
Cookie Audit Checklist — 12 Things to Check on Your Website

checklist 8 min read Updated 2026-03-23


Use this checklist to assess your site’s cookie compliance. Each item is testable and observable — you don’t need technical expertise. Go through each one and note whether it passes or fails. Failures are your action items.


Initial Setup

1. Do Non-Essential Cookies Fire Before the User Interacts With Your Banner?

Test: Open your site. Open the browser’s Developer Tools (F12) and go to the Network tab. Clear all cookies. Reload the page and immediately watch the Network tab without interacting with anything.

Pass criteria: You see requests only to your own domain and essential infrastructure (CDN, analytics host if analytics is essential, etc.). You do NOT see requests to Google Analytics, Facebook, advertising networks, or other trackers until the banner appears and you interact with it.

Fail criteria: You see requests to Google, Facebook, LinkedIn, HubSpot, or other third-party domains firing immediately. The banner appears later. These are pre-consent requests — you’ve placed cookies without consent.

Action if failed: Your consent mechanism is non-functional. The banner is decorative. You need to reconfigure your site to block these scripts until consent is given. This typically requires a consent management platform (CMP) with script-blocking integration.

Priority: CRITICAL. Pre-consent tracking is the most fundamental PECR breach.


2. Does Your Banner Actually Block Non-Essential Cookies?

Test: Clear cookies. Load your site. Click “Reject all” (or equivalent). Watch the Network tab. Reload the page.

Pass criteria: The same trackers you saw firing pre-consent in test #1 do NOT fire now. Non-essential requests are blocked.

Fail criteria: The same requests continue to fire. Your “Reject all” button has no effect on script execution. The banner is decorative.

Action if failed: Your CMP is not properly configured to block scripts. Either it’s not integrated with your tag manager (Google Tag Manager, etc.), or the integration isn’t working. Contact your CMP vendor or your developer.

Priority: CRITICAL.
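Items 1 and 2 boil down to one comparison: which non-first-party hosts appear before the banner is touched, and which still appear after "Reject all". The script below is an added example (not part of the checklist or any CMP's tooling) that applies that comparison to two request lists you copy out of the Network tab or a HAR export; the URLs, the site domain `example.com` and the CDN allowlist are constructed sample values.

```python
"""Pre-consent and post-reject network check for checklist items 1 and 2.

Added example, not part of the original checklist. The request lists
below are constructed sample data standing in for what the Network tab
shows; the allowlist is for essential infrastructure such as a CDN.
"""
from urllib.parse import urlsplit


def is_first_party(host: str, site_domain: str) -> bool:
    """Treat the site itself and any subdomain of it as first-party."""
    return host == site_domain or host.endswith("." + site_domain)


def third_party_hosts(urls, site_domain, allowlist=()):
    """Hosts that are neither first-party nor allowlisted infrastructure."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname or ""
        if not is_first_party(host, site_domain) and host not in allowlist:
            hosts.add(host)
    return hosts


def audit(pre_consent_urls, post_reject_urls, site_domain, allowlist=()):
    """Evaluate items 1 and 2 and report the offending hosts so a failure
    is actionable rather than just a red mark."""
    pre = third_party_hosts(pre_consent_urls, site_domain, allowlist)
    post = third_party_hosts(post_reject_urls, site_domain, allowlist)
    return {
        "item1_pre_consent_pass": not pre,
        "item1_offending": sorted(pre),
        "item2_reject_blocks_pass": not post,
        "item2_offending": sorted(post),
        # Seen both before consent and after reject: the banner is decorative.
        "decorative_banner": sorted(pre & post),
    }


# Constructed sample captures (not taken from a real site).
PRE_CONSENT = [
    "https://www.example.com/",
    "https://cdn.example-static.net/app.js",
    "https://www.google-analytics.com/collect?v=1",
    "https://connect.facebook.net/en_US/fbevents.js",
]
POST_REJECT = [
    "https://www.example.com/",
    "https://cdn.example-static.net/app.js",
    "https://www.google-analytics.com/collect?v=1",
]

if __name__ == "__main__":
    print(audit(PRE_CONSENT, POST_REJECT, "example.com", {"cdn.example-static.net"}))
```

In the sample data the analytics host survives "Reject all", so item 2 fails even though the Facebook request was blocked.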


3. Is “Reject All” as Prominent as “Accept All”?

Test: Look at your cookie banner. Find “Accept all” and “Reject all” buttons (or equivalent reject option).

Pass criteria: Both buttons are the same size, same color, same distance from the top of the banner. Both are equally easy to click. Or the banner offers “Reject all” as a top-level button on the initial banner, not hidden in a settings menu.

Fail criteria: “Accept all” is a large, colored button and “Reject all” is small text, or “Reject all” requires clicking through to a settings page, or “Reject all” doesn’t exist and users must use a settings page to opt out of each category individually.

Action if failed: Reconfigure your banner. Both options must be equally prominent.

Priority: HIGH. Lack of genuine choice violates PECR’s “freely given” requirement.


4. Can You Opt Out of Specific Categories (Not Just All-or-Nothing)?

Test: Look for a “Customize” option (or equivalent) that lets you toggle categories individually.

Pass criteria: Your banner offers granular choice — accept analytics while rejecting marketing, for example. Or you can reject all and accept only specific categories. Either granular or all-or-nothing consent is acceptable; granular is better.

Fail criteria: The only options are “Accept all” or navigating to a settings page. Users can’t make nuanced choices on the initial banner.

Action if failed: Configure your CMP to offer category-level granularity on the initial banner or in a quickly accessible customization panel.

Priority: MEDIUM. This improves user experience and demonstrates genuine choice, but all-or-nothing is legally compliant if “Reject all” is equally prominent.


5. Are Any Non-Essential Categories Pre-Ticked?

Test: Open your banner and look for checkboxes. Which ones are checked by default?

Pass criteria: No non-essential categories are pre-checked. Essential categories may be pre-checked (they don’t require consent anyway). All other categories are unchecked and require user action to enable.

Fail criteria: Analytics, marketing, or functional cookies are pre-ticked. Users must uncheck to opt out.

Action if failed: Reconfigure your banner so no non-essential categories are pre-checked by default.

Priority: CRITICAL. Pre-ticked boxes violate PECR’s “freely given” requirement.


Disclosure and Documentation

6. Do You Have a Cookie Policy?

Test: Look for a link on your website (usually in the footer or from the banner) to a “Cookie Policy” or “Cookies” page.

Pass criteria: You have a standalone cookie policy or a clearly labeled “Cookies” section in your privacy policy. This policy lists specific cookies with names, purposes, providers, and durations.

Fail criteria: You mention cookies in your privacy policy but don’t have detailed information. Or you have no cookie information at all. Or you have a generic “we use cookies” statement without listing specific cookies.

Action if failed: Write a cookie policy. Most CMPs generate this automatically from a scan of your site. If yours doesn’t, use a template or hire someone to create one. Minimum requirement: name, purpose, provider, and duration for each cookie.

Priority: HIGH. PECR requires “clear and comprehensive information.”


7. Does Your Cookie Policy List Specific Cookies?

Test: Open your cookie policy. Look for a list or table of cookies.

Pass criteria: You list cookies by name (e.g., _ga, _gid, fbp), their purpose (what they measure or do), their provider (Google, Facebook, etc.), their type (session or persistent), and their duration (how long they persist).

Fail criteria: You have a policy but it’s vague (“we use Google Analytics to understand user behavior”) without listing specific cookies. Or you don’t list duration or provider.

Action if failed: Update your policy. Most CMPs provide templates. If not, copy this format:

Cookie Name | Purpose                      | Provider | Duration
_ga         | Analytics — user ID tracking | Google   | 2 years
_gid        | Analytics — session tracking | Google   | 24 hours
fbp         | Facebook Pixel tracking      | Facebook | 3 months

Priority: HIGH.
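The name, type (session or persistent) and duration columns of that table can be filled from the Set-Cookie headers your site and its third parties actually send, which avoids copying durations from a vendor page that may be out of date. The script below is an added example, not the checklist's own tooling: the headers are constructed samples, the purpose/provider lookup is a hypothetical stand-in for your CMP scan, and the reference date is fixed so the durations are reproducible.

```python
"""Build cookie inventory rows (name, purpose, provider, type, duration)
from Set-Cookie headers, for the table in checklist item 7.
Added example; headers below are constructed, PURPOSE is hypothetical."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Hypothetical purpose/provider lookup; a real audit fills this from the CMP scan.
PURPOSE = {
    "_ga": ("Analytics - user ID tracking", "Google"),
    "_gid": ("Analytics - session tracking", "Google"),
    "session_id": ("Essential - login session", "This site"),
}


def describe_duration(seconds: int) -> str:
    """Human-readable duration such as '2 years' or '3 months'."""
    for unit, size in (("year", 365 * 86400), ("month", 30 * 86400),
                       ("day", 86400), ("hour", 3600), ("minute", 60)):
        if seconds >= size:
            n = round(seconds / size)
            return f"{n} {unit}{'s' if n != 1 else ''}"
    return f"{seconds} seconds"


def inventory_row(set_cookie: str, now: datetime) -> dict:
    """Parse one Set-Cookie header into an inventory row.
    Max-Age takes precedence over Expires (RFC 6265); neither means session."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.lower()] = value
    seconds = None
    if "max-age" in attrs:
        seconds = int(attrs["max-age"])
    elif "expires" in attrs:
        seconds = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    purpose, provider = PURPOSE.get(name, ("UNKNOWN - needs review", "UNKNOWN"))
    return {"name": name, "purpose": purpose, "provider": provider,
            "type": "session" if seconds is None else "persistent",
            "duration": "session" if seconds is None else describe_duration(seconds)}


# Constructed sample headers and a fixed reference date.
NOW = datetime(2026, 3, 23, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "_ga=GA1.2.123; Max-Age=63072000; Path=/; Domain=.example.com",
    "_gid=GA1.2.456; Expires=Tue, 24 Mar 2026 00:00:00 GMT; Path=/",
    "session_id=abc; Path=/; HttpOnly; Secure",
]


def build_inventory(headers=SAMPLE_HEADERS, now=NOW):
    return [inventory_row(h, now) for h in headers]
```

Any row that comes back as UNKNOWN is a cookie your policy does not yet describe, which is exactly the gap this item is looking for.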


8. Does Your Banner Link to Your Cookie Policy?

Test: Open your banner. Look for a link to your cookie policy.

Pass criteria: The banner has a visible link (“Cookie policy,” “Learn more,” etc.) that opens your policy without requiring additional clicks or navigation.

Fail criteria: The banner doesn’t link to your policy. Users must search for it themselves.

Action if failed: Add a link from your banner to your policy. Most CMPs support this configuration.

Priority: MEDIUM. This improves transparency.


Ongoing Rights

9. Can Users Change Their Preferences or Withdraw Consent Later?

Test: After accepting consent, look for a way to change preferences. Typically this is a footer link like “Cookie preferences” or “Manage cookies.”

Pass criteria: You have a persistent link (visible on every page, usually in the footer) that opens a preference center. The center lets you change what you consented to and withdraw consent entirely.

Fail criteria: The banner disappears after the first visit and there’s no way to change preferences. Or the link exists but doesn’t work.

Action if failed: Add a persistent footer link that opens your CMP’s preference center. Most CMPs provide this functionality.

Priority: HIGH. PECR explicitly requires withdrawal rights.


10. Does Withdrawing Consent Actually Stop Non-Essential Cookies?

Test: Accept consent, then withdraw it. Check the Network tab on reload.

Pass criteria: After withdrawing consent, non-essential requests don’t fire.

Fail criteria: After withdrawing, the requests continue. Your withdrawal mechanism doesn’t actually block scripts.

Action if failed: Your CMP’s withdrawal mechanism isn’t properly integrated with your script blocking. Contact your CMP vendor or developer.

Priority: CRITICAL.


Accessibility and Functionality

11. Is Your Banner Keyboard Navigable and Screen Reader Compatible?

Test: Open your banner and try navigating using only the Tab key (no mouse). Can you reach all buttons and links? Does a screen reader (NVDA, JAWS, or built-in reader) read the button text correctly?

Pass criteria: You can navigate the entire banner using Tab. All buttons are reachable. Text labels are read correctly by screen readers.

Fail criteria: The banner requires a mouse to interact with. Screen reader doesn’t announce button labels or choices.

Action if failed: Update your banner to meet WCAG 2.1 AA accessibility standards. Most modern CMPs meet these standards out of the box, but custom banners may not.

Priority: MEDIUM-HIGH. This is both a PECR issue (genuine choice requires accessibility) and an accessibility law issue.


12. Do You Re-Audit Your Cookies Quarterly?

Test: Look at your tracking or audit records. When was the last time you scanned your site for cookies?

Pass criteria: You have evidence of quarterly re-scans. You’ve documented new cookies discovered and updated your policy accordingly.

Fail criteria: You scanned once and haven’t re-audited since. You don’t have a process for catching new cookies when plugins or integrations change.

Action if failed: Set a calendar reminder to re-scan every three months. Use Cookiebot, CookieYes, or browser tools. Update your policy and consent mechanism if new cookies appear.

Priority: MEDIUM. Websites change; your compliance mechanism needs to keep pace.


Scoring

11–12 passes: You’re compliant. Maintain quarterly audits and keep your policy current.

8–10 passes: You’re mostly compliant with some gaps. Address failures in order of priority (CRITICAL first).

5–7 passes: You have significant compliance gaps. You need a functional consent mechanism and updated policies.

0–4 passes: Your site is non-compliant. You need to implement a CMP, configure script blocking, and write a proper policy. Start with items marked CRITICAL.


Going Deeper

If you find gaps, here’s what to do:

Pre-consent tracking or non-functional consent mechanism? Your site needs a consent management platform (CMP) with proper script-blocking integration. Cookiebot, CookieYes, and Termly are good options. Installation typically takes a few hours and costs £40–350/month depending on your site’s complexity.

Missing or inadequate cookie policy? Most CMPs generate this automatically. If yours doesn’t, create a table listing each cookie with name, purpose, provider, and duration.

Missing withdrawal rights or preference center? Your CMP should provide this. If not, reconfigure it or switch to one that does.

Accessibility issues? Make sure your banner is keyboard navigable and screen reader compatible. This may require custom CSS or working with your CMP vendor.

For a comprehensive audit with specific remediation steps, Bartram Web screens your site against PECR standards and flags each issue with guidance on how to fix it. To stay informed about cookie and GDPR compliance updates, subscribe to our fortnightly newsletter.

