How to Run a Cookie Audit: Inventory, Scanning, GPC Testing, and Remediation

Table of Contents

In May 2025, the California Privacy Protection Agency fined menswear retailer Todd Snyder $345,178 for a failure the company did not even know it had. The retailer had a consent management platform deployed on its website. It had a banner. It had, by every surface-level measure, a cookie compliance program. What it did not have was a working one: for 40 days, a misconfigured CMP failed to process a single opt-out request, and third-party trackers kept firing regardless of what visitors selected. The CPPA’s message in the enforcement order was unambiguous — deploying a consent tool does not discharge your obligations, and the business remains liable when the tool silently breaks.

That case is the entire argument for the cookie audit in one paragraph. The gap between what your consent infrastructure is configured to do and what it actually does under real conditions is where nearly all modern cookie enforcement lives. Sephora paid $1.2 million in 2022 because its sites ignored Global Privacy Control signals. American Honda paid $632,500 in 2025 in part because its consent flow made opting out harder than opting in. Healthline paid $1.55 million — the largest CCPA settlement to date — over ad trackers that shared article-level browsing data suggesting readers’ health conditions. Tractor Supply paid $1.35 million in late 2025 for, among other things, an opt-out mechanism that did not work. In every one of these actions, a structured cookie audit run internally would have surfaced the violation before a regulator did.

This guide walks through how to run that audit properly — across every site you own, not just the flagship domain — and how to turn it from a one-time cleanup into a repeatable control inside your privacy program.

Why Regulators Keep Winning Cookie Cases

Cookie enforcement succeeds for a simple reason: violations are externally verifiable. A regulator, a plaintiff’s firm, or a privacy researcher can open a browser, enable a GPC extension, load your site, and watch your tags fire in the network tab. No subpoena required. The evidence is generated fresh on every page load.

That is why the enforcement pattern of the last four years has been so consistent. The French CNIL fined Google €150 million and Facebook €60 million because rejecting cookies required more clicks than accepting them — an asymmetry visible to anyone who visited the sites. The California Attorney General’s Sephora action was built on exactly the kind of GPC test described later in this article. The CPPA’s 2024–2025 enforcement sweeps have specifically targeted consent flows, dark patterns, and opt-out mechanics. And on the litigation side, plaintiff firms have filed thousands of California Invasion of Privacy Act (CIPA) suits built on nothing more than a forensic inspection of which trackers, session-replay scripts, and chat widgets load on a defendant’s site — often before any consent interaction occurs.

The takeaway for compliance teams: your cookie estate is being audited whether you audit it or not. The only question is who finds the problems first.

Step 1: Inventory Every Web Property You Operate

A cookie audit scoped only to your primary domain is an audit of your best-behaved property. The violations live elsewhere — on the regional site nobody has touched since the last rebrand, the seasonal campaign microsite that was supposed to come down in Q1, the careers subdomain run by a third-party ATS, the co-branded landing pages where a partner’s tag container runs alongside yours.

Build a complete inventory before any scanner runs. It should include:

  • Primary domains and all subdomains, including staging environments that are accidentally indexed and collecting real traffic
  • Regional and country-specific sites, which often run different CMP configurations — or none at all
  • Campaign microsites and landing pages, especially those built by agencies on separate infrastructure
  • Third-party hosted properties carrying your brand: checkout flows, booking engines, careers pages, support portals
  • Co-branded and partner-operated pages where your tag management code executes
  • Mobile web experiences, which frequently diverge from desktop in banner rendering and opt-out link behavior

Pull this list from more than one source: DNS records, your tag manager’s container list, certificate transparency logs, marketing’s campaign archive, and your CDN configuration. The gap between “sites we actively manage” and “sites that are live and setting cookies” is almost never zero, and Tractor Supply’s enforcement action is a reminder that regulators do not limit their review to the pages your team looks at daily — the California AG’s findings extended to the company’s handling of job applicant data, well off the marketing team’s radar.

Step 2: Map Your Jurisdictional Obligations Before You Scan

Scan results are meaningless without a legal lens to evaluate them against. The same analytics cookie firing on page load is fine for a Texas visitor, a violation for a visitor from Munich, and a potential “sale” triggering opt-out rights for a visitor from Los Angeles. Before running any tooling, document which regimes apply to which properties and audiences:

  • GDPR and the ePrivacy Directive: prior opt-in consent required before any non-essential cookie fires for EU and UK visitors. Consent must be freely given, specific, informed, and as easy to withdraw as to give.
  • CCPA/CPRA: opt-out model, but with teeth — mandatory honoring of Global Privacy Control signals, the “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link requirement, and dark pattern prohibitions that the CPPA has now enforced repeatedly. California’s updated regulations have sharpened expectations around symmetry of choice.
  • The broader U.S. state patchwork: roughly twenty states now have comprehensive privacy laws in effect, with Indiana, Kentucky, and Rhode Island among the most recent to take effect in 2026. Most include universal opt-out mechanism recognition (GPC or equivalent) and their own definitions of sale, share, and targeted advertising.
  • Sector overlays: healthcare properties face HIPAA pixel-tracking exposure and state laws like Washington’s My Health My Data Act; video content triggers VPPA analysis; sites serving children implicate COPPA and state age-appropriate design requirements.
  • Wiretapping statutes: CIPA and its state analogues have become the dominant private-litigation vector for tracking technologies, targeting session replay, chatbots, and pixel deployments under pen-register and interception theories.

