809955 sites analysed

EU Privacy & Cookie Compliance Report

Pre-consent data transfers, cookie consent, CMP adoption across 809955 EU websites — measured, not estimated.

56%

Cookie banner detected

28%

Reject option available

16%

High-risk pre-consent

56%

EU-headquartered hosting

In this report

Cookie Compliance CMP Market Share Pre-Consent Transfers Data Residency & Schrems II

Cookie Compliance

288043 sites scanned · ePrivacy / TTDSG

Cookie consent requires a valid legal basis under ePrivacy Directive 2002/58/EC Art. 5(3) and GDPR Art. 6/7. In Germany, TTDSG § 25 transposes these requirements. A compliant banner must offer equally prominent accept and reject options, and no tracking cookies may be set before consent.

56%

Banner detected

28%

Reject option

Consent withdraw

13%

Google Consent Mode

12%

GCM v2 compliant

13%

GCM default denied

IAB TCF detected

TCF preset consent

Google Consent Mode Analysis

Of sites using Google Consent Mode, 91% have upgraded to v2 (mandatory since March 2024). GCM v2 with default 'denied' is Google's recommended approach for GDPR-aligned use of Analytics and Ads — tags defer data collection until user consent.

13%

use GCM

91%

of those: v2

13%

default denied

Note: GCM controls tag behavior but not resource loading. The gtag.js script itself still transfers the user's IP address. For full Art. 44 compliance, use server-side GTM on a first-party domain.

2.2

Avg cookies / site

1.5

Avg third-party scripts

2.2

Avg pre-consent

4.9

Avg issues

CMP Market Share

29262 sites with detected CMP

Consent Management Platforms (CMPs) implement the cookie consent requirements of ePrivacy Directive 2002/58/EC and GDPR. A CMP's quality directly affects legal compliance — misconfigured banners are a leading cause of GDPR enforcement actions.

Consent Management Platform distribution across 29262 sites with detected CMP

Complianz

25.7% (7513)

Cookiebot

19.5% (5696)

Riadaljana

9.0% (2639)

Google Popup

8.9% (2596)

OneTrust

5.6% (1641)

Complianz Banner

4.6% (1359)

Klaro

3.7% (1072)

CookieScript

3.4% (992)

Didomi

2.5% (732)

Funding Choices

2.5% (724)

Usercentrics

2.3% (663)

Consentmanager

1.8% (529)

CookieConsent

1.8% (516)

Cookie Consent (Osano)

1.5% (430)

Hanseaticbusinessschool

1.5% (426)

Cookiebar

1.4% (412)

Borlabscookiebox

1.3% (391)

Real Cookie Banner

1.3% (366)

Tarteaucitron Js

1.0% (297)

TCF CMP #258

0.9% (268)

Data Residency & Schrems II

421407 sites with hosting data

GDPR Art. 28 requires processor agreements specifying data location. Art. 44-49 govern international transfers — the CLOUD Act gives US authorities access to data held by US companies regardless of server location. Schrems II (CJEU C-311/18) invalidated Privacy Shield and requires supplementary measures for US transfers.

72%

Hosted in EU/EEA

28%

Hosted outside EU

63%

Hosted domestically

Top hosting countries

41.1%

21.2%

11.5%

4.9%

3.1%

2.8%

2.0%

1.6%

1.5%

1.4%

Top hosting providers

IONOS-AS This is the joint network for IONOS, Fasthosts, Arsys, 1&1 Mail and Media and 1&1 Telecom. Formerly known as 1&1 Internet SE. 41881 9.9%

CLOUDFLARENET - Cloudflare, Inc. 39587 9.4%

HETZNER-AS 28986 6.9%

AMAZON-02 - Amazon.com, Inc. 25559 6.1%

OVH 24022 5.7%

STRATO STRATO AG 21424 5.1%

NMM-AS D - 02742 Friedersdorf Hauptstrasse 68 16142 3.8%

WIX_COM 13611 3.2%

GOOGLE-CLOUD-PLATFORM - Google LLC 10661 2.5%

MITTWALD-AS Mittwald CM Service GmbH und Co. KG 7700 1.8%

Company headquarters

56%

EU-headquartered provider

44%

Non-EU provider (CLOUD Act / Schrems II)

Cloudflare (US) 43166 10.2%

IONOS (1&1) (DE) 41881 9.9%

Hetzner (DE) 29098 6.9%

Amazon Web Services (US) 27105 6.4%

OVHcloud (FR) 24023 5.7%

Strato (DE) 21427 5.1%

Google Cloud (US) 18000 4.3%

Wix (IL) 13607 3.2%

GoDaddy (US) 8697 2.1%

Mittwald (DE) 7662 1.8%

Server location via IP geolocation (MaxMind GeoLite2). Company HQ from ASN registry. A site may be physically hosted in the EU but use a US-headquartered provider subject to the CLOUD Act — per Schrems II (CJEU C-311/18), this requires SCCs with supplementary measures. · GDPR Art. 44-49

Methodology

How this data was collected and what it represents.

All data is collected through automated, non-intrusive scans of publicly accessible websites. No login credentials are used, no forms are submitted, and no private data is accessed.

Cookie consent mechanisms are tested using a headless browser (Playwright). We load each site without interacting with any consent banner and record all cookies set, third-party requests made, and resources loaded before any user interaction — capturing the pre-consent state.

CMP detection identifies the Consent Management Platform in use (e.g., Cookiebot, OneTrust, Usercentrics) via script signatures, DOM elements, and API endpoints. Google Consent Mode and IAB TCF framework support are detected through JavaScript API probing.

Pre-consent data transfers are classified by risk level based on the receiving company's jurisdiction, data processing scope, and whether an EU-based alternative exists. High-risk transfers involve US-based services without adequate safeguards.

Hosting data is determined via IP geolocation (MaxMind GeoLite2) for server location and ASN registry lookups for provider company headquarters.

No individual sites are named. All statistics are aggregated and anonymised. Regulatory references indicate which requirements relate to each finding — they do not assert non-compliance of any specific organisation.

Where does your website stand?

Run a free privacy scan and see how your cookie consent, pre-consent transfers, and hosting compliance compare — in 30 seconds, no account needed.

Scan your website now Full security report

Based on automated scans of 809955 European websites. Updated continuously.