Cookie Banner Generator
Back to all articles
Cookie Scanner
Cookie Audit
Privacy Compliance
GDPR
PIPEDA
Cookie Scanning
18 min read

Cookie Scanner: The Complete Guide to Auditing Your Website's Cookies

Learn how to use a cookie scanner to audit your website for compliance. Compare free and paid cookie scanning tools, understand scan results, and fix issues fast.

Cookie Scanner: The Complete Guide to Auditing Your Website's Cookies

Direct Answer: A cookie scanner is a tool that automatically crawls your website, detects every cookie and tracking technology in use, and categorizes them for privacy compliance. Running a cookie scan is the essential first step to meeting GDPR, PIPEDA, CCPA, and other privacy law requirements — because you cannot disclose or manage cookies you do not know about. Most websites have between 15 and 80 cookies, and many site owners are unaware of more than half of them.

Scan your website for free →

Table of Contents

A cookie scanner (also called a cookie audit tool or cookie checker) is software that automatically visits your website, loads its pages, and identifies every cookie, tracking pixel, and data collection technology present. It then categorizes each item — necessary, analytics, marketing, or functional — so you know exactly what data your site collects from visitors.

Every major privacy regulation requires you to disclose the cookies your website uses and, in most cases, obtain consent before setting non-essential ones. Here is the problem: the average website sets between 20 and 80 cookies, and most site owners are only aware of a fraction of them.

Cookies can appear on your site without your knowledge through:

  • Third-party scripts — ad networks, social media widgets, chat tools, and embedded videos each bring their own cookies
  • CMS plugins — WordPress, Shopify, and other platforms install cookies through themes and plugins
  • CDN and hosting providers — services like Cloudflare or AWS may set performance cookies
  • Analytics tools — Google Analytics alone sets 4-6 cookies per visitor

Without running a cookie scan, you are almost certainly non-compliant. Under GDPR cookie consent requirements, failing to disclose cookies can result in fines of up to 4% of global revenue or 20 million euros. Under PIPEDA and Quebec's Law 25, penalties reach $25 million. And under the CCPA, consumers can sue for $100-$750 per incident for certain violations.

The bottom line: You cannot write an accurate cookie policy, configure a compliant consent banner, or respond to a regulator's inquiry without first knowing what cookies your website sets. A cookie scanner gives you that visibility.

Understanding how a cookie audit tool works helps you choose the right one and interpret results correctly. Here is what happens behind the scenes when you scan a website for cookies.

The Technical Process

Most cookie scanning tools follow a four-stage process:

1. Crawling The scanner visits your website like a browser would, starting from your homepage and following internal links. Advanced scanners render JavaScript to catch dynamically loaded cookies — a critical distinction, since many tracking scripts only fire after the page fully loads.

2. Detection As each page loads, the scanner captures:

  • HTTP cookies set via Set-Cookie headers
  • JavaScript cookies set via document.cookie
  • Local storage and session storage entries
  • Tracking pixels and web beacons (1x1 pixel images that send data to third parties)
  • Fingerprinting scripts that collect device and browser information

3. Classification Detected cookies are categorized based on their purpose:

| Category | Purpose | Consent Required? | Examples | |----------|---------|-------------------|----------| | Strictly Necessary | Core site functionality | No | Session IDs, CSRF tokens, load balancers | | Functional | Enhanced features | Recommended | Language preferences, theme settings | | Analytics | Usage tracking | Yes | Google Analytics (_ga, _gid), Hotjar | | Marketing | Ad targeting and retargeting | Yes | Facebook Pixel (_fbp), Google Ads (_gcl_au) |

4. Reporting The scanner generates a report listing every cookie found, including its name, domain, expiration period, category, and whether it is first-party or third-party.

Not all cookie scanning tools are created equal. The best scanners offer:

  • JavaScript rendering — catches cookies set by dynamically loaded scripts (roughly 40% of tracking cookies are set this way)
  • Multi-page crawling — scans beyond the homepage to find cookies on login pages, checkout flows, and subdomains
  • Cookie database matching — automatically identifies known cookies (like _ga for Google Analytics) instead of just listing unknown entries
  • Regular re-scanning — compliance is not a one-time event; your cookie landscape changes every time you update a plugin or add a new tool

Step-by-Step: How to Scan Your Website for Cookies

Ready to run your first cookie scan? Follow these steps to get a complete picture of your website's cookie usage.

Select a scanner that fits your needs. For a quick, no-cost audit, use a free cookie scanner that provides instant results. For enterprise sites with thousands of pages, consider a paid tool with scheduled scanning.

