Every privacy regulation that covers cookies — GDPR, CCPA, Quebec Law 25, the ePrivacy Directive — requires you to know exactly what cookies your website sets and to disclose them to visitors. The problem is that cookies change constantly. Third-party scripts update, marketing teams add new tools, and developers integrate new services. A manual cookie audit done today is out of date by next week.
Automatic cookie scanning solves this. Here's how it works and what to look for in a consent management platform.
What is automatic cookie scanning?
Automatic cookie scanning is a process where a consent management platform (CMP) crawls your website, loads your pages in a real browser environment, and records every cookie, local storage item, and tracking technology that gets set. The scanner then categorises each item — typically into groups like "strictly necessary," "analytics," "marketing," and "preferences" — and maps them to known vendors.
This process runs on a schedule (daily, weekly, or on-demand) so your cookie inventory stays current without any manual intervention.
Why manual cookie audits fail
If you've ever tried to manually catalogue your website's cookies, you know the problems:
Third-party scripts set cookies you don't control. Google Analytics, Facebook Pixel, HubSpot, Intercom, and dozens of other tools each set their own cookies. You can't know what they'll set just by reading their documentation.
Cookies change with every script update. A third-party vendor updating their JavaScript can introduce new cookies or change existing ones. Your audit is immediately stale.
Different pages set different cookies. Your homepage may set five cookies while your checkout page sets fifteen. A manual audit of one page misses the rest.
Dynamic content creates dynamic cookies. Embedded videos, social widgets, chatbots, and A/B testing tools all set cookies conditionally. You won't catch them unless you trigger the right conditions.
Regulations require ongoing accuracy. GDPR Article 13 and the ePrivacy Directive require that your cookie policy accurately reflects what cookies are being set. An outdated audit means an inaccurate policy, which means non-compliance.
How CookieChimp's automatic scanning works
CookieChimp takes a comprehensive approach to cookie scanning:
1. Browser-based crawling
CookieChimp loads your pages in a real browser environment — not just a simple HTTP request. This means it executes JavaScript, loads iframes, triggers lazy-loaded content, and captures cookies that only appear after client-side rendering. This is critical for modern websites built with React, Next.js, Vue, or any SPA framework.
2. Automatic categorisation
Once cookies are detected, CookieChimp categorises each one automatically. It maintains its own database of known storage items and vendors, and for anything it hasn't seen before, it goes out to the internet to research the cookie — looking at the vendor's own documentation, privacy policies, and developer resources to find out what the storage item is, what it's used for, and how long it persists. That information is used to assign the correct category (strictly necessary, analytics, marketing, or preferences) and build a complete description. This eliminates the manual work of researching each cookie yourself and deciding where it belongs.
3. Vendor identification
For every cookie, CookieChimp identifies the vendor that sets it. This is essential for your cookie policy, which needs to disclose not just what cookies exist but who sets them and why.
4. Live vendor list embed
CookieChimp provides a vendor list embed that you can drop into your existing cookie policy page. The embed displays a live, always-current list of vendors and storage items — fully synced with what visitors see on your consent banner and what you manage in the CookieChimp platform. When cookies change, your policy page reflects it instantly with no manual editing.
5. Scheduled and on-demand scans
Scans run on a regular schedule to catch changes, and you can trigger an on-demand scan any time you deploy new code or add a new third-party integration.
What to look for in a cookie scanner
Not all automatic scanners are equal. Here's what separates a good scanner from a basic one:
| Capability | Why it matters |
|---|---|
| Real browser execution | Simple HTTP scanners miss JavaScript-set cookies |
| Multi-page crawling | Single-page scans miss cookies set on deeper pages |
| Auto categorisation | Manual categorisation doesn't scale |
| Vendor mapping | Required by GDPR for transparent disclosure |
| Scheduled scans | One-time scans go stale immediately |
| Local storage detection | Modern trackers use localStorage and sessionStorage, not just cookies |
| Embeddable vendor list | Your policy page must match your actual cookies |
The compliance impact
Accurate cookie scanning directly affects your compliance posture:
GDPR (EU): You must inform users about every cookie before it's set and obtain consent for non-essential cookies. An incomplete cookie inventory means you're setting undisclosed cookies, which is a violation.
CCPA (California): While CCPA focuses on personal information rather than cookies specifically, cookies that track users for advertising purposes must be disclosed, and users must be able to opt out.
Quebec Law 25 (Canada): Requires informed consent for collecting personal information through cookies, with specific requirements for French-language disclosure.
ePrivacy Directive (EU): Explicitly requires consent before storing or accessing information on a user's device (cookies, local storage, etc.), with limited exceptions for strictly necessary operations.
An automatic scanner is the only reliable way to maintain compliance across all of these regulations simultaneously.
Getting started
If your current consent management setup relies on a manual cookie list that someone updated months ago, you're almost certainly non-compliant.
CookieChimp makes this simple:
- Add the CookieChimp script to your site
- CookieChimp automatically scans and categorises every cookie
- Drop the vendor list embed into your cookie policy page for a live, always-current disclosure
- Scheduled scans keep everything current as your site evolves
No spreadsheets. No manual research. No stale cookie lists. Get started with CookieChimp and let automatic scanning handle your cookie compliance.