69% of Top Websites Fire Trackers Before You Consent
Vaclav Ras
Seven out of ten websites start tracking you before you click "Accept." That is the headline finding from our automated compliance scan of 100 popular websites across five regions — Czech Republic, Slovakia, Germany, Austria, and international (.com) domains.
This is not a theoretical risk. Under GDPR and the ePrivacy Directive, loading analytics or advertising scripts before a user has given explicit consent is a violation. Yet our data shows that this practice remains widespread, even among household-name brands.
Methodology
We scanned each website using an automated headless Chromium browser running from an EU-based server. Every scan started with a clean browser profile — no cookies, no cached data, no prior consent state. The scanner monitored all network requests across four consent phases: before any interaction with the consent banner, after accepting consent, after rejecting consent, and after page reloads in both states.
Each detected third-party vendor was classified by category (analytics, advertising, functional) and its first network request was timestamped relative to the consent interaction. A vendor firing before the user interacted with the consent banner is flagged as a pre-consent violation. Final compliance scores (0–100) and letter grades (A–F) were calculated based on vendor behavior, banner detection, Google Consent Mode implementation, and violation severity.
Overall Results
Out of 100 scanned websites, the average compliance score was 81.5 out of 100. While that sounds reasonable, the grade distribution tells a different story:
| Grade | Sites | Share |
|---|---|---|
| A | 44 | 44% |
| B | 16 | 16% |
| C | 20 | 20% |
| D | 14 | 14% |
| F | 2 | 2% |
Nearly 4 in 10 websites scored a C or worse. The two F-grade sites — eBay.com (25 points) and Welt.de (30.7 points) — showed severe compliance failures with multiple tracking vendors firing without any consent.
Average Score by Region
| Region | Sites | Avg. Score | Violation Rate |
|---|---|---|---|
| Austria (.at) | 20 | 90.3 | 55% |
| Germany (.de) | 19 | 89.7 | 42% |
| International (.com) | 20 | 82.6 | 55% |
| Slovakia (.sk) | 19 | 74.2 | 100% |
| Czech Republic (.cz) | 20 | 70.6 | 100% |
German-speaking markets led in compliance scores, while Central European websites showed universal pre-consent violations despite relatively high Consent Mode adoption.
Pre-Consent Violations
The core finding: 69 out of 100 websites (69%) loaded at least one tracking vendor before the user interacted with the consent banner. In the Czech and Slovak markets, every single scanned website fired trackers before consent.
This does not mean these sites lack consent banners — 90 out of 100 had a detectable cookie banner. It means the banners are decorative: scripts load regardless of whether the user has consented.
Top Vendors Firing Before Consent
| Vendor | Category | Sites |
|---|---|---|
| Google Tag Manager | Functional | 62 |
| Google Analytics 4 | Analytics | 24 |
| Meta Pixel | Advertising | 11 |
| Seznam Sklik | Advertising | 10 |
| Criteo | Advertising | 9 |
| Google Ads | Advertising | 6 |
| Adobe Launch | Functional | 5 |
| Microsoft Clarity | Analytics | 4 |
| Matomo | Analytics | 3 |
| Adobe Analytics | Analytics | 3 |
| Exponea | Analytics | 3 |
| Heureka | Advertising | 3 |
| Pinterest Tag | Advertising | 2 |
| Hotjar | Analytics | 2 |
| TikTok Pixel | Advertising | 2 |
Google Tag Manager appeared on 62 sites before consent — making it the single most common pre-consent script. While GTM itself is a tag container (not a tracker), loading it before consent typically means all tags configured inside it also fire before consent. GA4, the second most frequent offender, appeared on 24 sites.
Advertising trackers are particularly problematic from a legal standpoint: Meta Pixel (11 sites), Seznam Sklik (10 sites), and Criteo (9 sites) all set cookies and send user data to third-party servers without consent.
Cookie Banner Detection
Of the 100 scanned sites, 90 (90%) had a detectable consent banner. The remaining 10 either did not display a banner or used a non-standard implementation that could not be detected programmatically.
Banner detection does not equal compliance. As shown above, the majority of sites with banners still fired trackers before users had a chance to interact with them.
