Most websites that think they're GDPR compliant aren't. The banner displays, users click it, everything looks fine from the inside. But if your tracking scripts fire before consent, your banner is decorative and your site is in breach. The good news: you can check this yourself in about five minutes, for free, without legal expertise.
This guide shows you two ways to check your site, what the results actually mean, and how to fix the most common problem.
How Do I Know If My Website Is GDPR Compliant?
You can check GDPR compliance two ways: a free automated scanner that lists every cookie and tracker on your site, and a manual browser test that shows whether those trackers fire before consent. The scanner tells you what's running. The manual test tells you whether it's blocked correctly. You need both, because a site can have a perfect-looking banner and still leak data before the user clicks anything.
Neither method requires a lawyer. The automated scan takes seconds, and the manual test takes about two minutes in your browser's developer tools.
Method 1: Run a Free Cookie Scanner
A cookie scanner crawls your site and produces an inventory of every cookie and third-party script it finds, sorted by category: necessary, analytics, marketing, and so on. This catches trackers you may have forgotten about, including ones added by other tools or team members.
Run your domain through the Consentify GDPR scanner. Enter your URL and you'll get a categorized list of what's active on your site, which cookies require consent, and whether the page already has a consent platform detected. This is the fastest way to see your starting point before you set anything up.
Method 2: The Two-Minute Browser Test
The scanner shows what's running, but the more important question is whether those scripts fire before the user consents. This is where most sites fail, and it's the single thing regulators check first. Here's how to test it yourself:
- Open your site in a fresh incognito or private browser window.
- Before clicking anything on the cookie banner, open developer tools (F12 in Chrome or Firefox) and go to the Network tab.
- Filter for known tracking domains: type google-analytics, facebook, doubleclick, or hotjar into the filter box.
- Reload the page and watch the network activity before you touch the banner.
The correct result is zero requests to those domains before you click Accept. If you see requests to tracking domains firing before you've interacted with the banner, your site is in breach of the ePrivacy Directive. The banner is decorative and tracking has already begun.
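To make the browser test repeatable, you can save the Network tab capture as a HAR file and check it with a script. The following is an added example, not code from this guide or from Consentify; the function names and the sample capture are constructed, and it matches on the request hostname rather than the whole URL so that a first-party file with "facebook" in its path is not counted.

```javascript
// Added example: flag tracker requests in a HAR capture taken before consent.
// The patterns are the four filter terms from the browser test above.
const TRACKER_PATTERNS = ["google-analytics", "facebook", "doubleclick", "hotjar"];

// Return the pattern that matches the URL's hostname, or null if none does.
function matchTracker(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return null; // malformed or non-URL entries are ignored
  }
  return TRACKER_PATTERNS.find((p) => host.includes(p)) || null;
}

// har: parsed HAR object. consentAtMs: epoch milliseconds of the Accept click,
// or null when the banner was never touched (every request is pre-consent).
function preConsentTrackerHits(har, consentAtMs = null) {
  const hits = [];
  for (const entry of har.log.entries) {
    const startedMs = Date.parse(entry.startedDateTime);
    if (consentAtMs !== null && startedMs >= consentAtMs) continue;
    const tracker = matchTracker(entry.request.url);
    if (tracker) hits.push({ tracker, url: entry.request.url });
  }
  return hits;
}

// Constructed sample capture (not real traffic): one tracker fires before the
// click at 09:00:05, one fires after it, and one first-party image only has
// "facebook" in its path.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2026-01-10T09:00:00.100Z",
    request: { url: "https://shop.example/index.html" } },
  { startedDateTime: "2026-01-10T09:00:00.450Z",
    request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
  { startedDateTime: "2026-01-10T09:00:00.500Z",
    request: { url: "https://shop.example/img/facebook-icon.png" } },
  { startedDateTime: "2026-01-10T09:00:07.900Z",
    request: { url: "https://static.hotjar.com/c/hotjar-0.js" } },
] } };
const SAMPLE_CONSENT_AT = Date.parse("2026-01-10T09:00:05.000Z");

// A compliant page yields an empty list here; this sample yields one hit.
console.log(preConsentTrackerHits(SAMPLE_HAR, SAMPLE_CONSENT_AT));
```

For a capture recorded exactly as in the steps above, without clicking the banner, leave out the second argument so every request in the file is treated as pre-consent.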
What Does It Mean If Trackers Fire Before Consent?
It means your consent banner isn't actually blocking anything. This is the most common GDPR mistake by far, and it's the one regulators target first. A banner that displays while Google Analytics or Meta Pixel run underneath it provides no legal protection, regardless of how professional it looks.
Enforcement in 2026 has shifted decisively toward auditing consent mechanisms, with regulators specifically testing whether non-essential scripts execute before a valid choice is made. The fix is to use a consent tool that blocks scripts at the source until consent is given, rather than one that just displays a banner on top of scripts that are already loading.
Which Cookies Actually Require Consent?
Any cookie not strictly necessary for your site to function requires consent. That includes Google Analytics, Meta Pixel, Google Ads, TikTok Pixel, LinkedIn Insight Tag, Hotjar, and most embedded third-party widgets. Cookies that are exempt include session cookies, login state, shopping cart data, and security tokens.
The category that trips people up most is analytics. GA4 still sets cookies tied to user identification and behavioral tracking, which places it outside the strictly necessary exemption, regardless of how anonymized you've configured it. If your scan shows GA4 and your banner doesn't block it before consent, that's your first thing to fix.
What a Scanner Can't Tell You
Automated scanners have real limits, and it's worth being honest about them. A scanner crawls a set of pages at one moment in time. It can miss cookies set only after a user logs in, trackers that fire on specific pages it didn't crawl, or scripts injected dynamically after a delay. Most public compliance scanners analyze only a handful of subpages, so a clean result is not a guarantee of full compliance.
This is why the browser test matters alongside the scan. The scan gives you the inventory; the browser test confirms the blocking behavior on the pages you care about most. For full confidence, especially on a large site, a manual review of your consent flow is still the gold standard.
Does GDPR Apply to My Site If I'm Not in the EU?
Yes, if you have visitors from the EU. GDPR applies based on where your visitors are located, not where your business is registered. A site hosted in the US or run from Australia is still subject to GDPR for its European visitors. This is why the location of your business doesn't exempt you, and why so many non-EU site owners are surprised to learn the rules apply to them.
How to Fix a Non-Compliant Site
If your scan or browser test revealed problems, the fix is straightforward. Set up a consent tool that genuinely blocks non-essential scripts until the visitor opts in, configure your tracking tools through it, and add a way for visitors to change their consent later. The step-by-step setup guide walks through the whole process, and it takes under ten minutes for a standard site.
After setup, run the browser test again. You should now see zero tracking requests before consent, and your configured scripts firing only after the visitor accepts. That's the difference between a banner that looks compliant and one that actually is.
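What "blocking at the source" means in practice, as an added sketch that is not Consentify's code: non-essential scripts are registered with a gate and only injected once their category is granted. The class name, category names and script URLs are hypothetical, and the injector is passed in so the logic can be exercised outside a browser.

```javascript
// Added example: scripts are held back until their consent category is granted.
class ConsentGate {
  // inject: function(src) that actually loads a script (hypothetical hook).
  constructor(inject) {
    this.inject = inject;
    this.granted = new Set(["necessary"]); // exempt category loads immediately
    this.pending = [];                     // [{ src, category }] held back
    this.loaded = [];                      // srcs injected so far, in order
  }

  // Use this instead of placing a <script> tag for the tool in the page.
  register(src, category) {
    if (this.granted.has(category)) this.load(src);
    else this.pending.push({ src, category });
  }

  // Called from the banner's Accept or preferences handler.
  grant(categories) {
    for (const c of categories) this.granted.add(c);
    const stillPending = [];
    for (const item of this.pending) {
      if (this.granted.has(item.category)) this.load(item.src);
      else stillPending.push(item);
    }
    this.pending = stillPending;
  }

  // Withdrawal stops future loads. A script that is already running cannot
  // be unloaded, so the caller should reload the page when this returns true.
  revoke(category) {
    if (category === "necessary") return false;
    return this.granted.delete(category);
  }

  load(src) {
    if (this.loaded.includes(src)) return; // never inject the same script twice
    this.loaded.push(src);
    this.inject(src);
  }
}

// Browser injector: the <script> element is created only at load time, so
// nothing is requested from the third party before consent.
function domInject(src) {
  const el = document.createElement("script");
  el.src = src;
  el.async = true;
  document.head.appendChild(el);
}
```

In a page this would be used as `new ConsentGate(domInject)`, with the banner's Accept button calling `grant` and the preferences link calling `revoke`.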
Ready to get started? Scan your site free, then set up a compliant banner in minutes with Consentify.