Most GDPR website reviews fail at one simple point:
They check what the website says, but not what the website actually does.
A privacy policy may look fine.
A cookie banner may appear on page load.
A consent management platform may be configured.
But when a real user visits the site, what happens in the browser?
That is the part developers, privacy teams, and compliance reviewers need to inspect carefully.
A proper GDPR website audit should review runtime behavior:
- Which scripts load?
- Which cookies are set?
- Which third-party requests fire?
- What happens before consent?
- What changes after “Reject All”?
- What changes after “Accept All”?
- Are tracking pixels active before user choice?
- Are identifiers being sent in URLs, headers, or payloads?
- Is there technical evidence that consent choices are actually enforced?
This article is a practical developer-focused walkthrough of what to check.
This is not legal advice. A technical audit can help identify and document risk signals, but legal interpretation should be handled by qualified legal or compliance teams.
What Is a GDPR Website Audit?
A GDPR website audit is a technical review of how a website processes personal data during real visits.
From a developer’s point of view, this means checking things like:
- Cookies
- Local storage
- Session storage
- Network requests
- Request headers
- Response headers
- Set-Cookie headers
- Request payloads
- Third-party scripts
- Analytics tools
- Advertising pixels
- Tag managers
- Consent states
- Cross-border endpoint signals
- HAR files and screenshots as evidence
The goal is not to say, “this website is fully compliant.”
That would be too broad.
The goal is better framed as:
Identify and document technical website behavior that may need privacy, legal, or compliance review.
That difference matters.
Why the Cookie Banner Is Not Enough
A cookie banner is only the visible part.
The real behavior happens underneath.
A website can show a clean banner with:
- Accept All
- Reject All
- Manage Preferences
- Necessary Cookies
- Analytics Cookies
- Marketing Cookies
But the important question is:
Does the website behavior actually change when the user makes a consent choice?
For example:
- Are analytics scripts loading before consent?
- Are marketing pixels firing before consent?
- Is Google Tag Manager triggering tags too early?
- Are cookies set before the user clicks anything?
- Does “Reject All” actually stop non-essential requests?
- Does granular consent activate only selected categories?
A banner that looks correct visually can still fail technically if scripts are not gated properly.
That is why developers should test consent at runtime.
Step 1: Start With a Clean Browser State
Before opening DevTools, create a clean test environment.
Use:
- A fresh browser profile
- Incognito/private window
- Disabled extensions
- Cleared cookies
- Cleared local storage
- Cleared session storage
- Disabled cache
- A documented test URL
Also record:
- Date and time
- Browser version
- Device type
- Operating system
- Test location or geo context, if relevant
- Consent state being tested
This matters because old cookies, cached scripts, browser extensions, or previous consent states can distort the result.
If the audit needs to be reviewed later, reproducibility matters.
Step 2: Open DevTools and Inspect Network Requests
Open browser DevTools and go to the Network tab.
Before reloading the page:
- Enable Preserve log
- Enable Disable cache
- Clear the network panel
- Reload the page
- Do not interact with the cookie banner yet
Now observe what fires on first load.
Useful filters:
scriptxhrfetchimgdocument- third-party domains
- tracking-related endpoints
- pixel requests
- POST requests
Look closely at:
- Request URL
- Request method
- Status code
- Domain
- Initiator
- Request headers
- Response headers
- Query parameters
- Payload
- Set-Cookie headers
This first page load becomes your baseline.
You are trying to answer:
What happens before the visitor has made any consent choice?
Step 3: Look for Pre-Consent Tracking
Pre-consent behavior is one of the most important things to inspect.
Check whether these load before user interaction:
- Analytics scripts
- Advertising pixels
- Tag manager events
- Heatmap tools
- Session replay tools
- A/B testing scripts
- Retargeting scripts
- Third-party cookies
- Device fingerprinting scripts
Examples of things to watch for:
analytics.example.com/collect
www.googletagmanager.com/gtm.js
connect.facebook.net
cdn.segment.com
hotjar.com
doubleclick.net
`
The presence of a third-party script does not automatically mean there is a legal issue. Context matters.
But if analytics or marketing requests fire before consent, it may be a technical risk signal that should be reviewed.
Step 4: Test Consent Scenarios
Do not test only one consent state.
A practical audit should test multiple scenarios.
