Pillar 2 of 4
Find the cookie set before the consent banner showed up
We load your page in a clean browser, capture every cookie set in the first 2.5 seconds, and tell you which ones are tracking users without consent.
The pre-consent problem regulators care about
The GDPR and the ePrivacy Directive require that non-essential cookies and trackers are not set until the user actively opts in. A surprising number of sites get this wrong because their tag manager fires Google Analytics or the Meta Pixel before the consent banner has rendered. Even with a Cookiebot or OneTrust banner installed, the underlying scripts are often loaded with the page rather than gated behind the consent decision. We simulate a fresh visitor with no prior consent state: anything that is in the cookie jar after page load and is not strictly necessary is a finding.
Security flags that quietly fail in production
Modern browsers (Chromium-based browsers since Chrome 80) reject cookies that set SameSite=None without the Secure attribute. We flag these because they fail silently: the cookie is dropped without any error, so your auth might appear to work locally and fail for a share of users in the wild. Long-lived cookies (over 13 months) are a soft GDPR signal: regulators have published guidance that cookie lifetimes should be proportionate to their purpose, and 13 months is the de-facto retention cap most DPAs accept for analytics cookies.
Classification you can trust
Every cookie name is checked against an exact-match dictionary first, then against a prefix list (so _ga_XXXX inherits the Google Analytics classification of the _ga_ prefix). Cookies we can't classify get a minor-severity finding so a human can confirm them: better to surface the unknown than to silently call it 'necessary'.
Sample findings
Pre-consent tracking detected
Cookie "_fbp" (Meta Pixel, marketing) was set before the user gave consent. The cookie was issued 1.2 seconds after page load, while the consent banner was still rendering. To fix this, put the Meta Pixel script behind the "marketing" toggle in your consent management platform.
Cookie: _fbp
Domain: .example.com
Category: marketing
Set at: t=1.2s (banner not yet interacted with)
Expiry: 90 days
SameSite=None without the Secure flag
Session cookie "sid" is set with SameSite=None but without the Secure flag. Modern Chromium- and Firefox-based browsers silently reject the combination, so a share of your users (everyone who has updated their browser in the last three years) intermittently loses session state. Local development hides the problem because localhost is treated as a secure context.
Set-Cookie: sid=abc123; Path=/; SameSite=None; HttpOnly
Fix: add the Secure flag and make sure the cookie is only set over HTTPS:
Set-Cookie: sid=abc123; Path=/; SameSite=None; Secure; HttpOnly
Cookie expiry exceeds 13 months
Cookie "_ga" (Google Analytics, analytics) is set with a lifetime of 24 months. Several EU data protection authorities, the CNIL most explicitly, have published guidance treating 13 months as the de-facto maximum for analytics cookies, grounded in ePrivacy proportionality. A regulatory review would flag this as excessive retention.
Cookie: _ga
Expiry: 24 months (730 days)
DPA cap: 13 months (CNIL, ICO, AEPD)
Fix: set cookie_expires in your gtag config (or the equivalent field on the GA4 tag in Google Tag Manager) to 13 months or less, for example 34128000 seconds (395 days), or self-host with a custom expiry. Note that the "Data retention" setting in GA4 admin governs how long Google keeps event data server-side; it does not change the _ga cookie's lifetime.
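The checks behind the three sample findings above (pre-consent tracking, SameSite=None without Secure, and expiry over 13 months) together with the exact-match-then-prefix classification from "Classification you can trust" can be reproduced in a few dozen lines. The example below is added for this page and is not the scanner's own code: the cookie dictionary and prefix list, the captured Set-Cookie headers and their timestamps, the 395-day cap and the assumption that opt-in time is a single timestamp are all constructed for illustration.

```javascript
// Added example (not the scanner's code): audits a constructed capture of
// Set-Cookie headers from a fresh browser profile and emits findings that
// mirror the sample findings on this page. Dictionary, prefix list,
// timestamps and the 395-day cap are assumptions made for the example.

// Exact-match dictionary, consulted first.
const EXACT = { _fbp: 'marketing', _ga: 'analytics', sid: 'necessary' };
// Prefix list, consulted second, so _ga_<stream id> inherits the _ga_ entry.
const PREFIX = [['_ga_', 'analytics'], ['_gid', 'analytics'], ['_fbc', 'marketing']];
const CAP_DAYS = 395; // assumed 13-month cap
const SECONDS_PER_DAY = 86400;

function classify(name) {
  if (Object.prototype.hasOwnProperty.call(EXACT, name)) return EXACT[name];
  for (const [prefix, category] of PREFIX) {
    if (name.startsWith(prefix)) return category;
  }
  return 'unknown';
}

// Parse one Set-Cookie header into {name, value, attrs}. Attribute names are
// lower-cased; valueless attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Lifetime in days. Max-Age takes precedence over Expires (RFC 6265);
// neither attribute means a session cookie, reported as 0 days.
function expiryDays(attrs, setAt) {
  if (attrs['max-age'] !== undefined) return Number(attrs['max-age']) / SECONDS_PER_DAY;
  if (attrs.expires !== undefined) {
    return (Date.parse(attrs.expires) - setAt.getTime()) / (SECONDS_PER_DAY * 1000);
  }
  return 0;
}

// observations: [{header, setAt}] captured in a fresh profile; loadAt is the
// page-load time; consentAt is when the visitor opted in (null = never during
// the capture window, i.e. the fresh-visitor simulation).
function audit(observations, loadAt, consentAt) {
  const findings = [];
  for (const { header, setAt } of observations) {
    const cookie = parseSetCookie(header);
    const category = classify(cookie.name);
    const days = expiryDays(cookie.attrs, setAt);
    const t = ((setAt - loadAt) / 1000).toFixed(1);
    const add = (rule, severity, detail) =>
      findings.push({ cookie: cookie.name, category, rule, severity, detail });

    if (category === 'unknown') {
      add('unclassified', 'minor', 'not in dictionary or prefix list; needs human review');
    } else if (category !== 'necessary' && (consentAt === null || setAt < consentAt)) {
      add('pre-consent-tracking', 'major', `set at t=${t}s before any opt-in`);
    }
    if (String(cookie.attrs.samesite).toLowerCase() === 'none' && cookie.attrs.secure !== true) {
      add('samesite-none-without-secure', 'major', 'dropped silently by Chromium-based browsers');
    }
    if (days > CAP_DAYS) {
      add('expiry-over-13-months', 'minor', `${Math.round(days)} days exceeds ${CAP_DAYS}`);
    }
  }
  return findings;
}

// Constructed capture (not real traffic) matching the sample findings above.
const LOAD_AT = new Date('2024-01-01T00:00:00Z');
const ms = (n) => new Date(LOAD_AT.getTime() + n);
const SAMPLE = [
  { header: 'sid=abc123; Path=/; SameSite=None; HttpOnly', setAt: ms(300) },
  { header: '_ga=GA1.1.123456.1704067200; Domain=.example.com; Path=/; Max-Age=63072000; SameSite=Lax', setAt: ms(900) },
  { header: '_ga_ABC123=GS1.1.1704067200.1.0.1704067200.0.0.0; Domain=.example.com; Path=/; Max-Age=63072000', setAt: ms(950) },
  { header: '_fbp=fb.1.1704067201200.123456; Domain=.example.com; Path=/; Expires=Sun, 31 Mar 2024 00:00:01 GMT; SameSite=Lax', setAt: ms(1200) },
  { header: 'wp_ab=variant-b; Path=/', setAt: ms(1800) },
];

function runSample() {
  return audit(SAMPLE, LOAD_AT, null);
}

for (const f of runSample()) {
  console.log(`${f.severity.padEnd(5)} ${f.cookie.padEnd(12)} ${f.rule}: ${f.detail}`);
}
```

Passing a real opt-in timestamp as consentAt instead of null shows the edge the pre-consent check cares about: a marketing cookie set after the click is no longer reported, while the SameSite and expiry findings are unaffected by consent state. The "unknown" branch deliberately produces a finding rather than a silent pass, matching the classification policy described above.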
Scan your site in 60 seconds
25 free credits. No credit card. Real findings on the page you care about.