Cookie audit
A cookie audit is a systematic inventory of the cookies, local storage, and similar client-side storage a site sets — recording each item's name, party (first or third), purpose, duration, and whether it is strictly necessary. It keeps a cookie banner's categories, a cookie policy, and consent gating accurate as third-party scripts change. This page is educational, not legal advice.
What an audit records
For each cookie or storage item the audit captures: name and pattern, the party that sets it (first-party vs third-party), its purpose category (strictly necessary, functional, analytics, advertising), its lifespan, and the script or vendor responsible. Tools scan pages in different consent states to reveal what fires before and after consent. The output is an inventory you can reconcile against your banner categories and cookie policy.
Why it matters and how often
Cookie banners and policies drift out of date the moment a tag manager adds a new vendor or a script starts setting an extra cookie. Under the ePrivacy rules, non-essential storage generally needs consent before it is set, so a banner that fails to gate a newly added advertising cookie is inaccurate and potentially non-compliant. Re-audit on a schedule and whenever you add scripts. Pay attention to items set before any consent is given — those should be limited to strictly necessary storage.
An audit is maintenance, not a one-time task.
- Inventory name, party, purpose, duration, and source
- Scan in pre- and post-consent states
- Re-audit on a schedule and after adding scripts
How it appears in analytics and logs
If your banner lists cookies that no longer fire — or omits ones that do — your audit is stale; an audit reconciles the declared list with reality.
Diagnostic use case
Inventory every cookie and storage item a site sets so consent categories, the cookie policy, and gating reflect what actually runs, not a stale list.
What WebmasterID can help detect
WebmasterID's cookieless, first-party model means fewer items to audit; a cookie audit still helps confirm no unexpected third-party storage appears.
Common mistakes
- Auditing once and never re-checking after adding tags.
- Missing storage set before consent is given.
- Letting the cookie policy diverge from the actual inventory.
Privacy and accuracy notes
This page is educational, not legal advice. An accurate inventory underpins honest disclosures; the audit itself should avoid storing personal data.
Related pages
- Consent banners and analytics
A consent banner (or CMP) is the interface that asks visitors to accept or refuse non-essential storage and processing. For consent to be valid under EU rules it must be freely given, specific, informed, and unambiguous — which rules out pre-ticked boxes and 'accept-only' dark patterns. Reducing what needs consent in the first place is the cleaner path. This is educational, not legal advice.
- Essential vs non-essential cookies
Under the EU ePrivacy Directive, storing or reading information on a user's device is allowed without consent only when it is strictly necessary to provide a service the user explicitly requested. Everything else — including the vast majority of analytics, advertising, and personalisation cookies — is non-essential and requires prior, informed consent. This page explains the test and where analytics usually lands.
- The ePrivacy Directive and cookie consent
The ePrivacy Directive (2002/58/EC, amended 2009) regulates confidentiality of communications and, critically for analytics, the storing or accessing of information on a user's device. That clause is why setting non-essential cookies in the EU generally requires prior consent, sitting alongside the GDPR rather than being replaced by it. This is an educational overview, not legal advice.
- Privacy-first analytics
Cookieless measurement means fewer items to audit.
Sources and verification notes
- EDPB — Guidelines on the use of cookies and similar technologies (consent before storage)Regulator guidance underpinning accurate cookie inventories. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.