
SecureSpells
Website Cookie Scanner Guide: How to Scan Sites Correctly
To scan a website for cookie compliance, set up a clean consent state first (private window, no prior cookies), then run the scan and review three areas: what fires before consent, what third-party domains receive data, and whether your consent banner actually blocks tracking. Findings should map to specific scripts and remediation steps — a cookie list alone is not enough.
Website cookie scanners range from simple inventory tools to full runtime compliance auditors. Getting useful results depends on how you set up the scan, not just which tool you use. This guide explains how to scan correctly and what to do with the results. Scope: EU/EEA GDPR and ePrivacy Directive. UK GDPR applies equivalent requirements.
This article is for educational purposes and does not constitute legal advice. For compliance decisions, consult a qualified legal or privacy professional.
- Website cookie scanner: A tool that visits your site and records cookies, tracking scripts, and network requests, producing a report that shows what data is collected and what compliance risks are present.
- Pre-consent state: The state of your site before a visitor interacts with the consent banner — i.e. first load with no prior consent given. Scanning in this state reveals which cookies and trackers fire without consent, which is the highest compliance risk.
- Remediation: The set of technical changes that fix identified compliance issues — for example, blocking a tracker in GTM until consent is granted, or updating CMP configuration to gate a script.
Pre-scan setup and consent-state testing
Most scan errors come from scanning in the wrong state. Before running a cookie scan:
- Clear all cookies and consent records. Use a private/incognito browser window. If testing manually, delete cookies for your domain in DevTools → Application → Storage.
- Do not accept the consent banner. If you accept cookies before scanning, you will see the post-consent cookie set — which misses the most important question: what fires before consent.
- Scan in rejected state too. Run a second scan after explicitly rejecting all cookies. Any trackers that still fire in this state represent a consent bypass.
- Test multiple pages. Compliance risks often appear on specific pages (checkout, blog, landing pages) — not just the homepage. Scan your highest-traffic URLs.
- Use a tool that supports consent-state simulation. Runtime scanners (e.g. SecureSpells) automate consent rejection and report pre-consent behavior; static scanners do not.
Interpreting scanner results
A scanner report typically contains:
| Report section | What to look for |
|---|---|
| Cookies list | Categories (necessary vs non-essential); which are set pre-consent |
| Third-party domains | External domains that receive requests on page load — check for analytics, ad networks, pixels |
| Pre-consent requests | Any non-necessary request before consent = compliance risk |
| CMP behavior | Does the scan confirm that rejecting cookies stops tracking? |
| Risk score / priority | Which issues are highest severity (usually pre-consent analytics and ad tracking) |
Focus first on pre-consent non-essential tracking — this is the primary enforcement target under GDPR and ePrivacy. See Cookies loading before consent for examples.
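The triage described above can be reproduced by hand from two HAR exports, one captured before any banner interaction and one after rejecting all cookies. The following is an added example, not SecureSpells code or part of the original article. The site domain, both allow-lists and the HAR fragments are constructed assumptions, and the first-party check is a simplification.

```javascript
// Added example: SITE, the allow-lists and both captures are constructed
// assumptions. Replace them with your own domain and HAR exports.
const SITE = "shop.example";
const NECESSARY_HOSTS = new Set(["cdn.assets.example"]); // e.g. static asset CDN
const NECESSARY_COOKIES = new Set(["session_id", "consent_choice"]);

// Simplified first-party test (exact host or subdomain). A production
// scanner would compare registrable domains using the Public Suffix List.
const isThirdParty = (host) => host !== SITE && !host.endsWith("." + SITE);

// Cookie names taken from the Set-Cookie response headers of one HAR entry.
const cookieNames = (entry) => entry.response.headers
  .filter((h) => h.name.toLowerCase() === "set-cookie")
  .map((h) => h.value.split("=")[0].trim());

// Audit one capture. `state` is "pre-consent" or "rejected".
function auditCapture(har, state) {
  const issue = state === "rejected" ? "consent-bypass" : "fires-before-consent";
  const findings = [];
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (isThirdParty(host) && !NECESSARY_HOSTS.has(host)) {
      findings.push({ issue, kind: "request", host, page: entry.pageref });
    }
    for (const cookie of cookieNames(entry)) {
      if (!NECESSARY_COOKIES.has(cookie)) {
        findings.push({ issue, kind: "cookie", host, cookie, page: entry.pageref });
      }
    }
  }
  return findings;
}

// Constructed HAR fragments (only the fields the audit reads).
const entry = (pageref, url, setCookies = []) => ({
  pageref, request: { url },
  response: { headers: setCookies.map((value) => ({ name: "Set-Cookie", value })) } });
const preConsent = { log: { entries: [
  entry("checkout", "https://shop.example/checkout", ["session_id=abc; HttpOnly"]),
  entry("checkout", "https://cdn.assets.example/app.js"),
  entry("checkout", "https://analytics.tracker.example/collect?v=1", ["_uid=123; Max-Age=63072000"]),
  entry("checkout", "https://ads.pixel.example/tr?ev=PageView"),
] } };
const rejected = { log: { entries: [
  entry("checkout", "https://shop.example/checkout", ["consent_choice=reject"]),
  entry("checkout", "https://ads.pixel.example/tr?ev=PageView"),
] } };

console.log(auditCapture(preConsent, "pre-consent"), auditCapture(rejected, "rejected"));
```

Each finding names the host and page it came from, so it can be traced to the tag or script that caused it.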
Turning findings into remediation tasks
For each finding, map it to a specific fix:
| Finding | Remediation |
|---|---|
| Analytics fires before consent | Move GA tag / GTM trigger to fire only after consent is granted; use Consent Mode v2 |
| Ad pixel fires pre-consent | Gate pixel in GTM or CMP tag blocking; verify with re-scan |
| CMP does not block on reject | Check CMP configuration; verify tag blocking mode is enabled |
| Undisclosed third party found | Add to cookie/privacy policy; gate or remove if no lawful basis |
| Same cookie/tracker on multiple pages | Fix at tag manager level, not page by page |
After each fix, re-scan to confirm the issue is resolved. Sites change with every release; scheduled or recurring scans reduce the risk of new violations going undetected.
Methodology and sources
- EDPB Cookie Banner Taskforce report on pre-consent behavior expectations.
- ePrivacy Directive and GDPR Art. 5(3) requirements for consent before non-essential storage.
- Last updated: 2026-03-26.