Skip to main content
ComplicerAUDIT GRADE
MethodologyUse casesEU AI ActPricingBlogDocsSign inSTART FREE AUDIT
← JOURNAL
GDPR·APR 30, 2026·10 MIN READ

Your Cookie Banner Is Not Enough: How to Scan Storage and Access Technologies

BY COMPLICER TEAM

A cookie banner is not proof of compliance.

It is only a user interface.

The real question is whether the browser behaves correctly before and after the user makes a consent choice.

That distinction became even more important after the UK ICO's April 2026 guidance on Storage and Access Technologies. The guidance makes clear that the relevant compliance scope is not limited to HTTP cookies. It includes cookies, tracking pixels, link decoration, local storage, device fingerprinting, scripts, and tags. The ICO also states that PECR applies where scripts and tags store or access information on a user's device, whether or not they are used together with cookies.

In practical terms:

A website can show a compliant-looking consent banner and still fail because tracking technologies fire before consent.

This article explains how to audit that properly.

1. The problem: banner compliance vs browser compliance

Most compliance checks still focus on the visible banner:

Banner questionWhy it is insufficient
Does the site show a cookie banner?A banner can exist while trackers still fire before consent.
Is there an "Accept" button?Consent must also be freely given, specific, informed, and unambiguous.
Is there a "Reject" button?Reject must actually block non-exempt technologies.
Is there a cookie policy?The policy must match real browser behavior.
Are cookies listed?Modern tracking may use pixels, localStorage, scripts, tags, and fingerprinting instead.

A scientific audit must compare declared behavior with observed behavior.

Declared behavior is what the CMP, privacy policy, or cookie list says.

Observed behavior is what actually happens in the browser: cookies, storage entries, network calls, scripts, tags, and device access.

The gap between those two is where many compliance failures appear.

2. What counts as storage and access technology?

The ICO's SAT guidance is intentionally broad. It covers technologies that store information on a device or access information already stored there. The ICO lists cookies, tracking pixels, link decoration and navigational tracking, local storage, device fingerprinting, scripts, and tags.

That means an audit should not be called a "cookie audit" unless it is only checking cookies.

A modern website audit should cover:

TechnologyWhat to inspect
CookiesName, domain, expiry, SameSite, Secure, HttpOnly, creation timing
localStoragePersistent identifiers, analytics IDs, ad IDs, CMP state
sessionStorageSession identifiers, feature flags, temporary tracking IDs
IndexedDBClient-side databases used by analytics, apps, or third-party SDKs
PixelsImage or script requests used for measurement, attribution, retargeting
ScriptsThird-party JS loaded before consent
TagsGTM, ad tags, analytics tags, conversion tags
Link decorationgclid, fbclid, affiliate IDs, campaign IDs, click IDs
FingerprintingDevice/browser characteristics used to identify or single out users
Network requestsThird-party endpoints contacted before or after consent

The ICO also explains that tags often use other technologies such as cookies, local storage, or fingerprinting techniques to record and track information about a user.

So the scanner must observe chains of behavior, not just isolated files.

3. The legal logic: prior consent and real choice

Under PECR, storing information on or accessing information from a user's terminal equipment generally requires clear and comprehensive information and consent, unless an exception applies. The ICO explains that non-exempt storage and access technologies must not be used before consent is obtained.

The EDPB's consent guidance under GDPR is also relevant because, where consent is required under ePrivacy-style rules, the GDPR standard of consent applies. The EDPB defines consent as freely given, specific, informed, and unambiguous. It also rejects consent by scrolling or continued browsing as valid consent.

For a scanner, this translates into concrete rules:

Legal requirementTechnical test
Prior consentDid non-exempt storage/access happen before a click on "Accept"?
Freely givenWas rejection available without manipulation or obstruction?
SpecificWere analytics, ads, personalization, and other purposes separable?
InformedWere vendors and purposes disclosed before consent?
UnambiguousWas there a clear affirmative action?
WithdrawableCan the user later change or revoke consent?
AccountableCan the organization prove what happened?

The key point: legal compliance depends on both interface design and technical enforcement.

4. The four consent states every scanner should test

A serious audit should not test only one browser state.

It should run controlled tests across at least four states.

StatePurpose
No choice / pre-consentDetect what happens before the user interacts with the banner.
Reject allVerify that refusal blocks non-exempt technologies.
Accept allEstablish the full tracking baseline after consent.
Withdrawal / change choiceVerify that the user can reverse consent and stop future non-essential tracking.

For advanced audits, add two more:

StatePurpose
Granular consentTest whether analytics, advertising, personalization, and functional categories behave separately.
Return visitVerify that the previously stored consent choice is respected.

This is important because many sites pass the first page-load test but fail after a state change.

