Do you know what cookies your website sets? How many of them require user consent? What trackers are running in the background? In this article, I’ll show you how to conduct a complete cookies and trackers audit.

  • GDPR (Europe) - requires consent before setting non-essential cookies
  • ePrivacy - regulates cookies and electronic tracking
  • CCPA (California) - right to opt-out of data “sale”
  • LGPD (Brazil) - similar requirements to GDPR

Consequences of Violations

Regulation | Maximum Penalty
GDPR       | 4% of turnover or €20 million
ePrivacy   | Depends on EU country
CCPA       | $7,500 per violation

Common Problems

  • Analytics cookies without consent
  • Advertising trackers before acceptance
  • Missing cookie documentation
  • Incomplete privacy policy

What Exactly to Check?

1. HTTP Cookies

Traditional cookies set by the Set-Cookie header:

  • First-party - from the same domain
  • Third-party - from external domains
  • Session - deleted after closing the browser
  • Persistent - with expiration date

2. Local Storage

Data stored in the browser without expiration:

localStorage.setItem('user_preferences', JSON.stringify({ /* ... */ }));

3. Session Storage

Data deleted after closing the tab:

sessionStorage.setItem('cart_items', JSON.stringify([ /* ... */ ]));

4. IndexedDB

Browser database for larger amounts of data.

5. Tracking Pixels

Invisible 1x1 images sending data to servers:

  • Facebook Pixel
  • Google Analytics
  • LinkedIn Insight Tag
  • TikTok Pixel

UPER SEO Auditor - Tracker Audit

The UPER SEO Auditor extension includes a full cookies and trackers audit in the Trackers tab.

How to Run the Audit?

  1. Open the page in your browser
  2. Launch the UPER SEO Auditor panel
  3. Go to the Trackers tab
  4. Results appear automatically

Cookies and Trackers in UPER SEO Auditor

What Will You See?

The extension shows:

  • Number of cookies - broken down by category
  • Local/Session Storage - all keys
  • IndexedDB - detected databases
  • Tracking pixels - Facebook, Google, etc.

The auditor automatically categorizes cookies:

Necessary

Cookies essential for the website to function:

  • User session
  • Shopping cart
  • Language preferences
  • CSRF token

Do not require consent - can be set before acceptance.

Functional

Cookies improving UX:

  • Remembered form data
  • Display preferences
  • Recently viewed products
  • Chat settings

Require consent - users should be able to decline.

Analytics

Cookies for traffic analysis:

  • Google Analytics (_ga, _gid)
  • Hotjar (_hjid)
  • Plausible, Matomo

Require consent - the main reason for cookie banners.

Marketing

Cookies for ad targeting:

  • Facebook Pixel (_fbp, _fbc)
  • Google Ads (_gcl_au)
  • LinkedIn (li_sugr)
  • Remarketing

Require consent - often the most invasive.

Unknown

Cookies not recognized by the database. They may be:

  • Custom developer cookies
  • New third-party cookies
  • Outdated cookies

For each cookie, you’ll see:

Field    | Description
Name     | Cookie name
Value    | Value (may be truncated)
Domain   | Domain (.example.com = all subdomains)
Path     | Path scope
Expires  | Expiration date or “Session”
Secure   | HTTPS only
HttpOnly | Not accessible to JavaScript
SameSite | Strict, Lax, or None

Security Flags

The extension checks flags:

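  • Secure - the cookie is sent only over HTTPS
  • HttpOnly - the cookie is not readable by JavaScript, which limits cookie theft via XSS
  • SameSite=Strict/Lax - restricts sending the cookie on cross-site requests, which mitigates CSRF
  • ⚠️ SameSite=None - the cookie is sent cross-site and requires Secure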

Tracking Pixels

The auditor detects popular tracking pixels:

Pixel            | Domain
Facebook Pixel   | facebook.com/tr
Google Analytics | google-analytics.com/collect
Google Ads       | googleads.g.doubleclick.net
LinkedIn         | px.ads.linkedin.com
TikTok           | analytics.tiktok.com
Twitter          | analytics.twitter.com
Pinterest        | ct.pinterest.com

Local Storage and Session Storage

The extension shows all storage keys:

Local Storage:
├── user_id: "abc123"
├── cart: "[{...}]"
├── theme: "dark"
└── _ga_session: "{...}"

Session Storage:
├── current_page: "3"
└── filter_state: "{...}"

Note: Local Storage data doesn’t expire. If it contains user identifiers, it also requires consent.

CMP Detection

The extension detects popular consent management platforms:

  • Cookiebot
  • OneTrust
  • TrustArc
  • Usercentrics
  • Cookie Notice
  • GDPR Cookie Consent

The most important test: what cookies are set BEFORE acceptance?

How to Conduct the Test?

  1. Open the page in incognito mode
  2. DO NOT accept the cookie banner
  3. Launch UPER SEO Auditor
  4. Check the Trackers tab

You should only see:

  • Necessary cookies
  • Technical session cookies

You should NOT see:

  • Google Analytics
  • Facebook Pixel
  • Marketing cookies

After Acceptance

  1. Accept all cookies
  2. Refresh the panel
  3. Check for new cookies

Now analytics and marketing should appear.
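The before-acceptance check above can also be scripted against a list of cookie names and request URLs captured while the banner is still untouched. This is an added example, not code from UPER SEO Auditor; the function names and the NECESSARY allowlist are assumptions, while the cookie names and pixel endpoints are the ones listed in this article.

```javascript
// Added example: cookie names and pixel endpoints are the article's lists;
// NECESSARY is a constructed, site-specific allowlist (assumption).
const CATEGORIES = {
  analytics: ['_ga', '_gid', '_hjid'],
  marketing: ['_fbp', '_fbc', '_gcl_au', 'li_sugr'],
};
const PIXELS = {
  'Facebook Pixel': 'facebook.com/tr',
  'Google Analytics': 'google-analytics.com/collect',
  'Google Ads': 'googleads.g.doubleclick.net',
  'LinkedIn': 'px.ads.linkedin.com',
  'TikTok': 'analytics.tiktok.com',
  'Twitter': 'analytics.twitter.com',
  'Pinterest': 'ct.pinterest.com',
};
const NECESSARY = ['session_id', 'csrf_token'];

// Exact name, or a known name plus a "_suffix" (e.g. a "_ga_..." cookie).
function categorize(name) {
  if (NECESSARY.includes(name)) return 'necessary';
  for (const [category, names] of Object.entries(CATEGORIES)) {
    if (names.some(n => name === n || name.startsWith(n + '_'))) return category;
  }
  return 'unknown';
}

// Match on host (including subdomains) and, where the table has one, the path.
function matchPixel(requestUrl) {
  const { hostname, pathname } = new URL(requestUrl);
  for (const [vendor, pattern] of Object.entries(PIXELS)) {
    const slash = pattern.indexOf('/');
    const host = slash === -1 ? pattern : pattern.slice(0, slash);
    const path = slash === -1 ? '' : pattern.slice(slash);
    const hostOk = hostname === host || hostname.endsWith('.' + host);
    const pathOk = path === '' || pathname === path || pathname.startsWith(path + '/');
    if (hostOk && pathOk) return vendor;
  }
  return null;
}

// Everything seen before acceptance that is not on the necessary allowlist.
function preConsentFindings(cookieNames, requestUrls) {
  const cookies = cookieNames.map(name => ({ name, category: categorize(name) }))
    .filter(c => c.category !== 'necessary');
  const pixels = [...new Set(requestUrls.map(matchPixel).filter(Boolean))];
  return { cookies, pixels, pass: cookies.length === 0 && pixels.length === 0 };
}
// Constructed capture: fresh incognito load, banner not accepted.
console.log(preConsentFindings(['session_id', '_ga', '_fbp'], ['https://www.facebook.com/tr?id=0']));
```

Cookies reported as unknown also fail the check, so they get reviewed and either documented as necessary or moved behind consent.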

Issues to Detect

_ga, _gid set without acceptance

Solution: Configure Google Consent Mode v2.

_fbp cookie set automatically

Solution: Conditional loading of FB script.

❌ Missing SameSite

Cookie "session_id" without SameSite attribute

Solution: Add SameSite=Lax or Strict.

❌ Third-party Cookies Without Secure

Cookie from external domain without Secure flag

Solution: Set Secure; SameSite=None.

Data Export

Tracker audit results are included in PDF export:

  • List of all cookies
  • Category breakdown
  • Detected pixels
  • Security flags

Complementary Tools

Allows manual editing and deletion of cookies.

Chrome DevTools > Application

The Application tab shows:

  • Cookies
  • Local Storage
  • Session Storage
  • IndexedDB
  • Cache Storage

Webpagetest.org

Shows cookies set on first load.

Best Practices

1. Document All Cookies

Create a table in your privacy policy:

Name       | Purpose      | Lifetime | Category
session_id | User session | Session  | Necessary
_ga        | Statistics   | 2 years  | Analytics

2. Minimize Cookies

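  • Use Local Storage for data that doesn’t need to be sent to the server, but not for session tokens or other secrets: any script running on the page can read it, and it still requires consent if it holds user identifiers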
  • Shorten cookie lifetimes
  • Remove unused cookies

For Google Analytics and Ads:

gtag('consent', 'default', {
  'analytics_storage': 'denied',
  'ad_storage': 'denied'
});
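The default above only denies storage; something still has to hold back the tracker scripts and send the update once the user accepts. The following added example (not from Google's or the extension's code) sketches that gate: createConsentGate, register and grant are illustrative names, gtag is passed in so the logic can run without the real Google tag, and the mapping of the article's Analytics and Marketing categories to analytics_storage and ad_storage is an assumption.

```javascript
// Added example; createConsentGate, register and grant are illustrative names.
function createConsentGate(gtag) {
  const granted = new Set();   // categories the user has accepted
  let pending = [];            // tracker loaders waiting for consent

  const state = category => (granted.has(category) ? 'granted' : 'denied');
  const signal = mode => gtag('consent', mode, {
    analytics_storage: state('analytics'),
    ad_storage: state('marketing'),
  });
  signal('default');           // everything denied until the user decides

  return {
    // Run the loader now if its category is already granted, else queue it.
    register(category, loader) {
      if (granted.has(category)) loader();
      else pending.push({ category, loader });
    },
    // Call from the banner's accept handler with the accepted categories.
    grant(categories) {
      categories.forEach(c => granted.add(c));
      signal('update');
      const ready = pending.filter(p => granted.has(p.category));
      pending = pending.filter(p => !granted.has(p.category));
      ready.forEach(p => p.loader());
    },
  };
}
```

On a real page the marketing loader would be the function that injects the Facebook Pixel script, so a visitor who never accepts never triggers it.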

4. Test Regularly

  • Check cookies after each deploy
  • Test in incognito mode
  • Verify after consent acceptance and rejection

Summary

Cookies and trackers audit in UPER SEO Auditor allows you to:

  • See all cookies - broken down by category
  • Detect trackers - pixels, storage, IndexedDB
  • Identify issues - cookies before consent
  • Check security flags - Secure, HttpOnly, SameSite

It’s an essential tool for anyone who wants to be GDPR and ePrivacy compliant.

Try UPER SEO Auditor and check what trackers are running on your website.

Sources

  1. GDPR - Official Text https://gdpr.eu/

  2. ePrivacy Directive https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058

  3. Google Consent Mode https://developers.google.com/tag-platform/devguides/consent

  4. Cookie Database - Cookiepedia https://cookiepedia.co.uk/