Your CMP should already be serving different consent experiences by region. The audit’s job is to verify that geo-targeting actually works — not to assume it does. Load your EU experience through a European VPN endpoint and confirm the opt-in wall holds. A surprising number of “GDPR-configured” sites serve the U.S. opt-out experience to European visitors because a geolocation rule was never tested.

Step 3: Scan Every Property — and Understand What Scanners Miss

Automated scanning is the backbone of the audit. A crawler loads your pages in a clean browser profile and records every cookie set, every third-party request made, and every tracker observed, along with durations, hosts, and categorizations where the tool’s database recognizes them.

A competent scan should surface:

  • First-party cookies set by your own platforms
  • Third-party cookies and network requests from vendors, analytics tools, advertising pixels, and embedded content
  • Cookies firing before any consent interaction — the single most consequential finding category
  • Uncategorized or unrecognized cookies
  • Trackers that re-fire after a user has opted out

But treat any scan report as a floor, not a ceiling. Automated crawls systematically miss several things:

Authenticated and transactional flows. A passive crawler never logs in, never adds an item to a cart, never completes a checkout. Cookies tied to those journeys — frequently the ones handling the most sensitive data — will not appear. Manual walkthroughs of your top five user journeys with browser DevTools open are a mandatory supplement.

Server-side tagging. As more organizations move tags from the browser into server-side containers, client-side scanners see less of the picture. A server-side setup can forward user data to advertising platforms with almost no browser-visible footprint. If you run server-side tagging, your audit must include a review of the container’s configuration and whether consent state is actually passed to and enforced within it. Server-side architecture does not exempt data sharing from consent requirements — it just hides non-compliance from cheap detection.

CNAME-cloaked trackers. Third-party trackers disguised behind first-party subdomains evade tools that classify by domain ownership. Cross-reference your DNS records against your scan output.

Conditional and delayed tags. Tags that fire on scroll depth, exit intent, or time-on-page thresholds may not trigger during a fast automated crawl.

Scans also frequently reveal an organizational problem dressed up as a technical one: cookies set by tags that an agency or vendor added to a shared tag management container without any approval process. For many organizations, the first scan is the first time anyone has seen a complete picture of what actually runs on their sites.

Step 4: Categorize Every Cookie — and Kill the Unknowns

Every observed cookie needs an owner, a purpose, a legal basis, and a category. The standard four-category taxonomy comes from European practice but has become the de facto framework everywhere:

  • Strictly necessary: essential to site operation (session management, security, load balancing). No consent required, but this category is routinely abused — regulators and plaintiffs both scrutinize what businesses self-servingly label “necessary.”
  • Functional: preferences, language settings, enhanced features. Consent required under GDPR; generally lower-risk in the U.S.
  • Performance/analytics: usage measurement. Consent required in the EU; in the U.S., the question is whether the analytics vendor’s data use constitutes a sale or share.
  • Targeting/advertising: behavioral advertising and cross-site tracking. Opt-in territory under GDPR, presumptive sale/share territory under CCPA and most state laws, and the primary fuel for CIPA and VPPA litigation.

For U.S. purposes, layer a second determination onto each entry: does this cookie’s data flow constitute a sale or share under applicable state definitions? That answer — not the GDPR category label — drives your opt-out obligations, your privacy policy disclosures, and your contract requirements with the vendor behind the cookie.

Unknown cookies get one of two dispositions: attributed or removed. An investigation should identify who set it, under what tag, pursuant to what vendor agreement, and for what purpose. If nobody can answer those questions, the cookie has no business on your site. “Unknown” is not a category; it is a finding awaiting remediation.

Step 5: Test What Your Consent Infrastructure Actually Does

This is the step that would have saved Todd Snyder $345,000 and Sephora $1.2 million. Configuration review tells you what the CMP is supposed to do. Only live testing tells you what happens in a real browser.

Global Privacy Control

Install a GPC-enabled browser or extension, load each property in your inventory, and verify three things: non-essential cookies do not fire, no sale/share network requests go out, and the opt-out is recorded in your CMP’s consent log. Run the test on every domain and subdomain separately — GPC handling is configured per-property, and Sephora-style failures on secondary sites will not be caught by testing the flagship. Then repeat the test logged in, because several state laws require the GPC signal to be associated with the known consumer’s account, not just the browser session.

