
Cookie Audit: What Your Site Sets Before Anyone Clicks Accept
Short answer
Under the EU ePrivacy rules, non-essential cookies and trackers may only be set after the visitor consents, and the EU Court of Justice has ruled that pre-ticked boxes and silence are not consent. The most common violation is not a missing banner but a banner the site ignores: analytics and marketing tags that fire on first page load, before any choice is made. You can audit this yourself in the browser's developer tools, or scan any site in minutes with a free cookie scanner. Whatever the audit finds must then match your consent banner and your privacy policy.
The gap
Your banner asks. Your website often does not wait for the answer.
Open almost any website with the network panel running and a familiar scene plays out: the page loads, the cookie banner slides in politely asking for permission, and behind it a dozen requests have already gone out, analytics initialised, pixels fired, session recorders warmed up. The question was asked. The answer was never awaited.
That gap between what the banner says and what the site does is the single most common cookie violation on the web, and it is invisible from the outside unless someone looks. The uncomfortable part: looking takes about two minutes, and regulators, competitors and privacy-minded customers all know how to look.
The rules
What the law actually requires, in plain terms

Two rules do the work. The ePrivacy rules (Article 5(3) of the ePrivacy Directive, implemented across EU member states) say that storing or reading anything on a visitor's device that is not strictly necessary requires prior consent. Not consent eventually, consent first. And the GDPR defines what consent means: a free, specific, informed and active choice. The EU Court of Justice settled the edges in its Planet49 judgment (C-673/17): pre-ticked boxes, implied consent and continued browsing do not qualify.
Strictly necessary is a narrow club: session cookies that keep a login alive, a shopping cart, security tokens, the cookie that remembers the consent decision itself. Analytics is not in the club. Marketing pixels are not in the club. "We really rely on this data" has never gotten anyone into the club.
The practical consequence is simple to state and rarely implemented: on first page load, before any click, a compliant site sets essential cookies and nothing else. Everything beyond that is a finding.
The audit
How to check what your site really sets

You can do the core audit yourself, today, with nothing but a browser:
- Open your site in a private window so old cookies and past consent choices do not contaminate the result. Do not click anything on the banner.
- Open the developer tools and look at storage. In Chrome: DevTools, Application tab, Cookies. Everything listed there was set before consent. Note the names and domains.
- Check the network panel. Reload the page and scan the requests for third-party domains: analytics endpoints, ad networks, social pixels, session-recording tools. Each one fired before anyone agreed to anything.
- Categorise what you found. Session, cart, security and consent cookies are fine. Analytics, marketing, personalisation and any third-party tracker in the pre-consent list is a gap to fix.
If you would rather not read raw cookie tables, our free cookie scanner does the same inspection for any URL you give it: it loads the page like a fresh visitor and reports the cookies and third-party trackers set before consent. Free, no signup, and nothing about your scan is stored.
Want the two-minute version of this audit?
Enter your website and see the cookies and trackers it loads before a visitor consents to anything. No email, nothing stored.
The findings
The four problems every audit keeps surfacing
Run this audit across enough websites and the same four findings come back like a chorus:
- Analytics before consent. The measurement tag loads with the page instead of waiting for the opt-in. By far the most common finding, and the first thing any inspector sees.
- Marketing pixels before consent. Ad-platform and social pixels fire on load, sharing visit data with third parties before the visitor has said anything at all.
- A banner that changes nothing. Accept and reject produce the same network traffic. European regulators have issued major fines where refusing tracking was harder than accepting it, or where the choice made no technical difference.
- A cookie policy describing a different website. The policy lists cookies the site no longer sets and misses the ones it does. An inaccurate disclosure is its own violation, separate from the cookies themselves.
None of these are exotic. They are default behaviour for a site that installed tools first and thought about consent later, which is to say: most sites.
The fix
Closing the gap the audit found
The repair is less painful than most owners expect, because it is configuration, not reconstruction. Tags that fired before consent get loaded through your consent tool instead, so they wait for the answer. The reject option gets made as easy as accept, one click, same layer. And the paperwork gets synced with reality: the cookie table in your policy should describe what the scan actually found, no more and no less.
That last step ties into the document most sites already have wrong: the privacy policy. If yours needs the cookie section rewritten, or you are not sure whether your website needs a privacy policy at all, our free privacy policy generator builds one around your actual setup in minutes.
And if your audit is part of something bigger, a non-EU company getting its EU house in order, remember that cookies are the visible half. The invisible half is the Article 27 EU representative the GDPR requires non-EU companies to name, which takes about a minute to check with the free compliance checker. Fix what the scan shows, then fix what it cannot see.
Frequently asked questions
Written by
Usantis
The Usantis editorial team writes about EU representation and Article 27 GDPR for companies based outside the EU. More articles
Related articles
Does Your Website Need a Privacy Policy? What Must Go in It
It is the least-read page on your website and the first one a regulator opens. Most sites legally need a privacy policy, most policies on the internet are copied from someone else, and both facts are fixable in under an hour.
GDPR BasicsThe UK Has Its Own GDPR Now. Your EU Representative Does Not Cover It.
When the UK left the EU it kept the GDPR and made its own copy. Two regulations, two regulators, and for a lot of companies outside both, two separate representatives. Here is when the EU one you already have is only half the job.
GDPR BasicsWhere Must Your EU Representative Actually Be Located?
Do you need a representative in every EU country, just in Ireland, or somewhere specific? The location question trips up almost everyone, and the real answer is simpler and cheaper than the myths suggest.
Stay off the enforcement tracker.
See whether Article 27 applies to you in about a minute, then set up your EU representative.