Test 1: First Load Without Interaction
Reload the page with no prior consent and do not click anything.
Document:
- Scripts loaded
- Cookies set
- Third-party requests
- Tracking pixels
- Payloads
- Set-Cookie headers
Test 2: Reject All
Click “Reject All” and reload if needed.
Compare against first load:
- Did analytics stop?
- Did marketing scripts stop?
- Did pixels stop firing?
- Are non-essential cookies still being created?
Test 3: Accept All
Click “Accept All.”
Document what activates:
- Analytics scripts
- Marketing scripts
- Cookies
- Third-party domains
- Request payloads
- Tag manager activity
Test 4: Granular Consent
Accept only one category, such as analytics, and reject marketing.
Then check:
- Did only analytics activate?
- Did marketing remain blocked?
- Did unselected categories still fire?
Test 5: Reload After Consent
Reload the page after a consent choice.
Check whether the website remembers and applies the previous choice correctly.
Step 5: Compare Runtime Behavior
The key is comparison.
A useful audit does not only ask, “what loaded?”
It asks:
What changed between no interaction, reject all, accept all, and granular consent?
Here is a simple review table:
| Consent State | What to Check | Potential Risk Signal |
|---|---|---|
| No interaction | Initial requests before any banner action | Marketing or analytics scripts fire before user choice |
| Reject All | Requests after explicit rejection | Non-essential tracking still runs |
| Accept All | Requests after acceptance | Scripts activate but are not documented |
| Granular consent | Only selected categories | Unselected categories still trigger |
| Reload after consent | Persistent consent state | Previous choice is ignored or overwritten |
If network activity is almost identical between “Reject All” and “Accept All,” that may indicate consent choices are not being enforced at runtime.
Step 6: Inspect Cookies Properly
Do not only count cookies.
Review cookie behavior.
Check:
- Cookie name
- Domain
- Path
- Expiry
- SameSite value
- Secure flag
- HttpOnly flag
- First-party or third-party
- When it was set
- Which consent state triggered it
- Whether it is classified correctly
For example, a cookie marked as “necessary” should be reviewed if it appears to support analytics, marketing, retargeting, or profiling.
Cookie classification should match actual purpose and behavior.
Step 7: Inspect Headers and Payloads
A lot of privacy risk signals do not appear in the UI.
They appear in request details.
Check for personal data or identifiers in:
- URL parameters
- Request payloads
- Referrer headers
- Cookies
- Authorization headers
- Tracking event data
Examples:
text
?email=user@example.com
?user_id=12345
?customer_id=98765
Payload examples:
json
{
"event": "purchase",
"email_hash": "abc123...",
"device_id": "device-789",
"cart_value": 149.00
}
Header examples:
text
Referer: https://example.com/reset-password?email=user@example.com
Cookie: _ga=GA1.2.123456789.1716191111
User-Agent: Mozilla/5.0...
A hashed email is not always anonymous. If it can be linked back to a person or used across systems, it may still require review.
Step 8: Map Third-Party Domains
Modern websites rely heavily on third-party tools.
During the audit, create a third-party domain inventory.
Common categories:
- Analytics
- Advertising
- Tag management
- CDN
- Payment
- Chat widget
- Heatmaps
- Session replay
- Fraud detection
- A/B testing
- CRM
- Marketing automation
For each third-party domain, document:
| Field | Example |
|---|---|
| Domain | analytics.example.com |
| Category | Analytics |
| Consent state | Before consent / after accept / after reject |
| Data observed | Cookie ID, IP, event data |
| Request type | Script, XHR, image beacon |
| Vendor disclosed? | Yes / No / Needs review |
| Risk note | May require review |
The goal is to compare actual runtime behavior against privacy notices, cookie declarations, vendor lists, and processor records.
Step 9: Review Cross-Border Request Signals
If the website serves EU users, international transfer signals may matter.
From a technical audit perspective, you can document:
- Third-party endpoint domains
- Hosting or vendor geography where available
- Request destinations
- Consent state during transfer
- Data indicators sent
- Vendor category
This does not automatically decide whether a transfer is lawful or unlawful.
But it creates technical evidence that legal or compliance teams can review alongside transfer safeguards and vendor documentation.
