Cookie audit: how to scan and inventory your website trackers
11 March 2026 · FlowConsent
TL;DR
A cookie audit consists of scanning all pages of your website to identify every tracker set on visitors' devices. This inventory is the first step of any GDPR compliance effort: without knowing which cookies your site actually sets, it is impossible to write a reliable cookie policy, correctly configure your consent banner or demonstrate compliance during an inspection.
What is a cookie audit?
A cookie audit is a technical analysis that identifies all cookies and trackers set by your website during a visitor's browsing session. It catalogues first-party and third-party cookies, their purposes, their lifespan and the scripts that trigger them.
The goal is not just to list cookie names. The audit must answer three questions: which trackers are present, who sets them (your site or a third party), and whether they are correctly blocked until consent is given.
Data protection authorities expect website operators to know precisely which trackers are present on their domain. A regular audit is the only reliable way to achieve this visibility.
Why audit your website's cookies?
The cookies on a website change constantly. Each time you add a third-party script (analytics tool, advertising pixel, chat widget, embedded video player), new trackers may be introduced without your knowledge.
Without an audit, you cannot guarantee that your cookie policy reflects reality. A discrepancy between the cookies documented in the policy and the cookies actually set is a breach of the information obligation (the GDPR's transparency requirements, applied to cookies through the ePrivacy rules): visitors must be told, before any tracker is set, which trackers are used and why.
An audit also detects cookies that fire before user consent. This is one of the most common compliance failures: analytics or advertising scripts that execute on page load, before the visitor has interacted with the consent banner.
How does a cookie scanner work?
A cookie scanner is a tool that automatically crawls your website's pages, simulates a visitor's browsing session and records every cookie set in the browser.
The scanning process
The scanner loads each page of your site in an automated (headless) browser. It records the cookies set at each stage: on initial load, after script execution, and optionally after simulating consent. The result is a detailed inventory of each cookie with its name, domain, likely purpose, lifespan and, where the scanner records request initiators, the script that triggered it.
What the scan detects
A good scanner identifies first-party cookies (whose Domain attribute is your domain), third-party cookies (set under external domains such as google-analytics.com, facebook.com, doubleclick.net), session cookies (deleted when the browser closes) and persistent cookies (which remain until they expire). It also flags cookies that fire before consent. Note that "first-party" refers to the cookie's domain, not to who controls the data: an analytics or advertising script served by a third party usually writes its cookies under your own domain, so a first-party cookie can still be a tracker that requires consent.
Limitations of automated scanning
An automated scan does not always cover 100% of cases. Some cookies only fire on specific user journeys (checkout, member area, conversion funnel). Others depend on visitor geolocation, or on tags that fire only after a delay or a scroll. The scanner may also be served a different page from a real visitor (bot detection, A/B testing, logged-out state). A thorough audit may require multiple scans with different configurations, plus manual spot checks of the key journeys.
Which tools to use for a cookie audit?
Several categories of tools can be used for a cookie audit, from simple to advanced.
Built-in browser tools (Chrome DevTools, Firefox Developer Tools) let you view the cookies set on a page, via Application > Cookies in Chrome or Storage > Cookies in Firefox. This is useful for quick diagnostics but not a complete audit: you would need to check each page manually.
Browser extensions (Cookie Editor, EditThisCookie) make it easier to visualise and export cookies on a given page. They remain limited to page-by-page analysis.
Online cookie scanners automatically analyse your entire site in a few minutes. FlowConsent offers a free scanner that crawls your pages, identifies trackers and classifies cookies by category (necessary, analytics, advertising, social media). This type of tool is the most efficient for regular auditing.
CMPs (consent management platforms) often include a cookie scanner as part of their functionality. They can detect new cookies with each update and alert you to discrepancies with the existing configuration.
How to interpret audit results?
The raw inventory produced by a scanner must be analysed and classified to be actionable.
Classify each cookie into one of the four commonly used categories: strictly necessary (authentication, cart, consent choice), analytics (audience measurement), advertising (targeting, retargeting, conversion) and social media (share buttons, widgets). This classification determines which cookies require prior consent and which are exempt; exempt cookies must still be listed in your cookie information.
Then check the lifespan of each cookie. The CNIL recommends a maximum lifespan of 13 months. Cookies exceeding this limit should be flagged and, where the tag that sets them allows it, reconfigured.
Identify undocumented cookies: those that do not correspond to any service you intentionally installed. They often come from third-party scripts loaded in a chain (for example, a chat widget that itself loads an advertising pixel).
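The scanning stages described earlier (one snapshot before the banner is touched, one after simulated consent) and the three interpretation steps above can be combined in a small script. The following is an added example, not FlowConsent's code or scanner. It assumes the snapshots have the shape returned by Playwright's BrowserContext.cookies() (name, domain, path, expires, with expires in Unix seconds and -1 for a session cookie); SITE_HOST, the DECLARED list, the fixed scan time NOW and both snapshots are constructed sample data, and the cookie names (_ga, IDE, _fbp) are only there to make the sample realistic.

```javascript
// Added example, not FlowConsent's code or scanner. It assumes the two snapshots
// have the shape Playwright's BrowserContext.cookies() returns ({name, domain,
// path, expires, ...} with `expires` in Unix seconds, -1 for a session cookie).
// SITE_HOST, DECLARED, NOW and both snapshots are constructed sample data.

const SITE_HOST = "www.mysite.example";
const MAX_LIFESPAN_DAYS = 395; // about 13 months, the CNIL recommendation
const NOW = 1_700_000_000;     // fixed scan time so the output is deterministic
const DAY = 86_400;

// Cookies the operator knowingly deployed, with their category.
const DECLARED = {
  session_id: "necessary",
  cookie_consent: "necessary",
  _ga: "analytics",
};

// Constructed snapshot 1: page loaded, consent banner not touched.
const PRE_CONSENT = [
  { name: "session_id", domain: "www.mysite.example", path: "/", expires: -1 },
  { name: "_ga", domain: ".mysite.example", path: "/", expires: NOW + 730 * DAY },
  { name: "IDE", domain: ".doubleclick.net", path: "/", expires: NOW + 390 * DAY },
];

// Constructed snapshot 2: same page after clicking "accept all".
const POST_CONSENT = [
  ...PRE_CONSENT,
  { name: "cookie_consent", domain: "www.mysite.example", path: "/", expires: NOW + 180 * DAY },
  { name: "_fbp", domain: ".mysite.example", path: "/", expires: NOW + 90 * DAY },
];

// First-party means the Domain attribute is the audited host or one of its
// parents (a leading dot covers the domain and all its subdomains). It says
// nothing about who wrote the cookie: _fbp above is first-party by this test.
function isFirstParty(cookieDomain, siteHost = SITE_HOST) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Remaining lifespan in whole days, or null for a session cookie.
function lifespanDays(cookie, now = NOW) {
  return cookie.expires === -1 ? null : Math.round((cookie.expires - now) / DAY);
}

function cookieKey(c) {
  return `${c.name}|${c.domain}|${c.path}`;
}

// One inventory row per distinct cookie across both snapshots, with findings.
function buildInventory(pre, post, opts = {}) {
  const siteHost = opts.siteHost ?? SITE_HOST;
  const declared = opts.declared ?? DECLARED;
  const now = opts.now ?? NOW;
  const maxDays = opts.maxDays ?? MAX_LIFESPAN_DAYS;
  const preKeys = new Set(pre.map(cookieKey));
  const rows = new Map();
  for (const c of [...pre, ...post]) {
    const key = cookieKey(c);
    if (rows.has(key)) continue;
    const category = Object.prototype.hasOwnProperty.call(declared, c.name)
      ? declared[c.name]
      : "undocumented";
    const days = lifespanDays(c, now);
    const findings = [];
    // Only strictly necessary cookies may exist before the banner is answered.
    if (preKeys.has(key) && category !== "necessary") findings.push("fires before consent");
    if (days !== null && days > maxDays) findings.push(`lifespan ${days}d exceeds ${maxDays}d`);
    if (category === "undocumented") findings.push("not in declared inventory");
    rows.set(key, {
      name: c.name,
      domain: c.domain,
      party: isFirstParty(c.domain, siteHost) ? "first-party" : "third-party",
      type: days === null ? "session" : "persistent",
      lifespanDays: days,
      category,
      findings,
    });
  }
  return [...rows.values()];
}

// The rows the audit has to act on.
function auditFindings(pre, post, opts) {
  return buildInventory(pre, post, opts).filter((row) => row.findings.length > 0);
}

// Compact report for the dated audit record.
for (const row of buildInventory(PRE_CONSENT, POST_CONSENT)) {
  const life = row.lifespanDays === null ? "session" : `${row.lifespanDays}d`;
  console.log(
    `${row.name.padEnd(15)} ${row.party.padEnd(12)} ${life.padEnd(8)} ` +
      `${row.category.padEnd(13)} ${row.findings.join("; ")}`
  );
}
```

On the constructed data, _ga is flagged twice (set before consent, two-year lifespan), IDE is a third-party cookie that is both undocumented and set before consent, and _fbp is undocumented even though its Domain attribute makes it first-party; session_id and cookie_consent pass. Attributing each cookie to the script that set it needs the browser's request-initiator data from the scan, which this example does not model.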
Common mistakes during a cookie audit
Only scanning the homepage. Cookies can vary from page to page. A scanner must cover a representative sample of all site sections (blog, product pages, forms, member area).
Ignoring cookies set by subdomains. If your site uses subdomains (app.mysite.com, blog.mysite.com), each may set its own cookies, and a cookie scoped to the parent domain (Domain=.mysite.com) is sent to every subdomain. The audit must cover the entire domain.
Not testing pre-consent behaviour. The scan must verify which cookies fire before the user has interacted with the banner. This is the most important compliance test.
Running a one-off audit and never repeating it. Cookies change with every site modification. An audit should be scheduled at least quarterly, and after each third-party script addition.
Not documenting results. An audit is only valuable if it is recorded. Keep a dated history of scans to demonstrate your compliance efforts.
From audit to compliance: next steps
The audit produces an inventory. The next step is to put it to practical use.
Update your cookie policy with the inventory from the scan. Each cookie should appear with its name, provider, purpose and lifespan.
Configure your CMP to block non-essential scripts before consent. Verify that the cookie categories in your CMP match those identified by the audit.
If your site uses Google Consent Mode v2, make sure the consent signals sent to Google tags (ad_storage, analytics_storage, ad_user_data, ad_personalization) correctly reflect the categories from your audit.
Remove or replace non-essential cookies that you cannot justify. If a third-party script sets cookies you do not need, remove it or replace it with a compliant alternative.
Checklist: auditing your website's cookies
- Run a full scan of your site covering all main sections.
- Check which cookies fire before consent.
- Classify each cookie by category: necessary, analytics, advertising, social media.
- Identify undocumented third-party cookies.
- Check the lifespan of each cookie (13-month maximum recommended).
- Update the cookie policy with the complete inventory.
- Reconfigure the CMP to block non-consented scripts.
- Remove or replace unjustified cookies.
- Document scan results with the date.
- Schedule the next audit (at least quarterly).
Conclusion
A cookie audit is the starting point for any cookie compliance effort. Without a reliable inventory, your cookie policy, consent banner and CMP configuration are based on assumptions. Regular scanning detects undocumented trackers, cookies that fire before consent and gaps between your documentation and reality.
Run a free scan of your site to get a complete inventory of your cookies in minutes.
Frequently asked questions
What is a cookie audit?
A cookie audit is a technical analysis that identifies all trackers set by your website on visitors' devices. It catalogues first-party and third-party cookies, their purposes, their lifespan and the scripts that trigger them. It is the first step of any cookie compliance effort.
How often should I audit my website's cookies?
A cookie audit should be performed at least once per quarter, and after each addition or modification of third-party scripts on your site. Cookies change with every site update, and a one-off audit is not enough to guarantee ongoing compliance.
Which tools can I use to scan website cookies?
Several tools are available: browser DevTools for quick diagnostics, extensions like Cookie Editor for page-by-page analysis, and online scanners like FlowConsent's for a complete automated audit covering the entire site.
How do I know if cookies fire before visitor consent?
A cookie scanner can simulate a visit without interacting with the consent banner and record the cookies set on page load. If analytics or advertising cookies appear in this scan, they fire before consent, which is non-compliant. A second scan after simulated refusal or acceptance shows whether the blocking actually follows the visitor's choice.
Can regulators sanction a site that has not audited its cookies?
Regulators do not sanction the absence of an audit per se, but they sanction the consequences of failing to audit: cookies set before consent, incomplete cookie policy, discrepancies between documented trackers and those actually present. The audit is the means to prevent these failures.
Does a cookie audit replace a CMP?
No. The audit identifies the cookies present on your site. The CMP manages consent, blocks scripts before agreement and stores proof of consent. Both are complementary: the audit feeds the CMP configuration, and the CMP enforces the rules derived from the audit.