Google Consent Mode v2
Adoption of Google Consent Mode v2 was high: 96 out of 100 sites (96%) had it implemented. This is likely driven by Google's enforcement deadlines, which required Consent Mode for continued use of Google Ads and GA4 features in the EEA.
However, Consent Mode adoption did not correlate with actual compliance. The Czech Republic had 100% Consent Mode adoption but also 100% pre-consent violation rates. This suggests that many implementations are incomplete — the default consent state may not be set to "denied," or the tag configuration does not respect consent signals.
| Region | Consent Mode Adoption | Violation Rate |
|---|---|---|
| Czech Republic | 100% (20/20) | 100% |
| Austria | 100% (20/20) | 55% |
| International (.com) | 95% (19/20) | 55% |
| Slovakia | 100% (19/19) | 100% |
| Germany | 89% (17/19) | 42% |
Violation Severity
Across all 100 sites, we recorded 134 total violations: 26 critical and 108 warnings. Critical violations typically involved tracking scripts loading entirely without consent, while warnings indicated issues like missing Consent Mode default states or incomplete consent signal handling.
Best and Worst Performers
Top 5 (score 100, grade A):
- Česká spořitelna (csas.cz) — Czech Republic
- GMX.at — Austria
- Profesia.sk — Slovakia
- Česká televize (ceskatelevize.cz) — Czech Republic
- Tripadvisor.com — International
These sites demonstrated full compliance: no pre-consent tracking, proper banner implementation, and correct Consent Mode configuration.
Bottom 5:
| Site | Region | Score | Grade |
|---|---|---|---|
| eBay.com | International | 25 | F |
| Welt.de | Germany | 30.7 | F |
| Expedia.com | International | 40 | D |
| Airbnb.com | International | 40 | D |
| iDNES.cz | Czech Republic | 51 | D |
Regional Insights
Czech Republic — All 20 top Czech websites fired at least one tracker before consent, despite universal Consent Mode adoption and banner presence (19/20). The average score of 70.6 was the lowest among all regions. The Czech market appears to treat consent banners as a formality rather than a functional gate.
Slovakia — A pattern similar to the Czech Republic: 100% violation rate with an average score of 74.2. All 19 scanned Slovak sites loaded tracking scripts before consent. Despite this, Profesia.sk stood out as a perfect scorer, proving compliance is achievable.
Germany — The best-performing region by violation rate (42%), though Welt.de dragged down the average with an F grade. German sites benefit from stricter regulatory enforcement and higher awareness of GDPR requirements.
Austria — High average scores (90.3) paired with a 55% violation rate. Austrian sites generally implemented consent mechanisms correctly, though more than half still had at least one vendor slipping through before consent.
International (.com) — A mixed bag. Tripadvisor scored a perfect 100, while eBay (25) and Expedia (40) ranked among the worst performers overall. Large international platforms often have complex tag management setups that make consistent consent gating harder to enforce.
Recommendations
If your website appears in this study — or uses similar tracking setups — here is what to check:
- Audit your tag firing order. Open DevTools, clear cookies, and reload. If you see network requests to analytics or advertising endpoints before interacting with the banner, you have a violation.
- Set Consent Mode defaults to "denied." Many implementations miss this step. Without explicit default denial, tags fire in their default (consent-granted) state.
- Do not load GTM before consent unless your GTM container is configured to respect consent signals. A tag container that fires all tags on page load defeats the purpose of a consent banner.
- Test the reject flow. Many sites only test the "accept" path. Verify that rejecting consent actually blocks tracking requests — both on the initial page and after reload.
- Automate compliance monitoring. Manual checks catch issues once. Automated scans catch regressions every time a tag or CMP configuration changes.
About This Study
This analysis was conducted using AnalyticsProof, an automated compliance monitoring platform. The data comes from our public leaderboard, which scans 100 websites across five regions on a regular schedule.
You can run a free scan of your own website at analyticsproof.com or explore the full leaderboard results at analyticsproof.com/leaderboard.
Stay Updated
Get the latest articles on analytics compliance delivered to your inbox.