What we found
Of 23 well-known EU websites we scanned, 2 blocked the automated scanner and were excluded, leaving 21 we could analyze. On 20 of those 21, non-essential cookies or trackers fired on the very first page load - before any banner interaction, before any "Accept". The median offending site loaded 11 to 12 such items before consent; the heaviest loaded 73.
| Measure | Result |
|---|---|
| Sites scanned (completed) | 23 |
| Bot-blocked the scanner (excluded) | 2 |
| Analyzable | 21 |
| Fired non-essential cookies/trackers before consent | 20 (95%) |
| High risk (heavy or marketing trackers pre-consent) | 8 (38%) |
| At risk (some non-essential pre-consent) | 12 (57%) |
| Compliant (nothing non-essential pre-consent) | 1 (5%) |
| Set third-party items pre-consent | 9 (43%) |
| Pre-consent items per offending site | median ~11-12, max 73 |
We report aggregates only and do not name individual sites. Anyone can reproduce a single result with the free scanner below - it shows the same before/after-consent breakdown.
Switch in minutes - it’s freeNo credit card · Unlimited sites and page-views
Start for freeHow we tested
We loaded each homepage in a real headless browser with the free KookiOk cookie scanner, recorded every cookie and tracker that fired on first paint (before any consent choice), then simulated accepting and recorded again. Each item is flagged as fired-before-consent or not.
The sample was a convenience sample of 23 well-known EU consumer websites across eight countries (Germany, Czechia, the Netherlands, France, Spain, Italy, Poland and Belgium) and several sectors - news and publishing, e-commerce, classifieds and portals. It deliberately skews toward larger, ad-funded sites, so it is a signal about widely used EU sites, not a representative measure of all EU businesses or SMEs.
A site counts as tracking before consent if at least one non-essential cookie or tracker fired before any consent interaction. Two sites detected and blocked the scanner; we exclude them because their behaviour cannot be measured reliably. The numbers are a snapshot taken on 23 June 2026; sites change their banners often.
Snapshot scanned 23 June 2026 with the free KookiOk cookie scanner. Convenience sample of well-known EU sites - not a random or SME-representative sample - so read it as a signal, not a national statistic.
Why loading trackers before consent breaks the rules
Under the GDPR and the ePrivacy Directive, only strictly necessary cookies may load before the visitor agrees. Everything else - analytics, advertising, social widgets, fingerprinting - has to wait for opt-in. The EDPB's Guidelines 05/2020 add that rejecting must be as easy as accepting, and that scrolling or continuing to browse is not valid consent.
Pre-consent tracking is exactly what regulators act on. France's CNIL and other EU data-protection authorities have issued repeated, multi-million-euro fines for cookies dropped before consent and for banners that make rejection harder than acceptance.
In most cases it is not malice - it is an implementation gap. The site has a banner, but the tags fire on page load anyway because nothing actually blocks them until the visitor clicks. That is the difference between a banner that looks compliant and one that is.
How to check - and fix - your own site
Run your own site through the free cookie scanner (no signup). If it shows tags firing before consent, you need prior-consent blocking: a banner that keeps non-essential scripts inert until the visitor opts in, rather than one that just sits on top of trackers that already ran.
KookiOk does this for free, with no page-view or site limits - see how it compares to other cookie consent tools. The point of this study is the problem, though, not the pitch: whatever tool you use, the test is simple - does anything non-essential load before the choice is made?
Frequently asked questions
Do most websites track you before you consent?
In our June 2026 scan of 21 popular EU websites, 95% loaded non-essential cookies or trackers before the visitor made any consent choice. It is a small convenience sample, but it matches what regulators keep finding: many sites have a banner that does not actually block anything until you click.
Is it illegal to load cookies before consent in the EU?
For non-essential cookies, yes. The GDPR and the ePrivacy Directive require prior consent before analytics, advertising or other non-essential cookies load. Only strictly necessary cookies are exempt. Regulators such as the CNIL have fined sites for pre-consent tracking.
How do I stop my site from tracking before consent?
You need prior-consent blocking: a consent banner that keeps non-essential scripts and storage inert until the visitor opts in, instead of letting them run on page load. Scan your site first to see what fires before consent, then block those tags until consent.
How did you measure this?
We loaded each homepage in a real headless browser with the free KookiOk cookie scanner, recorded everything that fired before any consent interaction, then simulated accepting and recorded again. It is a convenience sample of 23 well-known EU sites (21 analyzable, 2 bot-blocked), scanned on 23 June 2026.
