Fines up to €20,000,000 or 4% of global turnover
A dark monitoring room with a large screen showing a glowing network graph of connected nodes, representing the trackers a website loads in the background
GDPR Basics

Cookie Audit: What Your Site Sets Before Anyone Clicks Accept

Usantis Jul 6, 2026 4 min read

Short answer

Under the EU ePrivacy rules, non-essential cookies and trackers may only be set after the visitor consents, and the EU Court of Justice has ruled that pre-ticked boxes and silence are not consent. The most common violation is not a missing banner but a banner the site ignores: analytics and marketing tags that fire on first page load, before any choice is made. You can audit this yourself in the browser's developer tools, or scan any site in minutes with a free cookie scanner. Whatever the audit finds must then match your consent banner and your privacy policy.

The gap

Your banner asks. Your website often does not wait for the answer.

Open almost any website with the network panel running and a familiar scene plays out: the page loads, the cookie banner slides in politely asking for permission, and behind it a dozen requests have already gone out, analytics initialised, pixels fired, session recorders warmed up. The question was asked. The answer was never awaited.

That gap between what the banner says and what the site does is the single most common cookie violation on the web, and it is invisible from the outside unless someone looks. The uncomfortable part: looking takes about two minutes, and regulators, competitors and privacy-minded customers all know how to look.

Art. 5(3)
ePrivacy rule: consent before non-essential cookies are set
C-673/17
EU court ruling: pre-ticked boxes are not consent
1st load
when most tracking cookies are actually set

The rules

What the law actually requires, in plain terms

A laptop showing a website with a blurred cookie consent banner at the bottom of the screen, representing the consent question every site asks
The banner is only the question. Compliance is whether your site waits for, and respects, the answer.

Two rules do the work. The ePrivacy rules (Article 5(3) of the ePrivacy Directive, implemented across EU member states) say that storing or reading anything on a visitor's device that is not strictly necessary requires prior consent. Not consent eventually, consent first. And the GDPR defines what consent means: a free, specific, informed and active choice. The EU Court of Justice settled the edges in its Planet49 judgment (C-673/17): pre-ticked boxes, implied consent and continued browsing do not qualify.

Strictly necessary is a narrow club: session cookies that keep a login alive, a shopping cart, security tokens, the cookie that remembers the consent decision itself. Analytics is not in the club. Marketing pixels are not in the club. "We really rely on this data" has never gotten anyone into the club.

The practical consequence is simple to state and rarely implemented: on first page load, before any click, a compliant site sets essential cookies and nothing else. Everything beyond that is a finding.

The audit

How to check what your site really sets

A magnifying glass held over a laptop screen showing rows of glowing data entries, representing a manual inspection of the cookies a website sets
The two-minute audit: a private window, the developer tools, and no clicks on the banner.

You can do the core audit yourself, today, with nothing but a browser:

  1. Open your site in a private window so old cookies and past consent choices do not contaminate the result. Do not click anything on the banner.
  2. Open the developer tools and look at storage. In Chrome: DevTools, Application tab, Cookies. Everything listed there was set before consent. Note the names and domains.
  3. Check the network panel. Reload the page and scan the requests for third-party domains: analytics endpoints, ad networks, social pixels, session-recording tools. Each one fired before anyone agreed to anything.
  4. Categorise what you found. Session, cart, security and consent cookies are fine. Analytics, marketing, personalisation and any third-party tracker in the pre-consent list is a gap to fix.

If you would rather not read raw cookie tables, our free cookie scanner does the same inspection for any URL you give it: it loads the page like a fresh visitor and reports the cookies and third-party trackers set before consent. Free, no signup, and nothing about your scan is stored.

Want the two-minute version of this audit?

Enter your website and see the cookies and trackers it loads before a visitor consents to anything. No email, nothing stored.

Scan your site free

The findings

The four problems every audit keeps surfacing

Run this audit across enough websites and the same four findings come back like a chorus:

  • Analytics before consent. The measurement tag loads with the page instead of waiting for the opt-in. By far the most common finding, and the first thing any inspector sees.
  • Marketing pixels before consent. Ad-platform and social pixels fire on load, sharing visit data with third parties before the visitor has said anything at all.
  • A banner that changes nothing. Accept and reject produce the same network traffic. European regulators have issued major fines where refusing tracking was harder than accepting it, or where the choice made no technical difference.
  • A cookie policy describing a different website. The policy lists cookies the site no longer sets and misses the ones it does. An inaccurate disclosure is its own violation, separate from the cookies themselves.

None of these are exotic. They are default behaviour for a site that installed tools first and thought about consent later, which is to say: most sites.

The fix

Closing the gap the audit found

The repair is less painful than most owners expect, because it is configuration, not reconstruction. Tags that fired before consent get loaded through your consent tool instead, so they wait for the answer. The reject option gets made as easy as accept, one click, same layer. And the paperwork gets synced with reality: the cookie table in your policy should describe what the scan actually found, no more and no less.

That last step ties into the document most sites already have wrong: the privacy policy. If yours needs the cookie section rewritten, or you are not sure whether your website needs a privacy policy at all, our free privacy policy generator builds one around your actual setup in minutes.

And if your audit is part of something bigger, a non-EU company getting its EU house in order, remember that cookies are the visible half. The invisible half is the Article 27 EU representative the GDPR requires non-EU companies to name, which takes about a minute to check with the free compliance checker. Fix what the scan shows, then fix what it cannot see.

Frequently asked questions

Stay off the enforcement tracker.

See whether Article 27 applies to you in about a minute, then set up your EU representative.