A cookie audit is the foundational step for any website’s GDPR and ePrivacy compliance. Without a complete, documented inventory of every cookie and tracking technology deployed on your site, your cookie consent banner is operating blind – asking users to consent to technologies you cannot fully describe. According to a 2025 study by Cookiebot, the average European business website sets 42 cookies, and 38% of those are undocumented by the site operator. E-commerce sites average 67 cookies, with nearly half originating from third-party scripts the operator did not explicitly install.
The CNIL imposed over EUR 150 million in cookie-related fines in 2024-2025 alone. The majority of sanctioned organizations shared a common failure: they could not provide a complete, accurate inventory of the cookies on their websites.
What Is a Cookie Audit?
A cookie audit is a systematic inventory of all cookies, local storage objects, pixel trackers, fingerprinting scripts, and other tracking technologies present on a website. It identifies what data each technology collects, who controls it, how long it persists, and what purpose it serves.
The ePrivacy Directive (2002/58/EC), as interpreted by the CJEU in the Planet49 case (C-673/17), requires informed, specific consent for all non-essential cookies. Supervisory authorities across Europe – including the ICO, CNIL, and EDPB – have issued guidance explicitly requiring a documented cookie inventory. Industry best practice recommends a full audit at minimum every six months. A 2025 analysis by CookiePro found that 29% of cookies present on a website at any given time were not present six months earlier.
How Do You Discover All Cookies on Your Website?
Discovery is the most technically demanding phase. Cookies are set through multiple mechanisms, and no single method captures all of them.
Manual browser inspection
Open your website in Chrome or Firefox with developer tools active. Clear all cookies, load the homepage without consenting, record which cookies appear, then accept all cookies and navigate through all major page templates and functional flows. Check the Application tab (Chrome) or Storage tab (Firefox) for cookies, local storage, session storage, and IndexedDB entries. For a 50-page website, expect 3-6 hours of manual discovery work.
Automated scanning and network analysis
Dedicated cookie scanning tools crawl your site, execute JavaScript, and record all cookies across every page. Leading options include Cookiebot Scanner (free for up to 100 pages), CookiePro by OneTrust, CookieYes Scanner, and Siteimprove. Automated scanners typically identify 15-30% more cookies than manual inspection because they execute delayed scripts, scroll-triggered tracking, and exit-intent technologies.
For the most thorough audit, supplement with network traffic analysis using Fiddler or Charles Proxy to capture cookies set through HTTP Set-Cookie response headers, including HttpOnly cookies, which are invisible to document.cookie and therefore missed by JavaScript-only scanners.
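The proxy capture described above yields raw Set-Cookie headers rather than inventory rows. The following Python script, an added example that is not part of the article or of any scanner vendor's tooling, parses those headers into the record fields the audit needs (name, domain, lifetime, HttpOnly, SameSite, first- or third-party). It assumes the auditor has exported the proxy session as (response host, list of Set-Cookie values) pairs; the sample capture and all host names are constructed, and the registrable-domain check is a deliberate simplification.

```python
"""Turn captured Set-Cookie response headers into cookie-inventory records.

Added example (not from the article or any scanner vendor). It assumes the
auditor exported HTTP responses from a proxy session as (host, [Set-Cookie
header values]) pairs; the sample below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple


@dataclass
class CookieRecord:
    name: str
    domain: str
    path: str
    duration_seconds: Optional[int]  # None = session cookie (expires with the browser)
    secure: bool
    http_only: bool                  # invisible to document.cookie, so JS-only scanners miss it
    same_site: str
    third_party: bool


def registrable_domain(host: str) -> str:
    # Simplification (assumption): last two labels. Real tooling should use the
    # Public Suffix List so that hosts like "shop.example.co.uk" are handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_set_cookie(header: str, response_host: str, site_host: str, now: datetime) -> CookieRecord:
    """Parse one Set-Cookie header value using RFC 6265 attribute syntax."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # No Domain attribute means the cookie is host-only for the response host.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    duration: Optional[int] = None
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        duration = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        duration = int((expires - now).total_seconds())
    return CookieRecord(
        name=name.strip(),
        domain=domain,
        path=attrs.get("path", "/"),
        duration_seconds=duration,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "unspecified"),
        third_party=registrable_domain(domain) != registrable_domain(site_host),
    )


def build_inventory(responses, site_host: str, now: datetime) -> List[CookieRecord]:
    """Flatten captured responses into one record per Set-Cookie header."""
    return [parse_set_cookie(h, host, site_host, now) for host, headers in responses for h in headers]


# Constructed sample capture: two first-party responses and one third-party tracker.
AUDIT_TIME = datetime(2026, 10, 20, 7, 28, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSES: List[Tuple[str, List[str]]] = [
    ("shop.example.com", ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]),
    ("shop.example.com", ["_ga=GA1.2.111; Domain=.example.com; Path=/; Max-Age=63072000; SameSite=Lax"]),
    ("ads.tracker-example.net", ["uid=xyz; Domain=.tracker-example.net; "
                                 "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None"]),
]

if __name__ == "__main__":
    for r in build_inventory(SAMPLE_RESPONSES, "shop.example.com", AUDIT_TIME):
        life = "session" if r.duration_seconds is None else f"{r.duration_seconds // 86400} days"
        print(f"{r.name:<10} {r.domain:<22} {life:<10} "
              f"{'3rd-party' if r.third_party else '1st-party'} "
              f"{'HttpOnly' if r.http_only else ''}")
```

Run the same capture twice, once on a fresh profile with no consent interaction and once after accepting, and diff the two record lists: anything in the first run whose category is not strictly necessary is a consent-timing defect, and any record with http_only set is one a purely client-side scan would never have listed.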
Cookie Classification and Documentation
Each cookie must be assigned to one of four standard categories used by supervisory authorities and consent management platforms.
Strictly necessary cookies are essential for the website to function – session identifiers, authentication tokens, load balancer cookies. These do not require consent under Article 5(3) of the ePrivacy Directive. Functional cookies enhance user experience without being essential (language preferences, font size settings) and require consent. Analytics cookies collect visitor behavior data (Google Analytics _ga, _gid; Matomo; Hotjar) and always require consent, even when configured for aggregated data. Marketing cookies serve targeted advertising, retargeting, and social media integration (Facebook Pixel, Google Ads, LinkedIn Insight Tag) and always require prior consent.
Required documentation fields
For each cookie, document: the exact name, provider/domain, category, purpose description, duration, type (HTTP cookie, local storage, pixel), data collected, third-party access, and cross-site tracking status. This documentation feeds directly into your cookie consent mechanism and must match the information presented to users. Any discrepancy between your documented inventory and your cookie banner constitutes a consent validity issue.
Conducting a Gap Analysis
The gap analysis compares discovered cookies against your current cookie policy and consent banner. A 2025 ICO enforcement sweep found that 71% of UK websites had at least one undocumented third-party cookie. Common findings include marketing tags deployed by agency partners without the site operator’s knowledge, development and testing cookies left active in production environments, browser fingerprinting scripts that do not use traditional cookies but serve identical tracking purposes, and third-party embeds (YouTube videos, social media widgets) that silently deploy their own tracking cookies on your domain.
For each cookie requiring consent, verify that it is not set before consent is obtained, is correctly categorized in your CMP, matches the documented purpose, and that refusing consent actually prevents it from being set. The hidden productivity drain of cookie banner management compounds when the banner configuration does not match actual cookies on the site.
Third-party cookie risk assessment
For each third-party cookie, assess whether a data processing agreement exists, whether data transfers outside the EEA are documented, and whether the provider has updated their cookie behavior since your last audit. According to a 2025 Piwik PRO analysis, 44% of third-party cookies on European websites transmit data to US servers. Legiscope can streamline the process of documenting and assessing these third-party relationships against GDPR requirements.
Ongoing Cookie Monitoring Tools
A one-time cookie audit is necessary but insufficient. Most consent management platforms include periodic scanning capabilities ranging from monthly automated scans to real-time monitoring. If you use Google Tag Manager or similar, implement governance controls: require approval for new tag deployments, configure consent mode, and audit the container quarterly.
Automated compliance testing tools visit your site, decline all cookies, and verify no non-essential cookies are set. Running this test after every deployment catches consent mechanism failures before supervisory authorities or privacy activists do.
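The per-cookie checks listed in the gap analysis section (undocumented, set before consent, set despite refusal, category and lifetime mismatches) and the post-deployment "decline all, then verify" test described just above are the same comparison run over different scan states. The following Python script is an added example, not code from the article or from any consent management platform. It assumes three scanner snapshots (before any consent interaction, after "reject all", after "accept all") and a documented inventory keyed by name@domain; all cookie names other than _ga and _gid, and every host, are constructed for the example.

```python
"""Gap analysis: observed cookies versus the documented inventory.

Added example, not from the article or any CMP. DOCUMENTED mirrors what the
cookie policy / banner declares; the three Observed sets are what a scanner
recorded before consent, after "reject all" and after "accept all". All data
below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The four categories used in the article; only the first is exempt from consent.
STRICTLY_NECESSARY = "strictly_necessary"
NON_ESSENTIAL = {"functional", "analytics", "marketing"}


@dataclass(frozen=True)
class Observed:
    """One cookie as recorded by the scanner."""
    name: str
    domain: str
    duration_seconds: Optional[int]  # None = session cookie


@dataclass(frozen=True)
class Documented:
    """What the cookie policy / CMP declares for a cookie."""
    category: str
    provider: str
    max_duration_seconds: Optional[int]  # None = session cookie


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" undermines consent validity; "medium" is a documentation defect
    cookie: str
    issue: str


def cookie_key(c: Observed) -> str:
    return f"{c.name}@{c.domain}"


def gap_analysis(documented: Dict[str, Documented], pre_consent: Set[Observed],
                 after_refusal: Set[Observed], after_acceptance: Set[Observed]) -> List[Finding]:
    """Compare scanner observations with the documented inventory, worst findings first."""
    findings: List[Finding] = []
    observed = pre_consent | after_refusal | after_acceptance
    for c in observed:
        k = cookie_key(c)
        doc = documented.get(k)
        if doc is None:
            findings.append(Finding("high", k, "undocumented: absent from inventory and banner"))
            continue
        if doc.category in NON_ESSENTIAL:
            if c in pre_consent:
                findings.append(Finding("high", k, "set before consent was obtained"))
            if c in after_refusal:
                findings.append(Finding("high", k, "set although consent was refused"))
        elif doc.category != STRICTLY_NECESSARY:
            findings.append(Finding("medium", k, f"unknown category '{doc.category}'"))
        if (c.duration_seconds is not None and doc.max_duration_seconds is not None
                and c.duration_seconds > doc.max_duration_seconds):
            findings.append(Finding("medium", k, "lifetime exceeds documented duration"))
    seen = {cookie_key(c) for c in observed}
    for k in documented:
        if k not in seen:
            findings.append(Finding("medium", k, "documented but never observed; inventory may be stale"))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.cookie, f.issue))


def passes_reject_all_test(documented: Dict[str, Documented], after_refusal: Set[Observed]) -> bool:
    """Post-deployment check: after 'reject all', only documented strictly necessary cookies may exist."""
    return all(cookie_key(c) in documented
               and documented[cookie_key(c)].category == STRICTLY_NECESSARY
               for c in after_refusal)


# Constructed inventory and scan snapshots.
DOCUMENTED: Dict[str, Documented] = {
    "sessionid@shop.example.com": Documented(STRICTLY_NECESSARY, "shop.example.com", None),
    "_ga@example.com": Documented("analytics", "Google Analytics", 63072000),
    "_gid@example.com": Documented("analytics", "Google Analytics", 86400),
    "lang@shop.example.com": Documented("functional", "shop.example.com", 31536000),
}
SESSION = Observed("sessionid", "shop.example.com", None)
GA = Observed("_ga", "example.com", 63072000)
LANG = Observed("lang", "shop.example.com", 63072000)   # observed 2 years, documented 1 year
UID = Observed("uid", "tracker-example.net", 31536000)   # undocumented third-party cookie
PRE_CONSENT = {SESSION, GA, UID}
AFTER_REFUSAL = {SESSION, LANG}
AFTER_ACCEPTANCE = {SESSION, GA, LANG, UID}

if __name__ == "__main__":
    for f in gap_analysis(DOCUMENTED, PRE_CONSENT, AFTER_REFUSAL, AFTER_ACCEPTANCE):
        print(f"[{f.severity:<6}] {f.cookie:<28} {f.issue}")
    print("reject-all test passed:", passes_reject_all_test(DOCUMENTED, AFTER_REFUSAL))
```

The three "high" findings in the sample (an analytics cookie present before any consent, a functional cookie surviving "reject all", and an undocumented tracker) are exactly the defects the article says invalidate consent; the "medium" findings are inventory drift that the six-monthly re-audit is meant to catch. Wiring passes_reject_all_test into a deployment pipeline gives the post-release check the article recommends without depending on a vendor scanner.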
Consequences of an Incomplete Audit
The CNIL imposed EUR 150 million on Google and EUR 60 million on Facebook for cookie consent failures. The Spanish AEPD and Italian Garante have followed with their own enforcement waves, with average SME fines ranging from EUR 10,000 to EUR 100,000. Privacy advocacy organizations like noyb filed over 800 cookie consent complaints in 2025, with a 74% success rate in achieving enforcement action.
Cookie compliance connects directly to your broader GDPR compliance checklist. If consent is invalid, the processing is unlawful, the privacy policy is inaccurate, and the transparency obligation under Articles 13 and 14 is breached. Organizations that have never conducted a formal cookie audit should treat it as an urgent compliance gap – the risk of enforcement increases with every month of inaction.
Frequently Asked Questions
How many cookies does a typical website have?
The average European business website sets 42 cookies according to 2025 Cookiebot data. E-commerce sites average 67, and media sites can exceed 100.
Can I use Google Analytics without a cookie audit?
No. Google Analytics sets cookies that require informed consent under the ePrivacy Directive. A cookie audit documents these cookies and their data flows, which is prerequisite information for valid consent.
Do strictly necessary cookies need to be in the audit?
Yes. All cookies must be audited and documented. While strictly necessary cookies do not require consent, they must still be disclosed in your cookie policy under GDPR transparency obligations.
How long does a cookie audit take?
A manual audit of a 30-50 page website takes 8-16 hours. Automated scanning reduces discovery to 1-2 hours, but classification and documentation still require human judgment. A large site (500+ pages) typically requires 3-5 business days.
Automate your GDPR compliance
Save 340+ hours per year on compliance work. Legiscope provides AI-powered GDPR management trusted by compliance professionals.