Step 2: Enter Your Website URL

Navigate to your chosen scanner and enter your full domain (e.g., https://www.yoursite.com). Make sure to include the correct protocol (https:// vs http://) and any www prefix your site uses.

Pro Tip: Scan both www.yoursite.com and yoursite.com separately if your site responds on both — they may set different cookies.

Step 3: Wait for the Scan to Complete

A basic scan typically takes 30-90 seconds for a single page. Multi-page scans that crawl 50-100 pages may take 5-15 minutes. During this time, the scanner is:

  • Loading each page in a headless browser
  • Waiting for all JavaScript to execute
  • Recording every cookie, storage entry, and tracking technology

Step 4: Review the Results

Your scan report will show:

  • Total number of cookies found across all scanned pages
  • Category breakdown (necessary, analytics, marketing, functional)
  • First-party vs third-party cookie counts
  • Cookie details (name, domain, path, expiration, secure flag, SameSite attribute)

Step 5: Identify Issues

Look for these common problems:

  • Undisclosed cookies — cookies not mentioned in your privacy policy
  • Missing consent — analytics or marketing cookies loading before user consent
  • Excessive expiration — cookies lasting longer than necessary (GDPR recommends maximum 13 months for analytics cookies)
  • Insecure cookies — cookies without the Secure or HttpOnly flags on HTTPS sites
  • Unknown third-party cookies — cookies from domains you do not recognize

Step 6: Export and Document

Download your scan results as a CSV or PDF. You will need this documentation for:

  • Building your cookie policy
  • Configuring your cookie banner
  • Demonstrating compliance to regulators
  • Comparing against future scans to track changes

Running a cookie checker is only useful if you know how to interpret the results. Here is what to look for in your scan report.

First-Party vs Third-Party Cookies

First-party cookies are set by your domain (e.g., yoursite.com). These typically include session cookies, login tokens, and preferences. You have full control over these.

Third-party cookies are set by external domains (e.g., google-analytics.com, facebook.com, doubleclick.net). These are the cookies that cause the most compliance issues because:

  • You may not know they exist
  • They often track users across multiple websites
  • They almost always require consent
  • Google Chrome is phasing out third-party cookies through its Privacy Sandbox initiative

When reviewing individual cookies in your cookie audit report, pay attention to these attributes:

| Attribute | What It Means | What to Look For | |-----------|--------------|------------------| | Name | Cookie identifier | Match against known cookie databases | | Domain | Who set it | Third-party domains you don't recognize | | Expiration | How long it persists | Anything over 13 months (GDPR guidance) | | Secure | HTTPS-only | Should be true for all cookies on HTTPS sites | | HttpOnly | Not accessible via JavaScript | Should be true for authentication cookies | | SameSite | Cross-site behavior | Should be Strict or Lax for most cookies | | Path | URL scope | Overly broad paths may indicate poor cookie hygiene |

Red Flags in Scan Results

Watch for these warning signs:

  • Cookies from ad networks you haven't integrated — this suggests a plugin or script is loading third-party ads without your knowledge
  • Session cookies without HttpOnly — these are vulnerable to XSS (cross-site scripting) attacks
  • Persistent cookies with no expiration — these violate the storage limitation principle under GDPR Article 5(1)(e)
  • Cookies set before consent — if your scan shows cookies being set on page load before any user interaction, your consent mechanism is broken

Choosing between a free cookie scanner and paid cookie audit software depends on your website's size, complexity, and compliance requirements. Here is an honest comparison.

Best for: Small to medium websites, initial audits, one-off compliance checks.

What free tools typically offer:

  • Single-page or limited multi-page scanning
  • Basic cookie detection (HTTP cookies, some JavaScript cookies)
  • Category classification based on known cookie databases
  • Downloadable reports (CSV or PDF)

Limitations of free tools:

  • May not render JavaScript fully, missing dynamically loaded cookies
  • Limited to scanning a few pages per run
  • No scheduled or automated re-scanning
  • Minimal support for localStorage, sessionStorage, or fingerprinting detection

The cookie-banner.ca free cookie scanner scans your homepage and key landing pages, detects both first-party and third-party cookies, and categorizes them automatically — giving you a clear picture of your compliance status at no cost.

Best for: Enterprise websites, e-commerce sites with hundreds of pages, organizations under strict regulatory scrutiny.

