A cookie scanner is an automated crawler that visits every page of your site and triggers the cookies and trackers that load. It matches each one against a cookie database and returns a categorized report so you can disclose and block them for GDPR and CCPA compliance.
Below: the six-step scan process, what it actually detects, where its accuracy runs out, and how it compares to checking cookies by hand.
What Is a Cookie Scanner? (The Short Answer)
A cookie scanner is an automated tool that crawls a website and detects every cookie and tracking technology it loads. It lists each one with its name, provider, purpose, and duration, and it is also called a cookie checker or a cookie scanning tool.
The scanner is the discovery engine behind a working cookie consent setup. It finds what a site actually loads before you write a cookie policy or configure a banner, so neither document is a guess. If you need a refresher on what a cookie is first, that page covers the basics; this one covers the tool that finds them.
How Does a Cookie Scanner Work? Step by Step
Most cookie scanners follow the same six-step sequence, from crawling your pages to delivering a categorized report.
Step 1: You Enter a URL or Connect Your Site
A scan starts one of two ways. A free online checker asks for a single URL and scans that one page on demand. A compliance platform connects to your domain through an installed script and scans the whole site on a schedule.
Either way, the scanner needs a list of pages to visit. It usually pulls this from your sitemap. Gated funnel pages that are not linked from your navigation or sitemap need a manual URL list so the crawler can find them.
Step 2: The Crawler Visits Your Pages Like a Real Visitor
The scanner is a web crawler that reviews your site page by page, following links the way a real visitor would. Some tools run this crawl through a headless browser: a real browser engine with no visible window, driven entirely by code.
A headless browser matters because some cookies only fire after a specific interaction. The crawler scrolls and clicks through pages to trigger those cookies, not just the ones that load on page arrival. A crawler that only fetches raw HTML misses this category entirely.
Step 3: It Detects Cookies, Trackers, Scripts, and Iframes
As each page loads, the scanner captures everything that fires: first-party cookies, third-party cookies, third-party requests, tracking pixels, scripts, and iframes.
Detection scope extends to timing, not just presence. A capable scanner produces two separate reports. One lists cookies that fired before consent; the other lists cookies that fired after consent was given (Piwik PRO documents this two-report split). That split is what proves your pre-consent blocking works, rather than just assuming it does.
Step 4: It Matches Each Cookie to a Cookie Database
A raw cookie name like _ga or _fbp tells you nothing on its own. The scanner matches each detected cookie against a reference database to fill in the provider, the purpose, and the retention period.
Some vendors maintain databases of 100,000 or more known cookies, pre-categorized and described (CookieScript and CookieYes each cite a database of that size). Cookies the database does not recognize are marked "unclassified" and held for manual review rather than guessed at.
Step 5: It Sorts the Cookies Into Categories
Every matched cookie gets sorted into a compliance category: essential, analytics, advertising, functional, or unclassified. Cookie categories determine which cookies your banner can load automatically and which need consent first.
Step 6: It Returns a Scan Report (and Keeps Re-Scanning)
The output is a report listing each cookie's name, provider, category, domain, and duration. Most platforms let you export or view this from a dashboard.
A scan is a snapshot, not a permanent record. Sites add new tools, tags, and embeds constantly, so a one-time scan goes stale within weeks. Scanners handle this with an initial scan at setup, a recurring weekly scan, and an on-demand re-scan whenever you add something new.
What Does a Cookie Scanner Actually Detect?
A capable scanner covers more than the cookie jar. It also flags the trackers, scripts, and embeds that ride alongside cookies on the same page.
| Item detected | What it is | Why it matters for consent |
|---|---|---|
| First-party cookies | Set by the domain the visitor is on | Usually essential or preference-related; lower consent risk |
| Third-party cookies | Set by an external domain loaded on your page | The main compliance target for ad and analytics consent |
| Tracking pixels / beacons | Invisible images or scripts that report visitor activity to a third party | Fire silently; easy to miss without a scan |
| Scripts (analytics, ad tags) | JavaScript that loads a vendor's tracking or measurement code | Often the source of the cookies and requests above |
| Iframes (YouTube, Maps embeds) | Embedded third-party content inside your page | Can set cookies from a domain you never directly loaded |
| Third-party requests | Network calls to an external domain that may not set a cookie at all | First-party and third-party cookies get most of the attention, but a request without a cookie can still count as tracking under some laws |
Knowing the different types of cookies a scan can surface helps you read the report correctly. Not every row carries the same risk level.
Cookie Scanner in Practice: A Real-World Example
Maria runs a 40-page Webflow store. Her site loads Google Analytics, the Meta pixel, a YouTube product-demo embed, and Intercom chat.
She connects her domain to a scanner and runs an initial scan. The crawler visits all 40 pages, following her sitemap and clicking through her product filters to trigger interaction-based cookies. It detects _ga (first-party, Google Analytics), _fbp (Meta's advertising cookie), a set of cookies from the embedded YouTube player, and two Intercom session cookies. Three additional cookies come back unclassified.
The scan report splits results into a pre-consent list and a post-consent list. Maria sees four advertising cookies, including _fbp, firing before any visitor clicks accept. She turns on auto-blocking for the advertising category, and the cookie consent banner automatically lists the categories the scan just found.
