Picture this: a mid-sized retailer sells products across three branded websites and also runs a loyalty program. Their marketing team uses a tag management platform shared with two agency partners, and they have deployed a cookie banner on each site, which leads the retailer to believe they are compliant. When a similarly sized competitor makes headlines for infringing consumers’ rights to opt out of web tracking, the retailer decides to run a cookie audit.
(It is worth noting that cookies are not always the only tracking technology in play. Pixels and other digital trackers are part of the picture too, but cookies remain the most widely used and most widely understood term, so that is the term we will use throughout this article.)
During the cookie audit, the retailer finds uncategorized cookies dropping before consent, a GPC signal that is honored on two of the three sites but ignored on the third, and opt-out links in the footer that 404 on mobile. The banner is there, the intention is there, but unfortunately, the compliance is not.
This story is not unusual; in fact, it is a common one, and it is exactly what a structured cookie audit is designed to surface before someone else does. And while a cookie audit looks and feels like a one-time exercise, it should not be treated as a checkbox but as a repeatable process within your privacy program, one that builds a resilient foundation for ongoing compliance. Let’s take a look at the steps that will help you build a scalable cookie audit process.
Start With A Full Inventory of Your Web Properties
Before you can audit your cookies, you need to know exactly where you have a web presence. For many organizations, this is less obvious than it sounds. A brand may operate a primary .com as well as regional sites across Europe, promotional microsites that never got taken down, or even a careers page on a subdomain. Each of those properties may behave differently, and each requires its own audit.
Start by building a complete list of every URL your organization owns or operates. Include:
- Primary domains and subdomains
- Campaign or seasonal microsites
- Third-party hosted pages (checkout, booking, careers)
- Any co-branded or partner-operated properties where your tag management code runs
A complete web property inventory almost always surprises people, because the gap between ‘the sites we actively manage’ and ‘the sites that are live and collecting data’ is rarely zero. The risk is that properties fall off the internal radar while data collection continues in the background. Getting the full picture here helps with the rest of your audit by making visible information that might otherwise never have surfaced.
Know Your Regulatory Requirements Before You Scan
Regulatory requirements regarding cookies and other tracking technologies are not always uniform between jurisdictions. The experience a visitor receives, and the obligations your organization carries, depend on where that visitor is located.
Under the GDPR (together with the ePrivacy Directive’s cookie consent rule), EU visitors must be presented with an opt-in before non-essential cookies fire. Under the California Consumer Privacy Act (CCPA), the default is opt-out, with requirements around honoring the Global Privacy Control (GPC) signal and displaying the “Do Not Sell or Share” link. Across the 21 US states with comprehensive privacy laws, most, if not all, have their own frameworks with varying definitions of what constitutes a sale.
Mapping your requirements is not an optional background task, it acts as the lens through which every audit finding gets evaluated. A cookie that poses no issue for a US-only audience may represent a material breach for visitors arriving from the EU.
That’s why it is crucial to map your audience geography against applicable laws before your scanner runs a single crawl. Your cookie consent management platform should be configured to serve different consent experiences by region, and that configuration needs to be verified, not assumed.
Scan Your Sites: What the Technology Surfaces (and What It Misses)
Automated scanning is the backbone of a cookie audit. Privacy tech tools like Boltive, ObservePoint, OneTrust, Osano, and Ketch crawl your site and return a list of cookies observed in a session, along with their names, durations, and categorizations where available.
A good scan will surface:
- First-party cookies set by your own platform
- Third-party cookies placed by vendors, analytics tools, advertising pixels, and tag management containers
- Cookies with no recognized categorization (often flagged as ‘unknown’)
- Cookies firing before any consent interaction has occurred
The results of an automated tracking technology scan can differ depending on which tool you use and how it is set up. Some technologies will carry out continuous real-time monitoring, while others may simply observe a session without replicating the user journey. Cookies tied to cart actions or form completions may not appear in a passive crawl, for instance, and human testing of key user flows therefore becomes a necessary addition to the automated scanning workflow.
One finding that frequently emerges at this stage is cookies tied to agency or vendor activity that bypassed any type of formal approval. Tag management containers with open access are a common source of unintended cookie placement, and the scan is often the first time an organization becomes aware of what is actually running on their web properties.
Categorize Every Cookie, Including the Ones You Do Not Recognize
Cookie categorization is the part of the audit where process discipline matters most. The four categories below are the conventional ones used for GDPR compliance; the regulation itself does not define them (they come from industry guidance, built around the ‘strictly necessary’ exemption in the ePrivacy Directive), and many US organizations adopt them as best practice rather than as a requirement. In a US context, the more critical distinction is whether a cookie constitutes a sale of personal information or not, and the categories below can help make that determination.
- Strictly Necessary: Cookies that are essential to the operation of the site. These do not require consent.
- Functional: Cookies that enhance usability but are not essential. Consent is required under most frameworks.
- Performance / Analytics: Cookies that collect data on how visitors use the site. Consent is required.
- Targeting / Advertising: Cookies used for behavioral advertising or cross-site tracking. These face the highest scrutiny. Not only is consent required, but they may constitute a ‘sale’ under applicable laws.
Unknown cookies should never be left as unknown. Each one requires an investigation into who set it, why, under what agreement, and whether it should be present at all. If a cookie cannot be attributed to an approved vendor or internal system, the appropriate default action is to remove it.
Test GPC, Opt-Out Links, and Banner Behavior
Technical cookie compliance is more than what your platform is configured to do. More critically, it is what your platform actually does when tested under real conditions. Three areas warrant dedicated testing within your audit:
Global Privacy Control (GPC)
The Global Privacy Control is a browser-based signal that communicates a visitor’s opt-out preference automatically: the browser sends a Sec-GPC: 1 request header and exposes the same preference to page scripts as navigator.globalPrivacyControl. Under CCPA and several other state laws, organizations are required to honor it. Testing means activating a GPC-enabled browser (or a GPC browser extension) and confirming that non-essential cookies do not fire, and that the opt-out is recorded correctly in your consent management platform. This test needs to run on every site in your inventory. A configuration error on one subdomain will not be caught by testing only your primary domain.
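The scan, categorization, and GPC steps above all come down to the same question: for each cookie observed in a captured page load, is it in the approved inventory, which category is it in, and was it set when it should not have been? The script below is an added example written for this article, not the code of any of the scanning tools named above. It takes a constructed capture (the responding host plus the raw Set-Cookie header, as a scanner or a browser’s developer tools would record it), a hypothetical approved inventory, the site’s registrable domain (passed in rather than derived from the Public Suffix List, to keep the example offline), and whether consent was given and whether the request carried Sec-GPC: 1. The 13-month lifetime threshold is a policy choice made for the example, not something the article specifies.

```python
"""
Offline cookie-audit checker: classifies each observed Set-Cookie against an
approved inventory and emits audit findings. Added example for this article;
not the code of any vendor scanner. Cookie names, hosts, and the inventory
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

# Hypothetical approved inventory: cookie name -> (category, owner/vendor).
INVENTORY = {
    "session_id": ("strictly_necessary", "storefront platform"),
    "csrf_token": ("strictly_necessary", "storefront platform"),
    "_ga":        ("analytics",          "Google Analytics"),
    "_fbp":       ("advertising",        "Meta Pixel"),
}
CONSENT_REQUIRED = {"functional", "analytics", "advertising"}
# Policy choice (assumption, not from the article): flag lifetimes over 13 months.
MAX_LIFETIME_SECONDS = 13 * 30 * 24 * 3600


@dataclass(frozen=True)
class Finding:
    cookie: str
    kind: str    # unknown | before_consent | ignores_gpc | third_party | long_lived
    detail: str


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")   # flags like Secure have no value
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(observations: Iterable[tuple[str, str]], site_domain: str,
          consent_given: bool, gpc: bool) -> list[Finding]:
    """
    observations: (responding host, Set-Cookie header value) pairs from one
    page load. site_domain: the site's registrable domain. consent_given:
    whether the banner was accepted before the capture. gpc: whether the
    browser sent Sec-GPC: 1, in which case the article's test expects no
    non-essential cookie to be set at all.
    """
    findings = []
    for host, header in observations:
        name, _, attrs = parse_set_cookie(header)
        # Without a Domain attribute the cookie belongs to the responding host.
        effective = attrs.get("domain", host).lstrip(".")
        if not (effective == site_domain or effective.endswith("." + site_domain)):
            findings.append(Finding(name, "third_party", f"set for {effective} by {host}"))
        if name not in INVENTORY:
            findings.append(Finding(name, "unknown", f"not in approved inventory; set by {host}"))
            continue   # nothing more to say until someone attributes it
        category, vendor = INVENTORY[name]
        if category in CONSENT_REQUIRED:
            if not consent_given:
                findings.append(Finding(name, "before_consent",
                                        f"{category} cookie from {vendor} set with no consent"))
            if gpc:
                findings.append(Finding(name, "ignores_gpc",
                                        f"{category} cookie from {vendor} set despite Sec-GPC: 1"))
        max_age = attrs.get("max-age", "")
        if max_age.isdigit() and int(max_age) > MAX_LIFETIME_SECONDS:
            findings.append(Finding(name, "long_lived", f"Max-Age={max_age}s exceeds policy limit"))
    return findings


def findings_by_cookie(findings: Iterable[Finding]) -> dict[str, set[str]]:
    """Group finding kinds per cookie name for a quick summary."""
    grouped: dict[str, set[str]] = {}
    for f in findings:
        grouped.setdefault(f.cookie, set()).add(f.kind)
    return grouped


# Constructed capture: a pre-consent page load where the browser sent Sec-GPC: 1.
CAPTURE = [
    ("www.example-retailer.test", "session_id=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example-retailer.test", "_ga=GA1.2.123; Domain=.example-retailer.test; Max-Age=63072000"),
    ("www.example-retailer.test", "_fbp=fb.1.1700000000.1; Domain=.example-retailer.test; Max-Age=7776000"),
    ("tags.agency-cdn.test", "agency_uid=xyz; Domain=agency-cdn.test; Max-Age=31536000"),
]

if __name__ == "__main__":
    for f in audit(CAPTURE, "example-retailer.test", consent_given=False, gpc=True):
        print(f"{f.kind:15} {f.cookie:12} {f.detail}")
```

Running it on the constructed capture flags the analytics and advertising cookies twice (set before consent, and set despite GPC), the two-year analytics cookie as long-lived, and the agency cookie as both third-party and unknown; the session cookie produces nothing, as a strictly necessary cookie should. Rerunning the same capture with consent given and no GPC leaves only the unknown, third-party and lifetime findings, which is the point: the same observed cookies are or are not a problem depending on the consent state and region you captured them under, so each regional configuration needs its own run.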
Opt-Out Links
Every site that falls within CCPA or similar state law requirements needs a functioning opt-out link in the footer. Under the CCPA, this means the California Attorney General’s official opt-out icon.
It is also worth noting that this link is not limited to cookies. If your organization sells or shares other categories of personal information, those are covered by this requirement too. And for organizations operating across devices, several California enforcement actions have specifically addressed cross-device tracking requirements, meaning the opt-out needs to function consistently whether a user is on desktop, mobile, or moving between the two.
To ensure individuals can actually exercise their rights, test the link end-to-end and ask: Does it load on every domain? Does it allow a preference to be set? And, is that preference honored across sessions and devices? Broken links and misdirected destinations are among the most common findings at this stage. A link that points to a generic privacy notice rather than a functional preference center does not meet the requirement, nor does one that works on desktop but fails on mobile.
Banner Behavior and Dark Patterns
Although optional under most US state privacy laws, if you have a consent banner, it must be reviewed against the criteria for dark patterns. Accept and reject options should be visually symmetrical, the same size, and the same prominence. If a user selects ‘reject,’ non-essential cookies must not fire, and if a user dismisses the banner without making a selection, your platform should not treat that as consent. This is an area that is usually best approached with the help of your legal counsel, particularly in light of recent regulatory updates in California. We’ve covered Dark Patterns in greater depth in our 2026 Privacy Checklist.
Privacy tech tools can support ongoing monitoring of banner behavior and detect unauthorized cookies in real time, which is particularly useful for organizations where third-party tags are actively managed by external partners.
Many organizations instead take a notice-only approach, which informs visitors that cookies are in use without collecting an active opt-in or opt-out preference. Whether that is appropriate for your organization depends on your audience geography, the categories of cookies you deploy, and your organization’s risk tolerance. Which kind of banner you deploy, a consent banner or a notice-only one, is ultimately a decision made on the balance of compliance risk and business impact. There is no universal right answer.
Connect Cookie Compliance to Your Privacy Notice and Cookie Governance
A cookie audit that stops at the technical layer is incomplete. The two operational steps that are frequently missed include an update to your privacy notice and ongoing cookie governance.
Update Your Privacy Notice
Your privacy notice should accurately describe the categories of cookies in use, the vendors involved, and the choices available to users. When the audit changes your cookie state, whether cookies are removed, recategorized, or new vendors are added, the privacy notice needs to reflect that. An accurate notice is a compliance requirement under CCPA, GDPR, and most state privacy laws, not just good practice.
Cookie Governance
A cookie audit that finds unauthorized third-party cookies is also a sign that your broader cookie governance framework needs attention. Training the marketing team, agency partners, and web development team on the rules of engagement for adding new tags and pixels is part of that, but full cookie governance goes further. It means defined ownership across legal, IT, marketing, and data teams, clear approval processes for new technology placements, and documentation that demonstrates accountability over time. If you want to go deeper on what a full cookie governance program looks like, check out our Comprehensive Guide to Cookie Governance.
Make It Repeatable: The Audit Is Not a One-Time Event
Cookie estates change constantly, and most commonly when new features ship, agencies add tags, or laws change. A quarterly review cadence is a reasonable starting point, while organizations in high-change environments or with significant EU audience exposure may opt to scan monthly.
The goal is not a perfect audit completed once. It is a repeatable, scalable process that keeps pace with the rate at which your digital properties and the regulatory landscape evolve. Therefore, you should define the processes to document your findings, the remediation actions, and the review date. That documentation becomes evidence of a compliance program, which matters when regulators ask questions.
It is also worth considering triggers for an unscheduled review. These typically look like new state privacy laws taking effect, a material change to your tag management setup, a new co-branded digital campaign, or a platform migration. All of which should prompt a fresh cookie audit to ensure the accuracy of your compliance program.
Ready to Run a Cookie Audit?
A cookie audit is a clear look at how your organization collects, manages, and respects user consent across every digital property you operate. Getting this right helps companies avoid fines and build the kind of trust that is increasingly hard to earn and easy to lose.
If you want to know where your cookie program stands, or if you are ready to operationalize a repeatable audit process, our Cookie Consent Management service is a good place to start. We work with organizations from early-stage to enterprise to build cookie programs that are accurate, defensible, and sustainable.