
A plain-English guide to auditing your cookie consent banner for GDPR, CCPA, and ePrivacy compliance — what to check, what to fix, and how to verify it works.

# Cookie Consent Audit: What You Need to Be Compliant

If your website sets a tracking cookie before a visitor clicks anything, you probably have a compliance problem. It's the most common mistake small business sites make — and the easiest one for a regulator, a competitor, or a privacy-savvy customer to spot.

This guide walks you through a practical cookie consent audit. No legalese. Just what to check, what to fix, and how to confirm it actually works.

[Image: Close-up of a cookie consent banner on a small business bakery website displayed in a Chrome browser, showing equally weighted Accept All, Reject All, and Customize buttons side by side at the bottom of the homepage above the fold]

## Why this matters for small businesses

Cookie consent rules aren't just for enterprise sites. If you have visitors from the EU, the UK, California, Colorado, Virginia, Connecticut, Utah, or any of the growing list of US states with privacy laws, you're on the hook. GDPR fines can reach 4% of annual revenue, but the realistic risks for most small businesses are:

  • A customer complaint to a data protection authority
  • A class action under California's CCPA/CPRA
  • Lower conversion from a poorly designed banner
  • Lost trust when a savvy customer sees you firing Facebook Pixel before they consent

Most sites fail audits not because the owner is careless, but because a theme, plugin, or agency added tracking scripts without checking what fires when.

## What "consent" actually means under the major laws

GDPR (EU/UK) requires consent that is freely given, specific, informed, and unambiguous:

  • A clear affirmative action (clicking a button — not "continued browsing")
  • Reject must be as easy as Accept
  • No pre-ticked boxes
  • No non-essential cookies before consent
  • Cookie categories and third parties must be disclosed
  • Withdrawing consent must be as easy as giving it

CCPA/CPRA (California) uses an opt-out model, but you still need:

  • A clear "Do Not Sell or Share My Personal Information" link
  • Recognition of the Global Privacy Control (GPC) browser signal
  • A privacy policy listing the categories of data you collect and share

The ePrivacy Directive — not GDPR — is the EU law that actually governs cookies. It requires opt-in for anything that isn't strictly necessary.

If you serve both EU and US visitors, you generally need a geo-aware banner.

## The 8-point cookie consent audit

Run through it in order. Most failures hide between steps 3 and 5.

### 1. Inventory every cookie and tracker

Open your homepage in an incognito window. In DevTools, go to Application → Cookies and list everything set before you click anything. Then visit a product page, a blog post, and your contact form. Note any new cookies.

Also check:

  • Local storage and session storage
  • Pixel fires (Network tab, filter by "facebook", "google", "tiktok")
  • Cookies set by your CMS, CDN, A/B testing tool, chat widget, or video embed

Build a simple spreadsheet: Cookie name, Domain, Purpose, Category (necessary / functional / analytics / marketing), Duration, Third party. If you can't explain what a cookie does, mark it for removal until you can.

### 2. Check what fires before consent

This is where most sites fail. Reload in a fresh incognito window. Before you touch the banner, check the Network tab.

Red flags if any of these load pre-consent:

  • google-analytics.com or googletagmanager.com (unless using consent mode)
  • facebook.net or connect.facebook.net
  • hotjar.com, clarity.ms, fullstory.com
  • doubleclick.net
  • linkedin.com/li.lms-analytics
  • TikTok analytics
  • Any retargeting or ad network

Strictly necessary is a narrow category: shopping cart sessions, CSRF tokens, theme preferences. Analytics is not strictly necessary, no matter what your developer says.

[Image: A cluttered website footer captured in a browser window with a pre-checked "I agree" checkbox and a single OK button, lit with a red warning highlight overlay and a small annotation arrow flagging it as a non-compliant dark pattern]

### 3. Audit the banner itself

Score yours against this mini-checklist:

  • [ ] Visible on first load, before any non-essential tracking fires
  • [ ] Accept and Reject buttons are equally prominent (same size, color, position)
  • [ ] No pre-ticked boxes for non-essential categories
  • [ ] A clear link to granular settings where users toggle individual categories
  • [ ] A link to the full cookie policy
  • [ ] Closing with the X or clicking outside does NOT count as consent
  • [ ] No "implied consent" language like "by continuing you agree…"

Dark patterns to remove: a giant green Accept All next to a tiny gray "Manage preferences." A Reject option buried two clicks deep. Consent walls blocking content are heavily scrutinized in the EU.

### 4. Verify the categories make sense

Most consent platforms group cookies into:

  • Strictly necessary — always on, no consent needed
  • Functional / preferences — language, region, dark mode
  • Analytics / performance — Google Analytics, Plausible, Matomo, Hotjar
  • Marketing / advertising — Facebook Pixel, Google Ads, TikTok Pixel, retargeting

Open the granular settings on your own banner. Every cookie from step 1 should sit in the right category. A common bug: Google Analytics ends up in "Strictly necessary" because someone misconfigured the platform. Move it.

### 5. Test that rejecting actually rejects

This catches the most violations.

  1. Open your site in a fresh incognito window
  2. Click Reject All (or toggle every non-necessary category off)
  3. Browse 3–4 pages for about 60 seconds
  4. Recheck DevTools

You should see only strictly necessary cookies: no _ga, no _fbp, no _gcl_au. If any of them are still present, your consent management platform (CMP) isn't gating scripts; it's just hiding the banner. This is the #1 audit finding in the wild.
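Steps 2 and 5 are the same check run at two moments, so here is an added example (not code from the article) that scores a captured snapshot of cookies and requests the way those steps describe: anything that is not strictly necessary is a finding. The snapshot shape, the helper names and the NECESSARY list are assumptions; the sample data is constructed.

```javascript
// Added example (not the article's code); snapshot shape and names are assumed.
// Hosts the article flags when they load before consent, with their category.
const TRACKER_HOSTS = [
  [/google-analytics\.com|googletagmanager\.com/, "analytics"],
  [/hotjar\.com|clarity\.ms|fullstory\.com/, "analytics"],
  [/facebook\.net/, "marketing"],
  [/doubleclick\.net/, "marketing"],
  [/li\.lms-analytics/, "marketing"],
];
// Cookie names the article says must be absent after Reject All.
const TRACKER_COOKIES = [
  [/^_ga/, "analytics"], // _ga and the GA4 _ga_<id> variants
  [/^_fbp$/, "marketing"],
  [/^_gcl_au$/, "marketing"],
];
// Strictly necessary cookies from your step 1 inventory (assumed sample names).
const NECESSARY = new Set(["PHPSESSID", "csrftoken", "cart_id"]);
function classifyCookie(name) {
  if (NECESSARY.has(name)) return "necessary";
  const hit = TRACKER_COOKIES.find(([re]) => re.test(name));
  return hit ? hit[1] : "unknown"; // unknown: explain it or remove it (step 1)
}
function classifyRequest(url) {
  const u = new URL(url);
  const hit = TRACKER_HOSTS.find(([re]) => re.test(u.hostname + u.pathname));
  return hit ? hit[1] : null; // null: not a known tracker host
}
// snapshot = { cookies: [{ name, domain }], requests: [url, ...] }, captured before
// touching the banner (step 2) or after Reject All (step 5); same rule in both phases.
function auditSnapshot(snapshot) {
  const findings = [];
  for (const c of snapshot.cookies) {
    const category = classifyCookie(c.name);
    if (category !== "necessary") findings.push({ kind: "cookie", value: c.name, category });
  }
  for (const url of snapshot.requests) {
    const category = classifyRequest(url);
    if (category) findings.push({ kind: "request", value: url, category });
  }
  return { pass: findings.length === 0, findings };
}
// Constructed snapshot of a pre-consent page load that fails step 2.
const PRE_CONSENT = {
  cookies: [{ name: "PHPSESSID", domain: "shop.example" }, { name: "_fbp", domain: ".shop.example" }],
  requests: ["https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER", "https://shop.example/app.js"],
};
console.log(auditSnapshot(PRE_CONSENT));
```

Feed it the cookie list and request URLs you copied out of DevTools; a passing post-reject run is the evidence the CMP is actually gating.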

The fix is usually one of:

  • Move Google Analytics into Tag Manager with consent mode v2
  • Configure your CMP to block scripts by category, not just display the banner
  • Replace hardcoded
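The second fix above is a gating problem rather than a banner problem, so here is an added example (not the article's code, nor any CMP's) of what "block scripts by category" looks like in the page's own JavaScript, with the Consent Mode v2 update derived from the same decision. The category names, the data-category attribute and the function names are assumptions; the consent mode keys are Google's.

```javascript
// Added example, not the article's or any CMP's code; names are assumed.
const CATEGORIES = ["functional", "analytics", "marketing"]; // "necessary" is never gated
// Map a banner interaction to a consent record. Closing the banner with the X
// or clicking outside returns null: no consent was given, so nothing fires.
function consentFromChoice(choice) {
  const all = (v) => Object.fromEntries(CATEGORIES.map((c) => [c, v]));
  if (choice === "accept_all") return all(true);
  if (choice === "reject_all") return all(false);
  if (choice && typeof choice === "object") { // granular toggles: unticked means denied
    return Object.fromEntries(CATEGORIES.map((c) => [c, choice[c] === true]));
  }
  return null; // dismissed: banner shows again on the next page
}
// Google Consent Mode v2 payload derived from the same record, so tags loaded
// through Tag Manager see "denied" until the visitor actually opts in.
// Passing null (undecided) yields all denied, which is the correct default state.
function consentModeUpdate(consent) {
  const state = (c) => (consent && consent[c] ? "granted" : "denied");
  return {
    functionality_storage: state("functional"),
    analytics_storage: state("analytics"),
    ad_storage: state("marketing"),
    ad_user_data: state("marketing"),
    ad_personalization: state("marketing"),
  };
}
// Tags ship inert as <script type="text/plain" data-category="..."> and only
// the granted categories are allowed to run; null consent allows necessary only.
function scriptsToActivate(scripts, consent) {
  return scripts.filter(
    (s) => s.category === "necessary" || (consent !== null && consent[s.category] === true)
  );
}
// DOM glue (call in the browser with document): replaces each allowed inert tag
// with an executable copy, leaving denied tags as plain text. Returns the count.
function applyToDocument(doc, consent) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const allowed = scriptsToActivate(inert.map((el) => ({ el, category: el.dataset.category })), consent);
  for (const { el } of allowed) {
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}
```

Wire the banner's buttons to consentFromChoice, then call applyToDocument(document, consent) and pass consentModeUpdate(consent) to gtag('consent', 'update', ...); re-running step 5 afterwards should show only the necessary cookies.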