Website cookie audit: the complete guide

2 June 2026 · 5 min read

TL;DR — A cookie audit consists of identifying, classifying and documenting all active cookies on a website. It is essential before setting up or updating a CMP, and must be repeated regularly. The complete method includes: a multi-page technical scan, classifying each cookie by GDPR category, verifying behaviour before consent, and producing a report documenting purposes and durations.

GDPR cookie compliance starts with a single question: which cookies does my site actually set? Without a precise answer, it is impossible to configure a banner correctly, write an accurate cookie policy, or prove compliance during an audit. The cookie audit is the mandatory starting point. This guide details the complete method, the tools to use and the mistakes to avoid.

What is a cookie audit?

A cookie audit is the comprehensive inventory of all cookies set by a website on the visitor's browser. It includes first-party cookies (issued by the site's own domain) and third-party cookies (issued by integrated third-party services such as Google Analytics, Meta Pixel, chat tools, etc.).

A complete audit produces: the list of all active cookies (name, domain, duration, value), their GDPR classification (functional/essential, analytical, advertising, personalisation), verification of behaviour before consent (are cookies set before the click?), and sufficient documentation to write the cookie policy and respond to an inspection.

Why conduct a cookie audit?

Legal obligation. GDPR and the ePrivacy Directive require that non-essential cookies be set only with the visitor's consent (strictly necessary functional cookies are exempt). Without knowing which cookies are active, compliance cannot be guaranteed.

CMP effectiveness. A CMP that does not list all active cookies lets trackers through without consent. The audit enables correct CMP configuration.

Proof during inspection. During an ICO inspection, the first request is often an inventory of active cookies with their purposes. Having this inventory up to date is a sign of good faith.

When to conduct a cookie audit

Situations that trigger a mandatory audit: before setting up or replacing a CMP, after installing a new plugin, app or third-party script, when changing theme or platform, during a site redesign, and periodically (recommended: every 3 to 6 months for active sites).


How to conduct a cookie audit: the complete method

Step 1 — Prepare a clean test environment

The audit must be conducted in a cookie-free environment: use a private browsing session (Ctrl+Shift+N on Chrome) or a dedicated browser profile with no prior cookies. This simulates the experience of a first-time visitor.

Step 2 — Scan key pages

Not all pages set the same cookies. Systematically audit: the homepage, 2 to 3 content or category pages, a product or service page, the contact or form page, and the checkout or cart page if applicable. Use the FlowConsent scanner (/en/scan) for automated analysis, or Chrome DevTools (Application > Cookies tab) for manual analysis.

Step 3 — Document each cookie

For each identified cookie, record: the cookie name, the issuing domain (first-party or third-party), the retention period (session, 1 day, 1 year, etc.), the purpose (functional, analytical, advertising, personalisation), the service it belongs to (Google Analytics, Meta Pixel, etc.) and whether its presence is justified.

Step 4 — Classify according to GDPR

Classification determines whether consent is required. Categories: Functional/essential — strictly necessary for operation (session, cart, authentication): exempt from consent. Analytical — audience measurement (GA4, Matomo, Hotjar): consent required. Advertising/marketing — targeting and retargeting (Meta Pixel, Google Ads, TikTok): consent required. Personalisation — content adaptation to preferences: consent required.

Step 5 — Verify behaviour before consent

The most critical step: open the site in private browsing and observe in DevTools (Network tab) whether non-functional cookies are set before any interaction with the banner. If yes, script blocking is not effective. This is a direct non-compliance.

Step 6 — Produce the audit report

The audit report must contain: the date of the audit, the list of pages scanned, the cookie table (name, domain, duration, category, service, consent required), identified non-compliances (cookies loaded before consent, cookies not listed in the policy), and recommended corrective actions.

Common mistakes in cookie audits

Mistake 1: only auditing the homepage. Specific cookies only appear on certain pages (product page, checkout). An audit limited to the homepage misses a large proportion of trackers.

Mistake 2: auditing with an already-cookied session. Always use private browsing mode to simulate a new visitor.

Mistake 3: confusing first-party and third-party cookies. A first-party cookie can be set by a third-party script. The cookie domain does not necessarily determine who controls it.

Mistake 4: not re-auditing after updates. A plugin update can add new cookies without notice. Schedule regular audits.

Mistake 5: not testing behaviour after refusal. Also verify that non-essential cookies do not reload after refusal or when navigating to other pages.
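To make Steps 3 to 6 of the method above concrete, and to show the two checks behind Mistakes 3 and 5 (who actually writes a first-party cookie, and what happens after refusal), here is an added Node.js example. It is not the FlowConsent scanner or any code from this article: it takes Set-Cookie headers copied from the Network tab, recorded once before consent and once after refusal, and produces the inventory rows and the non-compliance list that the audit report needs. The site hostname, the small lookup table of known cookie names, the cookie policy contents and every capture are assumptions constructed for the example.

```javascript
// Added example, not FlowConsent's code: an offline cookie audit that turns
// Set-Cookie headers captured in the Network tab into the inventory and the
// non-compliance list of the audit report. All captures below are constructed.

const SITE_HOST = "shop.example.com"; // assumed hostname of the audited site

// Illustrative lookup of well-known cookie names; extend it from vendor
// documentation. Anything unmatched is flagged for manual review.
const KNOWN_COOKIES = [
  { pattern: /^_ga(_[A-Z0-9]+)?$/, service: "Google Analytics", category: "analytical" },
  { pattern: /^_gid$/, service: "Google Analytics", category: "analytical" },
  { pattern: /^_fbp$/, service: "Meta Pixel", category: "advertising" },
  { pattern: /^_pk_id\./, service: "Matomo", category: "analytical" },
  { pattern: /^(PHPSESSID|cart_id|csrftoken)$/, service: "site platform", category: "functional" },
];

// Parse one Set-Cookie header. `defaultDomain` applies when no Domain attribute
// is present; `now` (ms since epoch) makes Expires-based retention reproducible.
// Max-Age wins over Expires whatever their order, as browsers do.
function parseSetCookie(header, defaultDomain, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    domain: defaultDomain.toLowerCase(),
    retentionSeconds: null, // null means a session cookie
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "max-age") cookie.retentionSeconds = parseInt(val, 10);
    else if (key === "expires" && cookie.retentionSeconds === null) {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.retentionSeconds = Math.max(0, Math.round((t - now) / 1000));
    }
  }
  return cookie;
}

// Human-readable retention for the report table.
function describeRetention(seconds) {
  if (seconds === null) return "session";
  if (seconds >= 365 * 86400) return `${Math.round(seconds / (365 * 86400))} year(s)`;
  if (seconds >= 86400) return `${Math.round(seconds / 86400)} day(s)`;
  return `${seconds} second(s)`;
}

// First-party means the host is the site itself, a parent of it or a subdomain of it.
function isFirstPartyHost(host) {
  return host === SITE_HOST || host.endsWith("." + SITE_HOST) || SITE_HOST.endsWith("." + host);
}

// Step 4: category decides whether consent is required.
function classify(name) {
  const hit = KNOWN_COOKIES.find((k) => k.pattern.test(name));
  if (hit) return { service: hit.service, category: hit.category, consentRequired: hit.category !== "functional" };
  // Unknown cookies need consent until their purpose has been justified (Step 3).
  return { service: "unknown (manual review)", category: "unclassified", consentRequired: true };
}

// captures: { phase: "before-consent" | "after-refusal", page, via: "header" | "script",
//             setBy: host of the response or of the script that wrote the cookie, header }
// policyNames: Set of cookie names listed in the current cookie policy.
function auditCookies(captures, policyNames, now) {
  const inventory = new Map(); // one row per cookie name, even if seen on several pages
  const findings = [];
  for (const cap of captures) {
    // A script writing document.cookie defaults to the page's own domain.
    const c = parseSetCookie(cap.header, cap.via === "header" ? cap.setBy : SITE_HOST, now);
    let row = inventory.get(c.name);
    if (!row) {
      row = { name: c.name, domain: c.domain, firstParty: isFirstPartyHost(c.domain), setBy: cap.setBy,
              retention: describeRetention(c.retentionSeconds), pages: [], ...classify(c.name) };
      inventory.set(c.name, row);
    }
    if (!row.pages.includes(cap.page)) row.pages.push(cap.page);
    const flag = (issue) => findings.push({ cookie: c.name, page: cap.page, phase: cap.phase, issue });
    if (row.consentRequired && cap.phase === "before-consent") flag("set before consent"); // Step 5
    if (row.consentRequired && cap.phase === "after-refusal") flag("set after refusal");  // Mistake 5
    // Mistake 3: a first-party domain does not mean the site controls the cookie.
    if (row.firstParty && !isFirstPartyHost(cap.setBy)) flag(`first-party cookie written by third party ${cap.setBy}`);
    if (!policyNames.has(c.name) && !findings.some((f) => f.cookie === c.name && f.issue === "not listed in cookie policy")) {
      flag("not listed in cookie policy");
    }
  }
  return { inventory: [...inventory.values()], findings };
}

// Constructed sample: what a two-phase scan of a small shop might record.
const NOW = Date.UTC(2026, 5, 2); // constructed audit date
const SAMPLE_CAPTURES = [
  { phase: "before-consent", page: "/", via: "header", setBy: "shop.example.com", header: "PHPSESSID=abc123; Path=/; Secure; HttpOnly" },
  { phase: "before-consent", page: "/", via: "script", setBy: "www.googletagmanager.com", header: "_ga=GA1.1.111.222; Domain=.shop.example.com; Path=/; Max-Age=63072000" },
  { phase: "before-consent", page: "/product/1", via: "script", setBy: "connect.facebook.net", header: "_fbp=fb.1.1.2; Domain=.shop.example.com; Path=/; Max-Age=7776000" },
  { phase: "after-refusal", page: "/checkout", via: "header", setBy: "shop.example.com", header: "cart_id=xyz; Path=/; Expires=Tue, 09 Jun 2026 00:00:00 GMT; Secure" },
  { phase: "after-refusal", page: "/checkout", via: "script", setBy: "www.googletagmanager.com", header: "_gid=GA1.1.333; Domain=.shop.example.com; Path=/; Max-Age=86400" },
];
const POLICY_NAMES = new Set(["PHPSESSID", "cart_id", "_ga", "_gid"]); // constructed policy contents

function runSampleAudit() {
  return auditCookies(SAMPLE_CAPTURES, POLICY_NAMES, NOW);
}

const report = runSampleAudit();
console.table(report.inventory.map(({ pages, ...r }) => ({ ...r, pages: pages.join(" ") })));
for (const f of report.findings) console.log(`[${f.phase}] ${f.page} ${f.cookie}: ${f.issue}`);
```

Run it with `node cookie-audit.js`; the table is the cookie table of Step 6 and the lines under it are the non-compliances. In the constructed sample the functional cookies pass, while the analytics and pixel cookies are flagged three ways: written before consent or after refusal, written by a third-party script despite carrying the site's own domain, and (for the pixel cookie) absent from the policy. Unknown names are deliberately treated as requiring consent so that nothing slips through as "functional" without a documented justification.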

Cookie audit checklist

  1. Prepare a clean environment: private browsing or a dedicated profile with no cookies.
  2. List pages to audit: homepage, content, product, form, checkout.
  3. Scan each page with a dedicated tool or DevTools.
  4. Document each cookie: name, domain, duration, category, service.
  5. Classify according to GDPR: functional (exempt) or subject to consent.
  6. Verify in DevTools (Network tab) that no non-essential cookie is set before consent.
  7. Test behaviour after refusal: non-essential cookies must not reappear.
  8. Compare with the existing cookie policy: are all active cookies listed?
  9. Identify non-compliances and produce the audit report.
  10. Schedule the next audit (3 to 6 months, or after any site modification).

A cookie audit takes 30 minutes to a few hours depending on site size. It is the most useful investment for solid GDPR compliance: it reveals exactly what is happening, before and after consent, and enables correct CMP configuration. Start your site audit at /en/scan.
