816013 sites analysed

EU Privacy & Cookie Compliance Report

Pre-consent data transfers, cookie consent, CMP adoption across 816013 EU websites — measured, not estimated.

45%

Cookie banner detected

21%

Reject option available

16%

High-risk pre-consent

55%

EU-headquartered hosting

In this report

Cookie Compliance CMP Market Share Pre-Consent Transfers Data Residency & Schrems II

Cookie Compliance

702465 sites scanned · ePrivacy / TTDSG

Cookie consent requires a valid legal basis under ePrivacy Directive 2002/58/EC Art. 5(3) and GDPR Art. 6/7. In Germany, TTDSG § 25 transposes these requirements. A compliant banner must offer equally prominent accept and reject options, and no tracking cookies may be set before consent.

45%

Banner detected

21%

Reject option

Consent withdraw

11%

Google Consent Mode

11%

GCM v2 compliant

11%

GCM default denied

IAB TCF detected

TCF preset consent

Google Consent Mode Analysis

Of sites using Google Consent Mode, 93% have upgraded to v2 (mandatory since March 2024). GCM v2 with default 'denied' is Google's recommended approach for GDPR-aligned use of Analytics and Ads — tags defer data collection until user consent.

11%

use GCM

93%

of those: v2

11%

default denied

Note: GCM controls tag behavior but not resource loading. The gtag.js script itself still transfers the user's IP address. For full Art. 44 compliance, use server-side GTM on a first-party domain.

2.2

Avg cookies / site

1.1

Avg third-party scripts

2.2

Avg pre-consent

4.7

Avg issues

CMP Market Share

20719 sites with detected CMP

Consent Management Platforms (CMPs) implement the cookie consent requirements of ePrivacy Directive 2002/58/EC and GDPR. A CMP's quality directly affects legal compliance — misconfigured banners are a leading cause of GDPR enforcement actions.

Consent Management Platform distribution across 20719 sites with detected CMP

Complianz

34.1% (7063)

Cookiebot

27.2% (5637)

OneTrust

9.5% (1969)

CookieScript

6.7% (1382)

Funding Choices

3.6% (755)

Didomi

3.2% (658)

Klaro

2.9% (603)

Automattic, Inc.

2.5% (526)

iubenda

2.0% (424)

TCF CMP #258

1.7% (344)

Consentmanager

1.3% (271)

Usercentrics

1.3% (270)

SIRDATA

1.0% (217)

AppConsent by SFBX®

1.0% (213)

TCF CMP #2

0.6% (117)

TCF CMP #NaN

0.3% (68)

TCF CMP #5

0.3% (55)

CookieYes Limited

0.3% (53)

TCF CMP #401

0.2% (47)

TCF CMP #7

0.2% (47)

Data Residency & Schrems II

855847 sites with hosting data

GDPR Art. 28 requires processor agreements specifying data location. Art. 44-49 govern international transfers — the CLOUD Act gives US authorities access to data held by US companies regardless of server location. Schrems II (CJEU C-311/18) invalidated Privacy Shield and requires supplementary measures for US transfers.

73%

Hosted in EU/EEA

27%

Hosted outside EU

59%

Hosted domestically

Top hosting countries

29.6%

20.6%

9.8%

6.3%

4.5%

3.7%

2.3%

2.2%

Top hosting providers

CLOUDFLARENET - Cloudflare, Inc. 77835 9.1%

IONOS-AS This is the joint network for IONOS, Fasthosts, Arsys, 1&1 Mail and Media and 1&1 Telecom. Formerly known as 1&1 Internet SE. 65088 7.6%

AMAZON-02 - Amazon.com, Inc. 51317 6.0%

HETZNER-AS 49870 5.8%

OVH 45060 5.3%

STRATO STRATO AG 28534 3.3%

WIX_COM 26550 3.1%

NMM-AS D - 02742 Friedersdorf Hauptstrasse 68 21356 2.5%

GOOGLE-CLOUD-PLATFORM - Google LLC 21217 2.5%

GOOGLE - Google LLC 16405 1.9%

Company headquarters

55%

EU-headquartered provider

45%

Non-EU provider (CLOUD Act / Schrems II)

Cloudflare (US) 85062 9.9%

IONOS (1&1) (DE) 65088 7.6%

Amazon Web Services (US) 55268 6.5%

Hetzner (DE) 50058 5.8%

OVHcloud (FR) 45061 5.3%

Google Cloud (US) 37622 4.4%

Strato (DE) 28540 3.3%

Wix (IL) 26547 3.1%

Aruba S.p.A. (IT) 14326 1.7%

GoDaddy (US) 12780 1.5%

Server location via IP geolocation (MaxMind GeoLite2). Company HQ from ASN registry. A site may be physically hosted in the EU but use a US-headquartered provider subject to the CLOUD Act — per Schrems II (CJEU C-311/18), this requires SCCs with supplementary measures. · GDPR Art. 44-49

Methodology

How this data was collected and what it represents.

All data is collected through automated, non-intrusive scans of publicly accessible websites. No login credentials are used, no forms are submitted, and no private data is accessed.

Cookie consent mechanisms are tested using a headless browser (Playwright). We load each site without interacting with any consent banner and record all cookies set, third-party requests made, and resources loaded before any user interaction — capturing the pre-consent state.

CMP detection identifies the Consent Management Platform in use (e.g., Cookiebot, OneTrust, Usercentrics) via script signatures, DOM elements, and API endpoints. Google Consent Mode and IAB TCF framework support are detected through JavaScript API probing.

Pre-consent data transfers are classified by risk level based on the receiving company's jurisdiction, data processing scope, and whether an EU-based alternative exists. High-risk transfers involve US-based services without adequate safeguards.

Hosting data is determined via IP geolocation (MaxMind GeoLite2) for server location and ASN registry lookups for provider company headquarters.

No individual sites are named. All statistics are aggregated and anonymised. Regulatory references indicate which requirements relate to each finding — they do not assert non-compliance of any specific organisation.

Where does your website stand?

Run a free privacy scan and see how your cookie consent, pre-consent transfers, and hosting compliance compare — in 30 seconds, no account needed.

Scan your website now Full security report

Based on automated scans of 816013 European websites. Updated continuously.