Example:

  1. The site loads cleanly before consent.
  2. The user accepts all.
  3. The user later withdraws consent.
  4. The website stops setting new cookies but leaves localStorage tracking IDs active.
  5. Third-party scripts continue firing because tag-manager rules were not updated.

That is not a banner problem. It is a consent-state enforcement problem.

5. What to capture during the scan

A good scanner should produce evidence, not only a pass/fail label.

5.1 Browser storage evidence

Capture storage before and after each consent action.

EvidenceWhy it matters
Cookie nameIdentifies the technology
DomainShows first-party or third-party scope
ExpiryDistinguishes session vs persistent tracking
Creation timingShows whether it appeared before or after consent
Value patternMay reveal identifiers, consent strings, session tokens
localStorage key/valueDetects non-cookie identifiers
sessionStorage key/valueDetects temporary tracking or feature state
IndexedDB namesReveals SDKs, offline storage, analytics databases

The scanner does not always need to expose full values in a public report. For privacy and security, values can be hashed or redacted. But the audit should still record enough evidence to prove that storage existed and when it appeared.

5.2 Network evidence

Network requests are often more important than storage.

A pixel can fire without leaving a persistent cookie. A script can send browser metadata before creating any visible storage entry. A tag can redirect through multiple domains before consent.

Capture:

FieldExample use
URLIdentify endpoint and vendor
DomainClassify first-party vs third-party
Request methodGET, POST, beacon, image, script
Resource typedocument, script, image, fetch, xhr, beacon
TimestampCompare against consent action
InitiatorIdentify which script triggered it
Request payloadDetect event names, campaign IDs, user IDs
Response headersDetect Set-Cookie or tracking redirects

This is where many "cookie-compliant" sites fail: no cookie appears, but tracking requests still happen.

5.3 Script and tag evidence

Scripts and tags are especially important because the ICO explicitly includes them where they store or access device information.

Capture:

EvidenceWhy it matters
Script URLIdentifies third-party libraries
Tag manager containersShows hidden orchestration layer
Script execution timingShows whether code runs before consent
Initiator chainLinks script to later pixels/storage
Vendor relationshipMaps technology to third party or processor
Consent categoryConfirms whether CMP classification is correct

Tag managers are common failure points because teams add new tags without updating CMP rules or legal inventories.

6. How to classify findings scientifically

Do not classify findings only by vendor name.

Classify them by observed behavior, purpose, timing, and consent state.

A useful finding model:

FieldExample
Technology typeCookie, localStorage, pixel, script, tag, fingerprinting signal
VendorGoogle, Meta, Microsoft, TikTok, Hotjar, custom endpoint
PurposeAnalytics, advertising, personalization, security, functional
Consent statePre-consent, reject, accept, withdrawal
TimingBefore consent, after reject, after accept
EvidenceCookie, storage entry, network call, script load, screenshot
Risk levelCritical, high, medium, low
Legal concernPrior consent, transparency, vendor disclosure, dark pattern
Recommended fixBlock tag, reclassify vendor, update CMP, remove pre-consent call

This prevents a common mistake: assuming a vendor is always compliant or non-compliant.

The same vendor may provide both necessary and non-necessary functions. The same script may support security, analytics, and advertising. The same cookie may be first-party but still used for advertising.

Purpose and timing matter more than labels.

7. Failure taxonomy: what your scanner should detect

Failure 1: Pre-consent tracking

Definition: A non-exempt technology fires before the user gives consent.

Examples:

EvidenceExample
Cookie_ga appears before consent
PixelMeta Pixel request fires on initial page load
localStorageVisitor ID stored before consent
ScriptAdvertising SDK loads before consent
NetworkConversion endpoint called before consent

Severity: High or critical, depending on purpose and data involved.

Failure 2: Reject does not block

Definition: The user clicks "Reject all", but analytics, advertising, or personalization technologies still run.

This is one of the strongest findings because it proves the interface and technical behavior are inconsistent.

Failure 3: Misclassified technology

Definition: A technology is classified as necessary or functional but performs analytics, advertising, personalization, or behavioral measurement.

Example:

CMP categoryObserved behavior
NecessarySends page-view events to analytics endpoint
FunctionalLoads retargeting pixel
PerformanceSends ad conversion event
SecurityStores cross-site visitor identifier

Failure 4: Hidden vendor

Definition: A third-party domain appears in the browser but is missing from the cookie policy, CMP vendor list, or privacy notice.

This creates a transparency problem because users cannot make an informed choice if the real vendors are not disclosed.

Failure 5: LocalStorage bypass

Definition: Cookies are blocked, but persistent identifiers are written to localStorage or another browser storage mechanism.

This is exactly why audits must go beyond cookies.

Failure 6: Link decoration persistence

Definition: Campaign or click identifiers are stored or propagated after landing.

Examples include advertising click IDs, affiliate IDs, campaign IDs, and user journey parameters. Link decoration can be part of attribution and tracking, so it should be inspected under storage/access and transparency rules.

