Consent management: phases of a consent audit and their benefits

1.10.2025
Stefan Riegler, Alexander Eiting
In today’s digital landscape, managing user consent is essential for meeting legal requirements and building user trust. A consent audit is a systematic process that helps companies keep their data protection practices up to date, review them, and optimize them.
In this article, you’ll learn:
- the phases that make up a consent audit, as conducted at FELD M
- the key reasons and benefits of regularly reviewing the technologies used in your applications
- which requirements play a role
- how to act on the results of an audit
What is a consent audit and what is its purpose?
Digital services are usually developed continuously. New features and services are added, and the way components interact is not always planned transparently. For this reason, risk mitigation and compliance are not self-contained projects but require a fresh, holistic external view from time to time.
At the same time, laws and regulations are constantly evolving. This gives rise to new best practices and sometimes entirely new compliance requirements that must be met to keep offering webshops or web applications in compliance with data protection laws, while still making use of all legal opportunities to process user data.
To prevent new gaps from arising, we recommend re-auditing your websites and apps regularly. A six- or twelve-month cycle is ideal. This helps avoid large discrepancies between desired and actual setups and allows you to close gaps quickly. At the same time, the effort for follow-up audits remains manageable (assuming proper documentation of the initial audit).
Benefits of an audit
- Transparency on active technologies: An audit provides an overview of the technologies currently implemented on the website/app
-> People responsible for taking over historically grown digital platforms often don’t know exactly what has been built in.
-> External parties such as agencies or freelancers were often involved in the development.
-> Especially an initial audit often uncovers previously unknown or overlooked technologies that the company had not (or no longer) accounted for.
- Legal certainty: Companies can ensure that data processing is brought into compliance.
- Informed decisions: The inventory makes it possible to critically examine whether certain services are still needed at all. Technologies that offer little or no added value can be identified and, if necessary, phased out.
- Optimizing performance and UX: Cleaning up your technology stack not only reduces legal risks, but also improves loading times, user experience, and search engine rankings.
Implementing a consent audit in 4 phases
At FELD M, we have had very good experience implementing consent audits step by step. Clear processes and defined responsibilities help bring all stakeholders into the audit.
We define the phases as follows:
1. Recording the current state
The first step is to document the current state of implemented technologies. It’s important to clarify the scope and get an overview of relevant domains and subdomains. This includes listing all cookies set and third-party requests. Ideally, this phase also checks whether cookies and requests are tied to consent and, if so, to which types. A mapping should also be carried out to see which cookies and requests can be attributed to overarching services. For example: Google Fonts requests triggered by embedding Google Maps.
Crawlers can support this data collection, but they may miss parts depending on the setup or fail to capture login-protected areas. It is therefore crucial to verify crawler results with human validation, using spot checks across all relevant domains and subdomains, including key pages like product detail pages, search results, or checkout pages in an e-commerce context.
2. Comparing with existing information
Next, the identified requests and cookies must be compared against what is stated in the consent banners and the privacy policy. It’s essential to check whether consent is correctly obtained for all services or whether missing consent can be justified (e.g., via exceptions in the TDDDG or other GDPR legal bases).
If cookies or services are found that are not yet documented in banners or policies, further investigation is needed. Cookie databases like Cookiepedia can help; otherwise, a deeper analysis of the scripts responsible for triggering requests or setting cookies is required.
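The comparison from phases 1 and 2 can be sketched as a small script. This is an added example, not FELD M's tooling: the domains, the host-to-service mapping, the declared-services list and the recorded entries are all constructed, and the check is narrowed to third-party requests observed before any interaction with the consent banner.

```python
from urllib.parse import urlsplit

# Constructed sample: requests recorded BEFORE any consent was given,
# as a crawler run or a browser HAR export would list them.
FIRST_PARTY = "shop.example"
PRE_CONSENT_ENTRIES = [
    {"url": "https://shop.example/checkout", "cookies": ["session_id"]},
    {"url": "https://maps.googleapis.com/maps/api/js", "cookies": []},
    {"url": "https://fonts.googleapis.com/css?family=Roboto", "cookies": []},
    {"url": "https://www.google-analytics.com/g/collect", "cookies": ["_ga"]},
    {"url": "https://cdn.tracker.example/t.js", "cookies": ["tid"]},
]
# Hypothetical mapping of hosts to overarching services, kept by the auditor.
SERVICE_BY_HOST = {
    "maps.googleapis.com": "Google Maps",
    "fonts.googleapis.com": "Google Fonts",
    "google-analytics.com": "Google Analytics",
}
# Services documented in banner and privacy policy: name -> consent required?
DECLARED = {"Google Maps": True, "Google Analytics": True}


def service_for(host):
    """Map a host to a service by its longest matching domain suffix."""
    hits = [s for s in SERVICE_BY_HOST if host == s or host.endswith("." + s)]
    return SERVICE_BY_HOST[max(hits, key=len)] if hits else None


def audit(entries, first_party, declared):
    """Classify third-party requests seen before consent into audit findings."""
    findings = {"undeclared": set(), "fired_before_consent": set(),
                "unknown_hosts": set(), "cookies_to_review": set()}
    for entry in entries:
        host = urlsplit(entry["url"]).hostname
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is not covered by this check
        findings["cookies_to_review"].update((host, c) for c in entry["cookies"])
        service = service_for(host)
        if service is None:
            findings["unknown_hosts"].add(host)  # needs manual script analysis
        elif service not in declared:
            findings["undeclared"].add(service)  # missing from banner/policy
        elif declared[service]:
            findings["fired_before_consent"].add(service)  # not tied to consent
    return findings
```

On the sample data, Google Fonts shows up as undeclared (the Google Maps embed case mentioned in phase 1), while the unknown host is the kind of result that still needs the manual script analysis described above.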
3. Reviewing the consent solution
At this stage, the consent solution itself is thoroughly tested. It must be checked whether granting and withdrawing consent, as well as objecting to legitimate interests, works technically as intended. In addition, the texts and design elements of the consent solution should be reviewed for clarity and user-friendliness to ensure that no so-called dark patterns are used.
4. Closing the gap
By comparing the desired vs. actual state, gaps often emerge—frequently revealing services not covered in the consent management.
Reasons for this vary. Websites are often developed externally, where agencies or third-party developers may not pay enough attention to data protection. Adjustments to third-party scripts may introduce new services without the company being aware. Missing internal processes—e.g., when to involve the data protection officer in tool integrations—can also create gaps.
To close these gaps, various measures can be taken:
- Tool-Check: Review whether a tool is actually used, since a “just in case” approach can be misleading and harm load times and user experience.
- Check the legal basis: Is consent really required for the tool? Sometimes a different GDPR legal basis (e.g., legitimate interest) may apply. In all cases, this should be made transparent in the consent banner and privacy policy.
- CMP connection: Connect tools to the Consent Management Platform so that requests and cookies are only triggered after consent has been given.
- Use alternatives: Replace tools with other solutions or load resources directly from your own server, such as fonts locally instead of via Google Fonts.
Are you ready to leverage the benefits of a consent audit for your business?
In our consent management projects, every engagement starts with a careful review of the existing setup. This often lays the groundwork for improving internal processes or building a broader data governance strategy — as we did with our client SBB. You can find the case study here.
FELD M is happy to support your auditing process. Our Privacy and consent team specialists are available to advise you.