45672 sites analysed

EU Privacy & Cookie Compliance Report

Pre-consent data transfers, cookie consent, CMP adoption across 45802 EU websites — measured, not estimated.

51%

Cookie banner detected

28%

Reject option available

19%

High-risk pre-consent

40%

EU-headquartered hosting

In this report

Cookie Compliance CMP Market Share Pre-Consent Transfers Data Residency & Schrems II

Cookie Compliance

42642 sites scanned · ePrivacy / TTDSG

Cookie consent requires a valid legal basis under ePrivacy Directive 2002/58/EC Art. 5(3) and GDPR Art. 6/7. In Germany, TTDSG § 25 transposes these requirements. A compliant banner must offer equally prominent accept and reject options, and no tracking cookies may be set before consent.

51%

Banner detected

28%

Reject option

Consent withdraw

21%

Google Consent Mode

19%

GCM v2 compliant

20%

GCM default denied

IAB TCF detected

TCF preset consent

Google Consent Mode Analysis

Of sites using Google Consent Mode, 92% have upgraded to v2 (mandatory since March 2024). GCM v2 with default 'denied' is Google's recommended approach for GDPR-compliant use of Analytics and Ads — tags defer data collection until user consent.

21%

use GCM

92%

of those: v2

20%

default denied

Note: GCM controls tag behavior but not resource loading. The gtag.js script itself still transfers the user's IP address. For full Art. 44 compliance, use server-side GTM on a first-party domain.

3.9

Avg cookies / site

2.8

Avg third-party scripts

3.9

Avg pre-consent

6.7

Avg issues

CMP Market Share

1264 sites with detected CMP

Consent Management Platforms (CMPs) implement the cookie consent requirements of ePrivacy Directive 2002/58/EC and GDPR. A CMP's quality directly affects legal compliance — misconfigured banners are a leading cause of GDPR enforcement actions.

Consent Management Platform distribution across 1264 sites with detected CMP

Cookiebot

47.9% (606)

OneTrust

19.5% (246)

CookieConsent

5.1% (65)

Cookie Bar Wp

3.6% (46)

Usercentrics

2.8% (36)

TCF CMP #NaN

2.6% (33)

Cookie Consent (Osano)

2.5% (31)

Quantcast

2.4% (30)

iubenda

2.4% (30)

Klaro

2.1% (27)

TCF CMP #7

1.9% (24)

Consentmanager

1.8% (23)

Cookie Information

1.0% (13)

Sourcepoint

0.9% (12)

Didomi

0.9% (11)

Complianz

0.7% (9)

TCF CMP #2

0.5% (6)

CookieFirst

0.5% (6)

TrustArc

0.4% (5)

TCF CMP #332

0.4% (5)

Data Residency & Schrems II

42463 sites with hosting data

GDPR Art. 28 requires processor agreements specifying data location. Art. 44-49 govern international transfers — the CLOUD Act gives US authorities access to data held by US companies regardless of server location. Schrems II (CJEU C-311/18) invalidated Privacy Shield and requires supplementary measures for US transfers.

62%

Hosted in EU/EEA

40%

Hosted outside EU

46%

Hosted domestically

Top hosting countries

33.9%

13.8%

5.6%

4.1%

2.9%

2.8%

2.7%

2.6%

2.5%

2.4%

Top hosting providers

CLOUDFLARENET - Cloudflare, Inc. 6334 14.9%

AMAZON-02 - Amazon.com, Inc. 3917 9.2%

HETZNER-AS 1960 4.6%

MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation 1352 3.2%

OVH 1317 3.1%

GOOGLE-CLOUD-PLATFORM - Google LLC 857 2.0%

IONOS-AS This is the joint network for IONOS, Fasthosts, Arsys, 1&1 Mail and Media and 1&1 Telecom. Formerly known as 1&1 Internet SE. 741 1.7%

FASTLY - Fastly, Inc. 593 1.4%

AKAMAI-ASN1 545 1.3%

COMBELL-AS 540 1.3%

Company headquarters

40%

EU-headquartered provider

60%

Non-EU provider (CLOUD Act / Schrems II)

Cloudflare (US) 6719 15.8%

Amazon Web Services (US) 4069 9.6%

Hetzner (DE) 1964 4.6%

Google Cloud (US) 1390 3.3%

Microsoft Azure (US) 1344 3.2%

OVHcloud (FR) 1317 3.1%

Akamai (US) 757 1.8%

IONOS (1&1) (DE) 741 1.7%

Fastly (US) 592 1.4%

Combell (BE) 540 1.3%

Server location via IP geolocation (MaxMind GeoLite2). Company HQ from ASN registry. A site may be physically hosted in the EU but use a US-headquartered provider subject to the CLOUD Act — per Schrems II (CJEU C-311/18), this requires SCCs with supplementary measures. · GDPR Art. 44–49

Methodology

How this data was collected and what it represents.

All data is collected through automated, non-intrusive scans of publicly accessible websites. No login credentials are used, no forms are submitted, and no private data is accessed.

Cookie consent mechanisms are tested using a headless browser (Playwright). We load each site without interacting with any consent banner and record all cookies set, third-party requests made, and resources loaded before any user interaction — capturing the pre-consent state.

CMP detection identifies the Consent Management Platform in use (e.g., Cookiebot, OneTrust, Usercentrics) via script signatures, DOM elements, and API endpoints. Google Consent Mode and IAB TCF framework support are detected through JavaScript API probing.

Pre-consent data transfers are classified by risk level based on the receiving company's jurisdiction, data processing scope, and whether an EU-based alternative exists. High-risk transfers involve US-based services without adequate safeguards.

Hosting data is determined via IP geolocation (MaxMind GeoLite2) for server location and ASN registry lookups for provider company headquarters.

No individual sites are named. All statistics are aggregated and anonymised. Regulatory references indicate which requirements relate to each finding — they do not assert non-compliance of any specific organisation.

Where does your website stand?

Run a free privacy scan and see how your cookie consent, pre-consent transfers, and hosting compliance compare — in 30 seconds, no account needed.

Scan your website now Full security report

Based on automated scans of 45672 European websites. Updated continuously.