Most website owners know they set cookies. Far fewer know exactly which cookies, from which vendors, for which purposes, and for how long. That gap between assumption and reality is where compliance risk lives - and where regulators start asking questions.

Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a visitor's device requires prior informed consent unless the cookie is strictly necessary to deliver a service the visitor explicitly requested. The GDPR then defines what "valid consent" actually means: freely given, specific, informed, and unambiguous. You cannot meet either standard if you do not know what your site is setting in the first place.

Why a Cookie Inventory Matters

Regulators are not interested in vague assurances. The French CNIL sanctioned 21 organisations for cookie violations in 2025 alone, contributing to a record total of nearly 487 million euros in fines that year. Among the highest-profile cases, Google was fined 325 million euros and Shein 150 million euros - both in September 2025 - for placing advertising cookies before visitors had any opportunity to consent. A common thread across these enforcement actions is that the organisations either did not know exactly which cookies fired on page load or failed to map them to the correct consent categories.

Knowing your cookies is the first step toward a defensible compliance position. It also feeds directly into your cookie policy, your consent banner configuration, and the categories displayed to visitors.

Method 1: Check Cookies Manually in Your Browser

Every modern browser includes developer tools that let you inspect cookies on any page. This method costs nothing and gives you a real-time snapshot of what is active on a given URL.

Google Chrome

Open your site in an Incognito window (Ctrl+Shift+N on Windows, Cmd+Shift+N on Mac) so you start with a clean slate. Right-click anywhere on the page and select Inspect, then navigate to the Application tab. In the left sidebar, expand Storage and click Cookies. You will see every cookie grouped by domain. Each row shows the cookie name, value, domain, path, expiry, size, and flags like Secure, HttpOnly, and SameSite.

Cookies with a domain matching your own site (e.g. .example.com) are first-party cookies. Those with a different domain - .google-analytics.com, .facebook.com, .doubleclick.net - are third-party cookies set by external scripts embedded on your page.

Firefox

Open a Private Window, navigate to your site, and press F12 to open Developer Tools. Select the Storage tab, then Cookies. Firefox displays the same fields as Chrome: name, domain, path, expiry, and attributes. It also flags cookies with a shield icon when its Enhanced Tracking Protection has blocked them, which is useful for spotting trackers that Safari and Firefox already restrict by default.

Safari

Enable the Develop menu (Safari > Settings > Advanced > "Show Develop menu in menu bar"), then open your site in a Private window. Go to Develop > Show Web Inspector, select the Storage tab, and click Cookies. Safari's Intelligent Tracking Prevention (ITP) caps the expiry of many cookies set via JavaScript to seven days, so the values you see here may differ from Chrome.

Limitations of Manual Checks

Browser developer tools only show cookies on the page you are currently viewing. Cookies that fire on other pages - the checkout flow, a login form, an embedded video - will not appear unless you visit those pages individually. Manual inspection also misses cookies that load conditionally, such as those triggered only after a visitor interacts with a chat widget or accepts a consent prompt.

Method 2: Use an Automated Cookie Scanner

An automated scanner crawls multiple pages of your site, renders JavaScript, and catalogues every cookie it encounters. Most scanners also attempt to classify cookies into standard categories: necessary, functional, analytics, and marketing.

Kukie.io offers a free cookie scanner that does exactly this. Enter your URL, and the tool crawls the site, identifies each cookie by name, domain, and duration, and maps it against a database of known cookies. The result is a categorised inventory you can use directly in your consent banner setup.

Automated scanners are faster and more thorough than manual checks because they follow internal links and simulate user interactions. They also record cookies set by third-party scripts - ad pixels, social media embeds, analytics tags - that you may not have deliberately installed.

Method 3: Inspect HTTP Headers and Network Requests

For a deeper technical view, open Chrome DevTools and switch to the Network tab before loading the page. Reload your site and look at the Set-Cookie headers in the response headers of each request. This shows you exactly when a cookie is created during the page load sequence - critically, whether it is set before or after a consent signal fires.

| Attribute | What It Tells You | Why It Matters for Compliance |
| --- | --- | --- |
| Domain | Which domain owns the cookie | Distinguishes first-party from third-party cookies |
| Expires / Max-Age | When the cookie expires | Must be disclosed in your cookie policy; persistent cookies require consent |
| SameSite | Cross-site sending behaviour | Affects whether the cookie works across domains; None requires Secure |
| HttpOnly | Not accessible via JavaScript | Server-set cookies may not appear in document.cookie |
| Secure | Only sent over HTTPS | Good security practice; required when SameSite=None |

Filtering the Network tab by "Set-Cookie" reveals the exact moment each cookie is placed. If you see a _ga or _fbp cookie in the response headers before any consent mechanism has loaded, that is a compliance problem under the GDPR's cookie consent rules.
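The check described in Method 3 can be scripted once the Set-Cookie headers have been copied out of the Network tab. The Node.js sketch below is an added example, not code from this article or from any scanner it mentions; the site domain, the name patterns, the consent timestamp and every sample header are constructed assumptions.

```javascript
// Added example: audit captured Set-Cookie headers against a consent timestamp.
// All names and sample data below are constructed for illustration.
const SITE_DOMAIN = "example.com";                  // assumed first-party domain
const NON_ESSENTIAL = [/^_ga/, /^_gid$/, /^_fbp$/]; // assumed patterns; extend from your inventory

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1); // flag attributes become true
  }
  return cookie;
}

// Build one inventory row per captured response and attach compliance findings.
function auditCapture(entries, consentAtMs) {
  return entries.map(({ atMs, host, header }) => {
    const c = parseSetCookie(header);
    const domain = String(c.attrs.domain || host).replace(/^\./, "").toLowerCase();
    const firstParty = domain === SITE_DOMAIN || domain.endsWith("." + SITE_DOMAIN);
    const persistent = "max-age" in c.attrs || "expires" in c.attrs;
    const findings = [];
    if (atMs < consentAtMs && NON_ESSENTIAL.some((re) => re.test(c.name)))
      findings.push("non-essential cookie set before consent");
    if (String(c.attrs.samesite).toLowerCase() === "none" && !c.attrs.secure)
      findings.push("SameSite=None without Secure");
    return { name: c.name, domain, firstParty, persistent, findings };
  });
}

// Constructed capture: atMs is milliseconds since navigation start.
const capture = [
  { atMs: 120, host: "www.example.com", header: "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { atMs: 480, host: "www.example.com", header: "_ga=GA1.1.111.222; Domain=.example.com; Max-Age=63072000; Path=/" },
  { atMs: 2600, host: "px.adnetwork.test", header: "uid=7f3a9c; Domain=.adnetwork.test; Max-Age=7776000; SameSite=None" },
];
const report = auditCapture(capture, 2000); // consent recorded at 2000 ms (assumed)
console.table(report.map((r) => ({ ...r, findings: r.findings.join("; ") })));
```

A row with an empty findings column still belongs in the inventory; the findings only mark entries that need attention first.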

Method 4: Audit Local Storage and Session Storage

Cookies are not the only storage mechanism privacy law covers. The EDPB's updated guidelines on Article 5(3), published in October 2024, confirm that local storage, session storage, and IndexedDB fall within scope whenever they store or access information on a visitor's device. In Chrome DevTools, these appear under Application > Storage alongside cookies. If a marketing script writes a unique identifier into localStorage rather than a cookie, that identifier still requires consent.
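One way to triage what Method 4 covers, as an added example that is not part of the original article: a function that walks any Web Storage object (localStorage or sessionStorage) and flags values that look like unique identifiers, including identifiers wrapped in JSON. The patterns, the `fakeStorage` helper and the sample keys are assumptions; a flagged entry is a prompt for manual review, not a classification.

```javascript
// Added example: flag identifier-like values in localStorage / sessionStorage.
// The patterns are triage heuristics chosen for this example, not a standard.
const ID_PATTERNS = [
  ["uuid", /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i],
  ["long hex token", /^[0-9a-f]{24,}$/i],
  ["dotted client id", /^[A-Za-z]+\d*(\.\d+){2,}$/], // shape like "GA1.1.123.456"
];

// Return the label of the first matching pattern, or null.
function classify(value) {
  const hit = ID_PATTERNS.find(([, re]) => re.test(value));
  return hit ? hit[0] : null;
}

// Collect every string nested inside a parsed JSON value.
function stringLeaves(v) {
  if (typeof v === "string") return [v];
  if (v && typeof v === "object") return Object.values(v).flatMap(stringLeaves);
  return [];
}

// Check the raw value and, when it is JSON, every string inside it.
function candidates(raw) {
  try { return [raw, ...stringLeaves(JSON.parse(raw))]; } catch { return [raw]; }
}

// Works with any object exposing the Storage interface (length, key, getItem).
function auditStorage(storage, area) {
  const rows = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const raw = storage.getItem(key);
    const identifier = candidates(raw).map(classify).find(Boolean) || null;
    rows.push({ area, key, chars: raw.length, identifier });
  }
  return rows;
}

// Hypothetical stand-in for the browser's Storage object, so this runs in Node.
function fakeStorage(obj) {
  const keys = Object.keys(obj);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => obj[k] };
}
const sample = fakeStorage({ // constructed sample entries
  theme: "dark",
  cart: '{"items":[{"sku":"A-100","qty":2}]}',
  _vis: '{"id":"3f2b8c1e-9d4a-4e7b-8a6f-1c2d3e4f5a6b","first":1700000000}',
  cid: "GA1.1.1234567890.1700000000",
});
console.table(auditStorage(sample, "localStorage"));
```

In a browser, paste the functions into the DevTools console and call `auditStorage(localStorage, "localStorage")` and `auditStorage(sessionStorage, "sessionStorage")` before and after interacting with the consent banner.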

What to Record in Your Cookie Inventory

Once you have identified your cookies through one or more of the methods above, document each one. A proper inventory includes the cookie name, the domain that sets it, its purpose, the duration (session or persistent, and if persistent, the exact expiry), the category (necessary, functional, analytics, or marketing), and the third-party vendor responsible if applicable.

This inventory feeds into three outputs that regulators expect to see:

  • Your cookie policy - listing every cookie, its purpose, and its duration.

  • Your consent banner - grouping cookies into categories so visitors can make informed choices.

  • Your records of processing activities under GDPR Article 30 - since cookie-based tracking constitutes personal data processing.

How Often to Scan

A cookie inventory is not a one-off task. New cookies appear whenever a developer adds a script, a plugin updates, or a marketing team installs a new tracking pixel. The CNIL's enforcement record makes clear that "set and forget" approaches do not satisfy ongoing compliance obligations.

For most sites, a monthly automated scan is a sensible baseline. E-commerce sites running frequent campaigns or A/B tests should scan weekly. If your consent management platform supports scheduled scans, enable them - they catch rogue cookies before a regulator does.

Common Surprises When You First Scan

Most site owners discover more cookies than expected on their first scan. Third-party embeds are the usual culprit. A YouTube video embed, a Google Maps widget, or a social sharing button each brings its own set of cookies. An embedded YouTube player sets cookies from .youtube.com and .google.com unless you use the privacy-enhanced embed URL (youtube-nocookie.com).

Tag managers add another layer. If Google Tag Manager loads all tags before consent is collected, every tag's cookies fire immediately - analytics, remarketing, heat-mapping, everything. Configuring your tag manager to respect consent signals through Google Consent Mode v2 or manual trigger rules is essential to avoid exactly the kind of pre-consent cookie loading that cost Google and Shein hundreds of millions of euros in fines.

Frequently Asked Questions

How can I check cookies on a specific page without any tools?

Open the page in a private or incognito browser window, right-click, select Inspect, and navigate to Application (Chrome) or Storage (Firefox). Under the Cookies section you will see every cookie active on that page, along with its domain, expiry, and attributes.

Do I need to list cookies in my cookie policy even if they are set by third parties?

Yes. Under the GDPR and ePrivacy Directive, you are responsible for all cookies placed on your visitors' devices through your site, regardless of whether a third-party script sets them. Your cookie policy must disclose each cookie's name, purpose, provider, and duration.

How often should I run a cookie scan on my website?

At minimum, once a month. Sites with frequent changes to scripts, plugins, or marketing campaigns should scan weekly. Automated scheduled scans through a consent management platform are the most reliable approach.

Can local storage and session storage trigger the same consent requirements as cookies?

Yes. The EDPB's 2024 guidelines on Article 5(3) of the ePrivacy Directive confirm that any technology that stores or accesses information on a user's device falls within scope. Local storage, session storage, and IndexedDB all require consent if used for non-essential purposes such as analytics or advertising.

What is the difference between a manual cookie check and an automated cookie scan?

A manual check using browser developer tools shows cookies on a single page at a single moment. An automated scanner crawls multiple pages, renders JavaScript, and captures cookies that load conditionally or on interaction - giving a more complete picture of your site's cookie footprint.

Why do I see different cookies in Chrome, Firefox, and Safari?

Safari and Firefox block most third-party cookies by default through Intelligent Tracking Prevention and Enhanced Tracking Protection respectively. Chrome still allows third-party cookies unless the user opts out. As a result, a full cookie audit should use Chrome (or a scanner that uses Chromium) to capture every cookie your site attempts to set.

Start With a Free Cookie Scan

If you have never checked what cookies your site sets, the fastest way to get a clear picture is to run an automated scan. Kukie.io's free scanner identifies, categorises, and documents every cookie - giving you the inventory you need for your policy, your banner, and your next conversation with a regulator.
