The cookie compliance paradox: why millions of EU websites still violate placement rules
- about 3 hours ago
- 4 min read
Despite EU laws requiring user consent before placing non-essential cookies, millions of European business websites violate these rules. A Dataprovider analysis of over 14 million domains found that 56% place cookies by default, and 9% install tracking cookies without consent. Even among sites using compliance tools, 15% still breach regulations. The widespread use of banners masks systemic implementation failures, with enforcement remaining rare despite the scale of violations.
The banner everyone clicks through
You see the cookie banner. You click "Accept All" without reading. You move on with your
day. This ritual happens billions of times across European websites, yet our latest analysis
reveals a troubling reality: the vast majority of these banners exist to comply with a law that
millions of websites actively violate.
The European cookie law, in effect since 2011, established clear rules for the 27 EU member
states. Websites must obtain explicit user consent before placing non-essential cookies for
advertising, analytics, or profiling. The intent was simple - protect user privacy by giving
people control over their digital footprint. The implementation, however, tells a different
story.
Using Dataprovider's monthly web crawling infrastructure, we analyzed cookie placement
behavior across 14.2 million domains operated by companies in EU member states. What we
discovered challenges the assumption that cookie compliance software and regulatory
frameworks have solved the privacy problem.
The scale of European business websites
Our analysis identified 14,242,935 domains belonging to companies across the 27 EU
member states. These aren't just any websites - these are business domains where
Dataprovider successfully identified the operating company and its name, representing the
commercial web presence of European enterprises.
The distribution reveals the economic weight of major European markets:
Germany dominates with nearly one-third of all identified business domains, followed by
France, the Netherlands, and Italy. The remaining 17 countries account for roughly 25% of
the total, reflecting both population sizes and digital economy maturity across the union.
The baseline: cookie placement across EU websites
Of these 14.2 million business domains, our crawler detected cookie placement on 8,044,023
websites representing 56% of all identified business sites. The methodology here matters:
Dataprovider renders each website using a headless browser that cannot click "Accept" on
cookie banners like a human would. Any cookie our crawler receives represents what
websites place by default before user interaction.
Off course not all cookie placement constitutes a violation. Functional cookies necessary for
website operation are permitted without user approval. However, the scale of cookie
placement provides important context for understanding compliance behavior across the EU.
The geographic distribution of cookie placement reveals significant variations:
Slovenia leads with a 76% cookie placement rate, while Lithuania and Belgium both exceed
70%. Germany maintains the lowest rate at 43%, with Austria at 52%. These figures reflect
the proportion of business websites placing cookies by default, though not all necessarily
violate consent requirements. The variation across member states likely reflects differences in
website complexity, business models and technical implementation approaches rather than
compliance culture alone.
The tracking cookie problem
Not all cookies require consent. Functional cookies necessary for website operation are
permitted without user approval. Statistical cookies occupy a gray area, with requirements
varying by jurisdiction based on what data is collected, shared, and tracked.
To focus on clear violations, we examined placement of tracking cookies from major
platforms: Meta, Microsoft, LinkedIn, TikTok, Vimeo, HubSpot and Shopify. These cookies
unambiguously require prior consent under EU law. Our findings: 1,281,670 company
websites place these tracking cookies without obtaining user permission.
This represents 9% of all EU business websites and 16% of websites that place any cookies.
These are definitive violations. Marketing and analytics cookies from major platforms that EU
law explicitly requires consent to deploy. The country-by-country breakdown reveals
consistent patterns:
France leads in absolute numbers with nearly 184,000 violations, followed by Germany with
164,000 and Italy with 160,000. However, violation rates relative to total domains tell a
different story. Lithuania shows the highest violation rate at 16% of its business domains
placing unauthorized tracking cookies followed by Romania at 15.8% and Bulgaria at 15.2%.
Germany's violation rate remains the lowest at 4.0%.
The enforcement gap becomes visible here. France issued a €150 million fine to Shein for
cookie violations in 2024, yet French websites show the highest absolute violation count in
our data. Spain fined SEAT €20,000 for improper cookie placement, while the Netherlands
penalized Coolblue €40,000 for pre-checked cookie consent boxes. These enforcement
actions, while notable, represent a tiny fraction of the violations our data reveals.
The compliance software paradox
Perhaps the most striking finding emerges when examining websites using cookie compliance
software. Among EU business domains 2,700,425 websites implement specialized
compliance tools representing 19% of all business sites. The top platforms include:
These tools exist specifically to help websites comply with cookie regulations. They provide
banner interfaces, consent management and technical controls to prevent cookie placement
before user approval. Yet when we examined websites using these compliance tools we found
413,739 still placing non-essential cookies without consent.
This represents 15% of all websites with compliance software meaning one in seven sites that
invested in compliance tools still violates placement rules. The software exists, the banner
displays, yet the technical implementation fails to prevent unauthorized cookie placement.
What the numbers reveal
The data reveals a system where regulatory requirements exist, compliance tools
proliferate yet violations persist. Installing compliance software doesn't guarantee
correct configuration.
Websites must properly categorize cookies and ensure banners appear before non-
essential placement with technical errors occurring at any step. Third-party marketing
and analytics scripts often fire automatically before consent mechanisms activate,
while testing gaps emerge when websites only test with accepted cookies rather than
declined scenarios.
With millions of potential violations and rare enforcement actions, the regulatory intent
of protecting user privacy through informed consent gets lost in implementation
complexity. Internet users face the daily ritual of clicking through cookie banners that
few genuinely appreciate, knowing that many cookies get placed anyway regardless of
their choice. For now, we navigate this imperfect system and live with its frustrations.
Perhaps future regulations will bring meaningful change, either eliminating these
banners entirely or ensuring their implementation actually works as intended.