Most companies today use a CMP. Many display a cookie banner. Most think they’re covered.
But here’s the uncomfortable truth: If your cookies aren’t blocked until after consent, you’re not compliant.
That’s not a legal grey area – it’s a hard requirement under GDPR and the ePrivacy Directive.
And yet right now, the vast majority of websites are still collecting personal data before users have consented.
This isn’t about bad intent. It’s about a common – and costly – misunderstanding: That installing a CMP automatically solves the problem.
But compliance doesn’t come from the banner. It comes from the behavior behind it.
We scanned 4,000 of the most visited websites. Here's what we found
Back in 2024, we analyzed the 1,000 most visited company websites in each of four markets: Denmark, Sweden, Norway, and the UK.
International platforms like Google and Facebook were excluded.
Our goal: Check how many of these websites load non-essential cookies before the user gives consent.
The results:
Cookies prior to user consent
% of websites setting cookies prior to user consent in different markets
That means 3 out of 4 high-traffic company websites were still firing cookies and trackers before the user clicks “Accept.” Often without even realizing it.
Since 1 January 2024, over 3,000 users have run a scan using our Compliance Check tool. And when analyzing the results, the numbers look slightly better.
Among them, 59.08% of websites were still setting cookies before user consent.
Better, but still not great. So what’s going wrong?
Where the assumption breaks: CMP ≠ automatic blocking
The confusion is understandable. Most teams assume that installing a CMP takes care of everything – cookies included.
But the reality is more nuanced.
A cookie banner is the interface. Compliance depends on what actually happens behind the scenes.
If your site loads third-party services like Meta Pixel, Google Analytics, YouTube, or Hotjar before consent, you’re not compliant – even if your CMP is technically active.
What the law actually requires
Under GDPR and the ePrivacy Directive, the requirements for setting cookies are as follows:
- Non-essential cookies (e.g. marketing, statistics) must be blocked until explicit, opt-in consent is given.
- Consent must be freely given, informed, and documented.
- Only strictly necessary cookies are allowed to load before consent.
If you’re collecting any user data before opt-in – through trackers, pixels, or embeds – your site is exposed.
And regulators are enforcing:
- CNIL (French DPA) fined Google €100 million and Amazon €50 million for failing to block cookies properly before consent was given.
- Datatilsynet (Danish DPA) has issued specific guidance requiring prior blocking as part of lawful consent.
- Datatilsynet (Norwegian DPA) has launched audits and emphasized that cookie placement before opt-in violates both GDPR and ePrivacy.
How Cookie Information helps you get this right
Cookie Information CMP is built to meet both legal and technical requirements – including prior cookie blocking.
But like all compliance tools, effectiveness depends on proper setup.
First-party cookies? Blocked by default until user consent is given.
Third-party cookies? You’ll need to configure them to respect consent using our Cookie Control SDK. This ensures external services don’t fire without permission. It’s a quick integration. Fully documented. And fully compliant.
Already a Cookie Information user?
- Follow our step-by-step guide to block third-party cookies.
- If you’re unsure about your setup, you can always reach out to our support at support@cookieinformation.com
How to check if your site is leaking cookies
There are two ways to find out if your setup is exposing you:
- Run a scan with our Compliance Check tool: Fast, free, and only requires your email (so we can send the results to you).
- Manually inspect your site: Follow the short guide below.
Guide: How to check if your CMP blocks third-party cookies before consent
Here’s how you can check if it’s working as it should:
- Open your website in a private or incognito window.
This helps you start with a clean slate – no cookies stored, no previous consents given. - Do not interact with the cookie banner.
Avoid clicking “Accept” or “Reject”. Just let the banner sit there while you check what’s loading. - Open the developer tools in your browser.
Right-click anywhere on the page and choose “Inspect” or press Ctrl+Shift+I (Windows) or Cmd+Option+I (Mac). - Go to the “Application” tab and click on “Cookies” in the left menu.
- Check the list of cookies set.
Look through the list of domains under “Cookies”. If you see cookies from domains other than your own (like Google, Facebook, LinkedIn, or similar), those are third-party cookies. - If third-party cookies appear before you click anything on the banner, your CMP might not be blocking them correctly.
You’ll want to investigate further or talk to your CMP provider.
Optional recommended steps:
- Run the test on all pages where you use tracking scripts.
- Try it on different browsers to catch variations in behavior.
Don’t let assumptions become risk
You’ve invested in a CMP. You’re doing your part. But don’t stop short.
Because until every tracker is blocked by default, you’re not protected.
If your cookies are still loading early, you’re not protecting your users. And you’re not legally covered.
The good news?
The fix is simple – and fully supported by Cookie Information.
Take five minutes. Check your setup. And make sure your CMP is not just present – but working as intended.
TL;DR
- 70–84% of top company websites still set cookies before consent
- Most assume their CMP handles it automatically – but third-party blocking requires setup
- Cookie Information blocks first-party cookies by default
- For third-party services, use the SDK
- Run a scan or check your cookies manually to make sure you’re covered