Failure 7: Consent withdrawal failure

Definition: The user changes their choice from accept to reject, but existing tracking remains active or new tracking continues.

This is often missed because many audits test only the first page load.

Failure 8: Deceptive consent design

Definition: The interface manipulates the user into accepting.

The EDPB's deceptive design pattern guidance treats misleading, detrimental, or manipulative interface behavior as relevant to fairness, transparency, accountability, and data protection by design.

Examples:

PatternAudit signal
ObstructionReject requires more clicks than accept
Visual pressureAccept is prominent, reject is hidden
AmbiguityButtons use vague wording like "Continue"
PreselectionOptional categories are enabled by default
False necessityAdvertising tools placed under necessary category

8. A practical scan methodology

Here is a practical step-by-step method for compliance teams and scanner builders.

Step 1: Start from a clean browser profile

Use a fresh context with:

SettingReason
No cookiesPrevent old consent states from hiding failures
No localStorage/sessionStorageDetect new storage creation
Cache disabled or controlledAvoid missing script loads
Stable regionConsent behavior often differs by jurisdiction
Stable device profileMobile and desktop may differ

Run separate tests for desktop and mobile because banners, ad stacks, and video players often differ across devices.

Step 2: Capture initial page state

Before clicking anything:

  1. Take screenshot of banner.
  2. Capture all cookies.
  3. Capture localStorage and sessionStorage.
  4. Capture network requests.
  5. Capture third-party scripts.
  6. Record timestamp.
  7. Detect CMP and consent categories if available.

This is the most important stage. Anything non-exempt that runs here is a likely pre-consent issue.

Step 3: Classify initial findings

For each detected item, classify:

QuestionExample
Is it storage or access?Cookie, localStorage, script, pixel
Is it first-party or third-party?example.com vs advendor.com
What is the likely purpose?Analytics, ads, functional, security
Did it run before consent?Yes/no
Is there a plausible exemption?Strictly necessary, user-requested service, security
Is it disclosed?Vendor/purpose present in banner or policy

Avoid overclaiming. If purpose is uncertain, mark it as unknown vendor/purpose requiring review, not automatically illegal.

Step 4: Click "Reject all"

After rejection:

  1. Capture storage again.
  2. Capture network activity for a fixed window.
  3. Reload the page.
  4. Capture storage and network again.
  5. Navigate to another page type.
  6. Compare with pre-consent state.

A strong reject test should answer:

QuestionPass condition
Did analytics stop?Yes, unless validly exempt
Did advertising stop?Yes
Did pixels stop?Yes
Did localStorage tracking stop?Yes
Did third-party vendors disappear?Non-essential vendors should disappear
Does rejection persist after reload?Yes

Step 5: Click "Accept all"

This creates the positive baseline.

Capture:

EvidencePurpose
New cookiesShows what consent enables
New localStorage entriesDetects non-cookie tracking
New vendorsBuilds inventory
New scriptsIdentifies tag-manager activation
New network requestsMaps actual data flows
Event payloadsDetects analytics/ad event names

The accept state helps distinguish technologies that are genuinely consent-gated from those that fire regardless of choice.

Step 6: Test granular choices

For example:

User choiceExpected behavior
Analytics on, ads offAnalytics may run; adtech should stay blocked
Ads on, analytics offAdtech may run; analytics should stay blocked
Personalization offPersonalization IDs should not be created
Necessary onlyOnly strictly necessary technologies should run

Many CMPs fail here because categories are visually granular but technically bundled.

Step 7: Test withdrawal

After accepting all:

  1. Open privacy settings.
  2. Change to reject all.
  3. Save choice.
  4. Reload.
  5. Capture storage and network.
  6. Confirm non-essential tools no longer fire.

Withdrawal is important because GDPR consent must be withdrawable, and PECR compliance depends on ongoing control where consent is the basis for storage/access.

Step 8: Compare page types

One page is not enough.

Test at least:

Page typeWhy
HomepageOften has marketing and analytics
Article or blog postOften has ads, embeds, recommendation widgets
Product pageOften has conversion tracking
Checkout or lead formOften has ad attribution and fraud tools
Login pageOften has security scripts
Video pageOften loads player SDKs and ad/video measurement
Search pageOften sends query and behavioral events

A site can pass on the homepage and fail on video, checkout, or article pages.

9. What the report should show

A useful compliance report should be readable by legal, engineering, and marketing.

