Which EU Countries Take Cookie Compliance Most Seriously?

GDPR Privacy Monitor Research · 2026-04-12 · 5 min read

GDPR is one regulation. One text. Directly applicable in every EU member state without the need for national transposition (unlike the ePrivacy Directive, which does require it, adding another layer of variation). In theory, a website in Hungary faces the same legal obligations as a website in Germany. In practice, the gap between theory and reality is enormous.

When we scanned 97,304 websites across 25 of the 27 EU member states, we found that the share of high-risk websites ranges from 20.9% in Austria to 58.8% in Hungary -- a nearly three-to-one ratio. The same regulation, the same scanning methodology, the same classification criteria, markedly different outcomes. The data suggests that compliance correlates less with what the law says than with how actively it is enforced.

The Full Ranking

The table below shows every country in our study, ranked by the percentage of scanned websites classified as high risk. High risk means the site exhibited significant consent violations: pre-consent tracking, reject-flow failures, missing consent mechanisms alongside active tracking, or combinations thereof. We also show the average risk score (a continuous 0-100 metric) and the banner detection rate -- the percentage of scanned sites where our system identified a consent banner.

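| Rank | Country | High-Risk % | Avg Risk Score | Banner Detection Rate |
|---|---|---|---|---|
| 1 | Austria | 20.9% | 31.2 | -- |
| 2 | Germany | 23.7% | 33.9 | 46.1% |
| 3 | Sweden | 33.4% | 49.0 | -- |
| 4 | Finland | 40.3% | 46.4 | 54.6% |
| 5 | Belgium | 42.1% | 47.4 | -- |
| 6 | Denmark | 42.1% | 48.3 | 57.0% |
| 7 | Netherlands | 43.5% | 53.1 | 40.3% |
| 8 | France | 44.1% | 49.7 | -- |
| 9 | Spain | 44.1% | 50.2 | -- |
| 10 | Italy | 44.6% | 51.8 | -- |
| 11 | Greece | 52.5% | 54.9 | -- |
| 12 | Poland | 53.3% | 56.1 | -- |
| 13 | Romania | 53.9% | 56.2 | -- |
| 14 | Czechia | 55.1% | 59.0 | -- |
| 15 | Hungary | 58.8% | 60.1 | -- |
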
(Banner detection rates shown where available in our dataset. "--" indicates the data was not broken out for that country.)

The average risk score provides a more nuanced view than the binary high-risk classification. Notice that the Netherlands has a relatively moderate high-risk rate (43.5%) but a comparatively high average risk score (53.1), suggesting that while fewer Dutch sites cross the high-risk threshold, the ones that do tend to be more severely non-compliant. Sweden shows a similar pattern in reverse: a lower high-risk rate (33.4%) but a relatively high average score (49.0), indicating a broad spread of moderate violations.

Tier 1: The Leaders -- Germany and Austria

Germany (23.7% high risk) and Austria (20.9% high risk) are clear outliers. Their websites are roughly half as likely to be classified as high risk compared to the EU-wide average of 41%. Understanding why requires looking at the enforcement ecosystem in both countries.

Germany: depth and breadth of enforcement

Germany's data protection landscape is unique in Europe. In addition to the federal BfDI (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit), each of Germany's sixteen states has its own independent data protection authority. This means Germany has seventeen DPAs in total, several of which have been among Europe's most active on consent enforcement.

The Bavarian DPA (BayLDA) conducted a sector-wide audit of cookie consent on websites in 2020-2021, sending formal questionnaires to hundreds of companies and following up with enforcement actions. The Hamburg DPA issued detailed guidance on Google Analytics and consent requirements. Multiple state DPAs have conducted coordinated enforcement campaigns targeting specific violations -- pre-consent tracking, missing reject options, and non-compliant cookie banners.

This enforcement density creates a different risk calculus for German website operators. When your industry peers have received formal inquiries from the DPA, and when enforcement guidance is specific enough to tell you exactly what is and is not acceptable, the cost of non-compliance becomes concrete rather than theoretical.

There is also a cultural dimension. Germany's data protection consciousness runs deeper than the GDPR. The 1983 Volkszählung (census) ruling by the Federal Constitutional Court established informational self-determination as a constitutional right decades before the GDPR existed. This created a societal expectation around data protection that influences both corporate behavior and consumer expectations in ways that are harder to quantify but clearly reflected in the data.

Austria: early post-Schrems II enforcement

Austria's DSB (Datenschutzbehörde) earned international attention by issuing one of the first enforcement decisions in the Schrems II aftermath, finding that a website's use of Google Analytics violated GDPR because the data transfers to the US lacked adequate safeguards. This decision -- later echoed by the French CNIL and Italian Garante -- sent a clear signal to Austrian website operators that consent and tracking were active enforcement priorities.

Austria's 20.9% high-risk rate, the lowest in our study, suggests this signal was received. When a DPA demonstrates through specific, publicized decisions that consent violations will be pursued, the compliance rate responds. Austria is one of the clearest examples in our data of enforcement correlating with measurable behavioral change, though other factors -- market structure, cultural attitudes -- likely also contribute.

Tier 2: The Nordic Middle Ground -- Sweden, Finland, Denmark

Sweden (33.4%), Finland (40.3%), and Denmark (42.1%) occupy a middle band that is better than the EU average but significantly behind the German-Austrian leaders.

The Nordic countries share strong cultural values around privacy and institutional trust, but their DPAs have generally taken a less aggressive enforcement posture on consent specifically. The Swedish IMY (Integritetsskyddsmyndigheten) has issued notable decisions -- including a significant fine against Google for right-to-be-forgotten failures -- but its consent-specific enforcement has been more limited. Finland's tietosuojavaltuutettu and Denmark's Datatilsynet have similarly focused on data breach notification and sectoral guidance rather than wide-scale cookie consent campaigns.

Sweden's 33.4% high-risk rate is nevertheless notably better than the Western European average, suggesting that cultural attitudes toward privacy may partially compensate for less frequent enforcement. Nordic internet users are, broadly, more privacy-aware, which may create market pressure for better consent implementations even in the absence of regulatory pressure.

The banner detection rates are instructive here. Denmark shows a 57.0% banner detection rate -- the highest for any country where we have this data point -- and Finland shows 54.6%. This means Nordic sites are more likely to deploy a consent banner, even if the implementation behind that banner is not always fully compliant. It suggests awareness of the obligation even where execution falls short.

Tier 3: Western Europe -- France, Netherlands, Belgium, Spain, Italy

Five Western European countries cluster tightly between 42.1% and 44.6% high risk: Belgium (42.1%), Netherlands (43.5%), France (44.1%), Spain (44.1%), and Italy (44.6%). This cluster sits close to the EU-wide average of 41% and may represent a compliance baseline -- the level you get when enforcement exists but is not frequent or targeted enough to move the needle substantially.

France: the paradox of high-profile enforcement

France is notable because the CNIL is arguably the most internationally visible DPA in Europe. It has issued record fines against Google (150 million euros for consent violations in 2022), Amazon (35 million euros), and Microsoft (60 million euros). It published detailed guidelines on cookies and consent in 2020 and gave French websites a six-month grace period to comply. It conducted coordinated enforcement waves targeting sites that failed to implement reject options.

Yet France sits at 44.1% high risk -- squarely average for Western Europe. How can the most active enforcer produce only average compliance?

The answer likely lies in the structure of the French web. France has a large, diverse digital economy with hundreds of thousands of websites operated by small and medium businesses, local government entities, and organizations that may not closely follow CNIL enforcement news. The CNIL's high-profile actions against technology giants generate international headlines but may not change behavior among the thousands of small-business sites using default WordPress installations with unconfigured consent plugins. Enforcement that targets the head of the distribution does not necessarily move the tail.

This is an important insight for all DPAs: headline fines deter large companies but may not shift the aggregate compliance rate, which is dominated by the long tail of small and medium sites. Broad behavioral change requires either mass enforcement (impractical with current DPA resources) or tools that make compliance the default rather than the exception.

Netherlands: low banner rate, moderate risk

The Netherlands shows an interesting pattern: a 43.5% high-risk rate (moderate) but only a 40.3% banner detection rate -- the lowest among countries where we have this data. This means Dutch sites are less likely to deploy a consent banner but, among those that do, the implementation quality may be somewhat better. It may also reflect a Dutch web ecosystem that includes many sites with minimal tracking (no banner needed) alongside sites that track heavily without bothering with a banner.

The Dutch AP (Autoriteit Persoonsgegevens) has been active on GDPR enforcement generally but has issued fewer consent-specific decisions compared to the German DPAs or the CNIL. The AP's enforcement priorities have centered on government data processing, healthcare data, and large-scale surveillance, with consent violations receiving relatively less attention.

Tier 4: Eastern and Southern Europe -- Greece, Poland, Romania, Czechia, Hungary

The bottom of the ranking is dominated by Central and Eastern European countries, with high-risk rates ranging from 52.5% (Greece) to 58.8% (Hungary). In these countries, more than half of scanned websites present a high-risk compliance profile.

| Country | High-Risk % | Avg Risk Score |
|---|---|---|
| Greece | 52.5% | 54.9 |
| Poland | 53.3% | 56.1 |
| Romania | 53.9% | 56.2 |
| Czechia | 55.1% | 59.0 |
| Hungary | 58.8% | 60.1 |

The common thread is not a lack of legal obligation -- GDPR applies identically -- but a pattern of under-resourced DPAs with fewer enforcement actions targeting consent specifically. Hungary's NAIH, Poland's UODO, Romania's ANSPDCP, and Czechia's ÚOOÚ have all focused their limited enforcement budgets on areas like data breach notification, subject access requests, and high-profile complaints rather than proactive cookie consent audits.

This is rational behavior for under-resourced regulators. When you have a small team and a large economy to supervise, you prioritize complaints over proactive enforcement, and complaints about cookie consent are relatively rare compared to complaints about data breaches or subject access refusals. The result is that consent violations go largely un-policed, and website operators face no meaningful risk of enforcement.

This data does not reflect on these DPAs' competence or dedication. Several Central and Eastern European DPAs operate with staff-to-population ratios that are a fraction of what German state DPAs enjoy. The Hungarian NAIH, for instance, supervises a country of 10 million people. Bavaria's BayLDA, supervising a population of similar size within one German state, has historically had more resources and a more focused mandate.

The takeaway is structural: uniform regulation without uniform enforcement produces non-uniform compliance. This is a key finding in the country-level data.

The Enforcement Correlation

If you set DPA enforcement intensity against compliance rates (described here in narrative, as we do not publish a chart), the relationship is apparent. The countries with the most enforcement actions specifically targeting consent -- Germany, Austria -- have the lowest high-risk rates. Countries with headline-grabbing but concentrated enforcement (France) show average compliance. Countries with minimal consent-specific enforcement show the highest violation rates.

This correlation does not prove causation -- cultural factors, market structure, and the maturity of the local technology sector all play roles. But the strength of the pattern across 25 countries is consistent with enforcement being a significant factor.

Some notable enforcement actions that appear to have moved the needle:

  • Germany (2020-2022): Multiple state DPAs conducted coordinated cookie consent audits, sending formal letters to hundreds of websites. The BayLDA published an FAQ on consent that became a de facto compliance standard.
  • Austria (2022): The DSB's Google Analytics decision was widely covered in Austrian tech and business media, prompting a visible wave of GA-to-Matomo migrations.
  • France (2021-2022): The CNIL's cookie enforcement wave targeted 100+ websites for non-compliant consent implementations, though the impact appears concentrated among larger operators.
  • Italy (2022): The Garante issued updated cookie guidelines that prompted compliance activity among larger Italian websites, though the 44.6% high-risk rate suggests the effect did not propagate widely.

Banner Detection Rates by Country

The banner detection rate -- the percentage of sites where our scanner identified a consent mechanism -- varies significantly across countries:

| Country | Banner Detection Rate |
|---|---|
| Denmark | 57.0% |
| Finland | 54.6% |
| Germany | 46.1% |
| Netherlands | 40.3% |

Denmark leads with 57.0%, suggesting that Danish websites are most likely to deploy some form of consent mechanism even if their overall compliance quality (42.1% high risk) is middling. Germany's 46.1% is lower than one might expect given its low violation rate, but this is consistent: German sites that do track are more likely to do so with proper consent, while German sites that do not track may reasonably operate without a banner.

The Netherlands' 40.3% is the lowest figure we have, which aligns with the Dutch pattern noted above: fewer banners overall, but not necessarily worse compliance among those that deploy them.

These rates also reflect methodological reality. A site that sets no non-essential cookies and contacts no third-party tracking domains genuinely does not need a consent banner under the ePrivacy exemption for strictly necessary cookies. Some variation in banner rates is therefore expected and legitimate.

What This Means for Cross-Border Businesses

If you operate a website or digital service that serves users across multiple EU countries, this data has direct practical implications.

  • Your compliance risk is determined by your highest-enforcement market. If your site serves German users, the bar is effectively set by German DPA expectations, regardless of where your company is headquartered. Under GDPR's one-stop-shop mechanism, your lead supervisory authority may be in your home country, but any DPA can take action on complaints from its own residents. A Hungarian website serving German visitors can face scrutiny from German DPAs.
  • Benchmarking against your own country's average is insufficient. If you are a Polish website operator and 53.3% of your peers are high risk, being "average" still means you are non-compliant by the letter of the GDPR. The regulation does not adjust its requirements by country. Only enforcement probability varies -- and enforcement trends move in one direction. DPAs that have not yet prioritized consent are likely to do so as European-level coordination increases.
  • The EDPB is pushing for convergence. The European Data Protection Board's cookie-specific guidelines, taskforce activities, and consistency opinions are designed to reduce the enforcement gap between member states. The EDPB's consent banner taskforce report in 2023 identified common violations and called for coordinated enforcement, and several previously less active DPAs have signaled increased attention to consent in response. Low enforcement in any given market is unlikely to remain the status quo indefinitely.

The GDPR Harmonization Problem

The country-level data in this study is, in some respects, a challenge to GDPR's harmonization goal. The regulation was supposed to create a single standard across the EU, replacing the patchwork of national data protection laws. In terms of the legal text, it succeeded. In terms of compliance reality, it has not yet.

A website in Austria is three times less likely to be high risk than a website in Hungary. A French user clicking "Reject" faces the same 80.4% failure rate as a Polish user. The consent banner is more likely to appear in Denmark than in the Netherlands. None of these differences have a legal basis -- they are all consequences of differential enforcement.

This raises a difficult question: can a regulatory framework that depends on national enforcement authorities, with vastly different resources and priorities, deliver uniform protection? The data suggests the answer is currently no. The gap between Germany/Austria and Hungary/Czechia is not closing -- and it will not close without either significant rebalancing of DPA resources or a shift to EU-level enforcement for common, technically measurable violations like pre-consent tracking.

Cookie consent is, ironically, one of the easiest GDPR obligations to verify at scale. Unlike assessing the lawfulness of a data processing activity or the adequacy of a privacy impact assessment, checking whether a website sets tracking cookies before consent is an objective, automatable measurement. If the EU cannot achieve enforcement convergence on this most measurable of violations, the prospects for convergence on harder questions are dim.

Methodology Note

Website selection was drawn from the Tranco Top 1M list, filtered by country association. Country attribution used country-code TLDs as the primary signal, supplemented by registration and hosting data where TLDs were ambiguous (e.g., `.com` domains). Sites with unclear country affiliation were excluded from the country-level analysis but included in the EU-wide aggregate figures.

Every site was scanned using identical criteria: pre-consent behavior, banner detection, reject-flow testing (where a reject button was identified), cookie lifetime analysis, and accessibility evaluation. The scanner made no adjustments for country of origin -- a Hungarian site was evaluated with the same methodology and thresholds as a German one.
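As an added illustration (not the scanner used in this study), the sketch below shows how pre-consent behavior and the strictly-necessary exemption can be measured objectively from a captured page load. The tracker list, essential-cookie names, verdict labels and sample events are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumptions for this example: a tiny tracker list and essential-cookie list.
# A real scanner would rely on maintained lists and a public-suffix library.
TRACKER_DOMAINS = {"google-analytics.com", "doubleclick.net", "facebook.net"}
ESSENTIAL_COOKIES = {"session_id", "csrf_token"}


def registrable(host):
    """Crude registrable domain: last two labels (wrong for e.g. .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def findings(site_host, events, until_ts=None):
    """List tracking signals seen before until_ts (whole capture if None)."""
    site, out = registrable(site_host), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if until_ts is not None and ev["ts"] >= until_ts:
            break  # everything from here on happened after the consent click
        dom = registrable(urlsplit(ev["url"]).hostname or "")
        if dom != site and dom in TRACKER_DOMAINS:
            out.append(("third_party_tracker", dom))
        for header in ev.get("set_cookie", []):
            name = header.split("=", 1)[0].strip()
            if name and name not in ESSENTIAL_COOKIES:
                out.append(("non_essential_cookie", name))
    return out


def assess(site_host, events, consent_ts, banner_detected):
    """Return (verdict, evidence); the verdict labels are hypothetical."""
    overall = findings(site_host, events)
    if not overall:
        return "no_banner_required", []  # only strictly necessary activity
    if not banner_detected:
        return "tracking_without_banner", overall
    # With no consent interaction at all, the whole capture is pre-consent.
    before = overall if consent_ts is None else findings(site_host, events, consent_ts)
    if before:
        return "pre_consent_tracking", before
    return "tracking_after_consent_only", []


# Constructed sample capture: ts is seconds since navigation start.
SAMPLE = [
    {"ts": 0.0, "url": "https://www.example.de/",
     "set_cookie": ["session_id=abc; Path=/; HttpOnly"]},
    {"ts": 0.4, "url": "https://www.google-analytics.com/g/collect?v=2"},
    {"ts": 0.5, "url": "https://www.example.de/app.js",
     "set_cookie": ["_ga=GA1.2.1; Max-Age=63072000"]},
    {"ts": 3.2, "url": "https://connect.facebook.net/en_US/fbevents.js"},
]

if __name__ == "__main__":
    print(assess("www.example.de", SAMPLE, consent_ts=3.0, banner_detected=True))
```
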

Sample sizes vary by country, reflecting the distribution of EU websites in the Tranco list. Countries with larger digital economies (Germany, France, Netherlands) contribute more sites. All percentages are calculated against the per-country sample, not the EU-wide total.


See where your website stands. Run a free scan at gdprprivacymonitor.eu to get the same compliance assessment we applied to every site in this study -- with full evidence, risk scoring, and actionable findings.
