Regular cookie audits are essential for maintaining privacy compliance. Whether you are preparing for GDPR, CCPA, or other privacy regulations, a thorough audit helps you understand exactly what data your website collects and ensures your consent mechanisms are working correctly.
This guide provides a comprehensive checklist and methodology for auditing cookies on your website.
Why Cookie Audits Matter
Websites often accumulate cookies over time from various sources: analytics tools, advertising platforms, social widgets, and third-party integrations. Without regular audits, you may be:
- Collecting data without proper consent
- Displaying inaccurate information in your cookie policy
- Setting cookies before user consent
- Missing cookies from third-party scripts
- Exposing your organization to regulatory fines
A comprehensive audit brings visibility to all tracking technologies on your site and ensures your consent mechanisms accurately reflect reality.
Pre-Audit Preparation
Before beginning your audit, gather the following information:
Documentation to Collect
- Current cookie policy or privacy notice
- List of all third-party integrations and vendors
- Marketing technology stack documentation
- Previous audit reports (if available)
- Consent management platform configuration
Tools to Prepare
- Browser developer tools (Chrome DevTools, Firefox Developer Edition)
- Cookie scanning tool (Kurabiye scanner, Cookiebot scanner, or similar)
- Network analysis tool (Charles Proxy, Fiddler)
- Spreadsheet for documentation
- Test accounts for authenticated sections
Environments to Test
- Production website
- Staging environment (if different)
- Mobile website or app (if applicable)
- All subdomains
- All regional variations
The Complete Cookie Audit Checklist
Phase 1: Discovery
1.1 Scan All Pages
- Homepage and main landing pages
- Product/service pages
- Blog and content pages
- Account/login areas
- Checkout and payment flows
- Contact and support pages
- Legal pages (privacy policy, terms)
- 404 and error pages
1.2 Test All User Journeys
- First-time visitor (no existing cookies)
- Returning visitor (with existing cookies)
- Logged-in user
- Guest checkout flow
- Newsletter signup
- Form submissions
- Social sharing actions
1.3 Check All Entry Points
- Direct URL access
- Search engine referral
- Social media referral
- Email campaign links
- Paid advertising landing pages
- Affiliate links
Phase 2: Cookie Inventory
For each cookie discovered, document:
2.1 Basic Information
- Cookie name
- Domain (first-party vs third-party)
- Path
- Expiration (session vs persistent, duration)
- Secure flag status
- HttpOnly flag status
- SameSite attribute
2.2 Classification
- Category (necessary, functional, analytics, marketing)
- Purpose description
- Data collected
- Third-party vendor (if applicable)
- Legal basis (consent, legitimate interest, contract)
2.3 Documentation
- Is this cookie documented in your cookie policy?
- Is the description accurate and up-to-date?
- Is the vendor identified correctly?
- Is the retention period accurate?
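The inventory and documentation checks above can be mechanised. The following is an added example, not Kurabiye's or this guide's own code: it parses captured Set-Cookie headers into records with the 2.1 fields (domain, first- vs third-party, persistence and lifetime, Secure, HttpOnly, SameSite) and then diffs the inventory against the documented cookie policy for the 2.3 questions. The first-party host, the sample headers and the policy entries are constructed for the example.

```javascript
// Added example, not Kurabiye's or the page's own code: build the Phase 2
// inventory from captured Set-Cookie headers and diff it against the
// documented cookie policy. Host names, headers and policy are constructed.

const SITE_HOST = 'www.example.com'; // assumed first-party host

// Parse one Set-Cookie header into an inventory record (the 2.1 fields).
function parseSetCookie(header, respondingHost, now = new Date()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const rec = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    domain: respondingHost.toLowerCase(),
    path: '/',
    secure: false,
    httpOnly: false,
    sameSite: null,      // null = attribute absent (modern browsers treat it as Lax)
    persistent: false,   // false = session cookie
    lifetimeDays: 0,
    firstParty: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'domain') rec.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') rec.path = val;
    else if (key === 'secure') rec.secure = true;
    else if (key === 'httponly') rec.httpOnly = true;
    else if (key === 'samesite') rec.sameSite = val;
    else if (key === 'max-age') {            // Max-Age takes precedence over Expires
      rec.persistent = true;
      rec.lifetimeDays = Number(val) / 86400;
    } else if (key === 'expires' && !rec.persistent) {
      rec.persistent = true;
      rec.lifetimeDays = (new Date(val) - now) / 86400000;
    }
  }
  rec.firstParty = rec.domain === SITE_HOST || SITE_HOST.endsWith('.' + rec.domain);
  return rec;
}

// captures: [{ host, setCookie }] as observed in the Network tab
function buildInventory(captures, now = new Date()) {
  return captures.map((c) => parseSetCookie(c.setCookie, c.host, now));
}

// Phase 2.3 checks: is every observed cookie documented, and is the policy current?
// policy entries: { name, domain, category, lifetimeDays }
function auditAgainstPolicy(inventory, policy) {
  const key = (c) => `${c.name}@${c.domain}`;
  const documented = new Map(policy.map((p) => [key(p), p]));
  const observed = new Set(inventory.map(key));
  return {
    undocumented: inventory.filter((c) => !documented.has(key(c))),
    stale: policy.filter((p) => !observed.has(key(p))),
    lifetimeMismatch: inventory.filter((c) => {
      const p = documented.get(key(c));
      return p !== undefined && Math.abs(p.lifetimeDays - c.lifetimeDays) > 1;
    }),
    missingSecure: inventory.filter((c) => !c.secure),
  };
}

const NOW = new Date('2025-01-01T00:00:00Z');
const CAPTURES = [ // constructed sample responses
  { host: 'www.example.com', setCookie: 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'www.example.com', setCookie: '_ga=GA1.2.1; Domain=.example.com; Path=/; Max-Age=63072000; Secure; SameSite=Lax' },
  { host: 'pixel.example.net', setCookie: 'uid=xyz; Domain=.example.net; Expires=Fri, 01 Jan 2027 00:00:00 GMT; SameSite=None' },
];
const POLICY = [ // constructed: what the cookie policy currently claims
  { name: 'sessionid', domain: 'www.example.com', category: 'necessary', lifetimeDays: 0 },
  { name: '_ga', domain: 'example.com', category: 'analytics', lifetimeDays: 365 },
  { name: 'old_chat', domain: 'chat.example.org', category: 'functional', lifetimeDays: 30 },
];

function runAudit() {
  return auditAgainstPolicy(buildInventory(CAPTURES, NOW), POLICY);
}

console.log(JSON.stringify(runAudit(), null, 2));
```

On the constructed data the report lists `uid` as undocumented (and without the Secure flag), `old_chat` as a stale policy entry, and `_ga` as a lifetime mismatch between the documented 365 days and the observed 730. Feed it real captures by exporting the response headers from the Network tab; cookies set by `document.cookie` in scripts do not appear in Set-Cookie headers and still need the manual check.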
Phase 3: Consent Mechanism Audit
3.1 Banner Functionality
- Banner appears on first visit
- Banner does not appear after consent is given
- All buttons are functional (Accept, Reject, Customize)
- Banner is accessible (keyboard navigation, screen readers)
- Banner displays correctly on mobile devices
- Banner does not use dark patterns
3.2 Consent Collection
- No non-essential cookies set before consent
- Accepting all cookies sets appropriate cookies
- Rejecting all cookies prevents non-essential cookies
- Granular preferences work correctly
- Consent choice is persisted correctly
- Consent can be withdrawn easily
3.3 Consent Record
- Consent timestamp is recorded
- User choices are logged accurately
- Consent version/policy version is tracked
- Records are exportable for audits
- Retention period is appropriate
Phase 4: Technical Compliance
4.1 Cookie Behavior
- Essential cookies do not require consent
- Analytics cookies wait for consent
- Marketing cookies wait for consent
- Functional cookies behave per configuration
- No non-essential cookies set via Set-Cookie response headers before consent (server-set cookies are easy to miss when only client-side scripts are blocked)
4.2 Third-Party Scripts
- Scripts are blocked until consent
- Google Analytics respects consent
- Facebook Pixel respects consent
- Advertising scripts respect consent
- Chat widgets respect consent
- Social sharing buttons respect consent
4.3 Tag Management
- GTM triggers are consent-aware
- Tags fire only after appropriate consent
- Consent Mode signals are correct
- No tags bypass consent requirements
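The consent-collection (3.2), consent-record (3.3) and cookie-behaviour (4.1) checks assume the consent mechanism has certain properties: nothing non-essential runs before a decision, the decision is recorded with a timestamp and policy version, and withdrawal stops further loading. The following in-memory consent store is an added example, not the page's or any CMP vendor's code, written to make those properties concrete and testable. The category names, the policy version string and the simulated "scripts" are assumptions made for the example.

```javascript
// Added example, not the page's or any CMP vendor's code: an in-memory consent
// store that gates non-essential loading per category (3.2, 4.1), keeps the
// consent record with timestamp and policy version (3.3) and supports
// withdrawal. Category names, the policy version and the simulated "scripts"
// are assumptions made for this example.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2025-01'; // assumed current cookie policy version

function createConsentStore(clock = () => new Date()) {
  let current = null;                       // no decision recorded yet
  const log = [];                           // append-only consent record
  const waiting = { functional: [], analytics: [], marketing: [] };

  // "Necessary" never needs consent; everything else needs an explicit true.
  function allowed(category) {
    if (category === 'necessary') return true;
    return current !== null && current.choices[category] === true;
  }

  // Record a decision: categories the user did not opt into default to refused.
  function record(choices) {
    const normalized = {};
    for (const c of CATEGORIES) normalized[c] = c === 'necessary' || choices[c] === true;
    current = { choices: normalized, timestamp: clock().toISOString(), policyVersion: POLICY_VERSION };
    log.push(current);
    for (const c of Object.keys(waiting)) {
      if (!normalized[c]) continue;
      const run = waiting[c];
      waiting[c] = [];
      run.forEach((fn) => fn());             // release loaders that waited for this category
    }
    return current;
  }

  // Register a loader: runs now if the category is allowed, otherwise waits.
  function onConsent(category, fn) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
    if (allowed(category)) fn();
    else waiting[category].push(fn);
  }

  function withdraw() { return record({}); }   // every non-essential category off
  function exportLog() { return log.map((e) => ({ ...e, choices: { ...e.choices } })); }

  return { allowed, record, onConsent, withdraw, exportLog };
}

// Simulated visit: register loaders at page load, then accept, then withdraw.
function simulateVisit() {
  const loaded = [];
  const store = createConsentStore(() => new Date('2025-01-01T12:00:00Z'));
  store.onConsent('necessary', () => loaded.push('session'));
  store.onConsent('analytics', () => loaded.push('analytics'));
  store.onConsent('marketing', () => loaded.push('pixel'));
  const beforeConsent = [...loaded];
  store.record({ analytics: true });          // user accepts analytics only
  const afterConsent = [...loaded];
  store.withdraw();
  store.onConsent('analytics', () => loaded.push('analytics-again')); // must wait
  return { beforeConsent, afterConsent, afterWithdraw: [...loaded], log: store.exportLog() };
}

console.log(JSON.stringify(simulateVisit(), null, 2));
```

Two points worth noting when auditing a real CMP against this model: withdrawal can only stop future loads, so a script that already executed keeps running until the page is reloaded, and your 3.2 withdrawal test should therefore include a reload and re-check of the cookie jar; and the exported log is what satisfies "records are exportable for audits" only if it is persisted server-side or in durable storage, not just in memory.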
Phase 5: Policy and Documentation
5.1 Cookie Policy
- Policy lists all cookies accurately
- Categories match actual cookie behavior
- Expiration times are correct
- Third-party vendors are identified
- Policy is easily accessible from all pages
- Language is clear and understandable
- Last updated date is current
5.2 Privacy Notice
- Cookies are mentioned in privacy notice
- Link to full cookie policy is provided
- Legal basis for each type is explained
- User rights are described
- Contact information for questions is provided
Phase 6: Regional Compliance
6.1 GDPR (EU/UK)
- Prior consent required for non-essential cookies
- Granular consent options available
- Easy withdrawal mechanism
- Consent recorded with timestamp
- Clear identification of data controller
- TCF v2.2 implemented (if using advertising)
6.2 CCPA/CPRA (California)
- “Do Not Sell or Share” link visible
- Opt-out mechanism functional
- Global Privacy Control (GPC) respected
- No financial incentive discrimination
- Sensitive data handling appropriate
6.3 Other Regulations
- LGPD (Brazil) requirements met
- PIPEDA (Canada) requirements met
- Local regulations for other markets
Audit Tools and Methods
Automated Scanning
Use automated tools for initial discovery:
```javascript
// Kurabiye provides built-in scanning
kurabiye.audit({
  url: 'https://yoursite.com',
  maxPages: 50,
  includeSubdomains: true,
  callback: (results) => {
    console.log('Cookies found:', results.cookies);
    console.log('Scripts detected:', results.scripts);
  },
});
```
Manual Verification
Automated tools may miss dynamic cookies. Verify manually:
- Clear all browser data
- Open developer tools (F12)
- Navigate to Application > Cookies
- Visit each page type
- Document new cookies
- Test user interactions
Network Analysis
Check for tracking pixels and beacons:
- Open Network tab in developer tools
- Filter by type (images, fetch, XHR)
- Look for tracking domains
- Check request parameters for PII
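The network-analysis steps above can be applied to an exported capture rather than read off the screen. The following is an added example, not from the page or from any scanning product: it takes a HAR-like list of requests (constructed here), separates third-party hosts from first-party ones, flags image/fetch/XHR requests to third parties as beacon candidates, and checks their query parameters for personal data. The first-party domain, the request list and the PII heuristics are assumptions for the example.

```javascript
// Added example, not from the page: scan captured requests (a HAR-like list
// constructed below) for third-party beacons and for PII in request
// parameters. The first-party domain, request list and heuristics are assumed.

const FIRST_PARTY_DOMAIN = 'example.com'; // assumed
const BEACON_TYPES = ['image', 'fetch', 'xhr', 'ping']; // request types to review
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PII_PARAM_NAMES = ['email', 'phone', 'tel', 'name', 'firstname', 'lastname']; // heuristic

function isThirdParty(host) {
  return !(host === FIRST_PARTY_DOMAIN || host.endsWith('.' + FIRST_PARTY_DOMAIN));
}

// Query-string parameters whose name or value looks like personal data.
function piiParams(url) {
  return [...url.searchParams.entries()]
    .filter(([k, v]) => PII_PARAM_NAMES.includes(k.toLowerCase()) || EMAIL_RE.test(v))
    .map(([k]) => k);
}

// entries: [{ url, type }] where type is the DevTools request type
function analyzeRequests(entries) {
  const findings = [];
  for (const e of entries) {
    const url = new URL(e.url);
    const thirdParty = isThirdParty(url.hostname);
    const beaconLike = thirdParty && BEACON_TYPES.includes(e.type);
    const pii = thirdParty ? piiParams(url) : [];   // PII sent to third parties is the finding
    if (beaconLike || pii.length > 0) {
      findings.push({ host: url.hostname, type: e.type, beaconLike, pii });
    }
  }
  return findings;
}

// Every distinct third-party host contacted, for the "tracking domains" review.
function thirdPartyHosts(entries) {
  const hosts = new Set(entries.map((e) => new URL(e.url).hostname).filter(isThirdParty));
  return [...hosts].sort();
}

const REQUESTS = [ // constructed capture
  { url: 'https://www.example.com/api/cart', type: 'xhr' },
  { url: 'https://static.example.com/logo.png', type: 'image' },
  { url: 'https://pixel.example.net/collect?id=123&email=alice%40example.com', type: 'image' },
  { url: 'https://stats.example.org/v1/event?ev=pageview&path=%2Fcheckout', type: 'fetch' },
  { url: 'https://cdn.example.net/lib.js', type: 'script' },
];

function scanCapture() {
  return { hosts: thirdPartyHosts(REQUESTS), findings: analyzeRequests(REQUESTS) };
}

console.log(JSON.stringify(scanCapture(), null, 2));
```

On the constructed capture the pixel request is flagged both as a beacon and for carrying an e-mail address in the query string, while the stats call is a beacon candidate with no PII; the CDN script is listed under third-party hosts but not as a beacon. POST bodies are not inspected here, so for real captures extend `piiParams` to the request body as well, since many beacons send their payload that way.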
Common Issues Found in Audits
Pre-Consent Cookie Setting
Many websites set cookies before consent:
```html
<!-- Problem: analytics loads immediately, before any consent decision -->
<script src="https://analytics.com/script.js"></script>
```
```javascript
// Solution: wait for consent (loadScript is a small helper, not a Kurabiye API)
function loadScript(src) {
  const s = document.createElement('script');
  s.src = src;
  document.head.appendChild(s);
}
kurabiye.onConsent('analytics', () => {
  loadScript('https://analytics.com/script.js');
});
```
Undocumented Cookies
Third-party widgets often set undocumented cookies:
- Live chat widgets (Intercom, Drift, Zendesk)
- Video embeds (YouTube, Vimeo)
- Social plugins (Facebook Like, Twitter Share)
- Payment processors (Stripe, PayPal)
Incorrect Classifications
Cookies are often miscategorized:
- Analytics cookies marked as “necessary”
- Marketing cookies marked as “functional”
- Advertising cookies not disclosed at all
Stale Cookie Policy
Policies often lag behind reality:
- Removed tools still listed
- New tools not added
- Incorrect expiration times
- Wrong vendor names
Post-Audit Actions
Immediate Fixes
- Remove unnecessary cookies - Delete tracking you do not use
- Block pre-consent cookies - Implement proper consent checks
- Update cookie policy - Reflect current reality
- Fix consent mechanism - Ensure it works correctly
Documentation Updates
- Update cookie inventory spreadsheet
- Revise privacy policy
- Update consent banner text
- Document vendor relationships
Process Improvements
- Establish change control for new tracking
- Schedule regular re-audits (quarterly recommended)
- Train team on cookie compliance
- Create approval workflow for new tools
Audit Frequency Recommendations
| Change or Schedule | Recommended Action |
|---|---|
| New marketing tool added | Immediate mini-audit |
| Website redesign | Full audit before launch |
| New regulatory requirement | Full audit within 30 days |
| Quarterly | Automated scan + spot check |
| Annually | Comprehensive manual audit |
FAQ
How often should I audit cookies?
Conduct automated scans quarterly and comprehensive manual audits annually. Additionally, audit whenever you add new marketing tools or make significant website changes.
What tools can scan for cookies?
Tools include Kurabiye’s built-in scanner, Cookiebot, OneTrust scanner, browser developer tools, and network analysis tools like Charles Proxy.
What is considered a “necessary” cookie?
Necessary cookies are essential for basic website functionality: session management, security tokens, shopping cart persistence, and user preferences that affect core functionality.
How do I handle third-party cookies I cannot control?
Document them in your policy, block the scripts until consent is given, or consider removing the integration if it cannot be made compliant.
What should I do if I find compliance issues?
Prioritize fixes based on risk: address pre-consent tracking immediately, update documentation within days, and plan larger technical changes for the next sprint.
How do I maintain compliance after the audit?
Implement change control processes, train your team, schedule regular re-audits, and use a CMP that provides ongoing monitoring.
Should I audit staging environments?
Yes, audit staging to catch issues before production. Ensure staging accurately reflects production configuration.
What documentation should I keep from audits?
Keep the cookie inventory, screenshots of consent flows, scan results, remediation notes, and sign-off records for regulatory purposes.
How long should audit records be retained?
Retain audit documentation for at least 3 years, or longer if required by your industry regulations or data retention policy.
Can I automate the entire audit process?
Automated scanning provides a foundation, but manual verification is necessary for dynamic content, authenticated sections, and consent flow testing.