--- title: "How to Check Cookies and Trackers on a Website" description: "How to analyze cookies, local storage, and tracking pixels on a website. GDPR and ePrivacy compliance audit in your browser." date: 2026-01-17 category: UPER tags: ["Cookies", "GDPR", "Tracking", "Privacy", "UPER SEO Auditor"] url: https://uper.pl/en/blog/check-cookies-and-trackers/ --- # How to Check Cookies and Trackers on a Website Do you know what cookies your website sets? How many of them require user consent? What trackers are running in the background? In this article, I'll show you how to conduct a complete cookies and trackers audit. ## Why Is a Cookie Audit Important? ### Legal Requirements - **GDPR** (Europe) - requires consent before setting non-essential cookies - **ePrivacy** - regulates cookies and electronic tracking - **CCPA** (California) - right to opt-out of data "sale" - **LGPD** (Brazil) - similar requirements to GDPR ### Consequences of Violations | Regulation | Maximum Penalty | |------------|-----------------| | GDPR | 4% of turnover or €20 million | | ePrivacy | Depends on EU country | | CCPA | $7,500 per violation | ### Common Problems - Analytics cookies without consent - Advertising trackers before acceptance - Missing cookie documentation - Incomplete privacy policy ## What Exactly to Check? ### 1. HTTP Cookies Traditional cookies set by the `Set-Cookie` header: - **First-party** - from the same domain - **Third-party** - from external domains - **Session** - deleted after closing the browser - **Persistent** - with expiration date ### 2. Local Storage Data stored in the browser without expiration: ```javascript localStorage.setItem('user_preferences', JSON.stringify({...})); ``` ### 3. Session Storage Data deleted after closing the tab: ```javascript sessionStorage.setItem('cart_items', JSON.stringify([...])); ``` ### 4. IndexedDB Browser database for larger amounts of data. ### 5. Tracking Pixels Invisible 1x1 images sending data to servers: - Facebook Pixel - Google Analytics - LinkedIn Insight Tag - TikTok Pixel ## UPER SEO Auditor - Tracker Audit The [UPER SEO Auditor](https://chromewebstore.google.com/detail/uper-seo-auditor/khhpbeckpphaoiemjdijhbfpjnendage) extension includes a full cookies and trackers audit in the **Trackers** tab. ### How to Run the Audit? 1. Open the page in your browser 2. Launch the UPER SEO Auditor panel 3. Go to the **Trackers** tab 4. Results appear automatically ![Cookies and Trackers in UPER SEO Auditor](../../assets/images/blog/uper-seo-auditor-cookies.png) ### What Will You See? The extension shows: - **Number of cookies** - broken down by category - **Local/Session Storage** - all keys - **IndexedDB** - detected databases - **Tracking pixels** - Facebook, Google, etc. ## Cookie Categories The auditor automatically categorizes cookies: ### Necessary Cookies essential for the website to function: - User session - Shopping cart - Language preferences - CSRF token **Do not require consent** - can be set before acceptance. ### Functional Cookies improving UX: - Remembered form data - Display preferences - Recently viewed products - Chat settings **Require consent** - users should be able to decline. ### Analytics Cookies for traffic analysis: - Google Analytics (`_ga`, `_gid`) - Hotjar (`_hjid`) - Plausible, Matomo **Require consent** - the main reason for cookie banners. ### Marketing Cookies for ad targeting: - Facebook Pixel (`_fbp`, `_fbc`) - Google Ads (`_gcl_au`) - LinkedIn (`li_sugr`) - Remarketing **Require consent** - often the most invasive. ### Unknown Cookies not recognized by the database. They may be: - Custom developer cookies - New third-party cookies - Outdated cookies ## Cookie Details For each cookie, you'll see: | Field | Description | |-------|-------------| | **Name** | Cookie name | | **Value** | Value (may be truncated) | | **Domain** | Domain (`.example.com` = all subdomains) | | **Path** | Path scope | | **Expires** | Expiration date or "Session" | | **Secure** | HTTPS only | | **HttpOnly** | Not accessible to JavaScript | | **SameSite** | Strict, Lax, or None | ### Security Flags The extension checks flags: - ✅ **Secure** - cookie only over