Most of us click "Accept" on cookie banners every day without a second thought. But have you ever wondered what actually happens behind that button? I guess that's why you're here.
This guide will show you how to view cookies, local storage, and session storage in simple steps. It is written for people with no technical background
Glossary
Before we proceed with the guide, we'll have to know what we're looking at. Here is a quick cookie glossary.
Cookies are notes that makes website remember stuff
First-party cookies are from the website, and third-party cookies are from someone else
Pixels report what you're doing on the website and send it to someone else
Cookies
Cookies are tiny notes a website sticks in your computer, inside the browser. They can hold things like login information to keep you signed in or your preferred language.
There are two types of cookies: First-party cookies and Third-party cookies.
First-party cookies are notes from the website you're actually on. This is how a webshop remembers what you put in a shopping cart.
Third-party cookies are notes from someone else, placed on the website you're visiting. You've probably experienced this: You googled "Best running shoes" a week ago, and all of a sudden, you see ads for running shoes on every website you visit. That's because the website owner, who earns money by placing ads, has installed a third-party cookie by Google.
Third-party cookies can be other things than ads, such as Livechat, support features, and social logins.
Pixels
Pixels are different from cookies. Instead of a note, it functions as an invisible reporter. When you do something on the website you're visiting, it immediately sends a message to someone else (third-party) explaining what you did, or what you saw.
A typical example is Facebook's pixel, which helps the website track how many sales were generated from the website's Facebook ads.
Pixels and other trackers can record data without being stored as cookies. In the eyes of privacy laws like GDPR, there is no difference between them. If they are tracking you to show ads or study your behavior, they must ask for your permission first.
It's very typical for pixels and cookies to work together. The Pixel is the eyes, and the Cookie is the memory.
How to inspect cookies
To see the data for yourself, you need to open your browser's Developer Tools. Don't let the name scare you. You don't need to be a developer to use them.
Step 1
On Chrome/Edge: Right-click anywhere on a page and select Inspect.
On Mac (Safari): You may need to go to Settings > Advanced and check "Show features for web developers" first. Then, right-click and choose Inspect Element.
The Shortcut: Press
F12(Windows) orCmd + Option + I(Mac).
Step 2
Once the Inspect window opens, you’ll see a lot of code. Ignore it. We are looking for the storage room. Look at the top menu bar of the Inspect window:
In Chrome/Edge: Click the Application tab (you might need to click the
>>icon if it's hidden).In Safari/Firefox: Click the Storage tab.
This is your digital filing cabinet. On the left-hand sidebar, you will see several "folders" where the website stores information on your computer:
Cookies: This is the main folder where cookies are contained
Local Storage: This is like a permanent notebook. Even if you close your browser and come back next month, the notes are still here. Sites use this for things like "Dark Mode" or unique tracking IDs.
Session Storage: This is like a sticky note that gets shredded. The moment you close that specific browser tab, the info is deleted instantly.
IndexedDB: A heavy-duty storage locker. Large apps like Gmail or Spotify use this to save data so they can work fast or even offline.
Cache Storage: This folder doesn't store data about you; it stores pieces of the website (logos, fonts, layouts) so the site doesn't have to download them every single time you click a page.
How to read it
When you click on the Cookies folder and select the website name, it will look like a spreadsheet. To understand if you are being tracked, focus on these four columns:
Name: What the cookie is called
Value: This is the actual data stored inside
Domain: Who the cookie is from
Expires: This tells you the "expiration date
If the domain column matches the website you're visiting, it's a First-party Cookie. If it's another domain, it's a third-party cookie. In modern times, you unfortunately cannot rely on this.
However, modern tracking is sneaky. Many websites now use First-Party Masking. They hide or "mask" a tracker to make it look like it belongs to their own website, so your browser won't block it.
In the screenshot below i'm currently on the website Matas.dk. The domain seems to match, but the name of the cookie is _fbp, which is a Marketing cookie by Facebook.
Because these are set via the website's own server rather than a third-party script, they bypass many standard browser blocks. To verify the source of a mysterious cookie name, you can look it up at Cookiedatabase.org.
Check if they're breaking the rules
Once you know how to identify these cookies, you can perform a simple privacy audit. In EU the website is not allowed to track you before you give your explicit consent in a cookie popup.
How to catch a violation:
Open a website in a "Private" or "Incognito" window (so you start with a clean slate).
Open the Inspect > Application > Cookies tab before you click anything on the cookie popup.
Check the list: If you see cookies like
_ga(Google),_fbp(Facebook), or_ttp(TikTok) appearing before you’ve clicked "Accept," the website is likely in violation of privacy laws. They are "firing" the trackers before getting your permission.
As mentioned, not all cookies are for tracking. Some are required just to make the site work.
But if you names like _ga (Google Analytics), _fbp (Facebook), or _ttp (TikTok) Before you've touched the pop-up, the website is likely in violation of EU privacy laws.
What about pixels?
Pixels are the eyes that create the note (the cookie). They don’t always stay in the cookie list because pixels aren't files; they are messages sent across the internet.
If you see a cookie like _fbp appear before you hit accept, it means a Pixel has already "fired" and sent your data away.
