
AI-generated (Gemini Pro)
How to Audit Your Website for GDPR Compliance (Step-by-Step Guide)
Many websites fail GDPR compliance audits because they never check what actually runs on the site. This step-by-step guide shows how to audit your website for real compliance: what loads before consent, what leaves your domain, and how to fix the main risks.
- GDPR compliance audit: A check that your site obtains consent before non-essential tracking, discloses data processing clearly, and behaves in line with what you promise. Real audits look at runtime behaviour, not only policy text.
- Runtime audit: Testing that runs your site in a real browser and observes what loads and when, including scripts and trackers that load after page load. Static checks (HTML only) miss these.
- Consent before tracking: Under GDPR and ePrivacy, non-essential cookies and tracking must not run until the user has given valid consent. If trackers load before “Accept”, you are in violation.
GDPR requires consent before processing for non-essential tracking and clear, accessible privacy information. To audit properly you must test actual behaviour: what scripts and requests run before consent, what loads dynamically, and whether your disclosures match reality. This guide walks through five steps — from checking pre-consent load to using an automated runtime scanner — so you can find and fix the most common violations. For product and pricing, see SecureSpells and pricing.
This article is for educational purposes and does not constitute legal advice. For compliance decisions, consult a qualified legal or privacy professional.
Step 1: Check what loads before consent
Visit your website in a private/incognito window and do not click “Accept” or “Allow” on the cookie banner. In the browser’s Network tab (or with a compliance tool), see what requests are made on first load. Trackers and analytics should not load until after consent. If you see Google Analytics, ad scripts, or other non-essential requests before you have accepted cookies, you have a consent violation.
Learn more: Cookies loading before consent.
Step 2: Check network requests
Trackers send data to third-party servers. Many site owners never inspect this. Filter the Network tab by known domains (e.g. google-analytics.com, doubleclick.net, facebook.com) or by “tracking”/“analytics” if your tool supports it. Requests to these domains before consent indicate that tracking is running too early. Note which scripts or tags trigger them so you can fix the implementation.
Step 3: Check dynamically loaded scripts
Many trackers load after the initial page load — for example via Google Tag Manager or other tag management scripts. Static testing (reading HTML or a single snapshot) misses these. You need a runtime view: either watch the Network tab over a few seconds after load, or use a scanner that runs the page in a real browser and reports what fired and when. If you only check the initial HTML, you may wrongly assume you are compliant.
Related: Why runtime GDPR scanning is one of the most reliable ways to detect real violations.
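Steps 1 to 3 produce a list of requests in the Network tab that you then have to sort by eye. The script below is an added example (not code from this article or from SecureSpells) that does that sorting over a HAR export of the Network tab: it flags requests to the tracker domains named above, marks which fired before the consent click, and which were injected after the initial page load. The sample HAR entries, the timestamps and the example.com site are constructed; the consent time is something you note yourself, since a HAR does not record clicks.

```javascript
// Added example, not code from the article or from SecureSpells. It applies Steps 1-3 to a
// HAR export from the browser Network tab ("Save all as HAR") so pre-consent and dynamically
// loaded tracker requests can be listed rather than eyeballed.
// Tracker domains start from the ones the article names; extend the list for your stack.
const TRACKER_DOMAINS = ["google-analytics.com", "doubleclick.net", "facebook.com"];

// True when hostname is the domain itself or one of its subdomains (www.google-analytics.com),
// but not a look-alike such as google-analytics.com.attacker.example.
function matchesDomain(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// entries: har.log.entries. siteHost: your own registrable domain (its requests are first-party
// and skipped). consentAt: ISO time of the "Accept" click, or null if the banner was never
// accepted. domLoadedAt: ISO time of the initial document load (HAR pages[].pageTimings).
function auditRequests(entries, { siteHost, consentAt = null, domLoadedAt }) {
  const consentTs = consentAt === null ? Infinity : Date.parse(consentAt);
  const loadTs = Date.parse(domLoadedAt);
  const findings = [];
  for (const e of entries) {
    const host = new URL(e.request.url).hostname;
    if (matchesDomain(host, siteHost)) continue; // first-party request, not a tracker
    const tracker = TRACKER_DOMAINS.find((d) => matchesDomain(host, d));
    if (!tracker) continue;
    const t = Date.parse(e.startedDateTime);
    findings.push({
      url: e.request.url,
      tracker,
      preConsent: t < consentTs, // Step 1: fired before the user accepted
      dynamic: t > loadTs,       // Step 3: injected after the initial page load
    });
  }
  return findings;
}

// Constructed sample HAR entries (not a real capture): banner shown, never accepted.
const SAMPLE_ENTRIES = [
  { startedDateTime: "2024-05-01T10:00:00.000Z", request: { url: "https://www.example.com/" } },
  { startedDateTime: "2024-05-01T10:00:00.150Z", request: { url: "https://cdn.example.com/app.js" } },
  { startedDateTime: "2024-05-01T10:00:00.300Z", request: { url: "https://www.google-analytics.com/collect?v=1" } },
  { startedDateTime: "2024-05-01T10:00:02.500Z", request: { url: "https://stats.g.doubleclick.net/r/collect" } },
];
const SAMPLE_OPTIONS = { siteHost: "example.com", consentAt: null, domLoadedAt: "2024-05-01T10:00:00.500Z" };

console.log(JSON.stringify(auditRequests(SAMPLE_ENTRIES, SAMPLE_OPTIONS), null, 2));
```

A finding with `dynamic: true` is exactly the kind of request a static HTML check misses; `preConsent: true` on any finding is the Step 1 violation.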
Step 4: Check your privacy disclosures
Your privacy (and cookie) policy must clearly disclose which trackers you use, what data you collect, and for what purposes. Check that:
- Trackers — Analytics, advertising, and other third-party scripts are named and explained.
- Data collection — Types of data (e.g. IP, device, behaviour) are described.
- Purpose and legal basis — You state why you process data (e.g. consent, legitimate interest) and how users can withdraw consent or opt out.
If your policy is vague or missing key tools that your audit found, update it.
Related: Privacy policy best practices.
Step 5: Use a compliance scanner
Manual audits are time-consuming and easy to get wrong. Automated runtime scanners load your site like a real user and report pre-consent tracking, hidden requests, and other compliance risks. SecureSpells runs a full runtime audit and surfaces:
- Hidden trackers — Scripts or pixels that load before or without consent.
- Consent violations — Non-essential cookies or tracking firing on first visit.
- Compliance risks — A prioritised view so you can fix the highest-impact issues first.
Run a full audit: See what loads before consent and what leaves your site. One scan, clear report.
Run a free audit: SecureSpells.
What SecureSpells detects
A SecureSpells runtime audit identifies:
- Hidden trackers — Third-party scripts and requests that run before consent or that you did not know were present.
- Consent violations — Analytics, ads, or other non-essential tracking firing on first load.
- Compliance risks — Summarised so you can block trackers until consent, fix your banner, and align disclosures with actual behaviour.
Combined with the manual steps above (especially reviewing your privacy policy), you get a realistic picture of your GDPR exposure.
Final takeaway
Most violations are invisible until you test. Audit your site by checking what loads before consent, what network requests are made, what loads dynamically, and whether your disclosures are accurate. Use a runtime compliance scanner to automate the technical part, then fix the issues and keep your policy in sync. Scanning and fixing early is far cheaper than dealing with a complaint or fine.
Scan your website now: Run a free GDPR compliance audit.
Frequently asked questions
How do I audit my website for GDPR compliance?
Test real behaviour: (1) Visit your site without accepting cookies and check what loads. (2) Inspect network requests to see which trackers fire. (3) Account for scripts that load after page load. (4) Review your privacy policy for accuracy and completeness. (5) Use a runtime compliance scanner to automate detection of pre-consent tracking and hidden risks.
What should not load before cookie consent?
Non-essential cookies and tracking should not load before consent. That includes analytics (e.g. Google Analytics), advertising scripts, and other third-party trackers. Strictly necessary cookies (e.g. for the consent banner itself or security) may run before consent if they are limited to that purpose.
Why do I need a runtime audit and not just a static check?
Many trackers are injected dynamically (e.g. via Google Tag Manager) after the initial page load. A static check of HTML or a single snapshot misses them. A runtime audit runs your site in a real browser and observes what actually loads and when, so you see pre-consent violations that static tools cannot detect.
What does SecureSpells check in a GDPR audit?
SecureSpells runs your site in a real browser and reports: trackers or scripts loading before consent, hidden third-party requests, consent bypasses, and other compliance risks. It gives you a clear list of issues to fix so you can block tracking until consent and align your disclosures with actual behaviour.