GDPR cookie audit: the DPO’s practical guide to detecting and fixing compliance issues
19/05/2026

74% of DPOs work alone. That single figure captures the scale of the challenge they face in ensuring day-to-day cookie compliance. Here is a guide — and, better still, a 30-day plan — to audit, correct and industrialise cookie compliance.
Friday evening, 6:15 pm. Amélie, DPO at a fashion company, receives a text from the brand’s website manager: “We found something in the logs. We need to talk.” Amélie has been in the role for three years. She knows this message and what it means. It always precedes a nasty surprise: a tag firing before the banner, a pixel left behind after a campaign, a contractor who still has access to the TMS (Tag Management System) and whose access nobody ever revoked.
Working from home that day, Amélie — who had already mentally switched off for the weekend — reopens her laptop and starts chasing something that, once again, had weeks of head start on her.
DPO: a role under pressure
This scenario is fictional — but realistic. For the majority of DPOs in France, it is the norm. According to the 2024 AFCDP/CNIL/Afpa survey, the number of DPOs in France grew from 21,000 in 2019 to over 34,000 in early 2024. Impressive progress — yet CNIL formal notices for cookie non-compliance keep coming. A paradox? Only on the surface. Several figures from the same survey help explain why:
- 74% of DPOs work alone, with no team
- 85% fulfil the role part-time, alongside another function
- 63% have no dedicated budget
The result: 61% of part-time DPOs spend 25% or less of their working time on their DPO duties.
Amélie, like thousands of her peers, monitors dozens of digital properties with tools from another era, from an already overloaded schedule, in a constantly shifting landscape. Tracking that reconfigures with every update, marketing teams adding pixels without validation, agencies accessing the TMS directly…
In this context, cookie compliance cannot rest on a periodic audit cycle — especially since it is just one item on the DPO’s long to-do list. The context, the stakes and the available resources demand a method.
Cookies before consent, ghost tags, piggybacking: the 7 compliance failures that put you at risk
There is something CNIL formal notices never say: in the vast majority of cases, non-compliance is not the result of bad intent. Nobody in Amélie’s organisation deliberately decided to drop cookies before consent. These failures happen because a CMP rule was misconfigured during a migration, because a developer pushed an update on a Friday without going through the validation process, or because a “temporary” tag placed during a sale campaign was never removed.
Below is a list of the scenarios that repeat themselves, each with its symptom, cause, regulatory risk and common remediation actions:
| Scenario | Observable symptom | Probable cause | GDPR risk | Remediation |
|---|---|---|---|---|
| Cookie before consent | Tag active on page load | CMP rule misconfigured | Breach of Art. 82 (French Data Protection Act) | Inspect network requests before clicking the consent banner |
| Ghost tag | Unknown vendor appearing in logs | Script not removed after campaign end | Processing without a legal basis | Cross-reference TMS inventory with network logs |
| Forgotten scope | Non-compliance on a subdomain | Outside the initial audit scope | Same risk, broader perimeter | List all subdomains and test them one by one |
| Piggybacking | Data sent to an undeclared third party | Unaudited tag cascade | Transfer without information | Analyse network calls fired by each tag |
| Breaking update | Tags firing despite collected consent | Deployment without CMP re-validation | Consent not honoured | Replay the user journey after every deployment |
| Cross-device inconsistency | Different behaviour on mobile vs desktop | Consent string not passed through | Consent not enforceable | Test on 3 separate devices |
| Blurred governance | Tags added without validation | No approval workflow in place | Permanent exposure | Ask IT: “who can add a tag to production?” |
CMP: Consent Management Platform | TMS: Tag Management System | GDPR: General Data Protection Regulation | Art. 82: Article 82 of the French Data Protection Act
These seven scenarios share one thing in common: they are invisible to the DPO without active, continuous detection tooling. In other words, a site update or an A/B test can bring them back the day after an audit.
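As an added example (not code from the original article or from Commanders Act's Cookie Scanner), the following script runs the detection logic behind the first rows of the table over a constructed network log: it cross-references each request captured in the browser's Network tab with a TMS inventory and a consent timestamp, and flags cookies before consent, ghost tags and piggybacking. The inventory shape, the `initiator` field and the sample hosts are assumptions made for the example.

```javascript
// Constructed TMS inventory: declared vendor hosts and whether each needs consent (assumption).
const INVENTORY = [
  { vendor: "analytics.example", consentRequired: true },
  { vendor: "cdn.example", consentRequired: false },
];

// Constructed network log, as captured from DevTools: ts is ms after page load,
// initiator is "page" when the page itself loaded the resource, else the URL of the tag that did.
const CONSENT_TS = 5000; // the user clicked the banner 5 s after page load (constructed)
const LOG = [
  { url: "https://cdn.example/app.js", ts: 120, initiator: "page" },
  { url: "https://analytics.example/collect", ts: 800, initiator: "page" },
  { url: "https://retarget.example/pixel?id=1", ts: 900, initiator: "https://analytics.example/collect" },
  { url: "https://analytics.example/collect", ts: 6000, initiator: "page" },
  { url: "https://oldcampaign.example/px.gif", ts: 7000, initiator: "page" },
];

function hostOf(url) {
  return new URL(url).hostname;
}

// Returns one finding per problematic request, in log order.
function triage(log, inventory, consentTs) {
  const declared = new Map(inventory.map((v) => [v.vendor, v]));
  const findings = [];
  for (const r of log) {
    const host = hostOf(r.url);
    const preConsent = r.ts < consentTs;
    const entry = declared.get(host);
    if (!entry) {
      // Undeclared vendor: a ghost tag if the page loaded it directly,
      // piggybacking if another tag fired the call (tag cascade).
      const fromPage = r.initiator === "page";
      findings.push({
        type: fromPage ? "ghost tag" : "piggybacking",
        host,
        via: fromPage ? null : hostOf(r.initiator),
        preConsent,
      });
    } else if (entry.consentRequired && preConsent) {
      // Declared vendor that needs consent but fired before the banner was answered.
      findings.push({ type: "cookie before consent", host, via: null, preConsent });
    }
  }
  return findings;
}

for (const f of triage(LOG, INVENTORY, CONSENT_TS)) console.log(f);
```

Each finding keeps the timestamp-relative `preConsent` flag so that a piggybacked call fired before consent is reported as both an undeclared transfer and a pre-consent drop.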
Cookie non-compliance detected: the 48-hour emergency triage
Back to Amélie. The anomaly is confirmed: a retargeting tag is firing before the user interacts with the consent banner. The incident is real. It covers all desktop traffic for the past 12 days. The last audit was 15 days ago.
Her first instinct, like most DPOs in this situation, is to understand before acting. A laudable intention — but a mistake. Before trying to understand, you need to contain the issue and work through a remediation checklist.
Actions to take within 48 hours:
- Verify that the CMP (Consent Management Platform) is active and functional, and that consent logs are available and timestamped
- Identify the tags firing before consent
- Define the scope of the impact (pages, devices, environments)
- List all third parties involved
- Document the internal notification to the data controller
- Check subdomains
- Review staging environments
- List all deployments from the past 30 days
- Log every corrective action as it is implemented
What not to do:
- Correct on the fly without a trace
- Downplay the incident without objective data
- Wait until you “fully understand” before notifying the data controller
One point deserves explicit clarification here. The DPO is an advisor and controller, not the operational owner of compliance. While it is the DPO’s role to escalate and document the alert, it is the data controller who remains on the front line (Articles 37–39 of the GDPR, as reiterated in the CNIL’s GDPR Practical Guide).
Amélie is not there to put out the fire — but to make sure the right extinguishers are in the right hands, and that everything is properly recorded.
GDPR cookie audit: tag inventory, corrections and register update
The fire is out. The incident is contained and documented. Now begins the real work — the kind that drives structural change.
The tag inventory is the centrepiece of this phase. For every tag present across the properties, the following must be documented: purpose, vendor, trigger rule, legal basis, consent required, internal owner, date added, compliance status. (Yes, this list is long.)
This exercise is also an opportunity to ask — or re-ask — key questions:
To IT:
- Who has access to the TMS (Tag Management System)?
- Is there a validation process before a script is deployed?
- At what point in the script execution order is the CMP (Consent Management Platform) loaded?
To marketing:
- Which tools have been added in the last 6 months?
- Are any pixels placed directly in HTML templates, bypassing the TMS?
To the agency:
- Which tags have you deployed on our properties?
- Do you have direct access to our TMS?
The answers often reveal governance gaps, untracked access, and “temporary” tags that were never removed after a campaign ended. Amélie may discover that three different people, across three different teams, can push a tag to production without anyone knowing. This failure is behind a large proportion of the incidents she has dealt with over three years.
From periodic checks to continuous cookie monitoring: the first-month turning point
This is the moment where Amélie gets to choose what kind of DPO she wants to be going forward.
Option one: stay in reactive mode — patch incidents as they arise, redo the same inventory in six months, deal with the next Friday-evening text with the same urgency.
Option two: build a proactive capability.
The structural problem with tracking is that it never stands still. A one-off audit is a photograph. Tracking is a film that evolves with every update, every A/B test, every new marketing integration. And this is where robotic crawling hits its structural limits against a digital landscape that changes in real time.
| | Robotic crawler | Real traffic monitoring |
|---|---|---|
| Detection frequency | Periodic (weekly or monthly) | Continuous, on every real session |
| Pages covered | Predefined sample | All visited pages |
| Conditional tag detection | Limited | Full coverage (A/B tests, behavioural targeting) |
| Drift over time | Invisible between two scans | Visible in real time |
| Enforceable evidence | Weak (snapshot at a point in time) | Strong (timestamped log of real traffic) |
This continuous monitoring logic is the foundation of Commanders Act’s Cookie Scanner. Built on real user traffic detection rather than a crawl robot, Cookie Scanner identifies conditional tags that only appear on specific segments or after specific user actions — giving it the ability to explore the blind spots that periodic audits typically miss.
30 days to move from incident to continuous compliance
Here is the action plan Amélie will follow, from corrective actions to a sustainable monitoring model:
- Week 1: full inventory of active tags across all properties
- Week 2: fix priority non-compliance issues, update the processing register
- Week 3: deploy tag governance (validation workflow, defined owners)
- Week 4: activate continuous monitoring, first dashboard review
GDPR cookie compliance: repositioning the DPO as an architect
Three months later, Amélie has not received another Friday-evening text (yes, this article is optimistic). Not because incidents have disappeared — let’s not be naive — but because Amélie now sees non-compliant cookies before they become incidents.
The real question is therefore not “how do we react faster?” but “how do we stop having to react in a crisis?” Who knows when a CNIL inspection might come? Who knows when a consumer will loudly call out a consent violation on social media? These are sensitive questions for a DPO like Amélie — who, like many of her peers, works alone, without a budget, part-time in this role, and cannot monitor every digital property in the organisation. What she can do is put in place the alert mechanisms that do that monitoring for her — and reposition herself as a governance architect rather than a compliance firefighter.
GDPR cookie audit: the most frequently asked questions
- Is the DPO responsible for their organisation’s cookie compliance?
  No. The DPO is an advisor and controller, not the operational owner. Under the GDPR, it is the data controller who is on the front line (Articles 37–39). The DPO’s role is to ensure that non-compliance is identified, reported and documented.
- What is a cookie dropped before consent?
  A tracker deposited on the user’s device as soon as the page loads, before any interaction with the consent banner. This constitutes a breach of Article 82 of the French Data Protection Act (Loi Informatique et Libertés), regardless of the purpose of the tracker involved.
- How do I check whether my site drops cookies before consent?
  Manual method: open the browser DevTools (Network tab), reload the page without interacting with the banner, then inspect the network requests fired. Systematic method: deploy continuous monitoring based on real user traffic — it detects these drops across all pages and environments, including after every update or A/B test.
- Where do I start when I discover a cookie compliance issue?
  With the 48-hour triage checklist detailed in Part 2: verify the CMP, identify tags firing before consent, define the scope of the impact, notify internally and log every corrective action as it is implemented.
- What is the difference between a one-off cookie audit and continuous monitoring?
  A one-off audit takes a snapshot of the site at a specific point in time, across a sample of pages. Continuous monitoring analyses real traffic across all visited pages, in real time.
Find out more about our Real Time Cookie Scanner tool, an automated solution that detects, analyses and monitors a website’s cookies in real time, helping ensure continuous compliance with the GDPR and CNIL recommendations.