Cookie Audit Plugin: How to Choose and Implement Cookie Compliance
If your website sets cookies and you operate in the UK or EU, you are legally required to obtain informed consent before any non-essential cookies fire. That requirement is not new. What has changed is the level of enforcement and the sophistication of audit tools that regulators and privacy researchers now use to check compliance.
A cookie audit plugin does two things: it scans your website to detect every cookie your site sets (including those from third-party scripts), and it presents a consent mechanism that meets the legal standard. Without both, your consent banner is decorative rather than functional.
This guide covers what a cookie audit plugin does, how to choose one, and which options work across WordPress, Drupal, Magento, and other CMS platforms.
What a cookie audit plugin actually does
Most people think of a cookie plugin as the pop-up. The consent banner is the visible part, but it is the audit layer underneath that determines whether your site is actually compliant.
A proper cookie audit plugin does the following:
- Crawls your site and identifies every cookie set, including those added by analytics, advertising, social media embeds, and live chat tools
- Classifies each cookie by category: strictly necessary, functional, analytics, or marketing
- Blocks non-essential cookies from firing until consent is given
- Records consent decisions with timestamps and version identifiers for your audit log
- Updates its cookie database as new versions of third-party scripts introduce new cookies
If your current setup shows a banner but still loads Google Analytics before the user clicks accept, you are not compliant regardless of what the banner says. The audit capability is what separates a genuine compliance tool from a cosmetic one.
The legal standard in the UK
Under PECR (Privacy and Electronic Communications Regulations) and the UK GDPR, non-essential cookies require freely given, specific, informed, and unambiguous consent. Silence, pre-ticked boxes, and continuing to browse do not constitute valid consent.
The ICO has been clear: consent must be as easy to withdraw as to give. That means your cookie settings must be accessible after the initial choice, not buried in a privacy policy link.
The practical minimum for a compliant setup is:
- A consent banner that blocks non-essential cookies on first load
- Separate toggle controls for each cookie category
- A persistent way to change or withdraw consent (typically a floating icon or footer link)
- Consent logging with proof of what the user agreed to and when
Cookie audit plugins for WordPress
WordPress has the widest selection of cookie compliance tools. The quality varies significantly.
CookieYes
CookieYes runs an automatic cookie audit on your domain and populates a cookie policy table from its database of known cookies. The free plan covers up to 500 page scans per month and includes a basic consent log. The paid plans add geo-targeting (so you can show different banners to UK and EU visitors versus US visitors), custom branding, and a deeper audit log suitable for DPA requests.
Setup is via plugin or a JavaScript embed code, which makes it practical for WordPress as well as non-WordPress sites.
Complianz
Complianz takes a configuration-wizard approach. It asks questions about your site's tools and services, then builds a consent setup based on your answers. The cookie audit scans your site and matches cookies against its database. It integrates directly with popular WordPress plugins including WooCommerce, Gravity Forms, and most caching plugins to handle script-blocking at the server level rather than relying solely on JavaScript.
The paid version adds support for multiple legislation types (GDPR, CCPA, PIPEDA) from a single interface, which is useful if you have an international audience.
Borlabs Cookie
Borlabs Cookie is a premium-only plugin (no free tier) that is well regarded for its cookie blocker reliability. It uses a Content Blocker feature that replaces iframes and embeds (YouTube videos, Google Maps, social feeds) with placeholder images until consent is given. This is important because embedding a YouTube video loads Google cookies even before the video is played.
Its cookie audit requires manual categorisation rather than automatic detection, which means more setup time but also more control over how cookies are described to users.
Cookie Notice by dFactory
Cookie Notice is a lightweight option with a free plugin and a paid cloud extension. The free version provides a banner with basic category controls but lacks automatic cookie scanning. If you add the paid extension, you get the WPCS (WordPress Cookie Compliance Suite) which adds automatic detection and a consent log.
It is a reasonable option for smaller sites with a straightforward tech stack where manual categorisation is feasible.
Cookie compliance on Drupal
Drupal does not have a dominant cookie compliance module in the same way WordPress does. The EU Cookie Compliance module (now called Cookie Control) is the most widely used. It integrates with Drupal's JavaScript asset handling to block scripts by category and provides a configurable consent banner.
For enterprise Drupal sites, the preferred approach is often to use a platform-agnostic tool such as CookieYes or Cookiebot via JavaScript embed, rather than a Drupal-specific module. This keeps the compliance layer independent of the CMS version and reduces risk during Drupal major version upgrades.
Cookie compliance on Magento
Magento 2 includes a basic cookie restriction mode built into its configuration, but it only covers Magento's own cookies, not third-party scripts loaded on the frontend. For a full cookie audit on a Magento store, you need either a third-party extension or an external consent management platform injected via Google Tag Manager.
The GTM approach is the most flexible for Magento: it allows you to use any consent management platform while keeping the Magento installation clean. You configure GTM to fire tags only when the relevant consent has been granted, using the Consent Mode v2 API that Google requires for proper integration with Google Analytics 4 and Google Ads.
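The Consent Mode v2 wiring described above, as an added example rather than code from this guide or from any CMP: the `gtag('consent', ...)` calls and signal names are Google's, while `SIGNALS_BY_CATEGORY`, `toConsentState`, `setConsentDefaults` and `onBannerSaved` are hypothetical names and the category-to-signal mapping is an assumption.

```javascript
// Added example: Consent Mode v2 defaults and updates driven by banner choices.
// The category-to-signal mapping is an assumption; align it with your CMP.
const SIGNALS_BY_CATEGORY = {
  functional: ['functionality_storage', 'personalization_storage'],
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); } // standard gtag stub

// Translate banner toggles ({ analytics: true, ... }) into consent signals.
// Only an explicit `true` grants; missing or truthy-but-not-true stays denied.
function toConsentState(choices) {
  const state = { security_storage: 'granted' }; // strictly necessary
  for (const [category, signals] of Object.entries(SIGNALS_BY_CATEGORY)) {
    const value = choices[category] === true ? 'granted' : 'denied';
    for (const signal of signals) state[signal] = value;
  }
  return state;
}

// Must run before the GTM container snippet so tags start in the denied state.
function setConsentDefaults() {
  gtag('consent', 'default', { ...toConsentState({}), wait_for_update: 500 });
}

// Call from the banner's save handler, and again when consent is withdrawn.
function onBannerSaved(choices) {
  gtag('consent', 'update', toConsentState(choices));
}

setConsentDefaults();
```
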
Cookie compliance on Shopify
Shopify's own cookie banner (introduced in 2023) handles consent for Shopify's native cookies and integrates with Shopify's analytics. It does not cover third-party apps installed from the App Store, which can each set their own cookies.
For a comprehensive audit on Shopify, you need a third-party consent app such as Pandectes GDPR Compliance or Consentmo. Both offer automatic cookie scanning and will block app scripts pending consent. If you use Shopify Markets and sell to EU customers, auto-blocking is essential rather than optional.
Platform-agnostic tools
For organisations running multiple websites on different platforms, a platform-agnostic consent management platform (CMP) keeps compliance consistent across properties. The main options in this category are:
- Cookiebot (Usercentrics): Widely used at enterprise scale. Automatic cookie scanning on a schedule, detailed audit logs, and direct integration with Google Consent Mode v2. Pricing is per domain based on page views.
- OneTrust: The dominant enterprise CMP. Comprehensive audit functionality, automated compliance reporting, and support for multiple regulatory frameworks. Cost reflects its enterprise positioning.
- Axeptio: A French-market tool that has grown across Europe. Known for its less aggressive design approach and strong French language support. Audit functionality is solid at mid-market pricing.
Free versus paid: where the difference matters
Free cookie plugins can achieve basic compliance on simple sites. The limitations become material in four situations:
- Automatic cookie discovery: Free tiers typically limit how frequently your site is scanned. If you add new tools or update plugins regularly, the cookie list can fall behind. Paid plans scan on a schedule or on demand.
- Consent logging for legal proof: If the ICO or a data subject requests evidence of consent, you need a log that shows what version of your policy the user agreed to and when. Most free plans either do not store this or retain it for a very short period.
- Geo-targeting: If you want to show a consent banner to UK and EU visitors while showing a simpler notice to US visitors (where CCPA requirements differ), you need a paid plan on most platforms.
- Google Consent Mode v2: From March 2024, Google requires Consent Mode v2 signals for proper GA4 modelling. Not all free plugins support the full implementation.
Running a cookie audit: practical steps
Whether you use a plugin or commission an audit separately, the process is the same:
1. Crawl the site with cookies disabled to establish a baseline of what loads before consent
2. Accept all cookies and crawl again to see everything that fires
3. Compare the two lists and categorise each cookie: strictly necessary, functional, analytics, or marketing
4. Check that your consent banner's categories match your actual cookie categories
5. Verify that non-essential cookies do not fire before consent is given
6. Check that your consent log is capturing decisions with sufficient detail
7. Review whether any cookies are set by third-party iframes (videos, maps, embeds) before content blocking is triggered
A cookie audit plugin automates steps one to three. Steps four to seven require a manual review, which is why periodic audits matter even if you have a plugin installed.
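The comparison in steps one to three, as an added example that is not part of the original guide or any plugin's code: it diffs the cookie jars exported from the two crawls and flags anything non-essential or unknown that was present before consent. The jar contents, the `example.test` domain, the rule table and all function names are constructed for illustration.

```javascript
// Added example: diff the cookie jars from a pre-consent and a post-consent crawl.
// Jar contents, example.test and the rule table are constructed for illustration.
const RULES = [ // assumed classification, first match wins
  [/^PHPSESSID$/, 'strictly necessary'],
  [/^(_ga(_.+)?|_gid)$/, 'analytics'], // Google Analytics, incl. GA4 _ga_<id>
  [/^_fbp$/, 'marketing'],             // Meta Pixel
];

function categorise(name) {
  const hit = RULES.find(([pattern]) => pattern.test(name));
  return hit ? hit[1] : 'uncategorised';
}

// A cookie is third-party when its domain is not the site or a subdomain of it.
function isThirdParty(domain, site) {
  const d = domain.replace(/^\./, '').toLowerCase();
  return d !== site && !d.endsWith('.' + site);
}

function auditCookies(preConsent, postConsent, site) {
  const key = (c) => `${c.name}@${c.domain.replace(/^\./, '').toLowerCase()}`;
  const describe = (c) => ({
    cookie: key(c),
    category: categorise(c.name),
    thirdParty: isThirdParty(c.domain, site),
  });
  const before = new Map(preConsent.map((c) => [key(c), describe(c)]));
  const after = new Map(postConsent.map((c) => [key(c), describe(c)]));
  const all = [...new Map([...before, ...after]).values()];
  return {
    // Non-essential or unknown cookies present before any consent was given.
    firedBeforeConsent: [...before.values()].filter((c) => c.category !== 'strictly necessary'),
    // Cookies that appear only once consent has been granted.
    gatedByConsent: [...after.values()].filter((c) => !before.has(c.cookie)),
    // Anything the rule table does not know needs manual categorisation.
    needsReview: all.filter((c) => c.category === 'uncategorised'),
  };
}

const PRE = [
  { name: 'PHPSESSID', domain: 'example.test' },
  { name: '_ga', domain: '.example.test' },
  { name: 'VISITOR_INFO1_LIVE', domain: '.youtube.com' }, // set by a video embed
];
const POST = [...PRE,
  { name: '_ga_ABC123', domain: '.example.test' },
  { name: '_fbp', domain: '.example.test' },
];
console.log(JSON.stringify(auditCookies(PRE, POST, 'example.test'), null, 2));
```

Unknown cookies are deliberately treated as non-essential, so a new third-party script shows up as a pre-consent finding until someone categorises it.
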
What to prioritise if you are starting from scratch
For most UK businesses running WordPress, Complianz or CookieYes on a paid plan will cover the technical requirements. If you run Magento or a headless build, the GTM-based approach using Cookiebot or OneTrust is more reliable than CMS-specific extensions.
The single most important thing to check is whether your current setup is actually blocking cookies before consent. A significant number of UK websites display a consent banner while still loading analytics on page load. That is not compliant, and the technical fix is straightforward once the issue is identified.
Cookie compliance and technical web audits
EXPRE reviews cookie compliance, consent mechanisms, and third-party script loading as part of our technical web audits. We work across WordPress, Drupal, Magento, and custom builds.