What paid tools typically offer:

  • Full-site crawling (hundreds or thousands of pages)
  • Scheduled automatic re-scanning (weekly, monthly)
  • Advanced detection (localStorage, fingerprinting, tracking pixels)
  • Consent monitoring (verifying cookies are blocked until consent)
  • Integration with consent management platforms (CMPs)
  • Compliance reporting for auditors and legal teams
  • Multi-domain and subdomain scanning

Feature Comparison Table

| Feature | Free Scanner | Paid Scanner | |---------|-------------|-------------| | Pages scanned | 1-10 | 100-10,000+ | | JavaScript rendering | Basic | Full | | Cookie categorization | Yes | Yes + custom rules | | Scheduled scans | No | Yes (weekly/monthly) | | localStorage detection | Limited | Yes | | Tracking pixel detection | No | Yes | | Consent verification | No | Yes | | Multi-domain support | No | Yes | | Compliance reports | Basic | Detailed + exportable | | Typical cost | $0 | $30-$300/month |

Pro Tip: Start with a free cookie scan to understand your baseline. If your site has more than 50 pages or you handle sensitive data, consider upgrading to a paid solution with scheduled monitoring.

One of the most common mistakes website owners make is treating cookie scanning as a one-time task. Privacy regulations like GDPR and PIPEDA treat compliance as an ongoing obligation, and your cookie landscape changes constantly.

Your website's cookies change every time you:

  • Update a WordPress plugin — plugins can add or modify cookies without warning
  • Add a new marketing tool — installing HubSpot, Intercom, or a chat widget introduces new cookies
  • Update your CMS or theme — framework updates can change cookie behavior
  • Change ad networks or analytics providers — switching from Universal Analytics to GA4, for example, changed cookie names and behavior
  • Embed third-party content — YouTube videos, social media feeds, and maps all set cookies

According to research by Cookiebot, the average website's cookie inventory changes by 15-25% per quarter due to plugin updates, script changes, and third-party modifications.

| Website Type | Minimum Scan Frequency | Recommended Frequency | |-------------|----------------------|----------------------| | Personal blog | Quarterly | Monthly | | Small business | Monthly | Bi-weekly | | E-commerce | Bi-weekly | Weekly | | Enterprise / SaaS | Weekly | Daily (automated) | | Healthcare / Finance | Weekly | Daily (automated) |

Trigger-Based Scanning

Beyond scheduled scans, run an immediate cookie scan whenever you:

  1. Deploy a new feature or page
  2. Install or update a plugin
  3. Add a third-party integration (analytics, ads, chat, payments)
  4. Receive a user complaint about tracking
  5. Undergo a regulatory inquiry or audit
  6. Update your consent management platform

Finding cookies is only half the job. Here is a step-by-step remediation process to follow after running your cookie audit tool.

Review each cookie in your scan results and assign it to the correct category:

  • Necessary — required for the site to function (no consent needed)
  • Functional — enhances user experience (consent recommended)
  • Analytics — tracks user behavior (consent required)
  • Marketing — used for advertising and retargeting (consent required)

If you are unsure about a cookie's purpose, search its name in a cookie database like Cookiepedia or the Open Cookie Database.

Step 2: Remove Unnecessary Cookies

Audit whether each cookie serves a legitimate purpose. Common candidates for removal:

  • Deprecated tracking scripts — old analytics or ad codes that are no longer in use
  • Duplicate cookies — multiple analytics tools tracking the same metrics
  • Test or development cookies — debug cookies that were never removed from production
  • Unused plugin cookies — cookies from plugins you deactivated but did not uninstall

Your cookie policy must list every cookie your site uses. For each cookie, include:

  • Cookie name
  • Provider/domain
  • Purpose
  • Category
  • Expiration period
  • Whether it is first-party or third-party

Using your scan results, configure your cookie banner to:

  • Block all non-essential cookies until the user consents
  • Group cookies into categories that match your policy
  • Provide granular toggle controls for each category
  • Load scripts conditionally based on consent status

After configuring your banner, run another scan to verify that:

  • No analytics or marketing cookies are set before consent
  • Necessary cookies still function correctly
  • Consented cookies load properly after the user accepts

Step 6: Set Up Ongoing Monitoring

Schedule regular scans to catch new cookies as they appear. Document each scan with:

  • Date of scan
  • Number of cookies found (by category)
  • New cookies since last scan
  • Actions taken for each new cookie

The cookie-banner.ca cookie scanner is designed to give website owners a fast, accurate view of their cookie compliance status — at no cost.

What Our Scanner Does

  1. Enter your URL — type your website address and click "Scan"
  2. Automated crawl — our scanner visits your site in a headless browser, rendering JavaScript just like a real visitor would
  3. Full detection — we capture HTTP cookies, JavaScript cookies, and third-party requests
  4. Instant categorization — each cookie is matched against our database of 50,000+ known cookies and categorized automatically
  5. Compliance report — you receive a clear breakdown of cookies by category, with flagged compliance issues

Why Website Owners Choose Our Scanner

  • No signup required — scan instantly without creating an account
  • Accurate JavaScript rendering — catches cookies that basic crawlers miss
  • Privacy-first — we do not store your scan data or share it with third parties
  • Actionable results — every issue includes a clear explanation and fix recommendation
  • Seamless next step — connect your scan results directly to our cookie banner builder to create a compliant consent banner pre-configured with the exact cookies your site uses

Ready to see what cookies your website is setting? Run a free cookie scan now →

Conclusion

A cookie scanner is the foundation of privacy compliance for any website. Without knowing exactly what cookies and tracking technologies your site uses, you cannot write an accurate cookie policy, configure a compliant consent banner, or respond to regulatory inquiries with confidence.

