, Analytics, or Marketing
  • Purpose: A plain-language description of what the cookie does
  • Duration: How long the cookie persists (session, 30 days, 2 years, etc.)
  • Type: HTTP cookie, localStorage, sessionStorage, or IndexedDB

This inventory becomes the source of truth for your consent banner. When a user opens the cookie preferences panel, the descriptions and categories shown should match this documentation.

Step 4: Configure your consent management platform

With a complete inventory, configure your consent management platform (CMP) to:

  1. Map each script to its category. When a user consents to “Analytics,” the CMP should unblock Google Analytics, Hotjar, and any other analytics scripts. When they do not consent, those scripts must remain blocked.

  2. Block scripts before consent. Use a CMP that operates in “full blocking” mode, not “signal only.” In full blocking mode, non-essential scripts are prevented from executing until consent is given. In signal-only mode, scripts still fire but receive a consent signal, which does not satisfy the ePrivacy Directive’s prior consent requirement.

  3. Match cookie descriptions to your inventory. The text shown to users in the preferences panel should accurately reflect the cookies discovered in your audit.
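The difference between full blocking and signal-only mode is observable: crawl the site after rejecting every non-essential category and see what is still set. The check below is an added example, not CookieBoss code; the inventory and crawl result are constructed for a hypothetical shop.example site, and localStorage entries are included because some tools avoid HTTP cookies entirely.

```python
# Categories that must stay blocked until the user opts in.
NON_ESSENTIAL = {"Functional", "Analytics", "Marketing"}

def check_reject_all_crawl(inventory, observed):
    """Audit a crawl performed after rejecting every non-essential category.

    inventory: {name: (category, storage type)} as documented in Step 3.
    observed: set of (storage type, name) pairs seen during the crawl.
    Returns the non-essential entries that were set anyway (the CMP is
    signalling rather than blocking) and entries absent from the inventory,
    which must be classified before the banner can be trusted.
    """
    leaked, unknown = [], []
    for storage, name in sorted(observed):
        entry = inventory.get(name)
        if entry is None:
            unknown.append((storage, name))
        elif entry[0] in NON_ESSENTIAL:
            leaked.append((storage, name))
    return {"leaked": leaked, "unknown": unknown}

# Constructed inventory and crawl result for a hypothetical shop.example site.
INVENTORY = {
    "session_id": ("Necessary", "cookie"),
    "cookie_consent": ("Necessary", "cookie"),
    "theme": ("Functional", "localStorage"),
    "_ga": ("Analytics", "cookie"),
    "_gid": ("Analytics", "cookie"),
    "_fbp": ("Marketing", "cookie"),
}
REJECT_ALL_CRAWL = {
    ("cookie", "session_id"), ("cookie", "cookie_consent"),
    ("cookie", "_ga"), ("cookie", "_gid"),   # analytics fired before consent
    ("localStorage", "theme"),               # functional, stored without opt-in
    ("localStorage", "ab_test_variant"),     # undocumented A/B testing tool
}

if __name__ == "__main__":
    print(check_reject_all_crawl(INVENTORY, REJECT_ALL_CRAWL))
```

Anything in "leaked" means scripts executed before consent; anything in "unknown" goes back to Step 2 for classification.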

Step 5: Schedule regular re-audits

Websites change. Developers add new scripts. Marketing teams install new pixels. A cookie audit is not a one-time task.

Recommended re-audit frequency:

  • Monthly for websites that frequently add new features or marketing tools
  • Quarterly for stable websites with infrequent changes
  • After every deployment for sites with active development (integrate scanning into your CI/CD pipeline)

CookieBoss supports automated recurring scans that detect new cookies and flag unclassified ones for review. This ensures your consent banner stays accurate as your site evolves.
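A re-audit (Step 5) is a comparison of the latest scan against the inventory from Step 3, with each cookie matched against known signatures as in Step 2. The script below is an added example, not CookieBoss's scanner or its signature database; the signature list, previous inventory and scan results are constructed, using names from the tables above plus a made-up chat widget cookie.

```python
import re

# Constructed signature database: (name pattern, provider, category). Names come
# from the Step 2 tables; a production scanner uses a far larger list.
SIGNATURES = [
    (r"^session_id$", "First party", "Necessary"),
    (r"^__cf_bm$", "Cloudflare", "Necessary"),
    (r"^_ga(_\w+)?$", "Google Analytics", "Analytics"),  # also GA4 _ga_<id> names
    (r"^_gid$", "Google Analytics", "Analytics"),
    (r"^_hjSessionUser", "Hotjar", "Analytics"),
    (r"^_fbp$", "Facebook Pixel", "Marketing"),
    (r"^_gcl_au$", "Google Ads", "Marketing"),
    (r"^li_sugr$", "LinkedIn", "Marketing"),
    (r"^IDE$", "Google DoubleClick", "Marketing"),
]

def classify(name):
    """Return (provider, category) for a cookie name, or (None, None) if nothing matches."""
    for pattern, provider, category in SIGNATURES:
        if re.match(pattern, name):
            return provider, category
    return None, None

def reconcile(previous_inventory, scanned):
    """Compare a fresh scan with the documented inventory.

    previous_inventory: {cookie name: category} as recorded in Step 3.
    scanned: iterable of (name, domain) pairs from the latest crawl.
    Returns cookies new since the last audit (with their automatic classification),
    cookies that disappeared, and cookies no signature matches (human review).
    """
    seen = dict(scanned)
    new, unclassified = {}, []
    for name, domain in seen.items():
        provider, category = classify(name)
        if category is None:
            unclassified.append(name)
        if name not in previous_inventory:
            new[name] = {"domain": domain, "provider": provider, "category": category}
    removed = sorted(set(previous_inventory) - set(seen))
    return {"new": new, "removed": removed, "unclassified": sorted(unclassified)}

# Constructed data: last quarter's inventory versus the scan after today's deploy.
PREVIOUS_INVENTORY = {"session_id": "Necessary", "_ga": "Analytics", "_gid": "Analytics"}
LATEST_SCAN = [
    ("session_id", "shop.example"), ("_ga", "shop.example"),
    ("_ga_ABC123", "shop.example"), ("_fbp", "shop.example"),
    ("chat_widget_uid", "chat.example"),  # new chat widget nobody documented
]
```

Run in CI, a non-empty "unclassified" list is a reason to fail the build until someone assigns the cookie a category and description.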

Common audit findings

After auditing hundreds of websites, these are the most frequent issues we see:

Unknown third-party cookies. Most sites have 5 to 15 cookies they did not know about, typically from embedded content (YouTube iframes, social share buttons, chat widgets).

Analytics classified as necessary. Some sites classify Google Analytics as “necessary” to avoid consent requirements. This is incorrect under both GDPR and ePrivacy guidance.

Missing localStorage entries. Many audits only check HTTP cookies and miss data stored in localStorage or sessionStorage. Some analytics and advertising tools use these storage mechanisms instead of traditional cookies.

Outdated descriptions. Cookie purposes change when services update. The description you wrote two years ago may no longer match what the cookie actually does.

Start your audit

Run a free cookie scan on your website using the CookieBoss scanner to see what cookies your site currently sets. The scan takes under a minute and shows you every cookie, its category, and its provider, giving you a clear starting point for your compliance audit.