Cookie Scanner: How to Find Out What Your Website Really Tracks

"We know which cookies we set." I hear this statement often — and it's almost never true. In every second cookie audit I uncover tracking tools that neither the web agency nor the managing director knew about. Here I explain why manual inventory almost always goes wrong, how an automated scanner works, and when which approach pays off.

Why manual inventory is almost always wrong

Most website operators think: "We use Google Analytics and a newsletter service. Nothing else." In reality:

• Embed tools (YouTube, Vimeo, Calendly) set their own cookies that are often forgotten
• CDN providers (Cloudflare, jsDelivr) can set cookies that don't belong to the actual website
• CMS plugins (especially with WordPress) often bring their own cookies that the admin doesn't know about
• Dynamic tag loading via Tag Manager can load tools configured in the backend that the frontend team isn't aware of
• Third-party scripts (live chat, heatmaps, A/B test tools) often bring multiple cookies per tool

Reality: anyone thinking they have 5 cookies usually has 15. Estimating 15 means having 30.

How an automated scanner works

A modern cookie scanner works in several steps:

1. Start headless browser (typically Chromium via Playwright or Puppeteer)
2. Visit website like a normal visitor
3. Read cookies after first page load
4. Simulate interactions — close cookie banner, click links, fill forms
5. Read cookies again — many cookies are only set after interaction
6. Visit subpages — go through sitemap or internal links
7. Capture local storage and session storage — these are also tracking mechanisms
8. Identify tracking pixels — images sending HTTP requests to third-party servers
9. Generate report — cookie list with provider, purpose (if known from library), retention period

The Aiara scanner goes deeper still: it identifies dynamically loaded tracking scripts, checks FADP-relevant data exports, and matches results against a cookie database to automatically classify (necessary / statistics / marketing).

Manual quick inventory with DevTools

If you want to do a quick inventory of your own website:

1. Open incognito mode in Chrome (prevents old cookies from skewing the picture)
2. Open DevTools with F12 or Cmd+Option+I
3. Application Tab → Cookies → Your Domain
4. Look at first-party cookies — set by your own website
5. Switch to third-party domains in the cookie list — Google, Meta, etc.
6. Network Tab → Filter "Doc" and "Script" → see which third-party scripts load
7. Local storage and session storage also check in Application Tab

This inventory finds about 60-70% of all cookies on a website. The rest is only discovered by an automatic scan that traverses subpages, logins and forms.

What tracking does without cookies

A trap many overlook: not every tracking needs a cookie. Common cookie-less tracking mechanisms:

• Local storage — like a cookie but technically different, often not in cookie lists
• Session storage — temporary, but treated as personal data under some FADP definitions
• Tracking pixels — tiny images sending an HTTP request with tracking parameters to third-party servers
• Server-side tracking — data sent directly from the server to Google/Meta, the browser sees nothing
• Fingerprinting — identification via browser properties (fonts, plugins, screen size) without cookie

A good scanner captures at least the first three categories. Server-side tracking and fingerprinting are only detectable through code review.

Most common cookies on Swiss websites — and what they're for

A short overview of the top 15:

Cookie	Provider	Purpose	Category
_ga	Google Analytics	User identification	Statistics
_gid	Google Analytics	Session ID	Statistics
_gcl_au	Google Ads	Conversion tracking	Marketing
_fbp	Meta Pixel	Conversion tracking	Marketing
__hstc	HubSpot	User tracking	Marketing
hubspotutk	HubSpot	Cookie consent	Marketing
hjSession*	Hotjar	Session recording	Statistics
YSC	YouTube Embed	Video statistics	Statistics
VISITOR_INFO1_LIVE	YouTube Embed	User preference	Statistics
__cf_bm	Cloudflare	Bot protection	Necessary
PHPSESSID	Web server	Session	Necessary
_csrf	Web framework	CSRF protection	Necessary
consent_v1	Aiara Banner	Consent storage	Necessary
_calendly_session	Calendly	Appointment booking	Functional
__stripe_mid	Stripe	Payment security	Necessary

These 15 cookies cover about 80% of all Swiss SME websites. The rest is industry-specific tools.

Aiara scanner — what it concretely does

The Aiara scanner visits a website with headless Chromium, clicks through up to 600 subpages, simulates various user interactions, and produces a cookie list with:

• Cookie name and provider
• Likely category (based on cookie database)
• Retention period (from HTTP headers)
• First-party vs. third-party
• Data export country (based on provider database)
• FADP compliance hints (e.g. "marketing cookie loaded without consent")

The results are directly transferred to the cookie banner and privacy policy. On changes — such as new tool integration by the marketing team — the scanner reports automatically.

Who needs an automated scanner?

As a rule of thumb:

• Pure business card websites (static, no marketing) → manual DevTools check is enough
• SMEs with standard marketing stack (Google Analytics, newsletter) → quarterly scan
• E-commerce, multi-tool marketing stacks → continuous scan recommended
• Web agencies with many customers → automated solution mandatory, otherwise not scalable

The effort for a clean monthly scan is significantly smaller than that of a single FDPIC investigation — and the probability of finding a hidden tracking pixel is high.