Key Takeaways:

  • Every website has more cookies than its owner realizes — third-party scripts, plugins, and CDNs add cookies without your knowledge
  • Cookie scanning is not a one-time task — your cookie inventory changes every time you update a plugin, add a tool, or deploy new code
  • Free scanners are a strong starting point — use a free cookie scanner for your initial audit and to establish a baseline
  • Remediation matters more than detection — after scanning, categorize every cookie, remove unnecessary ones, update your policy, and configure your consent banner accordingly
  • Ongoing monitoring protects you — schedule monthly or weekly scans to catch changes before they become compliance violations

The gap between what website owners think their sites collect and what they actually collect is the single biggest compliance risk in privacy today. A cookie scan closes that gap in under 90 seconds.

Next Steps:

  1. Scan your website for free to see your current cookie inventory
  2. Review and categorize every cookie found
  3. Remove unnecessary tracking cookies
  4. Build a compliant cookie banner using your scan results
  5. Schedule monthly re-scans to stay compliant

Start your audit now: Scan your website for free with cookie-banner.ca →

Frequently Asked Questions

A cookie scanner is a tool that crawls your website to detect all cookies, tracking scripts, and third-party data collection technologies. It categorizes each cookie by type (necessary, analytics, marketing) and flags compliance issues under GDPR, PIPEDA, CCPA, and other privacy laws. Think of it as an X-ray for your website's data collection practices.

How often should I scan my website for cookies?

You should scan your website for cookies at least once per month, and always after adding new tools, plugins, or third-party integrations. E-commerce and SaaS websites should scan weekly or more frequently. Privacy regulations treat cookie compliance as an ongoing obligation — a scan from six months ago does not reflect your current compliance status.

Free cookie scanners can detect most first-party and third-party cookies, making them suitable for initial audits and small websites with under 50 pages. However, paid tools offer deeper scanning capabilities — multi-page crawls, JavaScript-rendered cookie detection, localStorage monitoring, and scheduled re-scans — that larger or regulated websites need.

First, identify each undisclosed cookie's source (plugin, third-party script, ad network). Then take one of three actions: remove the cookie if it is unnecessary, add it to your cookie policy with proper categorization, or block it until user consent is obtained. Undisclosed tracking cookies are a compliance violation under GDPR, PIPEDA, and most other privacy laws.

Most cookie scanners detect HTTP cookies and JavaScript cookies. Advanced cookie analyzers also identify localStorage entries, sessionStorage data, tracking pixels, fingerprinting scripts, and web beacons. No single scanner catches every possible tracking method, which is why combining automated scanning with periodic manual code reviews is the recommended approach.

Yes. Google Analytics alone sets multiple cookies (_ga, _gid, _gat) and may trigger additional third-party requests. But more importantly, your CMS, hosting provider, CDN, theme, and plugins are almost certainly setting cookies you are not aware of. Research shows most websites have 15-50+ cookies even with minimal third-party integrations. A website cookie scanner reveals the full picture.

A cookie scan is the automated process of detecting cookies on your website using a scanning tool. A cookie audit is the broader compliance exercise that includes scanning, categorizing cookies, reviewing your cookie policy, verifying consent mechanisms, and documenting everything. A scan is one step within a full audit. Both are essential for maintaining cookie consent compliance.

Take the first step toward cookie compliance today. Scan your website for free →

Read more

How to Add a Cookie Banner to WordPress (Free, No Plugin)

Add a GDPR-compliant cookie banner to WordPress in under 5 minutes — no plugin required. Free setup guide with screenshots. Works with any WordPress theme.

Do I Need Consent for Google Analytics and Facebook Pixel Under PIPEDA?

Yes. PIPEDA requires explicit consent for Google Analytics, Facebook Pixel, and other tracking tools because they collect personal information. You must block these scripts until users give permission.

How to Set Up Cookie Banner Generator with Google Tag Manager (Consent Mode v2)

Step-by-step guide to installing Cookie Banner Generator's GTM Community Template for Google Consent Mode v2. Configure default consent states, regional overrides, ads data redaction, and URL passthrough in minutes.