![GDPR Cookie Audit Checklist [Free PDF Download]](/blog/jon-tyson-8e4g1LIPK8A-unsplash.jpg)
GDPR Cookie Audit Checklist [Free PDF Download]
Cookie compliance is not a one-time task. Every new plugin, marketing integration, A/B test or CMS update can reintroduce GDPR violations. That is why you need a repeatable process. We have built a practical GDPR cookie audit checklist based on thousands of real-world scans. Use it before every launch, quarterly review or client handover.
Who this checklist is for
- Developers who want to catch violations before code hits production.
- Agencies auditing client websites for compliance reports.
- Data Protection Officers building internal governance workflows.
- QA teams adding privacy checks to regression suites.
Pre-audit setup
Before you start clicking around, prepare your environment. Inconsistent setups lead to false positives and missed violations.
- Use a clean browser profile: Guest mode or a fresh Chrome user. No extensions except your audit tools.
- Clear all storage: Cookies, localStorage, sessionStorage, IndexedDB and cache.
- Disable caching: In DevTools > Network, check "Disable cache".
- Document your baseline: Note the URL, date, browser version and CMP version.
- Prepare a screenshot folder: You will need evidence for every finding.
The checklist
| # | Check | Priority | How to verify |
|---|---|---|---|
| 1 | Consent banner loads on first visit | Critical | Open site in Guest mode. Banner must appear within 2 seconds. |
| 2 | No non-essential cookies before consent | Critical | DevTools > Application > Cookies. Only necessary cookies allowed before interaction. |
| 3 | No third-party scripts before consent | Critical | Network tab. No requests to analytics, ads or social pixel hosts may appear before consent is given. Filter by third-party domain and confirm the list is empty. |
| 4 | Banner has Reject / Customize option | Critical | GDPR requires a genuine choice. "Accept All" alone is not valid. |
| 5 | Consent choice is recorded | High | Check CMP admin logs or dataLayer events after every interaction. |
| 6 | Cookie policy link is visible and accurate | High | Click the policy link. It must list all observed cookies with correct categories. |
| 7 | Storage (localStorage, sessionStorage) is clean | High | Application > Local Storage / Session Storage. Non-essential entries must wait for consent. |
| 8 | Tag Manager respects consent state | High | GTM/Tealium preview mode. Tags fire only after consent event. |
| 9 | Geolocation shows correct banner variant | Medium | Test from EU, UK and US VPN endpoints. Banner behavior must match local law. |
| 10 | Mobile version behaves identically | Medium | Repeat entire audit on mobile viewport or real device. |
| 11 | Subdomains share consent state | Medium | If the site is designed to share consent across subdomains, a choice made on www.example.com must carry over to blog.example.com. Check the consent cookie's Domain attribute (e.g. `.example.com`). |
| 12 | Cookies expire reasonably | Low | Check Max-Age / Expires. Marketing cookies over 13 months are suspicious. |
How to score your audit
Give yourself 1 point for every "Pass", 0.5 for "Partial" and 0 for "Fail". A score of 12 means full compliance. Anything below 9 needs immediate attention. Critical items (rows 1-4) are non-negotiable. If any of them fails, the site is technically in breach.
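As an added example (not part of the original checklist and not ConsentScope's own code), the Node.js script below evaluates a snapshot captured before any interaction with the banner against the rows that can be machine-checked offline (2, 3, 7 and 12) and then applies the scoring rule above. The snapshot shape, the necessary-cookie allowlist, the storage-key allowlist and the tracker host list are assumptions for illustration; the sample snapshot is constructed, not captured from a real site.

```javascript
// Added example: offline evaluation of a pre-consent snapshot against
// checklist rows 2, 3, 7 and 12, plus the page's scoring rule.
// Snapshot shape, allowlists and tracker hosts are assumptions; collect the
// real snapshot with DevTools or a browser automation tool before consent.

// Strictly necessary cookies allowed before consent (hypothetical names).
const NECESSARY_COOKIES = new Set(["session_id", "csrftoken", "cookie_consent"]);
// localStorage/sessionStorage keys allowed before consent (hypothetical).
const NECESSARY_STORAGE_KEYS = new Set(["consent_state"]);
// Hosts treated as non-essential third parties (assumed list for the example).
const TRACKER_HOST_PATTERNS = [
  /(^|\.)google-analytics\.com$/,
  /(^|\.)googletagmanager\.com$/,
  /(^|\.)doubleclick\.net$/,
  /(^|\.)facebook\.net$/,
  /(^|\.)hotjar\.com$/,
];
// Row 12 threshold: roughly 13 months, expressed as 390 days.
const THIRTEEN_MONTHS_SECONDS = 390 * 24 * 3600;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; valueless attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? "" : nameValue.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Lifetime in seconds relative to `now`; null for session cookies or
// unparseable values. Max-Age takes precedence over Expires (RFC 6265).
function cookieLifetimeSeconds(cookie, now) {
  if (cookie.attrs["max-age"] !== undefined) {
    const n = Number(cookie.attrs["max-age"]);
    return Number.isFinite(n) ? n : null;
  }
  if (cookie.attrs.expires !== undefined) {
    const t = Date.parse(cookie.attrs.expires);
    return Number.isNaN(t) ? null : Math.round((t - now.getTime()) / 1000);
  }
  return null;
}

// Evaluate a snapshot taken BEFORE the visitor touches the banner.
// snapshot = { setCookieHeaders: string[], storageKeys: string[], requestUrls: string[] }
function auditPreConsent(snapshot, now = new Date()) {
  const findings = [];
  const cookies = snapshot.setCookieHeaders.map(parseSetCookie);
  for (const c of cookies) { // Row 2
    if (!NECESSARY_COOKIES.has(c.name)) {
      findings.push({ row: 2, priority: "Critical", detail: `cookie ${c.name} set before consent` });
    }
  }
  for (const url of snapshot.requestUrls) { // Row 3
    const host = new URL(url).hostname;
    if (TRACKER_HOST_PATTERNS.some((re) => re.test(host))) {
      findings.push({ row: 3, priority: "Critical", detail: `request to ${host} before consent` });
    }
  }
  for (const key of snapshot.storageKeys) { // Row 7
    if (!NECESSARY_STORAGE_KEYS.has(key)) {
      findings.push({ row: 7, priority: "High", detail: `storage key ${key} written before consent` });
    }
  }
  for (const c of cookies) { // Row 12
    const life = cookieLifetimeSeconds(c, now);
    if (life !== null && life > THIRTEEN_MONTHS_SECONDS) {
      findings.push({ row: 12, priority: "Low", detail: `cookie ${c.name} lives ${Math.round(life / 86400)} days` });
    }
  }
  return findings;
}

// Scoring rule from the page: Pass = 1, Partial = 0.5, Fail = 0 over rows 1-12.
// `results` maps row number -> "Pass" | "Partial" | "Fail".
function scoreAudit(results) {
  const points = { Pass: 1, Partial: 0.5, Fail: 0 };
  let score = 0;
  for (let row = 1; row <= 12; row++) {
    if (!(results[row] in points)) throw new Error(`row ${row} has no result`);
    score += points[results[row]];
  }
  const criticalFail = [1, 2, 3, 4].some((row) => results[row] === "Fail");
  return { score, fullCompliance: score === 12, criticalFail, immediateAttention: score < 9 || criticalFail };
}

// Constructed sample snapshot (not captured from any real site).
const SAMPLE_SNAPSHOT = {
  setCookieHeaders: [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.111.222; Path=/; Max-Age=63072000; SameSite=None; Secure",
    "cookie_consent=pending; Path=/; Max-Age=15552000",
  ],
  storageKeys: ["consent_state", "_hjSessionUser_1"],
  requestUrls: ["https://www.example.com/app.js", "https://www.google-analytics.com/collect?v=1"],
};

console.log(JSON.stringify(auditPreConsent(SAMPLE_SNAPSHOT), null, 2));
```

Run it with `node audit.js`. On the constructed snapshot it reports four findings: the `_ga` cookie and the google-analytics.com request before consent (both Critical), a Hotjar storage key (High) and a two-year `_ga` lifetime (Low). Feed `scoreAudit` the Pass/Partial/Fail verdicts for all twelve rows once the manual rows are done; a Fail on rows 1-4 sets `criticalFail` regardless of the total.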
Common shortcuts that backfire
- "We use a CMP, so we are fine." A CMP is only as good as its configuration. Default settings often allow analytics by default.
- "Our lawyer approved the banner text." Legal text does not control script execution. Technical implementation matters more.
- "We only use Google Analytics, that is harmless." Analytics cookies still require consent under the ePrivacy Directive.
- "Server-side tagging fixes everything." It helps with data flow, but if the client-side container loads early, the violation remains.
Download the PDF version
We have formatted this checklist as a printable PDF you can hand to clients, attach to Jira tickets or keep in your compliance folder. It includes extra columns for notes, screenshots and sign-off.
FAQ
How long does a full audit take?
A single page takes 5-10 minutes manually. A full site with 10+ templates takes 1-2 hours. With ConsentScope, you can reduce that to 15 minutes total.
Can I automate this checklist?
Items 1-4 can be fully automated with a tool like ConsentScope. Items 5-12 still require human judgment (policy accuracy, geolocation logic, subdomain behavior).
Do I need to audit after every deployment?
Ideally, yes. Even a minor CSS change can shift script loading order. At minimum, audit after any change to the head section, tag manager, CMP settings or marketing stack.
ConsentScope Team
Privacy Engineers & Chrome Extension Developers
We build tools that help developers, agencies and privacy advocates detect GDPR cookie violations automatically. Our team analyzes consent banners, cookie behavior and third-party scripts across thousands of websites every month.