Why Cookie Audits Matter for Compliance

Every cookie your website sets is a potential compliance liability. Under Article 5(3) of the ePrivacy Directive, storing information on a visitor's device requires prior informed consent - with narrow exceptions for strictly necessary cookies. Regulators such as CNIL and the ICO now use automated scanning tools to detect violations, and fines for cookie non-compliance have reached nine figures.

A manual audit using Chrome DevTools remains one of the most reliable ways to verify what your site actually does versus what your consent banner claims. Automated scanners catch the obvious issues. DevTools catches everything else.

This walkthrough covers three key areas of DevTools: the Application panel for inspecting stored cookies, the Network tab for observing cookies in transit, and the Issues panel for catching SameSite and security warnings.

Opening the Application Panel

Press F12 or Ctrl+Shift+I (Windows/Linux) or Cmd+Option+I (macOS) to open DevTools. Select the Application tab from the top menu. If it is not visible, click the double-arrow overflow icon to find it.

In the left sidebar, expand Storage and then Cookies. Each domain that has set cookies on the current page appears as a separate entry. Click a domain to view its cookies in the main panel.

The cookie table displays columns for Name, Value, Domain, Path, Expires, Size, HttpOnly, Secure, SameSite, Partition Key, and Priority. You can sort by any column header. The built-in filter box at the top searches by cookie name or value - filtering by other attributes is not supported natively, so column sorting is your best tool for grouping cookies by attribute.

Key Cookie Attributes to Check

Each cookie attribute tells you something about its purpose and security posture. During an audit, focus on these columns:

Attribute | What to Look For | Compliance Implication
SameSite | Strict, Lax, or None | Cookies with None are sent cross-site and are likely used for tracking. These almost always require consent.
HttpOnly | True or false | Cookies accessible to JavaScript (HttpOnly=false) can be read by third-party scripts. Check whether this is intentional.
Secure | True or false | Cookies without the Secure flag can be sent over unencrypted HTTP. Any SameSite=None cookie must also be Secure.
Expires | Date or Session | Long-lived cookies (months or years) deserve extra scrutiny. Session cookies expire when the browser closes.
Domain | First-party or third-party domain | Third-party domains indicate external services setting cookies on your site. Each one needs documenting.
Partition Key | Present or empty | Partitioned cookies (CHIPS) are scoped per top-level site, reducing cross-site tracking risk.

Sort the table by the SameSite column to group all None cookies together. These are third-party cookies or cookies intended for cross-site use, and they represent your highest-priority consent requirements.
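The attribute checks above can be applied mechanically to Set-Cookie headers copied from the Network tab. The following is an added example, not code from the article or from Chrome; the sample headers, the first-party host example.com and the 30-day "long-lived" threshold are constructed assumptions.

```javascript
// Constructed sample: a few Set-Cookie headers with the host that sent them.
const FIRST_PARTY_HOST = "example.com"; // assumed audited site
const LONG_LIVED_DAYS = 30;             // assumption: flag anything beyond a month
const SAMPLE_HEADERS = [
  ["example.com", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  ["example.com", "_ga=GA1.1.1234.5678; Max-Age=63072000; Path=/; Domain=.example.com"],
  ["www.facebook.com", "_fbp=fb.1.1700000000.123; Max-Age=7776000; Path=/; SameSite=None"],
];

// Split "name=value; Attr; Attr=Value" into a name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days: Max-Age takes precedence over Expires; neither means a session cookie.
function lifetimeDays(attrs, nowMs = Date.now()) {
  if ("max-age" in attrs) return Number(attrs["max-age"]) / 86400;
  if ("expires" in attrs) return (Date.parse(attrs.expires) - nowMs) / 86400000;
  return 0;
}

// Apply the checks from the attribute table to one Set-Cookie header.
function auditCookie(header, responseHost) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = String(attrs.samesite || "").toLowerCase();
  const domain = String(attrs.domain || responseHost).replace(/^\./, "");
  const firstParty = domain === FIRST_PARTY_HOST || domain.endsWith("." + FIRST_PARTY_HOST);
  const findings = [];
  if (sameSite === "none" && !attrs.secure) findings.push("SameSite=None without Secure: rejected by modern browsers");
  if (sameSite === "none") findings.push("SameSite=None: sent cross-site, likely tracking, consent required");
  if (!sameSite) findings.push("no SameSite attribute: Chrome treats it as Lax");
  if (!attrs.secure) findings.push("no Secure flag: can travel over plain HTTP");
  if (!attrs.httponly) findings.push("no HttpOnly flag: readable by any script on the page");
  if (lifetimeDays(attrs) > LONG_LIVED_DAYS) findings.push("long-lived: justify the retention period");
  if (!firstParty) findings.push("third-party domain " + domain + ": document the vendor");
  if (attrs.partitioned) findings.push("Partitioned (CHIPS): scoped to this top-level site");
  return { name, domain, firstParty, findings };
}

const runAudit = (headers = SAMPLE_HEADERS) => headers.map(([host, h]) => auditCookie(h, host));
```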

Identifying Cookies by Category

Not every cookie requires consent. Strictly necessary cookies - those essential for basic site functionality - are exempt under the ePrivacy Directive. The challenge lies in correctly categorising everything else.

Common cookies and their typical categories:

  • PHPSESSID, JSESSIONID - Session management. Typically strictly necessary.
  • pll_language - Language preference. Usually functional.
  • _ga, _ga_*, _gid - Google Analytics cookies. Require consent in the EU and UK.
  • _fbp, _fbc - Meta Pixel cookies. Marketing/advertising. Always require consent.
  • _gcl_au - Google Ads conversion linking. Marketing cookie. Requires consent.

Cross-reference each cookie against your cookie categories in your consent management platform. Any cookie present in the browser that is not declared in your cookie policy is a compliance gap.

Using the Network Tab to Trace Cookie Behaviour

The Application panel shows cookies stored at a point in time. The Network tab shows cookies being set and sent with each HTTP request, which gives you the full picture of the cookie lifecycle.

Open the Network tab and reload the page. Click any request in the list, then select the Cookies sub-tab. This view splits into two sections: cookies sent with the request (Request Cookies) and cookies set by the response (Set-Cookie headers).

This is where you catch timing violations. If _ga or _fbp appears in a Set-Cookie header on the very first page load - before any consent interaction - your site is setting tracking cookies without consent. That is a clear breach of GDPR cookie consent requirements and the ePrivacy Directive.

Filtering Network Requests for Cookies

Type has-response-header:set-cookie in the Network tab filter bar to isolate only those requests that set cookies. This dramatically reduces noise and lets you focus on which endpoints and third-party scripts are writing to the cookie jar.

You can also filter by domain to see only third-party requests. Type -domain:yourdomain.com to exclude your own domain and reveal every external service communicating with your visitors' browsers.

The Issues Panel and SameSite Warnings

Chrome's Issues panel (accessible via the three-dot menu in DevTools or the yellow warning triangle) flags cookies with potential problems. Since Chrome 118, the Issues tab surfaces a specific warning: cookies sent in cross-site context that will be blocked in future browser versions.

These warnings highlight cookies with SameSite=None that may stop working as browsers tighten third-party cookie restrictions. Each warning identifies the affected cookie by name and domain, letting you track down the responsible script.

Pay attention to these categories of issues:

  • Cookies with SameSite=None but without the Secure flag - These are already blocked by modern browsers.
  • Cookies missing the SameSite attribute entirely - Chrome defaults these to Lax, which may break intended cross-site functionality.
  • Third-party cookies flagged for future deprecation - Review whether your site depends on these and plan alternatives.

The SameSite attribute is not just a technical concern. Misconfigured cookies can create unexpected tracking behaviour that falls outside the scope of the consent your visitors gave.

Testing with a Clean Browser Profile

Always audit cookies using a fresh browser profile or Incognito mode. Existing cookies from previous visits, cached consent states, and logged-in sessions all distort results.

Open an Incognito window (Ctrl+Shift+N or Cmd+Shift+N), navigate to your site, and open DevTools before interacting with the consent banner. Record which cookies are present before consent. Then accept all cookies and record the difference. Finally, repeat the process but reject all cookies - and verify that non-essential cookies are genuinely absent.

This three-step process - pre-consent, accept, reject - is exactly what regulators check during a cookie consent review. If cookies appear in the reject scenario that should only be present after acceptance, your script blocking is not working correctly.
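The category list above and the pre-consent/accept/reject comparison can be combined into one check. This is an added example, not code from the article or from any consent platform; the name patterns follow the article's list, unmatched names are assumed to need consent until reviewed, and the snapshots and declared policy are constructed.

```javascript
// Name patterns from the category list above; anything unmatched is treated as
// "unknown" and assumed to need consent until a human reviews it (assumption).
const CATEGORY_RULES = [
  [/^(PHPSESSID|JSESSIONID)$/, "strictly necessary", false],
  [/^pll_language$/, "functional", false],
  [/^(_ga|_ga_.+|_gid)$/, "analytics", true],
  [/^(_fbp|_fbc|_gcl_au)$/, "marketing", true],
];

function categorise(name) {
  for (const [re, category, requiresConsent] of CATEGORY_RULES) {
    if (re.test(name)) return { name, category, requiresConsent };
  }
  return { name, category: "unknown", requiresConsent: true };
}

// Constructed snapshots: cookie names read from the Application panel in each
// of the three Incognito runs, plus the names listed in the published policy.
const SNAPSHOTS = {
  preConsent: ["PHPSESSID", "pll_language", "_ga"],
  accepted: ["PHPSESSID", "pll_language", "_ga", "_gid", "_fbp", "_fbc", "_gcl_au"],
  rejected: ["PHPSESSID", "pll_language", "_ga"],
};
const DECLARED = new Set(["PHPSESSID", "pll_language", "_ga", "_gid", "_fbp"]);

// Compare the three runs against each other and against the declared policy.
function auditSnapshots({ preConsent, accepted, rejected }, declared) {
  const needsConsent = (n) => categorise(n).requiresConsent;
  const seen = new Set([...preConsent, ...accepted, ...rejected]);
  return {
    // present in the browser but absent from the cookie policy: a compliance gap
    undeclared: [...seen].filter((n) => !declared.has(n)).sort(),
    // consent-requiring cookies written before the banner was touched
    setBeforeConsent: preConsent.filter(needsConsent).sort(),
    // consent-requiring cookies that survived "reject all": script blocking failed
    presentAfterReject: rejected.filter(needsConsent).sort(),
    // cookies that only appear once consent is granted: what the banner actually gates
    gatedByConsent: accepted.filter((n) => !rejected.includes(n)).sort(),
  };
}

const runSnapshotAudit = () => auditSnapshots(SNAPSHOTS, DECLARED);
```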

Using the Privacy Sandbox Analysis Tool

Google provides the Privacy Sandbox Analysis Tool (PSAT), a DevTools extension that adds deeper cookie analysis capabilities. PSAT categorises cookies, highlights tracking cookies, and provides debugging pathways for Privacy Sandbox features like the Topics API and Attribution Reporting.

Install it from the Chrome Web Store. Once active, it adds a dedicated panel in DevTools that groups cookies by their likely purpose and flags those affected by third-party cookie deprecation. For sites with dozens of third-party integrations, PSAT saves significant time compared to manually inspecting each cookie.

Documenting Your Audit Findings

A cookie audit is only useful if the results are documented. For each cookie discovered, record the cookie name, domain, purpose, category (strictly necessary, functional, analytics, or marketing), duration, and whether it is first-party or third-party. This documentation forms part of your evidence for any DPA investigation.

Compare your DevTools findings against your published cookie policy. Undeclared cookies are a common finding in regulatory audits. Automated scanning tools such as the free cookie scanner from Kukie.io can supplement your manual audit by running scheduled checks and flagging new cookies as they appear.

Regular audits matter because cookies change. Every plugin update, new marketing tag, or third-party script integration can introduce cookies that were not present during your last review. Quarterly audits - combining both DevTools manual checks and automated scanning - give you the best coverage.

Frequently Asked Questions

How do I see all cookies set by a website in Chrome?

Open Chrome DevTools with F12, go to the Application tab, expand Storage in the left sidebar, and click Cookies. Each domain that sets cookies on the page is listed separately. Click a domain to view its cookies in a sortable table.

Can Chrome DevTools filter cookies by SameSite attribute?

The built-in filter box in the Application panel only searches by cookie name or value. To group cookies by SameSite, click the SameSite column header to sort. All cookies with SameSite=None will cluster together.

How do I check if cookies are set before consent is given?

Open an Incognito window, navigate to your site, and open the Application panel before interacting with the consent banner. Any non-essential cookies present at this stage are being set without consent, which violates the ePrivacy Directive and GDPR.

What does the SameSite warning in Chrome's Issues panel mean?

Chrome flags cookies with SameSite=None that may be blocked as browsers restrict third-party cookies. The warning identifies the cookie name and domain so you can assess whether your site depends on it and plan alternatives.

How often should I audit cookies on my website?

Run a manual DevTools audit after every significant site change (new plugins, tracking tags, or third-party integrations) and combine it with automated scans on a quarterly schedule. Cookie inventories drift quickly as vendors update their scripts.

What is the Privacy Sandbox Analysis Tool in Chrome?

PSAT is a Chrome DevTools extension from Google that categorises cookies, highlights tracking cookies, and provides debugging for Privacy Sandbox features. It supplements the built-in Application panel with automated cookie analysis.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