Opt-Out Links

Every property subject to CCPA or a similar state law needs a conspicuous, functioning “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link. Test it end to end: it loads on every domain, on desktop and mobile; it opens a functional preference mechanism rather than dumping the user into a generic privacy policy; the preference persists across sessions; and the preference actually stops the tags. Broken footer links, links that 404 on mobile, and links that route to a page where nothing can be exercised are among the most common audit findings — and were among the specific failures cited in the Tractor Supply action.

Consent Gating — the Test Almost Everyone Skips

Reject all cookies, then watch the network tab. This is the decisive test. A CMP that displays a beautiful banner but is not actually wired to block tag execution is worse than no CMP at all, because it generates documented evidence that the user said no while the tracking continued. Verify that a “reject” selection prevents non-essential tags from firing on the current page and on subsequent navigation, that dismissing the banner without a choice is not treated as consent, and that opting out mid-session stops trackers that already loaded from continuing to transmit.

Dark Pattern Review

Compare your accept and reject paths side by side. Equal visual prominence, equal click depth, no confirm-shaming language, no pre-ticked boxes, no “cookie walls” conditioning access on consent where prohibited. The CNIL’s nine-figure fines against Google and Meta, and the CPPA’s Honda action, all turned on asymmetry between the accept path and the decline path. California’s regulations treat consent obtained through dark patterns as no consent at all.

Consent Records

Finally, verify that your CMP is producing and retaining consent receipts: timestamp, consent string or preference state, policy version, and mechanism. When a regulator or plaintiff alleges tracking without consent, these records are your defense — if they exist and if they match observed site behavior.

Step 6: Reconcile Your Privacy Notice and Cookie Policy With Reality

Every audit changes the ground truth: cookies removed, vendors added, categories corrected. Your privacy notice and cookie policy must be updated to match, because a disclosure that describes a cookie estate you no longer run is an inaccurate disclosure — independently actionable under CCPA, GDPR, and FTC Section 5 deception principles. Check that the notice accurately lists cookie categories and purposes, identifies vendor relationships and sale/share activity, and describes the actual opt-out mechanisms available. Then confirm the “last updated” date and policy versioning in your CMP so consent records tie to the correct disclosure version.

Step 7: Fix the Governance Gap That Caused the Findings

If your audit surfaced unauthorized tags, the root cause is almost never technical. It is that too many people can publish to your tag management container and nobody owns the approval process. Durable remediation means:

  • Access control: audit who has publish rights in your tag manager — including agency and vendor accounts — and cut the list down. Require two-person review for container publishes.
  • A vendor and tag approval workflow: no new pixel, script, or SDK ships without privacy review, a contract addressing data use, and a categorization entry in the cookie inventory.
  • Defined ownership: a named owner for cookie compliance spanning legal, marketing, and engineering, so findings do not die in the seam between departments.
  • Documentation: findings, remediation actions, retest results, and dates. This paper trail is what converts “we try to comply” into demonstrable accountability when a regulator asks.

Step 8: Make It Continuous

Cookie estates drift constantly — every feature release, agency campaign, and vendor SDK update changes what fires on your pages. A point-in-time audit starts decaying the day it is finished. A defensible program pairs a scheduled deep audit (quarterly for most organizations; monthly for high-change environments or significant EU exposure) with continuous automated monitoring that alerts on new or uncategorized cookies, consent-gating regressions, and trackers firing pre-consent between audit cycles.

Define unscheduled audit triggers as well: a new state law taking effect, a tag manager migration, a replatform, a new co-branded campaign, an acquisition, or a vendor’s own change in data practices. Any of these should prompt a fresh review rather than waiting for the calendar.

The Cookie Audit Checklist

  1. Build a complete inventory of every domain, subdomain, microsite, and partner property
  2. Map applicable regimes (GDPR/ePrivacy, CCPA, state laws, sector overlays, wiretapping statutes) per property and audience
  3. Run automated scans on every property — then manually test authenticated flows, server-side tagging, and delayed tags
  4. Categorize every cookie; investigate or remove every unknown
  5. Live-test GPC honoring, opt-out links, consent gating on rejection, and dark pattern symmetry — per property, per device
  6. Verify consent records are captured, versioned, and retained
  7. Update the privacy notice and cookie policy to match the post-audit estate
  8. Lock down tag manager access and stand up a tag approval workflow
  9. Set a recurring cadence plus continuous monitoring and defined re-audit triggers
  10. Document everything: findings, fixes, retests, dates

Run Your Cookie Audit With Captain Compliance

The enforcement record is clear: banners do not protect you, and neither do good intentions. What protects you is verified behavior — consent infrastructure that demonstrably blocks what it should block, honors every GPC signal on every property, and produces the records to prove it.

Captain Compliance operationalizes the entire process described in this guide. Our platform continuously scans and monitors every website you own, flags unauthorized and uncategorized trackers in real time, enforces consent gating across client-side and server-side tags, honors Global Privacy Control automatically across all U.S. state frameworks, and maintains audit-ready consent records tied to versioned policies. Instead of a quarterly scramble, you get a cookie compliance program that is always in an audited state.

Book a demo below with Captain Compliance and see what is actually firing on your websites — before someone else does.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.