HTTPS - ✅ **HttpOnly** - XSS protection - ✅ **SameSite=Strict/Lax** - CSRF protection - ⚠️ **SameSite=None** - requires Secure ## Tracking Pixels The auditor detects popular tracking pixels: | Pixel | Domain | |-------|--------| | Facebook Pixel | `facebook.com/tr` | | Google Analytics | `google-analytics.com/collect` | | Google Ads | `googleads.g.doubleclick.net` | | LinkedIn | `px.ads.linkedin.com` | | TikTok | `analytics.tiktok.com` | | Twitter | `analytics.twitter.com` | | Pinterest | `ct.pinterest.com` | ## Local Storage and Session Storage The extension shows all storage keys: ``` Local Storage: ├── user_id: "abc123" ├── cart: "[{...}]" ├── theme: "dark" └── _ga_session: "{...}" Session Storage: ├── current_page: "3" └── filter_state: "{...}" ``` **Note:** Local Storage data doesn't expire. If it contains user identifiers, it also requires consent. ## CMP Detection The extension detects popular consent management platforms: - Cookiebot - OneTrust - TrustArc - Usercentrics - Cookie Notice - GDPR Cookie Consent ## Before vs After Consent Audit The most important test: **what cookies are set BEFORE acceptance?** ### How to Conduct the Test? 1. Open the page in incognito mode 2. **DO NOT accept** the cookie banner 3. Launch UPER SEO Auditor 4. Check the Trackers tab **Should only see:** - Necessary cookies - Technical session cookies **Should NOT see:** - Google Analytics - Facebook Pixel - Marketing cookies ### After Acceptance 1. Accept all cookies 2. Refresh the panel 3. Check for new cookies Now analytics and marketing should appear. ## Issues to Detect ### ❌ GA4 Before Consent ``` _ga, _gid set without acceptance ``` **Solution:** Configure [Google Consent Mode v2](/en/blog/google-consent-mode-v2/). ### ❌ Facebook Pixel Before Consent ``` _fbp cookie set automatically ``` **Solution:** Conditional loading of FB script. ### ❌ Missing SameSite ``` Cookie "session_id" without SameSite attribute ``` **Solution:** Add `SameSite=Lax` or `Strict`. ### ❌ Third-party Cookies Without Secure ``` Cookie from external domain without Secure flag ``` **Solution:** Set `Secure; SameSite=None`. ## Data Export Tracker audit results are included in PDF export: - List of all cookies - Category breakdown - Detected pixels - Security flags ## Complementary Tools ### Cookie Editor (extension) Allows manual editing and deletion of cookies. ### Chrome DevTools > Application The Application tab shows: - Cookies - Local Storage - Session Storage - IndexedDB - Cache Storage ### Webpagetest.org Shows cookies set on first load. ## Best Practices ### 1. Document All Cookies Create a table in your privacy policy: | Name | Purpose | Lifetime | Category | |------|---------|----------|----------| | session_id | User session | Session | Necessary | | _ga | Statistics | 2 years | Analytics | ### 2. Minimize Cookies - Use Local Storage for data that doesn't need to be sent to the server - Shorten cookie lifetimes - Remove unused cookies ### 3. Configure Consent Mode For Google Analytics and Ads: ```javascript gtag('consent', 'default', { 'analytics_storage': 'denied', 'ad_storage': 'denied' }); ``` ### 4. Test Regularly - Check cookies after each deploy - Test in incognito mode - Verify after consent acceptance and rejection ## Summary Cookies and trackers audit in UPER SEO Auditor allows you to: - **See all cookies** - broken down by category - **Detect trackers** - pixels, storage, IndexedDB - **Identify issues** - cookies before consent - **Check security flags** - Secure, HttpOnly, SameSite It's an essential tool for anyone who wants to be GDPR and ePrivacy compliant. Try [UPER SEO Auditor](https://chromewebstore.google.com/detail/uper-seo-auditor/khhpbeckpphaoiemjdijhbfpjnendage) and check what trackers are running on your website. ## Sources 1. **GDPR - Official Text** [https://gdpr.eu/](https://gdpr.eu/) 2. **ePrivacy Directive** [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058) 3. **Google Consent Mode** [https://developers.google.com/tag-platform/devguides/consent](https://developers.google.com/tag-platform/devguides/consent) 4. **Cookie Database - Cookiepedia** [https://cookiepedia.co.uk/](https://cookiepedia.co.uk/)