Original research, updated June 2026

Most European webshops track you before you agree

We ran 388 scans on 310 European webshops, loading each one the way an ordinary visitor does. On 76 percent of those scans, tracking fired before anyone clicked accept. Here are the full numbers.

76% of scans leaked tracking before consent
388 scans across 310 webshops
2,515 tracking requests fired before consent
8.6 average trackers per leaking scan

What we measured

Every site in this set was loaded once with an automated browser (Playwright, via the open source consentcrawl engine) from a European IP address, exactly the way a first-time visitor arrives. We did not click the cookie banner. We did not accept or reject anything.

We then recorded every third party request that left the browser before any consent choice was made. Requests to the consent banner itself, and strictly necessary infrastructure, are excluded. What remains is tracking that should not have loaded yet under the GDPR.

The set is 388 scans of 310 distinct websites between 12 May and 25 June 2026. It is a running sample of sites people asked us to check, not a random national sample, so read it as a strong directional signal rather than an exact census.
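The filtering step described above, as an added example that is not consentcrawl's code or ours from the scanner: it takes the request URLs captured during a page load where nobody touched the banner, drops first-party and consent-banner requests, and counts what remains per vendor. The domain lists, the function names and the sample log are assumptions made for illustration, and first-party matching is simplified to a suffix check instead of a public suffix list.

```python
from collections import Counter
from urllib.parse import urlsplit

# Illustrative domain lists (assumptions, not consentcrawl's own rule set).
TRACKERS = {
    "googletagmanager.com": "Google Tag Manager / gtag",
    "doubleclick.net": "Google Ads",
    "clarity.ms": "Microsoft Clarity",
    "hotjar.com": "Hotjar",
    "connect.facebook.net": "Meta Pixel",
    "google-analytics.com": "Google Analytics",
}
CONSENT_BANNER = ("cookiebot.com", "cookielaw.org", "usercentrics.eu")

def under(host, domain):
    """True if host is domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def pre_consent_trackers(site_host, request_urls):
    """Count tracker requests per vendor in a no-interaction page load."""
    site = site_host[4:] if site_host.startswith("www.") else site_host
    hits = Counter()
    for url in request_urls:
        host = (urlsplit(url).hostname or "").lower()
        if not host or under(host, site):
            continue  # first-party request (simplified: no public suffix list)
        if any(under(host, d) for d in CONSENT_BANNER):
            continue  # the banner itself is excluded, as in the methodology
        for domain, vendor in TRACKERS.items():
            if under(host, domain):
                hits[vendor] += 1
                break  # one vendor per request
    return hits

# Constructed request log for a hypothetical shop; nobody clicked the banner.
SAMPLE = [
    "https://www.shop.example/",
    "https://cdn.shop.example/app.js",
    "https://consent.cookiebot.com/uc.js",
    "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX",
    "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX",
    "https://www.clarity.ms/tag/xxxxxxxx",
    "https://notclarity.ms.example.net/x.js",  # look-alike host, must not match
]

if __name__ == "__main__":
    print(dict(pre_consent_trackers("www.shop.example", SAMPLE)))
```

A scan counts as leaking when the returned counter is non-empty.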

The trackers we saw most often before consent

Counted across the 294 scans that leaked. Percentages are the share of those scans where each tracker fired before consent.

Tracker                      Scans   Share of leaking scans
Google Tag Manager / gtag    203     69%
Google Ads                   138     47%
Microsoft Clarity            88      30%
HubSpot                      84      29%
Microsoft Bing Ads           57      19%
Hotjar                       53      18%
Meta Pixel                   42      14%
Google Analytics             30      10%
Klaviyo                      30      10%
AdRoll                       24      8%

Why this matters

A cookie banner is a user interface element. Compliance is about what the browser actually does before a visitor touches that banner. Loading Google Ads, Meta Pixel, analytics or session recording before consent is a GDPR violation, and in the Netherlands the Autoriteit Persoonsgegevens has grown noticeably more active about exactly this.

Most of these leaks are not deliberate. They come from a tag that loads regardless of consent, a consent manager that initialises after the tag manager, or consent defaults that were never set to denied. Ordinary misconfigurations, easy to miss, easy to fix once you can see them.

Check your own site

You can verify your own site in under a minute. Our scanner loads your page like a real visitor and lists exactly which trackers fire before consent, and which vendor each one belongs to. No account, no sales call.

How to cite this

You are welcome to quote these figures with a link back. Suggested citation:

ConsentChecker (2026). The state of cookie consent on European webshops. 388 scans across 310 sites, 76 percent leaked tracking before consent. https://consentchecker.eu/en/research

Working on a story or want the underlying breakdown? Email info@consentchecker.eu.