Cookie Scanner: When Real-Time Monitoring Replaces Automated Audits
07/04/2026

Every week, new, undeclared cookies appear on your digital properties. Traditional crawlers don’t see them. Commanders Act has designed a scanner that uses real traffic to detect what robots miss.
The scenario is familiar, yet it keeps repeating itself: a company deploys its Consent Management Platform, configures its cookie categories, displays a banner compliant with CNIL recommendations, and then moves on to other things. The compliance project is checked off. The DPO breathes a sigh of relief. The digital team returns to its daily routine.
A false sense of security
Except that cookie compliance isn’t a static state—it’s an ongoing process. And between the day the CMP is configured and the moment an audit takes place, a website’s technical ecosystem has had time to change several times.
Here are a few examples from everyday life:
- The social media agency activates Meta retargeting tags… without going through the declaration process (even though the media agency, which was trained for it, does follow it)
- Following an update, a DoubleClick script sets a cookie from a third-party DSP that nobody on the team has heard of
- Under pressure to deliver results, the marketing team subscribes to AB Tasty to optimize its content personalization scenarios and activates it on its own, without notifying the compliance stakeholders.
Let’s not forget dormant cookies (unused but present) or technical cookies linked to redirects or iframes, sometimes just to embed a simple YouTube video… Sources of non-compliance are numerous and often outside the teams’ field of vision.
On high-traffic media or e-commerce sites, it is common to see between 1 and 5 new or renewed third-party cookies per week. Recent studies such as the Web Almanac 2025 put the median at 9 cookies per site, with the top quartile around 23; among the Alexa Top 100, the average is 52 cookies per site. Unsurprisingly, these cookies are not always declared in the cookie notice, and some are set before the visitor has even given consent.
The reasons are well known and often stem from a failure to communicate. A classic scenario: an acquisition manager activates a new Meta pixel for a retargeting campaign. In a bit of a rush, they forget to notify the media agency responsible for updating the cookie notice. And just like that, a third-party cookie goes unreported until the next crawl—we’ll come back to this.
All these examples are very real but do not necessarily convey the scale of the phenomenon. In fact, there is a considerable gap between the solutions agreed upon in contracts and the cookies actually set. Over time, this gap results in an accumulation of cookies unknown to the teams responsible for compliance. An accumulation that translates into increased risks.
Penalties that no longer apply only to GAFAM
For a long time, fines related to cookies seemed reserved for tech giants. Google was fined €150 million for a refusal ("opt-out") mechanism that was more cumbersome than the acceptance ("opt-in") one; Meta was fined €60 million for the same reason. In 2024, Orange was fined €50 million for displaying ads in its webmail without explicit consent (a fine the operator is contesting).
The scope has since broadened. Of the 83 penalties issued by the CNIL in 2025, 21 relate to cookies. While a few notable cases—Shein, Condé Nast, American Express France—have been made public, the majority of unnamed cases involve publishers and e-commerce sites penalized for misleading banners, cookies placed prematurely, or failure to honor consent withdrawal.
Beyond the fine, there is a whole chain of consequences: damage to the brand’s reputation, loss of consumer trust, and negative media coverage. And the risk is not only collective; a DPO and/or a company executive faces civil liability, or even criminal liability in the most serious cases of negligence.
Why crawler-based audits are no longer enough
To address these risks, the market’s traditional response has relied on crawlers: bots that scan a website’s pages at regular intervals to compile a list of cookies. While this approach has its merits, its structural limitations often become apparent only when it’s too late.
Consider the scenario of a Friday-night deployment (the one you should avoid): a chatbot provider updates its service, and the widget that hosts it places a new tracking cookie on all pages starting Monday morning. The problem: the crawl is scheduled for every Sunday. For six days, the cookie is placed on 100% of traffic before consent is obtained.
Furthermore, a crawler operates based on predefined scenarios. You must configure paths, maintain them with every site update, and manage access to logged-in areas. The tool scans the site at a fixed frequency—typically weekly or monthly—which leaves exposure windows that can sometimes be quite long. It may miss conditional cookies, triggered only by a scroll, a click, or passing through a specific conversion funnel. Nor does it detect selective cookies, set only for certain profiles or under specific technical conditions.
In practice, the scenarios followed by the crawl do not reflect the complexity of the scenarios designed by agencies or algorithms—scenarios that are not based solely on visiting a product page or a shopping cart. On the contrary, these scenarios are often multi-conditional: “having viewed 3 products in the same category,” “returning between 72 hours and 1 week after a purchase,” etc. These are difficult to replicate with a crawler.
These crawling solutions are also resource-intensive: dedicated servers are required. And the more frequently scans occur, the higher the cost—which forces many companies to accept an uncomfortable compromise between cost and security.
| Compliance criterion | Traditional crawler | Commanders Act Cookie Scanner |
|---|---|---|
| Detection frequency | ✗ Weekly or monthly: up to 30 days of exposure between two scans | ✓ Continuous, 24/7: alert triggered on the very first cookie appearance |
| Data source | Simulated visits: bot-driven, based on predefined user journeys | Real visits: actual user traffic (opt-in and opt-out) |
| Conditional cookies | ✗ Not detected when triggered by a scroll, a click, or a specific conversion funnel | ✓ Detected across real and varied user behaviors |
| Profile-based cookies | ✗ Not detected: invisible within standard scanning scenarios | ✓ Detected across the full diversity of real visitor profiles |
| Pre-consent cookie drop | ✗ Delayed detection: only visible at the next scheduled scan | ✓ Immediate detection: identified in real time, across both opt-in and opt-out users |
| Local storage & session storage | ✗ Rarely covered | ✓ Natively included (subject to consent requirements per data protection authority guidelines) |
| Maintenance required | ✗ High: user journeys must be configured and updated with every site change | ✓ None: analysis runs on live traffic with no manual upkeep |
| Cookie origin tracking | Limited: the source script is rarely identified | Fully traced: traced back to the responsible script via Cookie Origin |
| Anomaly alerts | ✗ None: issues only surface when the report is manually reviewed | ✓ Instant: in-platform notifications, plus Slack, email, or webhook |
| Cookie categorization | Manual or semi-automatic: requires manual configuration | AI-powered, automatic: description, category, and responsible vendor assigned automatically |
| Total cost | High: dedicated servers, with cost rising with scan frequency and scenario complexity | Predictable: fixed, known budget; no additional servers, runs on existing traffic |
| Environmental impact | High: dedicated servers running continuously, with energy consumption rising with scan frequency | Minimal: no additional infrastructure, runs on existing traffic |
| Audit trail for regulatory review | ✗ Limited to scan reports | ✓ Continuous, exportable documentation |
Cookie Scanner: continuous monitoring of real traffic
You can’t control what you can’t see. This realization led Commanders Act to develop its Cookie Scanner, which takes a different approach. The tool does not simulate visits: it relies on a JavaScript snippet deployed via the consent platform, a tag container, or a GTM tag, and analyzes the site’s real traffic from actual users, whether they are opt-in or opt-out.
Because monitoring runs continuously on organic traffic, there are no scenarios to configure, no user journeys to maintain, and no additional server costs. The tool captures what is actually set during real user journeys: first-party and third-party cookies, local storage, and session storage. It identifies cookies set before consent is given, flags trackers missing from the cookie notice, and filters them by frequency of appearance to distinguish systematic cookies from marginal ones.

When an undeclared cookie is detected, an alert is sent via Slack, email, or webhook. The team can then act: block the cookie, trace it back to the responsible script with the Cookie Origin feature, and update the cookie record, which the scanner can also populate dynamically.
Artificial intelligence-driven enrichment completes the system: each detected cookie is automatically categorized, described, and associated with the responsible partner, drawing on a database enriched by two market repositories. Together, this provides documented traceability that can be presented in the event of an audit.
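To make the approach described above concrete, here is an added example of how such an in-page monitor can be built. It is illustration code written for this article, not Commanders Act’s scanner, and every name in it (the DECLARED notice, CookieMonitor, installHooks, the vendor URLs and the three sample sessions) is a constructed assumption. It hooks the document.cookie setter and Storage.prototype.setItem so each write is seen together with the consent state in force at that moment, attributes the write to the calling script from the stack trace (the idea behind Cookie Origin), and aggregates across sessions so systematic setters can be told apart from marginal ones.

```javascript
// Added illustration, not Commanders Act's code: a minimal in-page monitor showing
// how a real-traffic cookie scanner can work in principle. It hooks document.cookie
// and Web Storage writes, records the consent state in force at the moment of each
// write, attributes the write to the calling script, and aggregates across sessions.
// Every name, URL and session below is a constructed assumption.

// Constructed cookie notice: what the banner declares, keyed by name pattern.
const DECLARED = [
  { pattern: /^PHPSESSID$/, category: 'essential', vendor: 'first-party' },
  { pattern: /^_ga(_[A-Z0-9]+)?$/, category: 'analytics', vendor: 'Google Analytics' },
  { pattern: /^_fbp$/, category: 'marketing', vendor: 'Meta' },
];
const lookupDeclared = (name) => DECLARED.find((d) => d.pattern.test(name)) || null;

// "name=value; Path=/; Max-Age=0" -> "name"
const cookieName = (str) => String(str).split(';')[0].split('=')[0].trim();

// Verdict for one write. consent: { analytics, marketing } booleans from the CMP,
// or null while the banner is still unanswered.
function classifyWrite(name, consent) {
  const decl = lookupDeclared(name);
  if (!decl) return 'UNDECLARED';
  if (decl.category === 'essential') return 'OK';
  if (consent === null) return 'PRE_CONSENT';
  return consent[decl.category] ? 'OK' : 'WITHOUT_CONSENT';
}

// Origin attribution: first script URL in the stack that is not the monitor itself.
// Accepts V8 ("at fn (url:line:col)") and Gecko ("fn@url:line:col") frames.
function originFromStack(stack, selfUrl) {
  const urls = String(stack || '').match(/https?:\/\/[^\s)]+?(?=:\d+:\d+)/g) || [];
  return urls.find((u) => u !== selfUrl) || 'unknown';
}

const SEVERITY = ['UNDECLARED', 'PRE_CONSENT', 'WITHOUT_CONSENT', 'OK']; // worst first

class CookieMonitor {
  constructor(selfUrl = 'https://cdn.example.invalid/monitor.js') { this.selfUrl = selfUrl; this.events = []; }
  record(sessionId, kind, name, consent, stack) {
    this.events.push({ sessionId, kind, name, verdict: classifyWrite(name, consent),
                       origin: originFromStack(stack, this.selfUrl) });
  }
  // Per (kind, name): share of sessions that saw the write, worst verdict, setting scripts.
  // A write seen in at least `minShare` of sessions is systematic, otherwise marginal.
  report(minShare = 0.5) {
    const total = new Set(this.events.map((e) => e.sessionId)).size;
    const rows = new Map();
    for (const e of this.events) {
      const key = `${e.kind}:${e.name}`;
      const r = rows.get(key) || { kind: e.kind, name: e.name, sessions: new Set(), verdicts: new Set(), origins: new Set() };
      r.sessions.add(e.sessionId); r.verdicts.add(e.verdict); r.origins.add(e.origin);
      rows.set(key, r);
    }
    return [...rows.values()].map((r) => ({
      kind: r.kind, name: r.name, share: r.sessions.size / total, systematic: r.sessions.size / total >= minShare,
      verdict: SEVERITY.find((v) => r.verdicts.has(v)), origins: [...r.origins],
    }));
  }
}

// Browser side: route document.cookie and Storage.prototype.setItem through the monitor.
// getConsent() is assumed to return the CMP's current state for this visitor.
// Returns false outside a browser so the logic above can be exercised under Node.
function installHooks(monitor, sessionId, getConsent) {
  if (typeof document === 'undefined' || typeof Storage === 'undefined') return false;
  const desc = Object.getOwnPropertyDescriptor(Document.prototype, 'cookie');
  Object.defineProperty(document, 'cookie', {
    configurable: true,
    get() { return desc.get.call(document); },
    set(v) { monitor.record(sessionId, 'cookie', cookieName(v), getConsent(), new Error().stack); desc.set.call(document, v); },
  });
  const setItem = Storage.prototype.setItem;
  Storage.prototype.setItem = function (key, value) {
    const kind = this === window.sessionStorage ? 'sessionStorage' : 'localStorage';
    monitor.record(sessionId, kind, key, getConsent(), new Error().stack);
    return setItem.call(this, key, value);
  };
  return true;
}

// Constructed sample traffic: s1 has not answered the banner, s2 opted out, s3 opted in.
const frame = (url) => `Error\n    at set (https://cdn.example.invalid/monitor.js:40:9)\n    at run (${url}:12:5)`;
function sampleReport() {
  const m = new CookieMonitor();
  const widget = frame('https://cdn.chatvendor.invalid/widget.js');
  const tagMgr = frame('https://tags.example.invalid/gtag.js');
  const optOut = { analytics: false, marketing: false }, optIn = { analytics: true, marketing: true };
  for (const [sid, consent] of [['s1', null], ['s2', optOut], ['s3', optIn]]) {
    m.record(sid, 'cookie', 'PHPSESSID', consent, frame('https://www.example.invalid/app.js'));
    m.record(sid, 'cookie', 'chat_uid', consent, widget); // undeclared, in every session
  }
  m.record('s1', 'cookie', '_ga', null, tagMgr); // fired before the banner was answered
  m.record('s2', 'cookie', '_fbp', optOut, tagMgr); // fired despite opt-out
  m.record('s2', 'localStorage', 'ab_variant', optOut, frame('https://cdn.abvendor.invalid/ab.js'));
  m.record('s3', 'cookie', '_ga', optIn, tagMgr);
  m.record('s3', 'cookie', '_fbp', optIn, tagMgr);
  return m.report(0.5);
}

console.table(sampleReport());
```

The browser hooks are the only part that needs a real page; classification and aggregation run unchanged under Node, which is how sampleReport() exercises them. Two caveats a practitioner should keep in mind: this hook only sees script-side writes, so cookies set by HTTP Set-Cookie headers (including HttpOnly ones) and scripts that captured the original document.cookie descriptor before the monitor loaded are invisible to it, which is why the monitor must be the first script on the page and a server-side check is still needed; and stack-trace attribution names the script that executed the write, which for a tag injected through a tag manager may be the container rather than the vendor.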
From auditing to continuous compliance: a shift in approach
With its continuous monitoring, Cookie Scanner enables teams to adapt to the dynamic nature and diversity of cookies—in an ecosystem where every partner, every script update, and every new integration can introduce an invisible risk.
Regulators, for their part, are not standing still. The CNIL has tightened its controls, activist groups are filing more complaints, and the regulatory framework keeps evolving, in particular on local storage, where reading and writing also require consent.
For brands, the challenge is no longer whether they are compliant today, but ensuring they will remain so tomorrow.
Commanders Act Cookie Scanner tool:
What the Cookie Scanner detects:
– First-party and third-party cookies
– Local storage and session storage (also subject to consent under CNIL guidelines)
– Cookies set before consent is given
– Trackers that have expired or been renewed
– Systematic vs. marginal cookies, filtered by frequency of appearance
What the Cookie Scanner provides:
– Real-time alerts via Slack, email, or webhook as soon as an undeclared cookie is detected
– Cookie Origin: traced back to the responsible script to identify the exact source of the tracker
– Dynamic updates to the cookie notice, fed directly by data from the scanner
– Categorization: each detected cookie is automatically described, categorized, and associated with its partner.