Automatic Cookie Scanning and Script Publishing Post-Deployment
Author: Jerisaliant
The Problem: Cookie Drift
Every website deployment is a potential compliance event. A developer adds a new analytics script, marketing installs a retargeting pixel, or a third-party library updates and introduces new cookies. Without automatic scanning, these changes fly under the radar, creating a gap between what your consent banner declares and what your site actually does. This is cookie drift, and it is one of the most common reasons for GDPR enforcement actions.
With EUR 5.88 billion in total GDPR fines since 2018, regulators have demonstrated they take undisclosed cookies seriously. The French CNIL and Austrian DSB have both issued fines specifically for cookies that were not properly disclosed in consent banners.
How Automatic Cookie Scanning Works
An automatic cookie scanner crawls your website as a simulated browser, visiting pages and recording every cookie, localStorage item, and script that runs. The process typically works as follows:
- URL discovery: The scanner starts with your sitemap or a seed URL and discovers linked pages.
- Page rendering: Each page is fully rendered in a headless browser (including JavaScript execution).
- Cookie capture: All first-party and third-party cookies are recorded with their name, domain, path, expiry, type, and size.
- Script analysis: JavaScript files are fingerprinted and matched against a known database of tracking scripts, analytics tools, and ad networks.
- Categorization: Detected cookies and scripts are auto-categorized (essential, functional, analytics, marketing) based on the known database.
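The cookie-capture, script-fingerprinting and categorization steps above, as an added example (not Jerisaliant's scanner or database): a headless browser is assumed to have already produced the captured cookies and fetched script bodies, so the page capture itself is skipped and the constructed sample records stand in for it. The "known database" (KNOWN_COOKIES, KNOWN_SCRIPT_BODIES, KNOWN_SCRIPT_HOSTS), the site host shop.example and every vendor label are hypothetical. Scripts are matched first by a SHA-256 content fingerprint, so a tracker self-hosted under the site's own CDN is still recognized, and only then by serving host; anything that matches neither is left as "uncategorized" for human review rather than silently filed as essential.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed lookup tables standing in for a vendor's tracking database.
# Hypothetical entries only; not any real product's data.
KNOWN_COOKIES = {          # glob pattern on cookie name -> category
    "session_id": "essential",
    "csrf_token": "essential",
    "lang_pref": "functional",
    "_an_*": "analytics",
    "_ads_*": "marketing",
}
KNOWN_SCRIPT_BODIES = {    # exact script body -> (category, vendor label)
    b"window.an=window.an||[];an.push(['track','pageview']);": ("analytics", "Example Analytics"),
    b"(function(){var p=new Image();p.src='https://ads.example.net/px';})();": ("marketing", "Example Ads Pixel"),
}
KNOWN_SCRIPT_HOSTS = {     # fallback when the body is unknown: serving host -> category
    "analytics.example.com": "analytics",
    "ads.example.net": "marketing",
}


def fingerprint(body: bytes) -> str:
    """Content fingerprint: SHA-256 of the script bytes exactly as fetched."""
    return hashlib.sha256(body).hexdigest()


FINGERPRINT_INDEX = {fingerprint(body): meta for body, meta in KNOWN_SCRIPT_BODIES.items()}


@dataclass
class CapturedCookie:
    name: str
    domain: str              # as set by the server; may carry a leading dot
    path: str
    expires: Optional[int]   # epoch seconds; None for a session cookie
    secure: bool
    http_only: bool
    size: int
    category: str = "uncategorized"
    party: str = "first"     # "first" or "third"


@dataclass
class CapturedScript:
    url: str
    body: bytes
    category: str = "uncategorized"
    vendor: str = "unknown"
    matched_by: str = "none"  # "fingerprint", "host" or "none"


def is_first_party(cookie_domain: str, site_host: str) -> bool:
    # A cookie Domain attribute must be a suffix of the host that set it (RFC 6265),
    # so first-party cookies are those scoped to the site host or one of its parents.
    d = cookie_domain.lstrip(".").lower()
    return site_host == d or site_host.endswith("." + d)


def categorize_cookie(cookie: CapturedCookie, site_host: str) -> str:
    cookie.party = "first" if is_first_party(cookie.domain, site_host) else "third"
    for pattern, category in KNOWN_COOKIES.items():
        if fnmatch.fnmatchcase(cookie.name, pattern):
            cookie.category = category
            break
    return cookie.category


def categorize_script(script: CapturedScript) -> str:
    fp = fingerprint(script.body)
    if fp in FINGERPRINT_INDEX:           # exact body match, wherever it is hosted
        script.category, script.vendor = FINGERPRINT_INDEX[fp]
        script.matched_by = "fingerprint"
        return script.category
    host = (urlparse(script.url).hostname or "").lower()
    for known_host, category in KNOWN_SCRIPT_HOSTS.items():
        if host == known_host or host.endswith("." + known_host):
            script.category, script.vendor, script.matched_by = category, known_host, "host"
            return script.category
    return script.category                # stays "uncategorized"


def build_inventory(cookies, scripts, site_host):
    """Categorize everything captured and list what still needs a human decision."""
    for c in cookies:
        categorize_cookie(c, site_host)
    for s in scripts:
        categorize_script(s)
    needs_review = [c.name for c in cookies if c.category == "uncategorized"]
    needs_review += [s.url for s in scripts if s.category == "uncategorized"]
    return {"cookies": cookies, "scripts": scripts, "needs_review": needs_review}


# Constructed capture from one rendered page of https://shop.example/ (hypothetical site).
SITE_HOST = "shop.example"
SAMPLE_COOKIES = [
    CapturedCookie("session_id", "shop.example", "/", None, True, True, 48),
    CapturedCookie("_an_uid", ".shop.example", "/", 1_800_000_000, False, False, 36),
    CapturedCookie("_ads_click", ".ads.example.net", "/", 1_800_000_000, True, False, 64),
    CapturedCookie("ab_variant", "shop.example", "/", 1_800_000_000, False, False, 12),
]
SAMPLE_SCRIPTS = [
    # Self-hosted copy of a known tracker: the host says nothing, the fingerprint does.
    CapturedScript("https://cdn.shop.example/vendor/an.min.js",
                   b"window.an=window.an||[];an.push(['track','pageview']);"),
    # Vendor shipped a new build, so the body is unknown; the serving host still identifies it.
    CapturedScript("https://ads.example.net/px.js?v=3", b"/* rebuilt */ console.log('pixel v3');"),
    CapturedScript("https://cdn.unknown.test/widget.js", b"console.log('who am I');"),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_COOKIES, SAMPLE_SCRIPTS, SITE_HOST)
    for c in inv["cookies"]:
        print(f"cookie {c.name:<12} {c.party}-party {c.category}")
    for s in inv["scripts"]:
        print(f"script {s.url} -> {s.category} (via {s.matched_by})")
    print("needs review:", inv["needs_review"])
```

The "needs_review" list is the part worth wiring into the pipeline: an unrecognized cookie or script is exactly the case where auto-categorization must not guess, because a wrong "essential" label would exempt a tracker from consent.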
Authenticated vs. Unauthenticated Scanning
Most scanners only crawl public-facing pages. But what about cookies set behind login walls? Authenticated scanning addresses this by:
- Logging in with test credentials to access member areas, dashboards, and account pages.
- Scanning checkout flows and payment pages that require session state.
- Detecting cookies from personalization engines that only activate for logged-in users.
Post-Deployment Automation
The real power of automatic scanning is integrating it into your deployment pipeline:
- CI/CD integration: Trigger a scan after every deployment to staging or production.
- Change detection: Compare scan results against the previous scan to identify new, modified, or removed cookies.
- Automated alerts: Notify the privacy team when new undisclosed cookies are detected.
- Auto-publishing: If new cookies match known categories, automatically update the consent banner configuration and cookie policy.
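The change-detection, alerting and auto-publishing steps above, as one added example (not Jerisaliant's pipeline): two already-categorized scan results, a previous and a current one, are diffed into new, modified and removed cookies, the current result is checked against what the consent banner declares, and the outcome is a decision a CI job can act on. The scan records, the banner configuration (a mapping of category to declared cookie names) and the cookie names are all constructed. The rule encoded is the one the bullet describes: a new cookie in a known category can be published automatically, while any undisclosed cookie that the scanner could not categorize blocks auto-publishing and routes the deployment to the privacy team.

```python
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CookieRecord:
    name: str
    domain: str
    path: str
    category: str                     # essential | functional | analytics | marketing | uncategorized
    max_age_days: Optional[int] = None  # None = session cookie


def record_key(r: CookieRecord):
    # Identity of a cookie across scans: name + registrable domain + path.
    return (r.name, r.domain.lstrip("."), r.path)


def diff_scans(previous, current):
    """Classify the current scan against the previous one as added / removed / modified."""
    prev = {record_key(r): r for r in previous}
    cur = {record_key(r): r for r in current}
    added = sorted((cur[k] for k in cur.keys() - prev.keys()), key=record_key)
    removed = sorted((prev[k] for k in prev.keys() - cur.keys()), key=record_key)
    modified = sorted(((prev[k], cur[k]) for k in cur.keys() & prev.keys() if prev[k] != cur[k]),
                      key=lambda pair: record_key(pair[1]))
    return {"added": added, "removed": removed, "modified": modified}


def find_undisclosed(current, banner_config):
    """Cookies set by the site but missing from the banner's declared list for their category."""
    return [r for r in current if r.name not in banner_config.get(r.category, ())]


def evaluate_deployment(previous, current, banner_config):
    drift = diff_scans(previous, current)
    undisclosed = find_undisclosed(current, banner_config)

    alerts = []
    for r in drift["added"]:
        alerts.append(f"NEW cookie {r.name} on {r.domain} category={r.category}")
    for old, new in drift["modified"]:
        alerts.append(f"MODIFIED cookie {new.name}: {old.category}/{old.max_age_days}d "
                      f"-> {new.category}/{new.max_age_days}d")
    for r in drift["removed"]:
        alerts.append(f"REMOVED cookie {r.name} on {r.domain}")
    for r in undisclosed:
        alerts.append(f"UNDISCLOSED cookie {r.name} category={r.category}")

    blockers = [r for r in undisclosed if r.category == "uncategorized"]
    if blockers:
        # Never auto-publish a cookie nobody has classified; a human decides its category.
        decision, new_config = "review_required", banner_config
    elif undisclosed:
        # Every undisclosed cookie has a known category: extend the banner declaration.
        decision = "auto_publish"
        new_config = {cat: set(names) for cat, names in banner_config.items()}  # copy, don't mutate
        for r in undisclosed:
            new_config.setdefault(r.category, set()).add(r.name)
    else:
        decision, new_config = "in_sync", banner_config

    return {"decision": decision, "alerts": alerts, "drift": drift,
            "undisclosed": undisclosed, "banner_config": new_config}


# Constructed scan results for a hypothetical site shop.example.
PREVIOUS_SCAN = [
    CookieRecord("session_id", "shop.example", "/", "essential"),
    CookieRecord("lang_pref", "shop.example", "/", "functional", 365),
    CookieRecord("ab_variant", "shop.example", "/", "functional", 30),
    CookieRecord("_an_uid", ".shop.example", "/", "analytics", 730),
]
CURRENT_SCAN = [
    CookieRecord("session_id", "shop.example", "/", "essential"),
    CookieRecord("lang_pref", "shop.example", "/", "functional", 365),
    CookieRecord("_an_uid", ".shop.example", "/", "analytics", 400),        # lifetime changed
    CookieRecord("_ads_click", ".ads.example.net", "/", "marketing", 90),   # new retargeting cookie
]
# What the live consent banner currently declares, per category (constructed).
BANNER_CONFIG = {
    "essential": {"session_id"},
    "functional": {"lang_pref", "ab_variant"},
    "analytics": {"_an_uid"},
}

if __name__ == "__main__":
    result = evaluate_deployment(PREVIOUS_SCAN, CURRENT_SCAN, BANNER_CONFIG)
    for line in result["alerts"]:
        print(line)
    print("decision:", result["decision"])
    # Non-zero exit makes the CI stage fail when a human review is required.
    sys.exit(1 if result["decision"] == "review_required" else 0)
```

In the sample run the new marketing cookie is undisclosed but categorized, so the decision is auto_publish with "_ads_click" added to a new marketing section of the banner configuration; the shortened _an_uid lifetime and the removed ab_variant cookie only raise alerts. Adding one uncategorized cookie to the current scan flips the decision to review_required and the job exits non-zero.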
Scheduled Scanning
Beyond deployment-triggered scans, schedule regular scans (weekly or bi-weekly) to catch changes introduced by third-party scripts that update independently of your deployment cycle. CDN-loaded scripts, A/B testing tools, and tag manager configurations can all change without a code deployment.
Scanning with Jerisaliant
Jerisaliant offers both on-demand and scheduled automatic scanning with authenticated crawling support. New cookies are auto-categorized using a continuously updated database, changes are highlighted for review, and approved configurations can be auto-published to your live consent banner within minutes.
Ensure DPDPA Compliance Today
Ready to make your business compliant? Run a free gap assessment or talk to our experts.