Secure Privacy

Cookie Compliance Review Checklist for Secure Privacy — Keep Your CMP Configuration Audit-Ready

Learn how to conduct periodic cookie compliance reviews using Secure Privacy's CMP — covering cookie scans, classification, Google Consent Mode, GDPR banner language, DSAR tracking, and policy updates.

Andrew Sidorkin

Websites change constantly — new pages, updated integrations, additional marketing tools. Each change can introduce new cookies or trackers that affect your GDPR and cookie compliance posture. This guide provides a structured checklist for conducting periodic reviews to keep your Secure Privacy consent management configuration up to date and audit-ready.

Who Is This For?

This checklist is designed for privacy officers, compliance managers, and web teams responsible for maintaining cookie consent compliance under GDPR, CCPA, or similar regulations using the Secure Privacy CMP platform.

| Area | What to Check | Recommended Frequency |
| --- | --- | --- |
| Website cookie scan | Overall compliance score, new cookies | Weekly or after site changes |
| Cookie classification tab | Cookie categories, service mappings | Monthly |
| Google Consent Mode | Consent type mappings, default states | Quarterly |
| GDPR cookie banner language | Text accuracy, translations | Quarterly |
| DSAR settings | Notification emails, response tracking | Quarterly |
| Privacy and cookie policies | Accuracy with current data practices | Semi-annually |

The Scan Report page is your starting point for every compliance review. Open it and check:

  • Overall compliance score — Has it changed since the last review?

  • Detected services — Are there new third-party services you did not expect?

  • Cookie inventory — Do detected cookies match the services actually deployed on your site?

  • Gaps — Are any cookies unaccounted for or unclassified?

If your score has dropped or new items have appeared, investigate before moving on to the next step.

Tip: Run a manual cookie scan after any significant site change — such as adding a new analytics provider, marketing pixel, or third-party widget — to catch compliance issues early.

Open the Classification tab in Secure Privacy and look for:

  • Unclassified cookies — Assign the correct consent category (e.g. analytics, marketing, functional) to each one

  • Incorrect service mappings — Make sure cookies are attributed to the right third-party services

  • Missing entries — If you know a service is active but its cookies are not listed, add them via the Custom Cookies tab

Accurate cookie classification is essential for GDPR compliance — it determines which cookies are blocked before consent and which are allowed as strictly necessary.

If you use Google Tag Manager, Google Analytics, or Google Ads, review your Google Consent Mode configuration to ensure signals are firing correctly:

  • Verify consent type mappings are correct for each tag

  • Check default consent states for each region or jurisdiction

  • Confirm that Advanced Consent Mode is working as expected (use the GTM debug panel to verify)

Important: Consult your marketing and legal teams before changing default consent states, especially when switching between Basic and Advanced Consent Mode.
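
The default-state check above can also be scripted against a copy of the page's `dataLayer`. This is an added example, not Secure Privacy's or Google's code: the function name `auditConsentDefaults`, the `optInRegions` list, and the precedence model (a regional value overrides the global one per consent type) are assumptions made for illustration.

```javascript
// gtag() pushes its arguments object, so a consent command is array-like:
// ['consent', 'default', { ad_storage: 'denied', region: ['DE'], ... }].
const OPT_IN_TYPES = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

function auditConsentDefaults(dataLayer, optInRegions) {
  const findings = [];
  const defaults = new Map(); // region code, or '*' for a default with no region list
  let sawDefault = false;
  let entriesBeforeDefault = 0;
  for (const raw of dataLayer) {
    const arrayLike = raw && typeof raw === 'object' && typeof raw.length === 'number';
    const entry = arrayLike ? Array.from(raw) : [];
    if (entry[0] !== 'consent' || entry[1] !== 'default') {
      // Entries queued ahead of the default (e.g. the gtm.js start event)
      // mean tags can be evaluated before a default state exists.
      if (!sawDefault) entriesBeforeDefault += 1;
      continue;
    }
    sawDefault = true;
    const { region, ...settings } = entry[2] || {};
    for (const code of Array.isArray(region) ? region : ['*']) {
      defaults.set(code, { ...defaults.get(code), ...settings });
    }
  }
  if (!sawDefault) return ['no consent default command found'];
  if (entriesBeforeDefault > 0) {
    findings.push(`dataLayer entries before first consent default: ${entriesBeforeDefault}`);
  }
  const fallback = defaults.get('*') || {};
  for (const code of optInRegions) {
    const regional = defaults.get(code) || {};
    for (const type of OPT_IN_TYPES) {
      // Assumed precedence model: a regional value overrides the global one.
      const value = regional[type] ?? fallback[type] ?? 'unset';
      if (value !== 'denied') findings.push(`${code}: ${type} defaults to ${value}`);
    }
  }
  return findings;
}

// Constructed sample snapshot (not captured from a real site).
const sampleDataLayer = [
  { 'gtm.start': 1700000000000, event: 'gtm.js' },
  ['consent', 'default', { ad_storage: 'granted', analytics_storage: 'granted',
    ad_user_data: 'granted', ad_personalization: 'granted' }],
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied',
    ad_user_data: 'denied', region: ['DE', 'FR'], wait_for_update: 500 }],
];
console.log(auditConsentDefaults(sampleDataLayer, ['DE', 'FR', 'IT']));
```

In the sample, the regional default omits `ad_personalization`, so DE and FR inherit the global `granted` value, and IT is not covered by any regional default at all.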

Review the text displayed in your GDPR cookie banner and privacy preference center to ensure it remains compliant and up to date:

  • Is all text accurate and current?

  • Are translations correct if multi-language banners are enabled?

  • Are button labels compliant? (Under GDPR, "Reject All" must be as prominent as "Accept All")

  • Test the full user consent flow in each supported language to catch rendering issues

5. DSAR Email Notifications and Response Tracking

Your Data Protection Officer or compliance team must receive email notifications when visitors exercise their data subject rights. Review your DSAR setup:

  • Confirm the correct email address is configured to receive DSAR notifications

  • Test the flow by submitting a test data subject request on your site

  • Verify that response deadlines (typically 30 days under GDPR) are being tracked in the dashboard

Work with your legal team to keep both policies current and aligned with your actual data practices:

  • Review the privacy policy for accuracy against current data collection and processing activities

  • Update the cookie policy to reflect the latest scan results and cookie inventory

  • Ensure both policies reference all third-party services detected on your site

  • Update data retention information if retention periods have changed

The most effective approach is to tie compliance reviews to your existing development and business workflows:

  • After deployments — Run a cookie scan whenever you push changes to production

  • Monthly — Block 30 minutes on the first Monday of each month for a cookie classification review

  • Quarterly — Schedule a deeper review covering Consent Mode, banner language, and DSAR settings

  • Semi-annually — Coordinate with legal for a full privacy and cookie policy review

Frequently Asked Questions

How often should I scan my website for new cookies?

Run a scan at least weekly, and always after deploying site changes such as adding analytics tools, marketing pixels, or third-party integrations. New services can introduce undisclosed cookies that affect your GDPR compliance score.

What happens if cookies are unclassified in Secure Privacy?

Unclassified cookies may not be correctly blocked before user consent, which can result in a compliance violation. Assign a consent category to every detected cookie in the Classification tab as part of your monthly review.

Do I need to update my cookie banner after a website change?

Not necessarily after every change, but if you've added new services or changed the purpose of data collection, your cookie banner text and cookie policy should be updated to accurately reflect this.

What is the deadline to respond to a DSAR under GDPR?

Under GDPR, you must respond to a Data Subject Access Request (DSAR) within 30 days of receipt. Secure Privacy's dashboard helps track open requests and upcoming deadlines.

Need Help with Your Compliance Review?

If you have questions or need assistance with any part of your cookie compliance review, contact Secure Privacy support at [email protected].
