
We Scanned 97,000 EU Websites for GDPR Compliance. Here's What We Found.

GDPR Privacy Monitor Research · 2026-04-10 · 8 min read

Eight years after GDPR entered into force, we decided to stop speculating about consent compliance and measure it. We pointed our scanner at 97,304 websites across 25 of the 27 EU member states and recorded exactly what happens in a real browser before, during, and after consent. Not what the privacy policy promises. Not what the CMP dashboard reports. What actually fires in the browser when a first-time visitor lands on a page.

In our dataset, pre-consent tracking was common: two-thirds of EU websites begin tracking visitors before any consent interaction occurs. More than half display no consent banner at all. And when websites do offer a reject button, it fails to stop tracking 80% of the time. These are not edge cases or technicalities. This is the baseline state of consent compliance across the European Union in 2026.

Methodology: How We Measured This

Before diving into findings, it matters how we collected this data, because methodology determines whether numbers like these are meaningful or misleading.

The website list

We drew our sample from the Tranco Top 1M list, a research-grade domain ranking that combines multiple independent ranking sources. Tranco was specifically designed to resist manipulation and provide stable rankings for web measurement studies, which makes it the standard source for large-scale web research. We filtered for domains associated with 25 of the 27 EU member states based on country-code TLDs and registration data, yielding 114,748 candidate URLs. Of those, 97,304 completed successfully -- the remainder failed due to DNS errors, connection timeouts, or sites that were entirely unreachable.

What the scanner does

Each scan uses our production scanner engine: a Go application driving a full headless Chromium browser via the Chrome DevTools Protocol. This is not a static HTML scraper or a cookie-database lookup. For every website, the scanner:

1. Launches a clean Chromium instance with no stored cookies, no local storage, and no browsing history -- simulating a genuine first-time visitor.

2. Navigates to the target URL and waits for the page to load.

3. Takes a pre-consent snapshot: every cookie set, every network request made, every third-party domain contacted -- all before any consent interaction.

4. Attempts to detect the consent banner using a library covering 45 known CMPs plus generic heuristics.

5. Interacts with the banner (accept or reject) and records the post-interaction state.

6. For reject-flow testing: reloads the page and checks whether rejection was respected or whether cookies respawn.

Every step produces timestamped evidence: full cookie inventories, network request logs, and screenshots. When we say a website "activates tracking before consent," we mean we observed actual HTTP requests to known tracking domains and actual cookies being set in the browser -- not that we inferred it from a script tag in the HTML.

What "pre-consent" means technically

This is the critical concept. Pre-consent behavior is everything that happens between the moment the page starts loading and the moment the user first interacts with a consent mechanism. In practice, this window is typically 2-5 seconds, but on many sites it stretches longer as the page loads additional resources. During this window, the visitor has had no opportunity to accept or refuse anything. Under Article 5(3) of the ePrivacy Directive (as interpreted by the CJEU in Planet49, C-673/17), storing information on a user's device or accessing information already stored requires prior consent -- except for cookies strictly necessary for the service requested by the user. Anything non-essential that fires during this window is, by definition, operating without valid consent.

Finding 1: Pre-Consent Tracking Is the Norm, Not the Exception

The single most important number in this study: 68% of scanned websites activate third-party tracking before the user has given consent. Closely related: 66.6% set cookies before consent.

These are not the same metric. A website can contact a third-party tracking domain (firing a pixel, loading a script) without that domain successfully setting a cookie -- for instance, if the browser blocks third-party cookies. Conversely, a first-party analytics cookie can be set without contacting an external domain. Both behaviors are problematic, but they represent different technical mechanisms and different legal exposures.

The scale of pre-consent activity is substantial:

Metric                                              Value
Average third-party domains contacted pre-consent   10.4
Median third-party domains contacted pre-consent    6
Maximum third-party domains contacted pre-consent   171

The median of 6 is arguably more informative than the mean. Half of all scanned websites contact at least six external domains before the user has any opportunity to consent. These are not content delivery networks or font servers (which we exclude from tracking classification). These are advertising platforms and analytics services.

Breaking down the pre-consent activity by cookie category reveals what this tracking is actually for:

Cookie Category                           Sites Affected   % of All Sites
Analytics cookies set pre-consent         30,239           31.1%
Marketing cookies set pre-consent         17,793           18.3%
Pre-consent trackers active (any type)    42,904           44.1%

Nearly one in three EU websites sets analytics cookies before consent. Nearly one in five sets marketing cookies. The legal position on these is unambiguous: the EDPB has repeatedly confirmed that analytics and marketing cookies require consent under Article 5(3) ePrivacy. The CJEU's Planet49 ruling made clear that consent must be an active, affirmative act -- and it cannot be affirmative if it has not happened yet.

The practical implication is that by the time a visitor sees a cookie banner and considers whether to accept or reject, their browser has already been fingerprinted, their visit has already been logged by analytics platforms, and in many cases their browsing profile has already been updated by advertising networks. The consent choice, when it arrives, is partially retroactive -- and retroactive consent is not consent at all.

Finding 2: The Consent Banner Gap

More than half the websites we scanned -- 53,508 out of 97,304, or 55% -- displayed no consent banner that our detection system could identify.

This number requires careful interpretation. Not every website without a banner is necessarily violating the law. A website that sets no non-essential cookies and contacts no third-party tracking services may legitimately operate without a consent mechanism. The ePrivacy exemption for "strictly necessary" cookies means that a site using only session cookies for login or shopping-cart functionality has no consent obligation for those specific cookies.

But that is not what we observe. Of the 53,508 sites with no detectable banner, 18,026 are actively setting non-essential cookies and contacting third-party tracking domains. These sites have no consent mechanism and are tracking visitors from the first page load. We are not aware of a valid legal basis for this under either GDPR or the ePrivacy Directive.

The remaining sites without banners fall into several categories: sites that genuinely set no non-essential cookies (and therefore may not need a banner), sites using consent mechanisms our detection system could not identify, and sites that are simply non-functional or minimal-content domains. Our 45-CMP detection library plus generic heuristics covers the vast majority of known consent solutions, but custom implementations in uncommon frameworks or languages may be missed.

Still, the 18,026 figure is the floor, not the ceiling, for banner-less sites with tracking. These are sites where we have positive evidence of both tracking activity and banner absence.

Finding 3: Reject Buttons Fail 80% of the Time

We dedicated a separate post to this finding, but it deserves substantial coverage here because it strikes at the heart of the consent model.

Of the 28,891 websites where we detected and successfully interacted with a reject button, 80.4% continued tracking after the user clicked reject. Only 5,650 sites (19.6%) passed the reject-flow test -- meaning tracking actually stopped and stayed stopped.

The failures break down into overlapping categories:

Failure Type                                             Sites Affected
Non-essential cookies still present after reject         10,848
Tracking services still active after reject              14,547
Consent respawn detected (cookies return after reload)   1,642
Individual cookies that respawned                        4,932

Consent respawn is a pattern we identified during this research. The user clicks reject, the CMP removes cookies, and then on the next page load those cookies reappear. On 1,642 sites, we observed 4,932 individual cookies exhibiting this behavior. The mechanism varies -- third-party scripts that re-fire regardless of consent state, tag managers that do not propagate rejection to all integrated services, server-side Set-Cookie headers that ignore client-side consent decisions -- but the effect is the same. The reject button becomes a temporary pause, not a permanent choice.

Under GDPR Article 7(3), withdrawal of consent must be as easy as giving it, and the controller must act on that withdrawal. A reject button that does not actually stop tracking fails this requirement regardless of the technical cause.
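The reject-flow test and the three failure categories in the table above reduce to a comparison of cookie inventories taken before the click, right after it, and after a reload, plus the request log after the click. The following is an added example written for this article, not the scanner's own implementation; the observation types, the tracker suffix list and the two sample observations are constructed, and "passed" uses the study's own criterion that tracking stopped and stayed stopped.

```go
package main

import (
	"fmt"
	"strings"
)

// Cookie is a constructed type for this example (name plus the category a
// cookie library would assign); it is not the scanner's real schema.
type Cookie struct {
	Name     string
	Category string // "necessary", "analytics" or "marketing"
}

// RejectFlowObservation holds what the reject-flow test records: cookie
// inventories before the click, right after it, and after a reload, plus
// every host contacted after the click.
type RejectFlowObservation struct {
	BeforeReject       []Cookie
	AfterReject        []Cookie
	AfterReload        []Cookie
	PostRejectRequests []string
}

type RejectFlowResult struct {
	NonEssentialAfterReject   []string // still present immediately after reject
	TrackersActiveAfterReject []string // tracking hosts still contacted after reject
	RespawnedCookies          []string // removed on reject, back after reload
}

// Passed mirrors the study's criterion: tracking stopped and stayed stopped.
func (r RejectFlowResult) Passed() bool {
	return len(r.NonEssentialAfterReject) == 0 &&
		len(r.TrackersActiveAfterReject) == 0 &&
		len(r.RespawnedCookies) == 0
}

// Hypothetical tracker suffixes; a real scanner uses a maintained list.
var trackerSuffixes = []string{"google-analytics.com", "doubleclick.net", "facebook.net"}

func isTracker(host string) bool {
	host = strings.ToLower(host)
	for _, s := range trackerSuffixes {
		if host == s || strings.HasSuffix(host, "."+s) {
			return true
		}
	}
	return false
}

// nonEssential indexes the analytics/marketing cookie names in an inventory.
func nonEssential(cs []Cookie) map[string]bool {
	m := map[string]bool{}
	for _, c := range cs {
		if c.Category != "necessary" {
			m[c.Name] = true
		}
	}
	return m
}

// EvaluateRejectFlow applies the three failure checks the study reports.
func EvaluateRejectFlow(o RejectFlowObservation) RejectFlowResult {
	var res RejectFlowResult
	before, after := nonEssential(o.BeforeReject), nonEssential(o.AfterReject)
	// 1. Non-essential cookies that survived the reject click.
	for _, c := range o.AfterReject {
		if c.Category != "necessary" {
			res.NonEssentialAfterReject = append(res.NonEssentialAfterReject, c.Name)
		}
	}
	// 2. Tracking services still contacted after the click.
	seen := map[string]bool{}
	for _, h := range o.PostRejectRequests {
		if isTracker(h) && !seen[h] {
			seen[h] = true
			res.TrackersActiveAfterReject = append(res.TrackersActiveAfterReject, h)
		}
	}
	// 3. Consent respawn: the CMP removed the cookie on reject, yet it is
	//    back after reload.
	for _, c := range o.AfterReload {
		if before[c.Name] && !after[c.Name] && c.Category != "necessary" {
			res.RespawnedCookies = append(res.RespawnedCookies, c.Name)
		}
	}
	return res
}

// Constructed observations (not real scan data). failingSite shows all three
// failures at once: _fbp survives the click, analytics keeps firing, and _ga
// is removed on reject but respawns on reload.
var failingSite = RejectFlowObservation{
	BeforeReject: []Cookie{{"PHPSESSID", "necessary"}, {"cookie_consent", "necessary"},
		{"_ga", "analytics"}, {"_gid", "analytics"}, {"_fbp", "marketing"}},
	AfterReject: []Cookie{{"PHPSESSID", "necessary"}, {"cookie_consent", "necessary"}, {"_fbp", "marketing"}},
	AfterReload: []Cookie{{"PHPSESSID", "necessary"}, {"cookie_consent", "necessary"},
		{"_fbp", "marketing"}, {"_ga", "analytics"}},
	PostRejectRequests: []string{"www.example-shop.eu", "www.google-analytics.com", "fonts.gstatic.com"},
}

var passingSite = RejectFlowObservation{
	BeforeReject:       []Cookie{{"PHPSESSID", "necessary"}, {"_ga", "analytics"}},
	AfterReject:        []Cookie{{"PHPSESSID", "necessary"}, {"cookie_consent", "necessary"}},
	AfterReload:        []Cookie{{"PHPSESSID", "necessary"}, {"cookie_consent", "necessary"}},
	PostRejectRequests: []string{"www.example-shop.eu"},
}

func main() {
	for name, o := range map[string]RejectFlowObservation{"failing": failingSite, "passing": passingSite} {
		r := EvaluateRejectFlow(o)
		fmt.Printf("%s: passed=%t survivors=%v trackers=%v respawned=%v\n",
			name, r.Passed(), r.NonEssentialAfterReject, r.TrackersActiveAfterReject, r.RespawnedCookies)
	}
}
```

Note that passingSite still had _ga present before the click: a clean reject flow does not excuse pre-consent tracking, which is why the study counts the two findings separately.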

Finding 4: Country-by-Country Comparison

GDPR is a single regulation, but compliance is not uniform. The percentage of high-risk websites varies by nearly three to one across EU member states.

Country        High-Risk %   Avg Risk Score
Hungary        58.8%         60.1
Czechia        55.1%         59.0
Romania        53.9%         56.2
Poland         53.3%         56.1
Greece         52.5%         54.9
Italy          44.6%         51.8
Spain          44.1%         50.2
France         44.1%         49.7
Netherlands    43.5%         53.1
Belgium        42.1%         47.4
Denmark        42.1%         48.3
Finland        40.3%         46.4
Sweden         33.4%         49.0
Germany        23.7%         33.9
Austria        20.9%         31.2

The pattern is consistent with differences in enforcement activity. Germany and Austria -- home to the BfDI, sixteen state-level DPAs, and the DSB respectively -- have been among the most active European authorities in targeting consent and cookie violations specifically. The DSB issued one of the first post-Schrems II enforcement decisions. German state DPAs have conducted sector-wide cookie audits and issued prescriptive guidance on what constitutes valid consent.

At the other end, Hungary, Czechia, Romania, and Poland have DPAs that are typically under-resourced relative to the size of their digital economies and have historically focused enforcement on data breaches and subject access requests rather than cookie consent. This is not a criticism of those authorities -- they operate with the budgets they are given -- but it is a clear demonstration that enforcement drives compliance. The same legal text, applied with different enforcement intensity, produces markedly different outcomes.

France is instructive. The CNIL has been one of Europe's most visible enforcement bodies, issuing record fines against major technology companies. Yet French websites sit at 44.1% high risk, close to the EU average. The explanation likely lies in the CNIL's enforcement strategy: high-profile actions against large platforms generate headlines but do not directly change the behavior of thousands of small and medium businesses that make up the long tail of the web. Broad behavioral change requires either sector-wide enforcement campaigns (as Germany has pursued) or a general increase in perceived enforcement risk.

We cover the country data in greater depth in our country comparison post.

Finding 5: CMP Market Share and What It Tells Us

Among the 43,796 websites (45%) that did present a detectable consent banner, we identified 45 distinct consent management platforms. The market is concentrated at the top but fragmented in the long tail.

CMP                       Sites     Market Share
Cookiebot                 6,481     14.8%
OneTrust                  3,101     7.1%
Usercentrics              1,820     4.2%
Complianz                 1,590     3.6%
Didomi                    1,472     3.4%
iubenda                   1,250     2.9%
Generic / unidentified    15,179    34.7%

The largest single category is "Generic / unidentified" at 34.7%. These are sites using consent solutions that did not match any of the 45 CMP signatures in our detection library. They include custom-built cookie bars, WordPress plugins not widely recognized, regional CMP providers, and implementations so minimal that they consist of a single dismissible div with a "Got it" button. The compliance quality of this category is, on average, significantly lower than that of established CMPs, though we have not yet published per-CMP compliance rates.

The banner interaction data reveals another concern. Of the 43,796 banners detected:

Banner Feature                   Prevalence
Reject option in first layer     56.3%
No reject option visible         19.6%
Uncertain (ambiguous UI)         24.1%

Nearly one in five consent banners offers no visible way to reject non-essential cookies without navigating to a second layer of settings. The EDPB's Guidelines 05/2020 on consent state that refusing consent should require no more effort than giving it. A design that requires additional clicks to refuse but offers one-click acceptance is, under these guidelines, a dark pattern that undermines the validity of consent.

We also detected specific dark-pattern implementations: 3,454 sites (7.9% of those with banners) placed the reject option only in a second layer, 84 sites employed cookie walls (blocking content until consent is given), and 137 sites exhibited bot consent evasion -- deliberately hiding the banner from automated scanners while showing it to human visitors.

Finding 6: Cookie Lifetime Abuse

The CNIL recommends a maximum cookie lifetime of 13 months, a standard that several other national DPAs have adopted or referenced. This is not a hard legal limit in the text of the GDPR, but it reflects an interpretation of the storage limitation principle (Article 5(1)(e)) as applied to tracking identifiers.

Our scan found 26,250 websites (27%) with at least one cookie exceeding the 13-month threshold, comprising 58,127 individual cookies in total.

The most common offender is the `_ga` cookie used by Google Analytics, which is set with a default lifetime of two years. This means that even websites with otherwise functional consent mechanisms are often in violation simply because they have not overridden the default GA cookie expiry. It is a configuration issue, not a technical limitation -- Google Analytics allows custom cookie lifetimes -- but the default is non-compliant with CNIL and similar national DPA guidance, and most site operators never change it.

Long-lived cookies create a compounding privacy risk. A two-year cookie is not just "a bit longer than 13 months." It means a user who visits a site once, consents, and never returns can still be identified and tracked by that site's analytics for two years. If the user later revokes consent or the legal basis changes, the cookie persists as a ghost identifier until it expires.

Additional Findings

Several other findings from the study merit brief mention:

Fingerprinting. We detected browser fingerprinting signals (canvas fingerprinting, WebGL fingerprinting, audio context fingerprinting) on 4,114 websites (4.2%). Fingerprinting is particularly concerning because it cannot be cleared by deleting cookies -- it uses inherent browser and device characteristics as identifiers. The ePrivacy Directive treats fingerprinting as equivalent to cookie-based tracking for consent purposes.

Google Consent Mode mismatches. Among sites implementing Google Consent Mode, 28.4% were detected as using it, while 13.7% of sites using Google services showed no Consent Mode implementation. More concerning, 11.9% showed mismatches -- the consent state reported to Google's API did not match the actual tracking behavior observed in the browser. This means the CMP tells Google that consent was denied, but tracking requests continue firing.

Accessibility. Consent banners are legally required UI elements, and if they are inaccessible, a segment of users cannot exercise their rights. Among detected banners: 25% had touch targets below recommended minimum sizes, 15.2% had low-contrast text, and 3.4% were not keyboard accessible. A banner that cannot be operated by keyboard effectively denies consent choice to users who rely on assistive technology -- a violation that intersects with both GDPR and accessibility regulations.

Overall Risk Distribution

Pulling it all together, the aggregate risk classification of the 97,304 scanned sites:

Risk Level      Percentage
High risk       41.0%
Low risk        27.6%
Medium risk     16.8%
Inconclusive    14.9%

The 14.9% inconclusive rate reflects sites where the scanner could not reach a reliable determination -- typically due to bot detection, complex single-page-application architectures, or timing-dependent behavior. We report these as inconclusive rather than forcing them into a pass/fail classification.

What This Means for Website Owners

If you operate a website serving EU visitors, four actions address the most common and highest-risk findings:

1. Audit what loads before consent. Open your site in a private browser window, open developer tools, and watch the Network and Application tabs before you interact with any banner. If you see requests to analytics or advertising domains, or cookies from those services appearing, your pre-consent behavior is non-compliant. The fix is typically tag manager configuration: ensure non-essential scripts are blocked until affirmative consent is recorded.

2. Test your reject flow end-to-end. Click reject on your own banner, then check whether non-essential cookies are gone. Then reload the page and check again. If cookies reappear, you have a consent respawn problem that requires investigating which scripts bypass your consent mechanism. Our data shows this affects a surprisingly large number of sites, even those using reputable CMPs.

3. Check your cookie lifetimes. If you use Google Analytics with default settings, your `_ga` cookie has a two-year lifetime. Change it to 13 months or less. Review all cookies your site sets and ensure none exceed the recommended 13-month maximum. This is a quick configuration fix that eliminates a common compliance finding.

4. Ensure your banner is accessible and offers first-layer reject. If your reject option requires navigating to a second settings page while "Accept All" is one click, your consent mechanism may not meet EDPB guidelines. Review the banner for keyboard accessibility, touch target sizing, and contrast ratios.
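The cookie-lifetime check in step 3, and the 13-month threshold from Finding 6, can be automated against the Set-Cookie headers a site returns. This is an added example written for this article, not the scanner's code: it uses Go's standard net/http cookie parser, honours Max-Age over Expires as RFC 6265 requires, skips session cookies, and compares each expiry against 13 calendar months from a fixed observation time. The observation time and the four Set-Cookie values are constructed; in practice `_ga` is set by JavaScript rather than a header, and a browser-side cookie record would be fed to ExceedsLimit directly.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// MaxLifetimeMonths is the 13-month ceiling the CNIL recommends.
const MaxLifetimeMonths = 13

type LifetimeFinding struct {
	Name     string
	Lifetime time.Duration // remaining lifetime measured from observation
	Exceeds  bool          // true when the expiry lies beyond 13 months
}

// ExceedsLimit compares one cookie expiry, however it was obtained (Set-Cookie
// header or the browser's cookie store), against 13 months from observedAt.
func ExceedsLimit(observedAt, expiry time.Time) bool {
	return expiry.After(observedAt.AddDate(0, MaxLifetimeMonths, 0))
}

// CheckSetCookieLifetimes parses raw Set-Cookie header values with Go's
// net/http cookie parser and flags persistent cookies that outlive the limit.
// Max-Age wins over Expires, as RFC 6265 requires; session cookies are skipped.
func CheckSetCookieLifetimes(setCookie []string, observedAt time.Time) []LifetimeFinding {
	resp := &http.Response{Header: http.Header{}}
	for _, v := range setCookie {
		resp.Header.Add("Set-Cookie", v)
	}
	var out []LifetimeFinding
	for _, c := range resp.Cookies() {
		var expiry time.Time
		switch {
		case c.MaxAge > 0:
			expiry = observedAt.Add(time.Duration(c.MaxAge) * time.Second)
		case !c.Expires.IsZero():
			expiry = c.Expires
		default:
			continue // session cookie, discarded when the browser closes
		}
		out = append(out, LifetimeFinding{
			Name:     c.Name,
			Lifetime: expiry.Sub(observedAt),
			Exceeds:  ExceedsLimit(observedAt, expiry),
		})
	}
	return out
}

// Offenders returns only the cookie names that exceed the 13-month limit.
func Offenders(findings []LifetimeFinding) []string {
	var names []string
	for _, f := range findings {
		if f.Exceeds {
			names = append(names, f.Name)
		}
	}
	return names
}

// Constructed observation time and Set-Cookie values (not real scan data).
// The _ga entry carries the two-year default expiry the article describes.
var observedAt = time.Date(2026, time.April, 10, 0, 0, 0, 0, time.UTC)

var sampleSetCookie = []string{
	"PHPSESSID=7f3a9c; Path=/; HttpOnly; Secure",
	"_ga=GA1.1.123456789.1712700000; Expires=Mon, 10 Apr 2028 00:00:00 GMT; Path=/; Domain=.example.eu",
	"_fbp=fb.1.1712700000.42; Max-Age=7776000; Path=/; Domain=.example.eu",
	"consent_prefs=rejected; Max-Age=31536000; Path=/; Secure; SameSite=Lax",
}

func main() {
	findings := CheckSetCookieLifetimes(sampleSetCookie, observedAt)
	for _, f := range findings {
		fmt.Printf("%-14s lifetime=%4.0f days exceeds13m=%t\n", f.Name, f.Lifetime.Hours()/24, f.Exceeds)
	}
	fmt.Println("offenders:", Offenders(findings))
}
```

Running this against the constructed input flags only `_ga`; the 365-day consent preference cookie and the 90-day `_fbp` cookie sit inside the 13-month window. For the `_ga` fix itself, gtag.js exposes the lifetime as the `cookie_expires` configuration value (in seconds), which is what step 3 asks you to lower.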

Limitations

What this study can and cannot tell you:

What it measures well: Pre-consent behavior, cookie inventories, network requests to known tracking domains, banner presence and structure, reject-flow outcomes, and cookie lifetimes. These are objective, evidence-based measurements recorded from real browser behavior.

What it measures imperfectly: CMP detection is not 100% comprehensive. Sites using consent solutions not in our 45-CMP library may be miscategorized as having no banner. GeoIP-dependent banners may display differently based on the scanner's network location. Single-page applications that manage consent in client-side state without DOM changes are harder to assess. Some sites detect automated browsers and alter their behavior accordingly (we found 137 doing this deliberately).

What it does not measure: Legitimate interest claims (which require legal rather than technical assessment), the quality of privacy policies, whether consent records are properly stored, or whether data processing activities are proportionate. These are important compliance dimensions that are not observable from browser behavior alone.

The 14.9% inconclusive rate covers sites where we could not reach a reliable technical determination.


Check your own website. Run a free scan at gdprprivacymonitor.eu and see exactly what happens before, during, and after consent on your site. The scanner produces the same evidence shown in this study -- pre-consent snapshots, cookie inventories, reject-flow results, and risk classification -- for any URL you submit.
