Why You Need a Privacy Audit
Before you can fix problems, you need to find them. A privacy audit reveals:
- What data your website collects
- Where that data goes
- Whether your consent mechanisms actually work
The good news? You can catch the most common issues yourself, in just 10 minutes.
The 10-Minute DIY Audit Checklist
Open your website in an Incognito/Private browsing window (a private window starts without your existing cookies, so you see the site as a first-time visitor would). Then follow these steps:
Step 1: Cookie Banner Test (2 minutes)
What to Check:
| Question | Expected Answer |
|---|---|
| Does the banner appear immediately on page load? | ✓ Yes, before any other content |
| Is there a "Reject All" button? | ✓ Yes, equally prominent as "Accept" |
| Are any consent boxes pre-checked? | ✓ No, all should be unchecked by default |
| Can you close the banner without making a choice? | ✓ No, user must make an explicit decision |
Common Failures:
- Banner only shows a "Got it" button (no real choice)
- "Reject" is hidden in small text or a second screen
- Analytics categories pre-selected
Step 2: Form Audit (3 minutes)
Navigate to your newsletter signup, contact form, or registration page.
What to Check:
| Question | Expected Answer |
|---|---|
| Is there a consent checkbox? | ✓ "I agree to the Privacy Policy" |
| Is the checkbox mandatory for non-essential purposes? | ✓ No, marketing consent should be optional |
| Is there a link to your Privacy Policy? | ✓ Yes, directly linked |
| Does form submission work without checking the box? | Depends on purpose: contact = yes, newsletter = no |
Common Failures:
- Pre-checked "Send me marketing emails" box
- No link to Privacy Policy
- Form data stored in unsecured locations (Google Sheets, Airtable)
Step 3: Network Request Analysis (5 minutes)
This is the most technical—but most revealing—step.
Setup (Chrome Desktop):
- Right-click anywhere on your page → Inspect
- Go to the Network tab
- Clear the list (circle with slash icon)
- Important: Refresh the page WITHOUT interacting with the cookie banner
What to Look For:
Scan the "Domain" column for these common trackers:
| Domain | What It Is | Problem If Seen Before Consent |
|---|---|---|
| facebook.com or facebook.net | Facebook Pixel | Tracks users, sets cookies |
| google-analytics.com | Google Analytics | Collects behavior data |
| doubleclick.net | Google Ads | Advertising network |
| linkedin.com | LinkedIn Insight | B2B tracking |
| fonts.googleapis.com | Google Fonts | IP address exposed to Google |
| youtube.com | YouTube Embed | Sets tracking cookies |
The Test: If you see any of these domains being contacted before you clicked "Accept," your cookie banner is performing what we call "cosmetic compliance"—it looks correct but doesn't actually block anything.
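The same check can be scripted so it is repeatable across pages. The block below is an added example, not code from the original article: it takes a list of resource requests (in a browser, `performance.getEntriesByType("resource")` returns entries with exactly the `name` and `startTime` fields used here), ignores first-party requests, matches the remaining hostnames against the tracker table above, and splits the hits by whether they started before or after the moment the banner was answered. The sample entries, the `example-shop.test` hostname and the consent time are constructed for the example.

```javascript
// Added example: classify third-party requests by whether they fired before consent.
// Inputs shaped like PerformanceResourceTiming entries: { name: <url>, startTime: <ms> }.

// Tracker list taken from the article's table: hostname suffix -> label.
const KNOWN_TRACKERS = [
  { suffix: "facebook.com",         label: "Facebook Pixel" },
  { suffix: "facebook.net",         label: "Facebook Pixel" },
  { suffix: "google-analytics.com", label: "Google Analytics" },
  { suffix: "doubleclick.net",      label: "Google Ads" },
  { suffix: "linkedin.com",         label: "LinkedIn Insight" },
  { suffix: "fonts.googleapis.com", label: "Google Fonts" },
  { suffix: "youtube.com",          label: "YouTube Embed" },
];

// True when host is the suffix itself or a subdomain of it
// (connect.facebook.net matches facebook.net; notfacebook.net does not).
function hostMatches(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Label for a known tracker host, or null for an unknown third party.
function classifyHost(host) {
  const hit = KNOWN_TRACKERS.find(t => hostMatches(host, t.suffix));
  return hit ? hit.label : null;
}

// siteHost: your own hostname, so first-party requests are skipped.
// consentTime: ms after navigation at which the banner was answered, or null
// if the user never made a choice (then every tracker request is "before consent").
function auditRequests(entries, siteHost, consentTime) {
  const report = { beforeConsent: [], afterConsent: [], unclassified: [] };
  for (const { name, startTime } of entries) {
    let host;
    try { host = new URL(name).hostname; } catch { continue; } // skip data:/blob: URLs
    if (hostMatches(host, siteHost)) continue;                 // first-party: out of scope
    const label = classifyHost(host);
    if (!label) { report.unclassified.push(host); continue; }  // third party to review by hand
    const finding = { host, label, startTime };
    if (consentTime === null || startTime < consentTime) report.beforeConsent.push(finding);
    else report.afterConsent.push(finding);
  }
  return report;
}

// Constructed sample: a shop page that loaded Google Fonts, Facebook Pixel and
// Google Analytics during page load, and an ads beacon after the banner was clicked.
const SAMPLE_ENTRIES = [
  { name: "https://example-shop.test/index.html", startTime: 12 },
  { name: "https://example-shop.test/assets/app.js", startTime: 40 },
  { name: "https://cdn.example-cdn.test/lib.js", startTime: 55 },
  { name: "https://fonts.googleapis.com/css?family=Inter", startTime: 90 },
  { name: "https://connect.facebook.net/en_US/fbevents.js", startTime: 310 },
  { name: "https://www.google-analytics.com/analytics.js", startTime: 325 },
  { name: "https://stats.g.doubleclick.net/j/collect", startTime: 4200 },
];
const SAMPLE_CONSENT_TIME = 4000; // constructed: "Accept" clicked 4 s after navigation

// In a browser console, the equivalent call is:
//   auditRequests(performance.getEntriesByType("resource"), location.hostname, consentTime)
console.log(JSON.stringify(auditRequests(SAMPLE_ENTRIES, "example-shop.test", SAMPLE_CONSENT_TIME), null, 2));
```

Anything in `beforeConsent` is the cosmetic-compliance signal the article describes; `unclassified` lists third parties that are not in the table and still need a manual look. Note that the resource timing buffer holds 250 entries by default and does not record every request type, so treat this as a supplement to the Network tab rather than a replacement for it.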
What to Do If You Find Issues
Priority 1: Fix Your Consent Mechanism
Your cookie/consent management platform (CMP) should block tracking scripts until consent is granted. If scripts fire immediately, either:
- Your CMP is misconfigured
- Scripts were added outside the CMP's control (common with Google Tag Manager)
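To show what "blocking until consent" means in practice, here is an added example (not the article's code and not any particular CMP's implementation) of one widely used gating pattern: tracking tags ship with `type="text/plain"` and a category attribute, which the browser parses but never executes, and are only replaced by live script elements once the matching category has been granted. The cookie name `site_consent`, its `category:1` value format and the `data-consent` attribute are assumptions for the example.

```javascript
// Added example: consent-gated script activation.
// Constructed markup this code works against:
//
//   <!-- fires on page load regardless of the banner: the failure the audit finds -->
//   <script src="https://www.google-analytics.com/analytics.js"></script>
//
//   <!-- gated: inert until the "analytics" category is granted -->
//   <script type="text/plain" data-consent="analytics"
//           src="https://www.google-analytics.com/analytics.js"></script>

const CONSENT_COOKIE = "site_consent"; // assumed cookie name, value like "analytics:1,marketing:0"

// Parse the consent cookie out of a Cookie header / document.cookie string into a
// Set of granted categories. Anything not explicitly "1" is treated as denied, and
// no cookie at all means nothing is granted (no pre-selected defaults).
function parseConsent(cookieString) {
  const granted = new Set();
  const entry = cookieString.split(/;\s*/).find(c => c.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return granted;
  const value = decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1));
  for (const pair of value.split(",")) {
    const [category, flag] = pair.split(":");
    if (flag === "1") granted.add(category.trim());
  }
  return granted;
}

// Given plain descriptions of script tags ({ type, consent, src }), return the
// gated ones whose category was granted. Tags that are already executable are
// not the CMP's to manage; they are the ones the audit flags.
function selectScriptsToActivate(scripts, granted) {
  return scripts.filter(s => s.type === "text/plain" && s.consent && granted.has(s.consent));
}

// Browser-only: replace each consented inert tag with an executable copy.
// Changing the type attribute in place is not enough: the parser already skipped
// the tag, so a fresh <script> element must be created for it to run.
function activateConsented(doc, granted) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descs = tags.map(t => ({ type: t.type, consent: t.dataset.consent, el: t }));
  for (const { el } of selectScriptsToActivate(descs, granted)) {
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    live.dataset.consent = el.dataset.consent; // keep the category for later audits
    el.replaceWith(live);
  }
}

// Constructed sample: three tags and a cookie granting analytics but not marketing.
const SAMPLE_SCRIPTS = [
  { type: "text/plain",      consent: "analytics", src: "https://www.google-analytics.com/analytics.js" },
  { type: "text/plain",      consent: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { type: "text/javascript", consent: undefined,   src: "https://example-shop.test/assets/app.js" },
];
const SAMPLE_COOKIE = "site_consent=analytics%3A1%2Cmarketing%3A0; session=abc123";

// Browser usage after the banner is answered:
//   activateConsented(document, parseConsent(document.cookie));
console.log(selectScriptsToActivate(SAMPLE_SCRIPTS, parseConsent(SAMPLE_COOKIE)).map(s => s.src));
```

The gating only helps if every tracking tag actually goes through it; a tag injected by Google Tag Manager or pasted directly into a template, as the article notes, never carries the `text/plain` type and fires regardless of the banner, which is exactly what the Network tab check in Step 3 reveals.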
Priority 2: Audit Your Third-Party Integrations
For each external service you use, ask:
- Does it set cookies?
- Does it transfer data outside the EU?
- Is it documented in my Privacy Policy?
Priority 3: Update Your Privacy Policy
If you find integrations not mentioned in your policy, you have a Say-Do Gap. Fix it by either:
- Removing the undisclosed integration
- Updating your policy to include it
Limitations of DIY Audits
This 10-minute check catches the obvious issues. It cannot detect:
- Sub-page behavior: Trackers that only load on checkout or account pages
- Delayed firing: Scripts that only activate after 30 seconds
- Server-side tracking: Data collection that happens without browser requests
- PII in URLs: Email addresses or user IDs exposed in query parameters
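The last item on that list, PII in query parameters, is one that can be checked automatically once you have captured request URLs (for example from a HAR export). The block below is an added example, not code from the original article or from any scanning product: it decodes each query parameter, flags values that contain an email address, and flags user-ID-like values under parameter names that suggest an identifier. The heuristics, parameter-name list and sample URLs are constructed for the example; a real audit would tune them to the site.

```javascript
// Added example: heuristic scan of captured request URLs for PII in query parameters.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Parameter names that commonly carry a user identifier (assumed list for the example).
const ID_PARAM_RE = /^(uid|user_?id|customer_?id|account_?id|member_?id|client_?id)$/i;

// Returns one finding per { url, param, kind, value } hit. URLSearchParams already
// percent-decodes values, so an email hidden inside an encoded page URL that an
// analytics beacon forwards (e.g. the "dl" parameter) is still visible here.
function findPiiInUrls(urls) {
  const findings = [];
  for (const raw of urls) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip anything that is not an absolute URL
    for (const [param, value] of url.searchParams) {
      const email = value.match(EMAIL_RE);
      if (email) findings.push({ url: raw, param, kind: "email", value: email[0] });
      if (ID_PARAM_RE.test(param) && (UUID_RE.test(value) || /^\d{4,}$/.test(value))) {
        findings.push({ url: raw, param, kind: "user-id", value });
      }
    }
  }
  return findings;
}

// Constructed sample: an analytics beacon forwarding an account page URL that
// contains an email, a first-party API call exposing a user ID, and two clean requests.
const SAMPLE_URLS = [
  "https://www.google-analytics.com/collect?v=1&tid=G-EXAMPLE&cid=555&t=pageview" +
    "&dl=https%3A%2F%2Fexample-shop.test%2Faccount%3Femail%3Djane%40example.test",
  "https://example-shop.test/api/profile?user_id=8f3c2a9e-1b4d-4e7a-9c6d-2f1e0b9a8c7d",
  "https://cdn.example-cdn.test/lib.js?v=3.2.1",
  "https://px.ads.linkedin.com/collect?pid=12345&fmt=gif",
];

console.log(findPiiInUrls(SAMPLE_URLS));
```

The first sample hit is the case that matters most for the audit: the site itself may never send the email to a third party on purpose, but an analytics script that reports the current page URL carries it along. Because this check only sees URLs you captured, it inherits the other limitations above; pages you did not visit and server-side transfers stay invisible.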
When to Use Professional Tools
For a comprehensive audit that covers what you can't see manually, you need automated scanning. SMB Compliance Check's Deep Audit includes:
- Multi-page crawling (not just homepage)
- Cookie and local storage inspection
- Privacy Policy extraction and Say-Do Gap analysis
- Network request capture with third-party classification
- PDF report with specific remediation steps
The result: A complete picture of your compliance posture, not just a surface check.
Key Takeaways
- A basic DIY audit takes 10 minutes and catches major issues.
- Focus on: cookie banner behavior, form consent, and network requests.
- Most failures are "cosmetic compliance"—banners that don't actually block tracking.
- For comprehensive coverage, supplement manual checks with automated scanning.
Ready for a deeper analysis? Run a free compliance scan →