How we measure cookies

Simple version · for product, legal, management Evidence: unsigned

How we measure

We open the website in a real browser, click Accept on the consent banner, and record every cookie that gets set during the visit. We do this five times in a row.

We also pull the cookies our nightly compliance monitoring has recorded for this site over the last 30 days.

Browser · Chromium with stealth disguise, viewport 1920×1080, locale cs-CZ, timezone Europe/Prague
Trials per site · 5 stealth-headless + 1 headed with mouse moves + 1 baseline = 7 total
Consent flow · wait until page finishes loading, then click Accept on Didomi or CPEx
Capture window · 8 seconds after the Accept click — late-loading trackers within this window are caught
Comparison data · production cookies database, last 30 days
Reliable threshold · a cookie counts as "seen by users" if it appeared in at least 3 of 5 trials

Why different scans see different things

Online advertising is auction-based. Every time a page loads, ad networks bid for the slot in real time, and a different bidder usually wins. The winning bidder sets its cookies. The next visit, a different bidder wins, and a different set of cookies appears.

That's why we run five scans — to tell the difference between cookies that always fire on the site and cookies that only show up some of the time. Both still count for compliance: a cookie set even once before consent is a problem.

What the columns mean

Seen by users · = the cookie appears on most visits (3 or more out of 5 scans). = only some visits, depending on which ad bidders win that load.
In monitoring · = our nightly compliance system has this cookie on file. = our system has never recorded it.

The combination that matters: Seen by users + In monitoring = a cookie that every visitor gets, but our compliance system has no record of. That's the gap.

The pre-consent / post-consent tabs

Each tab is filtered by when the cookie was first set, relative to the moment we clicked Accept:

Pre-consent · cookie was set before the user clicked Accept. Non-essential cookies in this tab are the legal problem — under ePrivacy 5(3) they need consent before being set.
Post-consent · cookie was set after the user clicked Accept. Mostly OK, assuming the user actually agreed to what's there.

The time value (e.g. −3.2s) is how many seconds before or after the Accept click the cookie first appeared in any of the five scans.

Need the full version? Open the technical methodology →