Cookie Audits Explained: How to Identify and Classify Trackers
Mar 24, 2026
Introduction
Every time a user lands on a website, a series of small data exchanges happens in the background. Cookies and tracking technologies record preferences, log session activity, feed advertising platforms, and, in some cases, build detailed behavioural profiles across dozens of sites. Most of this happens invisibly, and a significant portion of it happens without the website owner’s active knowledge.
A cookie audit changes that. It is the process of systematically scanning a website, identifying every tracker in operation, mapping each one to a purpose and a legal basis, and producing a documented record that can be used to build compliant consent flows. Cookie audits have become a core compliance obligation for governance under both the EU’s GDPR and ePrivacy Directive and India’s Digital Personal Data Protection Act, 2023 (DPDP Act).
Regulators are no longer satisfied with visible cookie banners. France’s CNIL, Germany’s BfDI, and Sweden’s IMY have each issued significant enforcement actions targeting websites where cookies fired before consent was recorded, or where consent logs could not be produced on demand. In India, the Data Protection Board gains enforcement powers in 2027, and cookie-based processing falls squarely within the DPDP Act’s consent requirements. The audit is where compliance actually begins.
A cookie audit is a comprehensive scan of the tracking technologies operating on a website, combined with an analysis of whether each has a valid legal basis. An audit typically covers three areas: the organisation’s cookie documentation (the cookie policy and privacy policy), the cookie banner and consent mechanism, and a technical scan of up to thousands of website pages to produce a categorised report of every cookie in operation, including any that cannot be identified or classified.
The case for conducting one regularly is grounded in enforcement data by regulatory agencies such as CNIL and ICO. Regulatory investigations in 2024 and 2025 specifically targeted undisclosed third-party trackers, misclassified cookies presented as “necessary” when they required consent, and the absence of verifiable consent records. Marketing and development teams routinely deploy new tracking pixels, analytics integrations, and third-party scripts without privacy review. Without continuous monitoring, these become unlawful processing activities that the organisation cannot identify, let alone validate.
The output of a well-run audit is a documented register of every tracker: its name, purpose, retention period, the data it collects, whether it is first-party or third-party, and which legal basis applies. That inventory drives the consent banner configuration, the cookie policy, and the records an organisation can produce during a regulatory inspection.
Understanding Cookie Categories
The four-category classification framework used across GDPR guidance and most consent management platforms is not arbitrary. Each category represents a distinct purpose and, critically, a distinct legal position under both the ePrivacy Directive and the DPDP Act. Misclassifying a cookie is one of the most consistently enforced compliance failures; the most common version is labelling analytics or advertising cookies as “strictly necessary” to avoid triggering a consent requirement.
Strictly Necessary Cookies
Strictly necessary cookies are those without which the requested service simply cannot be delivered. Under Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC), these are the only cookies that do not require prior informed consent. The exemption is narrow and operates under two distinct grounds. Under Exemption B (strictly necessary for a user-requested service), it covers session cookies that hold shopping basket contents and authentication cookies that maintain a login state. Separately, Exemption A (transmission of a communication) applies to load-balancing cookies and similar technical cookies required to route network traffic.
Strictly necessary does not mean useful to the organisation. It means the user cannot access the service they asked for without it. Two conditions must both be met: the specific functionality requires the cookie, and the user explicitly requested that functionality. Language preference cookies that a user has actively set can qualify; analytics cookies that the organisation finds valuable cannot, even if configured to be privacy-friendly. Although consent is not required for strictly necessary cookies, organisations are still expected to inform users of their existence via a cookie policy.
Preference or Functionality Cookies
Preference cookies remember user choices that go beyond what is strictly required for service delivery. Common examples include remembered language settings, personalised display options, and region or currency preferences. These do not collect personal data for advertising purposes, but they do store information about individual behaviour across sessions.
Under both the ePrivacy Directive and the DPDP Act, preference cookies require consent unless they satisfy the narrow exemption. Some cookies used for remembering language preferences can, in some circumstances, fall within the strictly necessary exemption where those preferences were explicitly set by the user, though national DPAs apply this inconsistently. In practice, organisations should obtain consent for preference cookies rather than assume the exemption applies, unless legal advice in the specific jurisdiction confirms otherwise.
Analytics or Performance Cookies
Analytics cookies collect information about how users interact with a website: which pages they visit, how long they stay, which links they click, and where they arrive from. Standard implementations such as Google Analytics assign a unique identifier to each visitor and log their session behaviour. That identifier, combined with IP address and device signals, is sufficient to identify an individual under the GDPR definition of personal data under Article 4(1).
The consent position for analytics cookies is less uniform across jurisdictions than it is for the other categories, and this is where organisations most commonly make errors. Third-party analytics cookies are almost always subject to consent requirements. The UK ICO and the Belgian and Irish DPAs take the position that analytics cookies always require consent; France’s CNIL and Germany’s BfDI permit narrow and restrictive exemptions for first-party analytics where data is genuinely anonymised, opt-outs are available, and cross-site tracking is disabled. Under India’s DPDP Act, analytics cookies that process personal data require consent with no equivalent carve-out.
The safest position for most organisations is to treat standard analytics implementations as requiring consent, configure cookie blocking so analytics scripts do not fire until consent is recorded, and document the legal analysis supporting any exemption claim for first-party configurations. National DPA enforcement from 2024 and 2025 is consistent that legitimate interest is not a valid basis for analytics cookies; consent or genuine anonymisation are the only defensible positions.
Marketing or Targeting Cookies
Marketing cookies track user behaviour across websites to build behavioural profiles for targeted advertising. They are almost always third-party, placed by advertising networks rather than the website itself, and they share data across the advertising ecosystem. A Facebook Pixel, a Google Ads conversion tag, and a programmatic ad network cookie are all marketing cookies. They are among the most data-intensive trackers in common use and attract the most regulatory scrutiny.
Under the ePrivacy Directive and GDPR, marketing cookies require prior, explicit, granular consent with no exemption available. Consent must be obtained before the cookie fires; loading an advertising script in the page header and waiting for the user to respond to a banner is a compliance failure. All non-necessary cookies must be blocked from executing before consent is obtained, and “Accept All” and “Reject All” options must have equal visual prominence under Article 7(3) GDPR, which also requires that withdrawing consent be as easy as giving it. Withdrawal is not retroactive: processing that occurred before the withdrawal remains lawful. Under India’s DPDP Act, marketing cookies that process personal data, including behavioural tracking and profiling, require the same affirmative, purpose-specific consent under Section 6(1), with the additional restriction that behavioural monitoring of children is entirely prohibited.
The Legal Framework: What GDPR, the ePrivacy Directive, and the DPDP Act Require
The EU: ePrivacy Directive and GDPR Working Together
The EU’s cookie compliance framework operates across two instruments. The ePrivacy Directive (2002/58/EC), as amended by Directive 2009/136/EC, is the lex specialis that determines when consent is required: it applies to any technology that stores or accesses information on a user’s device. The GDPR then defines what valid consent looks like. ePrivacy sets the trigger for consent; the GDPR sets the standard it must meet.
Under Article 5(3) of the ePrivacy Directive, prior opt-in consent is required to store or access information on a user’s device, unless strictly necessary for a service the user explicitly requested. This applies not only to HTTP cookies but also to local storage, browser caches, pixels, URL tracking parameters, fingerprinting, and any other mechanism that stores or accesses information on terminal equipment. In October 2024, the EDPB confirmed in Guidelines 2/2023 (version 2.0) that the execution of tags or pixels on a website falls within the technical scope of Article 5(3) and requires explicit consent unless absolutely necessary for the website to function. The GDPR then sets the consent standard under Article 4(11): freely given, specific, informed, and unambiguous, with no pre-ticked boxes and no conditioning of services on consent to non-essential processing.
Enforcement under this framework has intensified considerably. Cumulative GDPR fines across 2,245 enforcement actions totalled €5.65 billion as of March 2025, with consent violations among the most frequently enforced categories. France’s CNIL issued €139 million in combined cookie-related fines between 2022 and 2024, including a €150 million fine against Google in January 2022 for dark pattern cookie banners. The BfDI found that over 40% of German firms audited in 2024 failed to produce valid consent evidence within the 10-day response window.
A significant development occurred in November 2025 when the European Commission published a proposal to reform the ePrivacy regime. Rather than a wholesale shift to opt-out, the proposal creates specific carve-outs, including for first-party audience measurement and security purposes, that would permit processing without consent in narrowly defined circumstances. It also proposes to integrate the core cookie rules into a new Article 88a of the GDPR. Whether controllers will be able to rely on legitimate interest more broadly under the revised regime remains contested, and the ePrivacy Directive continues to apply for non-personal data, meaning many operators will still need to navigate both frameworks even after any reform. The proposal is at an early legislative stage. The current consent-based framework remains fully in force until any reform comes into effect, which even optimistic projections place no earlier than 2027, with the specific cookie provisions subject to their own transitional period thereafter.
India: The DPDP Act, the IT Rules, and What’s Different
India’s DPDP Act does not mention cookies by name, but its scope is clear. The Act governs the processing of “digital personal data,” defined under Section 2(t) as any data about an individual who is identifiable directly or indirectly. Cookies that assign unique identifiers, log IP addresses, track browsing behaviour, or enable profiling fall within this definition, and their processing requires consent under Sections 4 and 6 of the Act.
The threshold question for any cookie deployment under the DPDP Act is whether personal data is being processed. If it is, Section 6(1) requires that consent be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. Strictly necessary cookies that do not process personal data, such as a session cookie that holds basket contents with no user identifier, may fall outside the Act’s scope entirely. But the moment a cookie assigns or reads a persistent identifier linked to an individual’s behaviour, the Act applies. One meaningful difference from the GDPR is the granularity question. Under GDPR, consent for each cookie purpose must be granular: users should be able to accept or reject different categories of cookies separately. The DPDP Act, on the other hand, does not explicitly deal with cookies or require this level of granularity. However, it still insists on consent being specific, informed and purpose-based, so relying only on a blanket cookie consent approach may not be enough to ensure compliance. The MeitY Business Requirements Document for Consent Management (June 2025) recommends that banners provide “Accept,” “Reject,” and “Customise” options as best practice, and Phase 2 rules may impose more granular requirements.
For cookies that process sensitive personal data, the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) remain relevant alongside the DPDP Act, though there is an active debate about the precise extent to which they remain operative given the DPDP Act’s Section 40 repeal provision and the absence of a commencement notification for that section. Where cookies collect health data, financial information, biometric data, or similar sensitive categories, the SPDI Rules require written consent obtainable through electronic means. The DPDP Act’s consent standard applies on top of this, creating a layered obligation for platforms that process sensitive data through cookie-based mechanisms.
India’s DPDP Act imposes an additional restriction with no direct GDPR equivalent: the absolute prohibition on behavioural monitoring of children under Section 9. Section 9 prohibits data fiduciaries from tracking, behavioural monitoring, or conducting targeted advertising directed at minors. It should be noted, however, that Rule 11 read with the Fourth Schedule of the DPDP Rules 2025 exempts specific classes of data fiduciaries, including clinical establishments, educational institutions, and crèches, from the prohibitions in Sections 9(1) and 9(3). For commercial, advertising-driven tracking, the prohibition applies to such users without qualification.
Key Differences
Granular consent: GDPR requires purpose-level granular consent under Article 6(1)(a) (users can accept analytics and reject marketing separately). The DPDP Act currently permits general consent for cookies, though best practice under the MeitY BRD recommends category-level choices.
Legitimate interests: GDPR permits legitimate interest as a lawful basis under Article 6(1)(f) in limited contexts, though enforcement practice has rendered it an unreliable basis for non-essential tracking. The DPDP Act has no equivalent; consent is the only available basis for most cookie-based processing.
Age limit: GDPR requires parental consent for processing children’s data. The DPDP Act’s Section 9 goes further, prohibiting behavioural monitoring and targeted advertising directed at minors, subject to the Rule 11 exemptions for specified categories of data fiduciary.
Enforcement timeline: GDPR enforcement is active and fines are substantial. India’s Data Protection Board is expected to begin enforcement from 2027, but organisations should be building compliant infrastructure now.
Functioning of a Cookie Audit: What must be covered
A cookie audit that produces only a list of cookie names is insufficient for compliance purposes. A complete audit addresses five areas:
Identification: A technical scan of all website pages to identify every cookie and tracker firing, including those placed by third-party scripts, embedded content (social media widgets, video players), advertising tags, and analytics integrations. Automated scanning tools provide a baseline, but automated detection must be supplemented with manual review of tag management systems, marketing automation platforms, and third-party integrations. Tag managers in particular allow scripts to be deployed outside the audit cycle, meaning consent logs can become misaligned with the actual cookie inventory if only point-in-time audits are conducted.
Classification: Each discovered cookie must be assigned to one of the four categories: strictly necessary, preference, analytics, or marketing. Misclassification is itself a compliance risk; enforcement actions from 2024 and 2025 specifically targeted misclassified analytics cookies labelled as necessary.
Legal basis: For each cookie, the audit must identify the applicable legal basis. Under GDPR, strictly necessary cookies rely on the Article 5(3) ePrivacy exemption; all others require consent under Article 6(1)(a) GDPR. Under the DPDP Act, cookies that process personal data require consent under Section 6(1) unless they fall within a Section 7 legitimate use, which is unlikely for most commercial tracking.
Documentation: The audit output should be a cookie declaration: a structured register listing every cookie’s name, category, purpose, data collected, retention period, and whether it is first-party or third-party. This declaration populates the cookie policy, the consent banner’s information layer, and the records held in case of a regulatory inquiry.
Consent review mechanism: The audit should assess whether the existing consent banner blocks non-necessary cookies before consent is recorded, whether “Accept All” and “Reject All” options have equal prominence under Article 7 GDPR, whether withdrawal is as easy as giving consent, and whether consent logs are being maintained in an auditable format. France’s CNIL requires five-year retention of consent logs; Germany’s BfDI examines server-side proof of consent; and under India’s DPDP Act, the Section 6(5) evidentiary burden requires fiduciaries to prove compliant consent in any proceeding.
Common Compliance Failures and What They Cost
Regulatory investigations consistently reveal the same patterns. Understanding them is useful for organisations conducting their first audit or reviewing an existing programme.
Cookies firing before consent: Non-essential cookies that execute on page load, before any consent interaction, are the single most commonly penalised failure. The technical fix requires a Consent Management Platform that actually blocks scripts until consent is recorded; a cookie banner that appears on screen while cookies run in the background is not compliant.
Misclassification: Presenting analytics or advertising cookies as “strictly necessary” to avoid triggering a consent requirement has been directly targeted by CNIL and BfDI enforcement. The strictly necessary category under Article 5(3) is narrow and applies only where the cookie is technically essential for a service the user explicitly requested.
Dark patterns in consent banners: Designs that make “Accept All” visually prominent while burying “Reject All” in sub-menus, or that require multiple clicks to decline, fail the freely given standard under GDPR Article 7 and the unconditional consent requirement under DPDP Act Section 6(1). Sweden’s IMY and France’s CNIL have both issued penalties specifically for manipulative banner design.
Undisclosed third-party trackers: Trackers that appear in a technical scan but are absent from the cookie policy and consent banner represent an undisclosed processing activity. Marketing teams frequently add tracking pixels and advertising tags without notifying the privacy or legal function. Because tag managers allow scripts to be deployed between scheduled audits, continuous monitoring is necessary, not only periodic reviews.
No consent records: When regulators investigate, they ask for consent logs. Organisations that cannot demonstrate what information was presented to users, when, and what they chose in response, have no defence regardless of how well-designed their banner appears. Consent records need to be structured for efficient querying and export, not merely stored.
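The reconciliation step that the five audit areas above and the failure patterns just listed both describe can be scripted. The following is an added example, not tooling from the article or from any named vendor: it takes a constructed scan of a hypothetical site (shop.example), compares it with the declared cookie register, and flags undisclosed trackers, cookies misclassified as strictly necessary, non-necessary cookies set before consent, and cookies that need manual review. The KNOWN_COOKIES lookup is an assumption standing in for a maintained cookie database.

```python
"""Cookie audit reconciliation: scan output versus declared register (added example)."""
from dataclasses import dataclass, field

CATEGORIES = ("strictly_necessary", "preference", "analytics", "marketing")

# Assumption: a tiny lookup of widely documented cookie names. A real audit
# would use a maintained cookie database plus manual review of tag managers.
KNOWN_COOKIES = {
    "PHPSESSID": "strictly_necessary",
    "_ga": "analytics",
    "_gid": "analytics",
    "_fbp": "marketing",
    "IDE": "marketing",
}


@dataclass
class ObservedCookie:
    name: str
    domain: str               # domain the cookie was set on during the crawl
    set_before_consent: bool  # seen in the crawl pass made before any consent click


@dataclass
class AuditEntry:
    name: str
    domain: str
    party: str                # "first" or "third"
    category: str             # one of CATEGORIES or "unclassified"
    issues: list = field(default_factory=list)


def party_of(cookie_domain: str, site_domain: str) -> str:
    d = cookie_domain.lstrip(".")
    return "first" if d == site_domain or d.endswith("." + site_domain) else "third"


def audit(observed, declared, site_domain):
    """declared maps cookie name -> category taken from the published cookie policy."""
    register = []
    for c in observed:
        entry = AuditEntry(c.name, c.domain, party_of(c.domain, site_domain), "unclassified")
        known = KNOWN_COOKIES.get(c.name)
        stated = declared.get(c.name)
        if stated is None:
            entry.issues.append("undisclosed")           # absent from policy and banner
        entry.category = known or stated or "unclassified"  # recognised purpose beats the claim
        if stated == "strictly_necessary" and known not in (None, "strictly_necessary"):
            entry.issues.append("misclassified_as_necessary")
        if entry.category == "unclassified":
            entry.issues.append("manual_review")
        # Anything not strictly necessary (or not yet classified) must wait for consent.
        if c.set_before_consent and entry.category != "strictly_necessary":
            entry.issues.append("fires_before_consent")
        register.append(entry)
    return register


# Constructed sample scan of the hypothetical site shop.example
SCAN = [
    ObservedCookie("PHPSESSID", "shop.example", True),
    ObservedCookie("_ga", "shop.example", True),
    ObservedCookie("_fbp", "shop.example", True),
    ObservedCookie("IDE", "doubleclick.net", False),
    ObservedCookie("region_pref", "shop.example", False),
]
DECLARED = {"PHPSESSID": "strictly_necessary", "_ga": "strictly_necessary", "IDE": "marketing"}

if __name__ == "__main__":
    for e in audit(SCAN, DECLARED, "shop.example"):
        print(f"{e.name:12} {e.party}-party {e.category:19} {', '.join(e.issues) or 'ok'}")
```

Running it reports _ga as analytics misclassified as necessary and firing before consent, _fbp as undisclosed and firing before consent, and region_pref as undisclosed and needing manual review; the two correctly declared cookies pass.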
Conclusion
A cookie audit is not a one-time compliance exercise. Websites change continuously, marketing teams deploy new trackers, and the regulatory landscape under both GDPR and the DPDP Act continues to evolve. The audit establishes the foundation; the cookie inventory, the consent mechanism, and the audit logs it produces all require ongoing maintenance.
The four cookie categories determine whether consent is required, what form that consent must take, and what the consequences of misclassification are. Presenting a marketing cookie as strictly necessary does not make it exempt under Article 5(3); it makes the non-compliance harder to correct when regulators investigate.
Under GDPR and the ePrivacy Directive, the enforcement data makes the risk concrete: €5.65 billion in cumulative fines, enforcement specifically targeting consent failures, and national DPAs actively auditing websites without prior warning. Under India’s DPDP Act, the Data Protection Board’s enforcement powers from 2027 will bring the same scrutiny to Indian websites and to any organisation processing data of Indian users, wherever it is based. Organisations that conduct thorough audits, classify trackers accurately, and build consent infrastructure capable of demonstrating compliance under both frameworks will be substantially better positioned when that scrutiny arrives.