Cookie Audit Checklist

Frequently Asked Questions

How do I find all cookies my website sets?

Open your site in Chrome with a clean profile (no extensions). Open DevTools, go to Application > Cookies, and browse several pages. Each domain listed is setting cookies. For a thorough audit, also check localStorage and sessionStorage. Automated scanning tools like Cookiebot can crawl your entire site and produce a full cookie inventory, but a manual check catches cookies that only appear after specific user interactions.

Which cookies require consent under GDPR?

Strictly necessary cookies (session management, security, load balancing) do not require consent. Everything else does: analytics cookies, advertising cookies, social media embeds, A/B testing cookies, and personalization cookies. The test is whether the cookie is essential for the service the user explicitly requested. If you can remove it and the core functionality still works, it likely needs consent.

What happens if I have cookies without consent?

Under GDPR, setting non-essential cookies without consent is a violation. Enforcement varies by country, but fines can reach 4% of annual global turnover. More commonly, data protection authorities issue warnings, require remediation plans, or impose fines in the tens of thousands of euros. The French CNIL and Italian Garante have been particularly active in cookie enforcement.

How often should I audit my cookies?

Run a cookie audit quarterly, or whenever you add new third-party scripts, change analytics tools, or update your CMP. Third-party scripts frequently update and may introduce new cookies without notice. Automated scanning (via your CMP or a dedicated tool) can catch new cookies between manual audits.