The Privacy Audit Checklist Every Webmaster Should Run
Learn how to audit your website's privacy settings with a practical checklist covering cookies, headers, trackers, third-party scripts, and policy compliance.
Privacy issues rarely show up as broken pages. They hide in third-party scripts you forgot you installed, cookies set before consent, headers that leak referrer data, and analytics tools quietly fingerprinting visitors. A real privacy audit means looking at what your site actually does in the browser — not what you assume it does.
Here's a working checklist you can run against any site you own, with the specific things to look for and how to verify them.
1. Inventory Every Third-Party Request
Start with the simplest question: what domains does your site talk to? Open DevTools, go to the Network tab, reload the page, and sort by domain. You're looking for anything that isn't your own.
What to flag
- Analytics — Google Analytics, Plausible, Mixpanel, Hotjar
- Ad networks — DoubleClick, Taboola, Outbrain
- Embeds — YouTube, Vimeo, Twitter, Instagram widgets
- Fonts — fonts.googleapis.com (still common, still leaks IPs)
- CDNs and tag managers — Cloudflare Insights, GTM containers
For each one, ask: do I still need this? Is it firing before consent? Does the provider have a current Data Processing Agreement?
2. Audit Cookies Before and After Consent
The most common privacy failure is setting tracking cookies before the user clicks anything on a consent banner. Test this in a fresh incognito window.
- Open DevTools → Application → Cookies
- Load the homepage with no interaction
- List every cookie set. Note name, domain, expiry, and SameSite attribute
- Now decline all non-essential cookies. Reload. Anything still there that shouldn't be?
- Accept all. Verify that what loads now matches what your privacy policy claims
Cookie red flags
- Third-party cookies set with no consent
_ga,_fbp, or similar analytics cookies present pre-consent- Cookies with expiry over 13 months
- Missing
SecureorSameSiteattributes on session cookies
3. Check Your HTTP Privacy Headers
Headers control how browsers leak (or don't leak) information about your visitors. Several of these directly affect privacy posture:
Referrer-Policy— set tostrict-origin-when-cross-originor stricterPermissions-Policy— explicitly deny camera, microphone, geolocation, and interest-cohort if you don't use themCross-Origin-Opener-Policy— prevents cross-origin window referencesContent-Security-Policy— restricts what third parties can run
You can pull and inspect these manually with curl -I, or run the URL through AXOX Hub's HTTP Header Checker to get a parsed view of everything your server is sending, including missing privacy-relevant headers.
4. Test for Browser Fingerprinting
Even without cookies, sites can identify visitors using canvas rendering, font lists, screen resolution, audio context, and dozens of other signals. If you've installed analytics or fraud-detection tools, there's a good chance one of them is fingerprinting.
How to check
- Open DevTools → Sources and search loaded scripts for
canvas.toDataURL,getClientRects,AudioContext, ornavigator.plugins - Run your URL through the Browser Fingerprint Analyzer on AXOX Hub — it shows which signals your site is exposing and how unique the resulting fingerprint is
- Cross-check the providers responsible. Some (like fraud tools) have legitimate need; others are tracking by default
5. Review Form and Input Handling
Privacy isn't only about tracking — it's about how you handle data users actively give you.
- Are forms submitted over HTTPS only?
- Do you log full request bodies anywhere? (Check your access logs and error trackers like Sentry)
- Are email addresses or names being sent to analytics as event properties?
- Does autocomplete leak sensitive fields into browser sync?
Pay particular attention to third-party form tools (Typeform, HubSpot, Mailchimp embeds). They often process data in jurisdictions your privacy policy doesn't mention.
6. Verify Your Privacy Policy Matches Reality
This is the step most teams skip. Pull up your current privacy policy and check it against what you found in steps 1–5.
Specific things to reconcile
- Does your policy list every third-party service you actually use?
- Are the data categories accurate? (If you collect IP addresses via server logs, say so)
- Are retention periods specified and being followed?
- Is the legal basis (consent, legitimate interest, contract) correctly identified per processing activity?
- If you transfer data outside the EU/UK, are SCCs or adequacy decisions referenced?
If your policy was last updated more than 12 months ago, assume it's out of date.
7. Test Subject Access and Deletion Requests
Privacy regulations require you to handle data subject requests within a defined window (30 days for GDPR). Most sites have never actually tested their process.
- Send a deletion request to your own
privacy@address from a personal email - Time how long it takes someone to respond
- Verify the data was actually removed from your CRM, email lists, analytics, and backups
- Document the workflow so it's repeatable, not improvised
8. Lock Down Server and Log-Level Privacy
Backend privacy gets overlooked because it's invisible to visitors. But access logs, error trackers, and observability tools often capture more PII than your frontend does.
- Truncate IPs in access logs (e.g., zero the last octet)
- Scrub PII from error messages before they hit Sentry, Datadog, or similar
- Set log retention — 30 to 90 days is usually defensible; indefinite is not
- Restrict admin access to logs containing user data on a need-to-know basis
Run This Audit Quarterly
Sites change. A marketing team installs a new chat widget, a developer adds a fingerprinting fraud tool, a CMS upgrade resets cookie defaults. A privacy audit that was clean six months ago will have drifted.
Set a recurring calendar reminder, keep the checklist in your repo, and rerun it after every major site change.
To get started on the technical layers — headers, fingerprinting signals, and third-party leakage — run your domain through the free Browser Fingerprint Analyzer and HTTP Header Checker on AXOX Hub. Both work in seconds, no signup required.
Try the free tool
Open Tool