Most GDPR website reviews fail at one simple point: They check what the website says, but not what the website actually does. A privacy policy may look fine. A cookie banner may appear on page load. A consent management platform may be configured. But when a real user visits the site, what happens in the browser? That is the part developers, privacy teams, and compliance reviewers need to inspect carefully. A proper GDPR website audit should review runtime behavior: Which scripts load? Which cookies are set? Which third-party requests fire? What happens before consent? What changes after “Reject All”? What changes after “Accept All”? Are tracking pixels active before user choice? Are identifiers being sent in URLs, headers, or payloads? Is there technical evidence that consent choices are actually enforced? This article is a practical developer-focused walkthrough of what to check. This is not legal advice.…