How to audit your website's GDPR compliance in 2026
Having a cookie banner proves nothing. A site's GDPR compliance is observed in the browser: what fires before any click, and what really happens when someone refuses. Here's how to audit your site — by hand, then in 90 seconds.
Most sites we audit show a banner and assume they're compliant. Yet in a majority of cases, trackers — Google Analytics, Meta Pixel, retargeting — fire before the visitor clicks anything, or keep running after a refusal. The banner reassures, but blocks nothing. A GDPR audit exists precisely to measure that gap between what you believe and what your site actually does.
What a GDPR audit really checks
A useful audit doesn't read your privacy policy — it observes the page's technical behaviour. The points to check:
- Trackers before consent — which cookies and scripts fire on load, before any visitor action.
- Refusal effectiveness — after a "Refuse" click, do marketing trackers actually stop, or does only the banner disappear?
- Non-EU transfers — which servers and CDNs the data goes to (often the US, without guarantees).
- Consent banner — presence, and above all "Accept" / "Refuse" symmetry.
- Google Consent Mode v2 — properly configured, or in "granted by default" mode?
- Disguised trackers (CNAME cloaking) — trackers hidden as a first-party subdomain.
That's exactly what our free GDPR audit lists: it loads your page like a real visitor and runs three phases — before consent, after accept, after refuse.
The manual method: 10 minutes with DevTools
You can make a first assessment yourself, with no tool. Open your site in a private window, then your browser's developer tools (F12):
- "Application" tab → Cookies: reload the page without touching the banner. Any cookie beyond the strictly necessary ones (cart, session, security, the consent cookie itself) shouldn't be there.
- "Network" tab: look for third-party domains. Do you see calls to google-analytics.com, facebook.net or doubleclick.net before your click? That's a gap.
- Click "Refuse", then reload: do the same calls come back? If so, your refusal isn't effective.
This method is reliable but tedious, and it misses CNAME-cloaked trackers or those fired on a delay. Hence the value of an automated scan.
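The three-phase check described above, as an added Python example (not Snorklee's audit tool or any code from this page): it takes the request URLs and cookie names a headless browser would record in each phase and reports the gaps the article lists, including a first-party subdomain that CNAMEs to a tracker. The first-party domain example.com, the per-phase observations, the CNAME map, the tracker domain list and the essential-cookie names are all constructed or assumed here.

```python
from urllib.parse import urlsplit

# Illustrative tracker domains (suffix match), not an exhaustive list.
TRACKER_DOMAINS = ("google-analytics.com", "googletagmanager.com",
                   "facebook.net", "doubleclick.net", "analytics.tiktok.com")
# Strictly necessary cookies, as the article lists them (names assumed).
ESSENTIAL_COOKIES = {"session", "cart", "csrf", "consent"}

def is_tracker(url, cname_map, first_party):
    """Return (hit, cloaked): hit if the host is a tracker, directly or
    after following a CNAME from a first-party subdomain (CNAME cloaking)."""
    host = urlsplit(url).hostname or ""
    target = cname_map.get(host, host)  # constructed CNAME map stands in for DNS
    cloaked = host != target and host.endswith("." + first_party)
    hit = any(target == d or target.endswith("." + d) for d in TRACKER_DOMAINS)
    return hit, cloaked

def audit(phases, cname_map, first_party):
    """phases maps each phase name to {"requests": [urls], "cookies": [names]}.
    Only the two phases where nothing non-essential may run are checked;
    trackers after an explicit accept are expected. Returns gap strings."""
    gaps = []
    for phase in ("before_consent", "after_refuse"):
        obs = phases.get(phase, {"requests": [], "cookies": []})
        for url in obs["requests"]:
            hit, cloaked = is_tracker(url, cname_map, first_party)
            if hit:
                tag = " (CNAME-cloaked)" if cloaked else ""
                gaps.append(f"{phase}: tracker request {urlsplit(url).hostname}{tag}")
        for name in obs["cookies"]:
            if name not in ESSENTIAL_COOKIES:
                gaps.append(f"{phase}: non-essential cookie {name}")
    return gaps

# Constructed observations for a fictional first-party site example.com.
SAMPLE_CNAMES = {"metrics.example.com": "www.google-analytics.com"}
SAMPLE_PHASES = {
    "before_consent": {"requests": ["https://example.com/app.js",
                                    "https://metrics.example.com/collect?v=2"],
                       "cookies": ["session", "consent", "_ga"]},
    "after_accept": {"requests": ["https://connect.facebook.net/en_US/fbevents.js"],
                     "cookies": ["session", "consent", "_ga", "_fbp"]},
    "after_refuse": {"requests": ["https://connect.facebook.net/en_US/fbevents.js"],
                     "cookies": ["session", "consent", "_fbp"]},
}

def run_sample():
    return audit(SAMPLE_PHASES, SAMPLE_CNAMES, "example.com")

if __name__ == "__main__":
    print("\n".join(run_sample()) or "no gap observed")
```

Against the constructed data it reports the cloaked analytics call and the _ga cookie before consent, and the still-running Meta script and _fbp cookie after refusal.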
Compliance isn't read in a privacy policy: it's observed in the browser, before the click and after a refusal. If a marketing tracker runs in either of those two phases, you have a gap to fix.
The automated method: 90 seconds
Our tool replays those three phases for you and produces a readable report: observed gaps, detected trackers, non-EU transfers, banner state, Consent Mode. It's free, no signup, and keeps no report (everything lives at most two minutes in memory, from France).
Run the GDPR audit of your site →
Reading the result: the most common gaps
Four findings come up almost every time:
- Analytics before consent — Google Analytics loaded on first render. The #1 gap; see also our piece on the SEO cost of the cookie banner.
- Ineffective refusal — the banner closes but pixels keep running. On Shopify it's almost systematic: how to prove it in five minutes.
- Advertising pixels — Meta, TikTok, Google Ads, often dropped by a tag manager.
- Non-EU dependencies — CDNs and fonts hosted in the US, exposing your visitors' IP.
Fixing it: where to start
The logic isn't to "ask for consent better", but to reduce what makes it necessary. Three principles:
- Separate the uses: audience measurement on one side, marketing on the other. A measurement tool that neither reads nor writes anything on the device doesn't trigger the consent requirement (Article 5(3) of the ePrivacy Directive).
- Block before the click: no non-essential tracker should run until the visitor accepts, and a refusal must actually cut them off.
- Choose tools that don't open the debate: analytics with no cookie and no persistent identifier takes audience measurement out of the consent equation. That's Snorklee's approach — no banner, no cookie.
An audit is an indicative technical finding, not legal advice: it may contain false positives. For a decision, have it validated by a DPO or lawyer.
Beyond GDPR: sovereignty
Being "compliant" says nothing about where your data goes. A site can respect the GDPR while depending entirely on US services. To map those dependencies, complement the GDPR audit with our sovereignty checker: it reveals which third parties expose your visitors outside the EU and suggests European alternatives.
In short
Auditing your site isn't re-reading your terms: it's opening the browser and watching what fires before the click and after a refusal. Do it by hand to understand, then automate it to track it over time.
Audit your website's GDPR compliance for free →
How do I audit my website's GDPR compliance?
Open your site in a private window and inspect, in DevTools, the cookies and network requests fired before any click and after a refusal: only strictly necessary items should appear. An audit tool automates this across the three phases (before consent, after accept, after refuse).
Is the GDPR audit free?
Yes. Snorklee's audit is 100% free, no signup, and shows a report in about 90 seconds. No report is kept: it lives at most two minutes in memory, then is erased.
Is a cookie banner enough to be compliant?
No. A banner that doesn't stop trackers from firing before the click — or doesn't cut them after a refusal — doesn't make you compliant. Compliance is observed in the page's technical behaviour, not in the presence of a banner.
What does a website GDPR audit check?
Trackers set before consent, refusal effectiveness, data transfers outside the EU, the presence and symmetry of the banner, the Google Consent Mode v2 configuration and trackers hidden through CNAME cloaking.
Published June 2026. Legal framework: Article 5(3) of Directive 2002/58/EC (ePrivacy) — general information, not individualised legal advice. An automated audit is indicative and may contain false positives or false negatives.