A week later, Maria adds a new retargeting pixel for a holiday promotion. The scheduled weekly re-scan picks it up automatically, and it shows up unclassified until she assigns it a category.
What a Cookie Scanner Cannot Find (and Why Accuracy Varies)
No scanner catches 100% of cookies. Accuracy depends on how deep it crawls and how the site behaves when the bot visits.
- Free single-URL scans sample one page. A quick online checker gives a rough estimate; it does not scan the entire website in one pass.
- Pages behind a login or SSO are a known blind spot. Most public scanners only see logged-out pages, so gated dashboards and member areas go unchecked.
- Interaction-only cookies need a bot that clicks and scrolls. A crawler that only loads raw HTML misses cookies that fire after a specific action.
- Brand-new or rare cookies get left unclassified. A scanner can only match what its database already knows.
- Sites change between scans. New tags, plugins, and embeds get added constantly, so yesterday's scan does not describe today's site.
This is why a recurring, full-site scan beats a single free snapshot. Pairing scans with running a cookie audit and periodic manual review catches what any one scan misses.
Why Your Website Needs a Cookie Scanner
You cannot disclose, block, or get consent for a cookie you have not found. GDPR and CCPA both require an accurate, current cookie inventory before your banner and policy mean anything.
A scan gives you four concrete things:
- An accurate list for your cookie policy, instead of a guess
- Correct categories so your consent banner blocks the right cookies by default
- Proof that pre-consent blocking works, from the before-and-after report
- A current inventory as you add new tools, since sites change constantly
An accurate inventory is the foundation of cookie compliance under GDPR and CCPA. It is also the input a cookie audit runs on: the scan finds the cookies, and the audit documents and fixes them.
Cookie Scanner vs Manual Cookie Check (Browser DevTools)
A scanner and a browser's built-in tools solve the same problem at different scales.
| Manual DevTools check | Automated cookie scanner | |
|---|---|---|
| Coverage | One page at a time | Full site in one run |
| Effort | Click through every URL yourself | One scan covers everything |
| Categorization | None; you see raw cookie names | Automatic, by category |
| Documentation | None | Exportable report |
| Ongoing monitoring | Manual, whenever you remember | Scheduled, automatic |
Checking manually works fine for a spot check: right-click a page, choose Inspect, then open Application (Chrome) or Storage (Firefox) and select Cookies. It shows you exactly what one page set. It does not scale past a handful of pages or categorize anything, which is why a scanner exists for the whole-site job.
Free Online Cookie Scanner vs Built-In CMP Scanner
A free online checker and a scanner built into a compliance platform serve different stages of the same job.
| Free online checker | CMP-integrated scanner | |
|---|---|---|
| Pages scanned | One URL per scan | Full site, including subdomains |
| Schedule | One-off, on demand | Recurring, plus on-demand |
| Categorization + policy output | Often none | Included, feeds your policy and banner |
| Blocking | No | Yes, auto-blocks by category |
| Cost | Free | Included with a paid CMP |
A free single-URL scanner is a fine first look at what one page loads. An ongoing compliance setup needs a scanner built into your consent platform instead. It also has to auto-block cookies and keep your banner's categories current.
FAQs
Is a cookie scanner free?
Yes, many are. Free online cookie checkers scan a single URL at no cost. Paid or CMP-integrated scanners add full-site crawling, scheduling, categorization, and blocking on top of that, which is what an ongoing compliance setup actually needs.
How accurate are cookie scanners?
Good but never perfect. Accuracy depends on crawl depth, whether the bot triggers interaction-based cookies, and how fresh the scan is. New cookies and cookies behind a login are the most commonly missed.
How often should I scan my website for cookies?
Run an initial scan, then re-scan on a schedule, typically weekly, and again after adding any new tool, plugin, or marketing tag. Sites add cookies constantly, so a scan from months ago is already out of date.
What is the difference between a cookie scanner and a cookie audit?
A cookie scanner is the automated tool that finds and lists cookies. A cookie audit is the broader review process that uses the scan's results to classify, document, and fix what it finds.
Can a cookie scanner find cookies behind a login?
Often not. Pages behind SSO or a login wall are a known blind spot for most scanners. Some enterprise tools support authenticated scans, but the majority of public scanners only see logged-out pages.
Does a cookie scanner block cookies too?
Scanning and blocking are separate jobs. A scanner finds and lists cookies; a consent platform then blocks non-essential cookies and scripts until the visitor consents. Many platforms bundle both functions together.
Can I scan a website's cookies myself in the browser?
Yes, for one page at a time. Right-click, choose Inspect, then open Application (Chrome) or Storage (Firefox) and select Cookies. It does not scale across a whole site, categorize anything, or leave a report, which is why scanners exist.
Understanding how a cookie scanner works is the first step to running one on your own site instead of guessing at what it might find. Consently's cookie scanning crawls your site on a schedule and categorizes every cookie it detects. It uses those results to auto-block non-essential cookies and populate your banner. See how it works on your own site with Consently's cookie scanning.

