Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Cookie Audit And Why It Matters
- How To Run A Cookie Audit Step-By-Step
- 1) Scan And Inventory Your Cookies
- 2) Classify What’s “Strictly Necessary”
- 3) Map Your Legal Bases And Consent Requirements
- 4) Fix Your Cookie Banner And Controls
- 5) Update Your Cookie Policy And Privacy Disclosures
- 6) Review Third-Party Vendors And Contracts
- 7) Implement Prior Consent (And Blocking) Correctly
- 8) Test, Log And Train
- 9) Re-Audit Regularly
- Key Takeaways
If your website uses cookies, pixels or analytics, a cookie audit isn’t just a “nice to have” - it’s a core part of your legal compliance and a smart way to build customer trust.
The good news? You don’t need a huge budget or technical team to get it right. With a simple, step-by-step audit, you can map what’s running on your site, fix your consent banner, tidy up your documentation and stay on the right side of UK privacy law.
In this guide, we’ll explain what a cookie audit involves, which UK laws apply, how to run one in practice, and the common pitfalls to avoid - all in plain English.
What Is A Cookie Audit And Why It Matters
A cookie audit is a structured review of the cookies and similar technologies on your website or app. You identify what’s being set, by whom, for how long, and why. Then you assess whether you need consent, how you capture that consent, and whether your banner and policy accurately reflect reality.
Why it matters:
- Compliance: Cookies are regulated by the Privacy and Electronic Communications Regulations (PECR) as well as the UK GDPR and the Data Protection Act 2018.
- Trust: Clear choices and honest explanations reduce complaints and increase user confidence.
- Risk reduction: Poor cookie practices are a common reason for enforcement by the Information Commissioner’s Office (ICO).
- Better data: Lawful, consent-based tracking gives you more reliable analytics you can actually use.
Put simply, a cookie audit helps you understand what’s happening on your site today and gives you a roadmap to make it compliant and user-friendly.
What UK Laws Apply To Cookies And Trackers?
There are three main legal pillars to understand. You don’t need to be a lawyer - here’s the plain-English version.
PECR (Privacy and Electronic Communications Regulations)
PECR covers the use of cookies and similar technologies (like pixels, local storage, SDKs). The default rule is consent before setting non-essential cookies. “Strictly necessary” cookies (for example, those needed to load the site, keep a shopping basket, or provide a service the user asked for) generally don’t require consent, but they still require transparency.
UK GDPR + Data Protection Act 2018
Once a cookie collects personal data (which many analytics and advertising cookies do), UK GDPR applies. That means you need a lawful basis (often consent for advertising/analytics), transparency, purpose limitation, data minimisation, retention controls and security measures. You also need a lawful way to handle user rights - such as access or deletion requests - connected to cookie-derived personal data.
ICO Guidance And Enforcement
The ICO expects consent to be granular, freely given, informed and unambiguous. That means no pre-ticked boxes, no implied consent just from scrolling, and no “accept all” with no easy “reject all.” If you rely on consent, you must be able to demonstrate it and allow users to change their mind at any time.
How To Run A Cookie Audit Step-By-Step
You can approach a cookie audit as a repeatable project. Here’s a practical workflow you can run quarterly or whenever you change vendors.
1) Scan And Inventory Your Cookies
Start by scanning your site (including staging or subdomains if relevant) to see what cookies, pixels and storage objects are set. Capture:
- Name, provider and category (strictly necessary, functional, performance/analytics, advertising/targeting)
- Purpose and description
- Expiry (session vs persistent and duration)
- Whether it’s first-party or third-party
- Page(s) or events that trigger it
Don’t forget non-cookie technologies like local storage, session storage, fingerprinting scripts, or in-app SDKs - PECR covers “similar technologies,” not just cookies.
2) Classify What’s “Strictly Necessary”
Be honest and conservative. Payment checkout cookies and load-balancing are typically necessary; A/B testing, heatmaps, remarketing and most analytics are not. If in doubt, treat it as non-essential.
3) Map Your Legal Bases And Consent Requirements
For any non-essential tracker, assume PECR consent is required. Where the cookie collects personal data, identify your UK GDPR lawful basis. For advertising and most analytics, that will usually be consent. Ensure your consent is:
- Granular (separate toggles for different categories, not one blanket “OK”)
- Opt-in (no pre-ticked boxes, no nudging via dark patterns)
- Documented (store timestamp, preferences, and version of your policy/banner)
4) Fix Your Cookie Banner And Controls
Your banner should appear on first visit, explain what you use and why, and provide equal prominence to accept and decline. Provide a “Manage preferences” link so users can pick categories, and a persistent link (e.g. in your footer) so they can change their mind later.
If you’re redesigning your interface, it’s worth reviewing practical guidance on cookie banners that comply and making sure you offer a clear “reject all” option alongside “accept all”.
5) Update Your Cookie Policy And Privacy Disclosures
Your policy should match your audit. Include a table or clear list of categories, typical cookies, purposes, retention and third-party providers. Explain how users can withdraw consent and how consent is logged. If you don’t have one, consider a tailored Privacy Policy aligned with your cookie setup.
6) Review Third-Party Vendors And Contracts
If third parties set cookies (e.g. ad networks, embedded videos, analytics tools), review how data flows and whether the provider acts as a processor or a controller. Where you share personal data with a processor, you’ll generally need a Data Processing Agreement with UK GDPR-required clauses. For controller-to-controller sharing (e.g. certain adtech arrangements), a Data Sharing Agreement may be appropriate.
7) Implement Prior Consent (And Blocking) Correctly
Non-essential cookies should be blocked until consent is given. Practically, this means firing scripts only after the relevant preference is on. Test in multiple browsers and devices. If your consent tool can’t block scripts before consent, it’s time to upgrade.
8) Test, Log And Train
- Test: Open your site in a private window with all caches cleared. Confirm that no non-essential cookies are set before consent is given.
- Log: Keep a record of your audit, the banner version, policy version and vendor list.
- Train: Make sure marketing and dev teams know how consent affects tag managers, pixels and new tool rollouts.
9) Re-Audit Regularly
Websites evolve quickly. Re-run your cookie audit every quarter or when you add a new tool, change your tag manager or run new campaigns. This keeps your documentation aligned with reality.
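To make steps 1, 3, 7 and 8 concrete, here is an added JavaScript example (not Sprintlaw’s code, and not from any consent platform): a consent record built from the inventory, a gate that lets tags fire only for consented categories, and a check that flags cookies observed before the banner was answered. All cookie names, categories, providers and header values are constructed.

```javascript
// Added example, not Sprintlaw's code: a consent gate plus a pre-consent
// check. Cookie names, categories and providers below are constructed.
const NON_ESSENTIAL = ["functional", "analytics", "advertising"];

// Step 1 inventory (constructed sample).
const INVENTORY = [
  { name: "sessionid", category: "strictly_necessary", provider: "first-party" },
  { name: "basket",    category: "strictly_necessary", provider: "first-party" },
  { name: "stats_uid", category: "analytics",          provider: "example-analytics" },
  { name: "ad_id",     category: "advertising",        provider: "example-adnet" },
];

// Step 3 record: every non-essential category defaults to off (no pre-ticked
// boxes) and turns on only for an explicit opt-in; timestamp and banner
// version are stored so the consent can be demonstrated later.
function buildConsentRecord(choices, bannerVersion, now = new Date()) {
  const preferences = { strictly_necessary: true };
  for (const cat of NON_ESSENTIAL) preferences[cat] = choices[cat] === true;
  return { timestamp: now.toISOString(), version: bannerVersion, preferences };
}

// Step 7: a tag may fire only if its category is on in the record. With no
// record yet (banner unanswered) only strictly necessary items are allowed.
function tagsAllowedToFire(inventory, record) {
  const prefs = record ? record.preferences : { strictly_necessary: true };
  return inventory.filter(c => prefs[c.category] === true).map(c => c.name);
}

// Step 8 test: from Set-Cookie headers captured in a fresh private window
// before the banner was answered, flag anything not strictly necessary.
// Names missing from the inventory are flagged too; they need classifying.
function preConsentViolations(inventory, setCookieHeaders) {
  const necessary = new Set(
    inventory.filter(c => c.category === "strictly_necessary").map(c => c.name));
  const seen = setCookieHeaders.map(h => h.split(";")[0].split("=")[0].trim());
  return seen.filter(name => !necessary.has(name));
}

// Constructed headers as they might be captured before consent.
const OBSERVED_PRE_CONSENT = [
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "stats_uid=u-42; Path=/; Max-Age=63072000",
  "mystery=1; Path=/",
];

const record = buildConsentRecord({ analytics: true }, "banner-v3");
console.log(tagsAllowedToFire(INVENTORY, record));                  // sessionid, basket, stats_uid
console.log(preConsentViolations(INVENTORY, OBSERVED_PRE_CONSENT)); // stats_uid, mystery
```

In a real deployment the gate sits in front of your tag manager triggers, and the pre-consent check runs against headers captured from a cleared private window on each re-audit.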
What To Include In Your Cookie Policy And Banner
Your cookie policy and banner should work together. Think of the banner as the concise “front door,” and the policy as the detailed explanation.
Cookie Banner Essentials
- Plain-English summary of what you use cookies for
- Accept all/Reject all with equal prominence
- Granular controls (e.g. “Analytics”, “Advertising”, “Functional”)
- Clear link to “Manage preferences” and your cookie policy
- No pre-ticked boxes or implied consent
- Cookie blocking until consent (for non-essential categories)
Cookie Policy Essentials
- How cookies and similar technologies work on your site or app
- Categories of cookies with examples and purposes
- Retention periods (or how you determine them)
- Third parties involved and links to their policies
- How users can withdraw consent or change settings
- How consent is recorded, and date of last update
If your site or app handles health, children’s data or other sensitive categories, you’ll likely need extra safeguards and very clear consent flows. It’s wise to get tailored advice through a short data protection consultation so your interface and policy reflect your specific risks.
Common Cookie Audit Pitfalls To Avoid
Even well-meaning businesses can stumble on the same issues. Here’s what to watch for.
Pre-Consent Firing
Analytics or marketing tags firing before consent is captured is a classic breach. Check your tag manager triggers and ensure all non-essential tags depend on the right consent state.
Inconsistent Documentation
Your banner says one thing, your policy says another, and your site does a third. During an audit, alignment matters. Keep a single source of truth and update everything together.
“Cookie Wall” Tactics
Blocking access until a user clicks “accept all” is risky under the ICO’s expectations. Consent should be freely given - users must be able to say no without being punished.
Mislabelled “Necessary” Cookies
Calling A/B testing or ad remarketing “strictly necessary” won’t fly. If it’s not essential to provide a service the user requested, get consent.
Missing User Controls
Users should be able to change their mind at any time. Add a persistent “Cookies” or “Privacy settings” link in your footer that re-opens your preferences panel.
No Record-Keeping
If you rely on consent, you need to demonstrate it. Your consent platform should log the preference state, timestamp and consent version. This helps with audit trails and complaints handling.
Ignoring Non-Cookie Tech
Local storage, fingerprinting, pixels and SDKs can all fall under PECR. Make sure your audit covers anything that stores or accesses information on a device.
Legal Documents And Processes That Support Compliance
Your cookie audit connects to a few key documents and processes that keep your business protected day-to-day.
Privacy Policy Aligned To UK GDPR
Make sure your Privacy Policy explains how you use analytics and advertising tools, your lawful bases, retention and user rights. A properly tailored Privacy Policy saves back-and-forth with customers and reduces risk.
Processor Contracts And Due Diligence
When suppliers process personal data for you (hosting, analytics, marketing platforms), put a compliant Data Processing Agreement in place. For controller-to-controller flows, consider a Data Sharing Agreement outlining roles and responsibilities.
Consent, Logs And Governance
Have a simple internal register covering cookie categories, vendors, data locations and consent mechanisms. This makes it easier to respond to user rights requests and to demonstrate accountability under UK GDPR.
Handling User Requests
Be prepared to answer access and deletion requests related to cookie-derived data. Having a process informed by UK timelines for subject access requests makes life easier when queries arrive.
Incident Response
If a tag misconfiguration exposes data or an unauthorised third party gets access, you’ll want a clear playbook. A short, practical Data Breach Response Plan helps you contain issues quickly and decide whether you need to notify the ICO or affected users.
Costs And Registration
Most UK organisations that process personal data must pay an annual data protection fee to the ICO unless exempt. It’s quick to check whether an ICO fee exemption applies to you.
Website Legal Basics
Alongside your privacy set-up, make sure your customer-facing terms are consistent with how your site operates. If you offer services or subscriptions online, your Website Terms and Conditions and cancellation rights should be clear and align with your data practices.
Key Takeaways
- A cookie audit maps all cookies and similar technologies on your site, classifies them, and makes sure consent, documentation and blocking are all working together.
- PECR requires prior consent for non-essential cookies, and UK GDPR applies where personal data is involved - consent must be specific, informed and freely given.
- Block non-essential cookies until users opt in, offer an easy “reject all” and granular controls, and keep your banner, policy and technical set-up consistent.
- Keep records: log consent states, vendor lists and policy versions so you can demonstrate accountability and handle user requests efficiently.
- Support your audit with the right legals, including a tailored Privacy Policy, a Data Processing Agreement with processors, and a Data Breach Response Plan.
- Re-audit regularly - especially after adding new tools, changing your tag manager or launching new campaigns - to stay compliant and maintain user trust.
If you’d like help running a cookie audit, refreshing your Privacy Policy or setting up compliant banners and contracts, our friendly team can guide you. You can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.