Executive summary

MetricExample
Overall resultFail
Critical findings3
Pre-consent vendors7
Reject-state violations2
Hidden vendors5
localStorage tracking IDs4
Tested statesPre-consent, reject, accept, withdrawal

Evidence table

FindingEvidenceConsent stateRisk
Advertising pixel fired before consentNetwork request to third-party ad domainPre-consentCritical
Analytics ID stored in localStorage after rejectlocalStorage key detectedRejectHigh
Vendor missing from CMP listThird-party script loadedPre-consentMedium
Reject requires extra stepsScreenshot and click pathBanner UIMedium

Technical appendix

Include:

ArtifactPurpose
ScreenshotsShow what the user saw
HAR/network logShow requests
Storage dumpShow cookies/storage
Consent timelineShow sequence of events
Vendor mapShow third parties
Rule resultsShow pass/fail logic
HashesPreserve evidence integrity

For stronger evidence, generate timestamped reports and hash the raw audit artifacts.

10. How to avoid false positives

A scientific scanner must be careful.

Not every cookie is unlawful. Not every script is tracking. Not every third-party request is advertising. Some storage may be strictly necessary.

Examples of legitimate or lower-risk technologies:

TechnologyPossible reason
Session cookieLogin or cart functionality
CSRF tokenSecurity
Load balancer cookieService delivery
Consent cookieStores the user's choice
Language preferenceUser-requested preference
Fraud prevention signalMay require separate legal analysis

The scanner should flag uncertain cases as review needed rather than pretending legal certainty.

A good report separates:

LabelMeaning
Confirmed violationStrong evidence of non-exempt tracking before/after reject
Likely violationStrong technical signal, purpose needs confirmation
Review neededUnknown vendor or ambiguous purpose
InformationalStorage/access present but likely necessary
PassNo relevant issue detected

This distinction increases trust.

11. Remediation: how to fix common issues

Problem: Tags fire before consent

Fix:

  1. Move tags behind CMP consent checks.
  2. Configure tag-manager triggers by consent category.
  3. Block default firing until consent is known.
  4. Test in clean browser state.
  5. Retest reject and withdrawal.

Problem: localStorage identifiers appear before consent

Fix:

  1. Identify the script creating the key.
  2. Classify its purpose.
  3. Delay script execution until consent.
  4. Remove or rotate identifiers after withdrawal.
  5. Add storage checks to regression tests.

Problem: Vendor list is incomplete

Fix:

  1. Export all third-party domains from scans.
  2. Map domains to vendors.
  3. Update CMP/vendor disclosure.
  4. Remove unused vendors.
  5. Repeat scan after deployment.

Problem: Reject button exists but tracking continues

Fix:

  1. Validate CMP event callbacks.
  2. Check tag-manager consent mode.
  3. Confirm categories are not bundled.
  4. Test after reload and page navigation.
  5. Add automated reject-state monitoring.

Problem: Consent banner uses dark patterns

Fix:

  1. Make accept and reject equally accessible.
  2. Remove preselected optional choices.
  3. Use clear labels.
  4. Avoid misleading category names.
  5. Provide easy privacy settings access.

12. A simple scanner checklist

Use this checklist for each audited URL.

CheckPass/fail
Fresh browser scan completed
Screenshot captured before consent
Cookies captured before consent
localStorage captured before consent
sessionStorage captured before consent
Network requests captured before consent
Third-party scripts detected
Pixels detected
Link decoration inspected
Reject all tested
Accept all tested
Withdrawal tested
Granular categories tested
Vendors mapped
Purposes classified
CMP disclosure compared with observed behavior
Findings risk-rated
Evidence archived

Conclusion

A cookie banner is only the surface layer of compliance.

The real compliance question is whether non-exempt storage and access technologies are technically controlled across real user choices.

A modern scanner must therefore test:

  1. cookies,
  2. localStorage,
  3. sessionStorage,
  4. pixels,
  5. scripts,
  6. tags,
  7. link decoration,
  8. fingerprinting signals,
  9. network requests,
  10. consent state transitions.

The ICO's 2026 SAT guidance makes this broader audit model difficult to ignore. PECR is not limited to cookies, and neither should your compliance testing be.

The practical standard for 2026 is:

Do not trust the banner. Test the browser.

Sources

  1. ICO, Guidance on the use of storage and access technologies.
  2. ICO, About this guidance: what does it cover?
  3. ICO, What are storage and access technologies?
  4. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679.
  5. EDPB, Guidelines 03/2022 on deceptive design patterns in social media platform interfaces.
NEXT STEP

Ready to automate your compliance?

Complicer scans your website, identifies compliance issues, and generates evidence packages — all in under 5 minutes.

START FREE AUDIT →
ComplicerAUDIT GRADE

Outcome-driven GDPR compliance — banners that actually work, evidence you can show your auditor.

GDPR-ALIGNED · SHA-256 · Ed25519 · EU-W1
PRODUCT
Free scanUse casesMethodologyEU AI ActPricingDocsBlog
COMPANY
ContactSecurity
LEGAL
PrivacyTermsComplaint
EVIDENCE CHAIN INTACT · SHA-256 · Ed25519 · RFC 3161-READY© 2026 COMPLICER