Step 10: Preserve Evidence
A GDPR website audit becomes much more useful when findings are backed by evidence.
Useful evidence includes:
- HAR files
- Screenshots
- Consent state screenshots
- Cookie tables
- Request URLs
- Request headers
- Response headers
- Set-Cookie headers
- Payload examples
- Third-party domain maps
- Timestamps
- Browser details
- Test environment notes
A practical evidence note might look like this:
text
Test: First load without interaction
URL: https://example.com/
Browser: Chrome
Consent state: No interaction
Finding: analytics.example.com request fired before consent
Evidence: HAR file, screenshot, request headers, Set-Cookie header
Review note: May require privacy/compliance review
This is much better than saying:
“Maybe tracking is happening.”
Evidence makes the conversation specific.
Common Technical Risk Signals
Here are common findings that may need review.
1. Analytics Before Consent
Analytics requests fire before the user clicks the banner.
This may create consent enforcement concerns depending on the tool, configuration, purpose, and lawful basis.
2. Advertising Pixel Auto-Firing
Marketing pixels load automatically on first page load.
This may require review because advertising pixels often involve identifiers, profiling, or cross-site tracking.
3. Personal Data in URLs
Email addresses, user IDs, session IDs, or tokens appear in URLs.
This can create exposure risk, especially through referrer headers.
4. Undocumented Third-Party Scripts
A vendor receives data but does not appear in the privacy notice, cookie notice, or vendor inventory.
This may create transparency or processor documentation concerns.
5. Cookie Misclassification
A tracking cookie is labeled as “necessary.”
This should be compared against actual purpose, behavior, and consent category.
6. Consent Choice Has No Runtime Effect
Reject All and Accept All produce almost the same network behavior.
This may indicate the CMP is visually present but not technically enforcing choices.
Manual Audit vs Audit Tools
Manual DevTools inspection is valuable because it shows real runtime behavior.
But it is also time-consuming.
Cookie scanners can help identify cookies, but they may miss consent-state differences, payloads, headers, and dynamic script behavior.
CMP dashboards can show configuration, but configuration alone does not prove scripts are gated properly.
A stronger audit combines:
- Manual inspection
- Consent scenario testing
- Cookie review
- Third-party domain mapping
- HAR evidence
- Screenshots
- Structured documentation
This is where evidence-backed website audit reports are useful.
They organize technical findings so developers, privacy teams, legal teams, agencies, and founders can review the same evidence trail.
What a Good GDPR Website Audit Report Should Include
A useful audit report should include:
- Executive summary
- Audit scope
- Tested URLs
- Browser and device details
- Consent scenarios
- Cookies observed
- Third-party domains
- Tracking pixels
- Network request evidence
- HAR files
- Screenshots
- Header and payload examples
- Risk notes
- Recommended review areas
- Evidence appendix
The report should be technical enough for developers and clear enough for compliance stakeholders.
That balance matters.
Developers need the raw behavior.
Compliance teams need the interpretation context.
Legal teams need evidence they can review.
Founders need to understand the business risk without reading a HAR file line by line.
When to Escalate to Legal or Compliance Teams
Technical teams should escalate findings when:
- Trackers fire before consent
- Advertising pixels load automatically
- Consent choices do not change runtime behavior
- Personal data appears in URLs or payloads
- Third-party scripts are undocumented
- Analytics cookies are labeled necessary
- Server-side tracking sends personal data to third parties
- EU traffic appears to reach non-EEA endpoints
- Consent logs are missing or incomplete
- Privacy notices do not match observed behavior
The technical audit shows what happened.
Legal and compliance teams decide what it means.
Final Thoughts
A GDPR website audit is not just about checking if a cookie banner exists.
It is about checking whether the website behavior matches the privacy promise.
For developers, the practical question is:
What does the site actually send, store, load, and trigger during a real visit?
Once you answer that with technical evidence, the privacy review becomes much more grounded.
If you want the full step-by-step version, we published the original guide here:
https://www.auditzo.com/blog/gdpr-website-audit-process-2026/
You can also check GDPR risk signals on your website here:
https://www.auditzo.com/check-website-gdpr-compliance
And if you want to see how evidence can be structured, here is a sample evidence-backed website privacy audit report:
https://www.auditzo.com/sample-website-privacy-compliance-audit-report
`
Top comments (0)