How to audit your website for cookie compliance in 15 minutes
A step-by-step guide to finding every cookie and tracker on your site — no paid tools, no account required. Just a browser and a notepad.
You don’t need a $50/month scanning tool to find out what cookies your site sets. You need a browser, 15 minutes, and a systematic approach. Here’s the playbook.
Step 1: Open an incognito window
Cookies from previous sessions will pollute your results. Incognito/private mode starts with a clean slate.
Checklist:
- Close all regular browser windows
- Open a fresh incognito/private window
- Open DevTools (F12 or Cmd+Opt+I)
Step 2: Clear everything, then load your site
In DevTools:
- Go to the Application tab (Chrome/Edge) or Storage tab (Firefox)
- Expand “Cookies” in the left sidebar
- Note any domains already listed (should be none in incognito)
- Navigate to your site
Step 3: First-party cookies (before consent)
As soon as your page loads, look at the cookies list. Any cookies set before the consent banner was accepted are first-party cookies. Anything outside strictly necessary cookies that lands here is a compliance problem. Write them down:
| Cookie name | Domain | Purpose | Consent needed? |
|---|---|---|---|
session_id | yoursite.com | Session management | Only if it persists |
_ga | yoursite.com | Google Analytics | Yes |
csrf_token | yoursite.com | Security | No |
Step 4: Third-party cookies
Expand each third-party domain in the cookies list. These are set by scripts, pixels, or iframes from other companies. Common ones:
google.com/doubleclick.net: ads and analyticsfacebook.com: Meta Pixelhotjar.com: session recordingcdn.jsdelivr.net: usually no cookies, but check- Any ad network domain
Step 5: Check the Network tab
Switch to the Network tab in DevTools. Filter by “Img” to find tracking pixels. Look for 1×1 GIFs or PNGs from third-party domains.
Filter by “Script” to find third-party scripts. Click each one and check the “Cookies” tab in the request details.
Step 6: Check localStorage and sessionStorage
In the Application tab, expand “Local Storage” and “Session Storage.” These are not cookies, but they store data similarly and are subject to the same consent requirements under ePrivacy.
Step 7: Test the consent flow
- Accept all cookies → verify tracking cookies appear
- Reject all → verify no tracking cookies appear
- Customize → verify only selected categories appear
- Close and reopen → consent should persist
- Clear site data → banner should reappear
Step 8: Document everything
Create a cookie declaration table for your privacy policy:
| Category | Cookie | Provider | Purpose | Duration |
|---|---|---|---|---|
| Necessary | session_id | First-party | Session | Session |
| Analytics | _ga | Analytics | 2 years | |
| Marketing | _fbp | Meta | Ads | 3 months |
Common findings
Most sites discover:
- Google Analytics running before consent (needs blocking)
- A Facebook pixel they forgot about
- A Hotjar or similar session recorder
- Several “mystery cookies” from old plugins or embed codes
Each one needs to be either blocked before consent or removed. There’s no middle ground. Pair this audit with a banner that gives users real choice, and your opt-in design starts from consent banner design that holds up. If the offenders are Google tags, Google Consent Mode is how you wire the blocking back to ad platforms.
How Zest handles it
Zest’s category config is your audit map: every cookie you declare maps to a category (necessary, analytics, marketing), and Zest auto-blocks scripts in non-necessary categories until consent is granted. After the audit, re-test the banner’s network calls with everything denied. If a marketing or analytics request still fires, either the script isn’t routed through Zest’s blocking or the category assignment is wrong. Fix one, re-run, done.