How do I know which cookies my website places?

Open your website in an incognito window, open the browser developer tools (F12), go to the Application > Cookies tab. You'll see all cookies being placed. Additionally, use a scanner (like GDPRWise) to detect hidden trackers and third-party cookies.

Do I need to document first-party cookies too?

Yes. All cookies must be documented in your cookie policy, both first-party (your own cookies) and third-party (cookies from external services).

How often should I do a cookie audit?

At least once a year, and after every significant change to your website (new tools, plugins, tracking scripts). Websites change continuously and cookies can be added unnoticed.

What if I find cookies I don't recognise?

Look up the cookie name in a cookie database (such as cookiedatabase.org) or contact your website developer. Unknown cookies often come from plugins, ad networks, or analytics tools installed at some point.

Cookie Audit Template - Map Your Website Cookies

The GDPR requires you to know which cookies your website places and why. Use this template to map your cookies and get your cookie policy in order.

Your cookie banner asks visitors for consent to cookies. But if you don’t know exactly which cookies your website places, that consent doesn’t match reality. And a cookie banner that doesn’t match reality is worse than no cookie banner.

Supervisory authorities actively check cookie compliance. The French CNIL imposed fines up to 150 million euros on large tech companies for cookie violations in 2022. For SMEs, fines are smaller, but the risk is real.

Step 1: Inventory your cookies

Use the template below to document each cookie.

Cookie name	Type	Party	Purpose	Duration	Consent?
`_ga`	Analytics	Third-party (Google)	Visitor statistics	2 years	Yes
`_gid`	Analytics	Third-party (Google)	Session identification	24 hours	Yes
`_fbp`	Marketing	Third-party (Facebook)	Facebook Pixel tracking	3 months	Yes
`PHPSESSID`	Functional	First-party	Session ID cart/login	Session	No
`cookie_consent`	Functional	First-party	Remembers cookie choice	1 year	No
[name]	[type]	[party]	[purpose]	[duration]	[yes/no]

Step 2: Categorise your cookies

The GDPR and ePrivacy Directive distinguish four categories:

Strictly necessary (no consent required) Cookies essential for the website to function. Examples: session cookies, shopping cart cookies, cookie preferences.

Functional (consent recommended) Cookies that provide extra functionality but are not strictly necessary. Examples: language preference, chat widget status.

Analytics (consent required) Cookies that measure visitor behaviour. Examples: Google Analytics, Hotjar, Matomo (unless configured without cookies).

Marketing (consent required) Cookies for advertising purposes and tracking. Examples: Facebook Pixel, Google Ads remarketing, LinkedIn Insight Tag.

After the audit, check that your cookie banner:

Lists all cookies in the correct category
Offers a real choice: “Accept” and “Refuse” equally prominent, no dark patterns
Only places cookies after consent: non-essential cookies may only be activated after the visitor gives consent
Remembers the choice: a visitor who refuses must not be asked again on every visit
Contains a link to your full cookie policy

Step 4: Repeat regularly

Websites change continuously. A new WordPress plugin, a chat widget, a social media share button - they can all place cookies without you knowing.

Schedule your cookie audit:

Annually as a minimum
After every major website change (new tools, redesign, new marketing campaign)
After a report or complaint from a visitor

auto_awesome Automatic cookie scan?

GDPRWise scans your website and automatically detects all cookies, trackers, and third parties. You get a complete overview without having to search manually.

Start your free scan

Template: Cookie Audit for Your Website

Why a cookie audit?

Step 1: Inventory your cookies

Step 2: Categorise your cookies

Step 3: Check your cookie banner

Step 4: Repeat regularly