Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Cookie Audit (And Why Should SMEs Care)?
- Cookie Audit Step-By-Step (A Practical Checklist For SMEs)
- Step 1: List Every Tool Connected To Your Website
- Step 2: Run A Cookie Scan (And Do It More Than Once)
- Step 3: Categorise Cookies (Essential vs Non-Essential)
- Step 4: Identify Who Controls Each Cookie (You, Or A Third Party?)
- Step 5: Check Your Consent Mechanism Works Properly
- Step 6: Update Your Cookie Register (What You’ll Publish In Your Cookie Policy)
- Step 7: Cross-Check Your Privacy Disclosures And Data Handling
- Step 8: Set A Review Cycle (Because Cookies Change)
- Key Takeaways
If you run a small business website, cookies can feel like a “set and forget” job. You add analytics, a booking widget, a live chat tool, or a marketing pixel… and suddenly your site is dropping dozens (sometimes hundreds) of cookies.
That’s exactly why doing a cookie audit matters. It’s the practical process of working out what cookies your site actually uses, what they do, and whether you’re collecting consent properly under UK rules.
The good news is you don’t need to be a developer (or a privacy lawyer) to understand the basics. With a clear process, most SMEs can get their cookie compliance into good shape and reduce the risk of complaints, regulator attention, or customer distrust.
Below, we’ll walk you through a step-by-step cookie audit you can run on your own website, plus the documents and settings that usually need updating afterwards.
What Is A Cookie Audit (And Why Should SMEs Care)?
A cookie audit is a structured check of the cookies and similar tracking technologies used on your website (and sometimes in your app), including:
- Which cookies are set (first-party and third-party)
- Who sets them (you or an embedded service provider)
- What they do (e.g. essential functionality, analytics, advertising)
- How long they last (session vs persistent, retention periods)
- Whether consent is required and whether your site is collecting it correctly
For small businesses, the practical reasons to run a cookie audit are straightforward:
- Customers notice when cookie banners are confusing or misleading (and it can damage trust)
- Marketing performance can be affected if consent is implemented incorrectly (you may lose tracking data or collect it unlawfully)
- Regulatory risk increases if non-essential cookies are set without consent
- It’s easier to fix early than to untangle later after adding more tools and integrations
Think of it like tidying up your website’s “behind the scenes” data habits. It’s part of having strong legal foundations from day one.
Which UK Laws Apply To Cookies?
In the UK, cookies are mainly regulated by two overlapping legal regimes:
1) PECR (Privacy And Electronic Communications Regulations)
PECR is the key set of rules that governs cookies and similar technologies. In simple terms, PECR generally requires you to:
- Tell users clearly what cookies are doing; and
- Get consent before setting non-essential cookies (with some limited exceptions).
The big takeaway: most analytics and marketing cookies require consent before they’re placed on a user’s device.
2) UK GDPR And The Data Protection Act 2018
Where cookies involve processing personal data (which is common, especially with analytics identifiers, advertising IDs, and user profiles), you also need to comply with the UK GDPR and Data Protection Act 2018.
That typically means having:
- a lawful basis for processing personal data (this may be consent in many cookie-based tracking scenarios, but it can depend on what you’re doing and which data is involved)
- transparent privacy information (what you do, why, and with whom you share data)
- appropriate contracts and governance if vendors process data for you
- security measures and retention controls
This is why your Privacy Policy and cookie banner settings need to line up with what your website is actually doing.
Cookie Audit Step-By-Step (A Practical Checklist For SMEs)
Below is a practical cookie audit process you can follow even if you’re not technical. If you have a web developer or marketing agency, you can also hand this list to them and ask them to provide the information.
Step 1: List Every Tool Connected To Your Website
Before you scan for cookies, map the usual suspects. Most “mystery cookies” come from tools you (or your web agency) have added over time.
Make a list of everything that could set cookies or track user behaviour, such as:
- analytics tools
- advertising pixels / conversion tracking
- email marketing signup forms
- live chat widgets
- embedded video players
- booking systems
- payment widgets
- social media embeds
- A/B testing tools
This step matters because a cookie audit isn’t only “your” cookies. Embedded services can drop their own cookies too.
Step 2: Run A Cookie Scan (And Do It More Than Once)
Next, scan your website to identify cookies and trackers. An automated cookie scanner is the quickest route, but you can also do a manual scan with your browser's developer tools: open a fresh private window, load the page, and read the Application panel (Chrome) or Storage panel (Firefox), which lists every cookie by domain, including third-party and HttpOnly cookies that a page script reading document.cookie cannot see.
For a thorough cookie audit, scan:
- your homepage
- checkout / booking pages (often heavy on third-party scripts)
- contact forms
- blog pages
- landing pages used for ads
Also test in different scenarios, because cookies can be triggered differently depending on actions taken:
- first visit vs returning visit
- before consent vs after consent
- incognito/private browsing mode
- mobile and desktop
Tip: a cookie scan is a great starting point, but it won't always catch everything: some tracking uses pixels, local storage, SDKs, or server-side tagging rather than cookies, and a crawler that never interacts with the banner only ever sees the pre-consent state. If the result looks “too clean” compared to the tools you've installed, dig deeper.
Tip: if non-essential cookies appear before a user has consented, that’s a red flag you’ll want to fix quickly.
Step 3: Categorise Cookies (Essential vs Non-Essential)
Once you’ve identified cookies, categorise them. A simple and common approach is:
- Strictly necessary cookies (essential for basic site functions and user-requested services)
- Preferences / functionality cookies (remembering settings, language, etc.)
- Analytics / performance cookies (site usage measurement and improvement)
- Marketing / advertising cookies (targeted ads, retargeting, cross-site tracking)
In UK practice, strictly necessary cookies can usually be placed without consent, but this is interpreted narrowly - it generally means the cookie is genuinely required for a service the user has asked for (not just “useful” for your business). You still need to be transparent about them.
Most other categories require opt-in consent before they’re set.
Step 4: Identify Who Controls Each Cookie (You, Or A Third Party?)
This is where SMEs often get caught out.
For each cookie, note:
- Is it first-party (its Domain attribute is your own domain) or third-party (set under another domain)? Note that first-party does not mean you control it: a vendor's script running on your page can set a cookie on your domain (analytics cookies commonly work this way), so record the vendor as well as the domain.
- Which vendor/service sets it (the script, tag, or embed it comes from)?
- What data it collects (even if it’s “just” identifiers)
- Whether data is shared outside the UK (international transfers)
If third-party providers process personal data for you, you may also need contractual protections and vendor oversight (this is part of GDPR compliance, not just “cookie banner” compliance).
Step 5: Check Your Consent Mechanism Works Properly
This is the part most people think of when they hear cookie audit: the banner. But the key issue isn’t how it looks - it’s what it does.
In practice, you want to check:
- No non-essential cookies fire before consent (unless a clear exception applies)
- Users can choose granularly (e.g. analytics off, marketing off)
- Consent is opt-in (not assumed by silence or pre-ticked boxes)
- It’s as easy to reject as to accept (avoid designs that nudge users into “accept all”)
- Users can change their mind later (a persistent “cookie settings” link is common)
Also check whether your site still drops cookies when:
- a user clicks “Reject”
- a user closes the banner without making a choice
- a user accepts only certain categories
If your current setup can’t reliably control scripts, it may need a technical rebuild (and it’s usually worth doing properly rather than patching it repeatedly).
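The checks in Steps 2 to 5 (scan in several consent states, categorise, first- vs third-party, nothing non-essential before consent or after “Reject”, only the chosen categories after a partial accept) come together in the following Python script, added here as a worked example; it is not part of the original article and not a tool the article mentions. It takes cookie snapshots captured in a fresh private window at four points (before any choice, after “Reject”, after ticking analytics only, after “Accept all”) in the shape a headless browser such as Playwright's context.cookies() or a DevTools export produces (name, domain, expires), reports the gaps, and emits rows for the Step 6 register. The host name, the name-to-category map, and all four snapshots are constructed for illustration; a real audit replaces them with your own tool list and scan output.

```python
"""Consent-gap check over cookie snapshots taken at different consent states.

Added example, not from the original article. Snapshot shape assumed: a list of
dicts with "name", "domain" and "expires" (unix seconds, -1 for a session
cookie), which is what Playwright's context.cookies() or a DevTools export gives.
"""
from __future__ import annotations

import datetime as dt

SITE_HOST = "www.example-sme.co.uk"   # assumption: the audited site
ESSENTIAL = {"strictly_necessary"}    # the only category allowed pre-consent

# Assumed name-prefix -> category map. In a real audit, fill this from the
# Step 1 tool list and vendor documentation; prefix matching lets a GA4
# "_ga_<PROPERTY>" cookie land with "_ga".
CATEGORY_RULES = (
    ("PHPSESSID", "strictly_necessary"),
    ("cookie_consent", "strictly_necessary"),
    ("_ga", "analytics"),
    ("_gid", "analytics"),
    ("_fbp", "marketing"),
    ("IDE", "marketing"),
    ("lang", "preferences"),
)


def categorise(name: str) -> str:
    """Map a cookie name to its Step 3 category; unknown names are flagged."""
    for prefix, category in CATEGORY_RULES:
        if name.startswith(prefix):
            return category
    return "uncategorised"


def classify_party(cookie_domain: str, site_host: str = SITE_HOST) -> str:
    """First-party if the cookie's Domain attribute covers the site host.
    Simplified suffix check: a production tool should use the Public Suffix
    List (e.g. the tldextract package) so that "co.uk" alone never matches."""
    d = cookie_domain.lstrip(".").lower()
    h = site_host.lower()
    return "first-party" if h == d or h.endswith("." + d) else "third-party"


def lifetime_days(cookie: dict, now: dt.datetime) -> int | None:
    """None for a session cookie, otherwise days until expiry at scan time."""
    exp = cookie.get("expires", -1)
    if exp in (-1, None):
        return None
    return (dt.datetime.fromtimestamp(exp, dt.timezone.utc) - now).days


def consent_gaps(snapshot: list[dict], permitted: set[str]) -> list[str]:
    """Names of cookies in the snapshot whose category is not permitted."""
    return sorted(c["name"] for c in snapshot if categorise(c["name"]) not in permitted)


def register_rows(snapshot: list[dict], now: dt.datetime) -> list[dict]:
    """Rows for the Step 6 cookie register, built from the full-consent scan."""
    rows = []
    for c in snapshot:
        days = lifetime_days(c, now)
        rows.append({"name": c["name"], "category": categorise(c["name"]),
                     "provider": classify_party(c["domain"]), "domain": c["domain"],
                     "duration": "session" if days is None else f"{days} days"})
    return rows


def audit(before, after_reject, partial, partial_allowed, after_accept, now):
    """Step 5 checks: nothing non-essential before consent or after Reject,
    only the chosen categories after a partial accept, and no unexplained
    cookies anywhere (Step 3: investigate or remove the tool)."""
    return {
        "pre_consent": consent_gaps(before, ESSENTIAL),
        "after_reject": consent_gaps(after_reject, ESSENTIAL),
        "partial_accept": consent_gaps(partial, ESSENTIAL | partial_allowed),
        "uncategorised": sorted({c["name"] for c in after_accept
                                 if categorise(c["name"]) == "uncategorised"}),
    }


# --- constructed sample snapshots (not real scan output) --------------------
SCAN_TIME = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)


def _cookie(name: str, domain: str, days: int | None = None) -> dict:
    exp = -1 if days is None else int((SCAN_TIME + dt.timedelta(days=days)).timestamp())
    return {"name": name, "domain": domain, "expires": exp}


_ESSENTIAL = [_cookie("PHPSESSID", SITE_HOST), _cookie("cookie_consent", ".example-sme.co.uk", 365)]
BEFORE_CONSENT = _ESSENTIAL + [
    _cookie("_ga", ".example-sme.co.uk", 730),   # analytics tag loads on page load
    _cookie("IDE", ".doubleclick.net", 390),     # third-party ad cookie pre-consent
]
AFTER_REJECT = _ESSENTIAL + [_cookie("_fbp", ".example-sme.co.uk", 90)]  # pixel ignores Reject
ANALYTICS_ONLY = _ESSENTIAL + [
    _cookie("_ga", ".example-sme.co.uk", 730), _cookie("_gid", ".example-sme.co.uk", 1),
    _cookie("IDE", ".doubleclick.net", 390),     # marketing despite analytics-only choice
]
AFTER_ACCEPT = ANALYTICS_ONLY + [
    _cookie("_fbp", ".example-sme.co.uk", 90), _cookie("lang", SITE_HOST, 365),
    _cookie("chat_sid", "widget.chat-vendor.example", 30),  # nobody knows what sets this
]

if __name__ == "__main__":
    report = audit(BEFORE_CONSENT, AFTER_REJECT, ANALYTICS_ONLY, {"analytics"},
                   AFTER_ACCEPT, SCAN_TIME)
    for check, names in report.items():
        print(f"{check:15s} {'OK' if not names else 'FAIL: ' + ', '.join(names)}")
    for row in register_rows(AFTER_ACCEPT, SCAN_TIME):
        print(row)
```

Each snapshot must come from a fresh browser profile or private window, otherwise cookies left over from an earlier state leak into the next one and the before/after comparison is meaningless. Anything the script reports as uncategorised is a cookie your register cannot explain, which is the Step 3 cue to trace the tool that sets it or remove it.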
Step 6: Update Your Cookie Register (What You’ll Publish In Your Cookie Policy)
A cookie audit should end with a clear “cookie register” or “cookie table” that sets out, in plain English:
- cookie name
- purpose
- category (necessary/analytics/marketing etc.)
- duration (session/persistent, expiry period)
- provider (first party/third party)
This is typically presented in your Cookie Policy. The policy should match the reality of what your site does today, not what it did six months ago.
Step 7: Cross-Check Your Privacy Disclosures And Data Handling
Cookies don’t exist in a vacuum. If cookies involve personal data, your broader privacy compliance needs to support what you’re doing.
As part of your cookie audit, sanity-check:
- Does your Privacy Policy clearly explain your use of analytics/marketing tracking?
- Do you disclose key third parties and categories of recipients?
- Have you set appropriate retention periods for data collected through tracking?
- Do you have a plan if something goes wrong (like unauthorised access or accidental disclosure)?
For many SMEs, having a data breach response plan is a sensible part of being privacy-ready, especially if marketing data, customer accounts, or order histories are involved.
Step 8: Set A Review Cycle (Because Cookies Change)
A cookie audit isn’t a one-off job. Cookies can change when you:
- install a new plugin
- add a new payment option
- embed a new booking tool
- change your website theme
- ask your marketing agency to “improve tracking”
For most SMEs, a practical approach is:
- quick check monthly (especially after website updates)
- full cookie audit every 6–12 months
- immediate audit after adding new marketing or analytics tools
Common Cookie Audit Problems We See (And How To Fix Them)
Even well-meaning businesses can end up with cookie compliance issues. Here are some of the most common ones, and how you can tackle them.
Problem 1: “We Only Use Analytics” (But Analytics Still Needs Consent)
Many SMEs assume analytics cookies are harmless. In reality, analytics often involves unique identifiers and behavioural data, and consent is usually required before those cookies are set.
Fix: treat analytics as non-essential unless you have strong grounds otherwise, and ensure scripts only load after opt-in.
Problem 2: The Banner Collects Consent, But Cookies Fire Anyway
This is a technical implementation issue, and it’s very common. The banner records a preference, but your site still loads tracking scripts immediately on page load.
Fix: ensure scripts are properly blocked until consent is obtained. This usually means reviewing your tag setup, plugin configuration, and embedded third-party tools.
Problem 3: Cookie Policy Doesn’t Match Reality
Cookie policies often start as templates and then drift away from the site’s actual cookies over time.
Fix: update your cookie register after each cookie audit. If you can’t explain a cookie, investigate it (or remove the tool causing it).
Problem 4: No Way To Change Cookie Preferences
If users can’t easily revisit and adjust their cookie settings, you’re likely to get complaints - and it undermines the whole point of consent.
Fix: add a persistent “cookie settings” link (often in the footer) and make sure it actually works.
Problem 5: Consent Records And Governance Are Missing
If someone challenges your compliance, you want to be able to show what your process is and how you manage it.
Fix: document your cookie audit findings and keep internal notes on what you changed and when. Many SMEs roll this into a broader compliance approach like a GDPR package so it’s not just a one-off fix.
What Website Documents Should You Update After A Cookie Audit?
A cookie audit usually leads to updates in your website legal documents and customer-facing disclosures. The most common ones are:
Cookie Policy
Your cookie policy is where you explain what cookies you use and why, and how users can manage their choices. It should reflect your cookie register and your actual website behaviour.
This is often presented as a standalone Cookie Policy, with a link in your website footer and from your cookie banner.
Privacy Policy
Your privacy policy should explain how you process personal data collected via cookies and tracking - including the purposes (analytics, marketing), the types of data, and any sharing with third parties.
If you don’t have one yet (or it hasn’t been updated in a while), a GDPR-aligned Privacy Policy is usually essential for any business collecting website visitor data, enquiries, customer orders, or marketing leads.
Website Terms And Conditions
Your website terms won’t replace cookie consent, but they can help set expectations about how your site works, permitted use, and key disclaimers.
For many SMEs (especially those selling online, taking bookings, or publishing content), having clear Website Terms and Conditions is a useful part of the overall legal setup.
Internal Policies (If Staff Manage Website Or Marketing)
If your team members handle marketing tools, upload customer lists, or install plugins, you’ll want internal rules to keep things consistent.
An Acceptable Use Policy can help set practical boundaries on how staff use business systems and third-party tools (which, in turn, reduces privacy risk).
Data Breach Readiness
Cookies themselves aren’t always the source of a breach, but websites and tracking tools are part of your data ecosystem. If your site collects personal data (enquiries, customer accounts, marketing profiles), you should be ready to respond quickly if something goes wrong.
That’s where a data breach response plan can be a smart operational safeguard, even for smaller businesses.
Key Takeaways
- A cookie audit is a practical check of what cookies your website sets, what they do, who sets them, and whether consent is being collected correctly.
- In the UK, cookie compliance is mainly driven by PECR, with UK GDPR also applying where cookies involve personal data (which is very common).
- Most analytics and marketing cookies should not be set until a user has given opt-in consent.
- A strong cookie audit process includes scanning key pages, testing before/after consent, categorising cookies, identifying third parties, and documenting results in a cookie register.
- Your cookie audit should usually trigger updates to your Cookie Policy and Privacy Policy, and sometimes your internal processes and vendor management too.
- Cookie compliance isn’t “set and forget” - plan to re-audit after website changes and at least every 6–12 months.
If you’d like help reviewing your cookie consent setup and website privacy documents, you can reach us at 08081347754 or team@sprintlaw.co.uk.