To see pixel activity in real-time, we have to move from the filing cabinet to the phone lines. Introducing the Network Inspection Tab
Open Inspect/DevTools.
Click the Network tab.
Refresh the page.
You will see a live log of every message the website sends. We’ll go through how to read this "digital conversation" in a moment.
First, we need to clear up why cookie activity is hidden in the network tab.
Hidden activity & Server-side tracking
If you see a tracking cookie (like _fbp) in your Application tab but can't find "Facebook" in the Network tab, you’ve likely found Server-Side Tracking.
This is the "First-Party Masking" mentioned earlier. Instead of your browser talking directly to Facebook, the website acts as a middleman to hide the trail. Facebook calls this the Conversions API (CAPI).
How it works:
The Trigger: You click a "Buy Now" button.
The Hand-off: Your browser sends that data to the website’s own server (e.g.,
api.yourshop.com). This looks "safe" and internal in your Network tab.The Invisible Leap: Once the data hits the website's server, the server sends it to Facebook.
The logic
Your browser logs everything you send, like if you mailed a post it can see you sending a letter to the post office (the website's server), but it has no way of seeing where the post office sends that letter next. Because the second jump happens "server-to-server," it bypasses your browser's visibility and most ad-blockers.
The Network Tab
When inspecting a website on a browsers you'll always find the Network Tab present. This is a log of all the digital conversations between your computer and someone else's server.
When opened, you’ll see a list of files (Images, Scripts, Tracking Pixels). Each row represents one "conversation" between your browser and a server. When you click a row in the network log, you are looking at the "envelope" and the "contents" of that message:
Request (The "Ask"): When your browser sends a message to a server. This could be to load a picture or to report your behavior.
URL: The destination address (e.g.,
https://omhucph.com/api/collect).Method:
GET: Used to retrieve data, like loading a page or an image.
POST: Used to send data externally, like transmitting analytics or tracking IDs.
Headers: Metadata like your browser type and Cookies (your digital ID cards).
Payload (The Body): Optional data sent during a POST request, such as which button you clicked or your screen size.
Response (The "Answer"): When the server replies to confirm it received your message.
Status Code: Tells you if the conversation was successful. 200 means success; 404 means not found; 500 means a server error.
How to Identify Hidden Server-Side Tracking
Server-side tracking is "hidden" because it uses First-Party Masking. Instead of your browser talking directly to Facebook, it talks to the website's own server, which then "whispers" the data to Facebook in the background.
Step 1: Look for generic names.
Server-side requests rarely use the word "Facebook" or "TikTok" in the URL. Instead, look for common, boring names in the Name column:
/collect/track/events/metrics
Step 2: Spot the "Masked" Domain
Check the Domain column.
If you see a request named /collect going to the website’s own domain (e.g., omhucph.com), your browser thinks it is a safe, internal conversation.
Step 3: The cookie
This is how you prove it is a tracker.
Click the suspicious request and go to the Headers or Cookies tab. Look for these specific IDs tucked inside the "Cookie" section:
_fbp: This is a Facebook tracking ID._ttp: This is a TikTok tracking ID._gcl_au: This is a Google Ads tracking ID.
If a request is going to yourwebsite.com/api/collect , but it is carrying your Facebook ID (_fbp), the website is "collecting" your identity to send it to Facebook server-to-server.
In the screenshot below, a website has a TikTok pixel set its cookie before the i've interacted with or accepted the consent banner, meaning tracking started without prior consent.
Check the "Initiator"
In the Network tab, look at the Initiator column. This tells you which script "fired" the request. If a request to an internal domain is initiated by a script called gtm.js (Google Tag Manager) or fbevents.js, it is almost certainly a tracking hand-off.
GDPR, Cookies, and Pixels
The privacy law in the EU is called GDPR. It says a website cannot collect your personal data without a good reason. Because Cookies and Pixels can identify you, they fall under this law.
Almost all cookies and pixels require consent before they are allowed to function. You can check if a website places cookies or pixels before you accept with my Cookie Audit Tool.
An exception to this rule is Strictly Necessary cookies that are essential for the website to function. For example, a cookie that remembers if you're logged in is typically Necessary.
FAQ
Why would a website place a pixel on its website?
A website owner often places tracking pixels from advertising companies such as Facebook, and TikTok to measure how effectively their ads turn into sales.
If users happen to not buy anything, it's tracked, and they'll be able to show more ads to "re-target" visitors who left the site without buying anything.
Why is it called a pixel?
It’s called a pixel because it used to be a literal, invisible 1x1 image (one tiny dot on your screen). Today, most pixels are code instead of images. The name just stuck.
You'll also hear the name Tracking Pixel, which is a pixel that tracks data.
What are local preparation scripts?
Sometimes a script, like a Google Tag Manager "container", creates the cookie value immediately upon page load to "label" you. Still, it waits for a specific trigger to actually send that data.
For example, it creates the cookie value when you land, but it won't "send" the data until you scroll 50% down the page or click a "Buy Now" button.
In this case, the cookie is sitting there waiting like a loaded gun, but the "shot" (the network request) hasn't fired yet.