Consentify Blog

GDPR Compliance Statistics 2026: We Scanned 1,430 Websites

TL;DR We ran our GDPR scanner on 1,430 real websites between April and July 2026. On 82% we found no detectable consent tool, and 35% fired a high-risk tracker like Google Analytics or Meta Pixel before any consent. Here are the full GDPR compliance statistics, with the caveats.

We wanted to know how many real websites actually respect the rules they claim to follow. So between April and July 2026, we ran our free GDPR scanner on 1,430 domains and logged what loaded before anyone clicked a thing.

The short version: most sites we looked at track visitors, and a large share do it with no consent step at all. Here are the numbers, with the caveats, so you can judge for yourself.

What did we actually measure?

Our scanner loads a site the way a first-time visitor would, with no clicks and no consent given. It then records which known trackers fire, which cookies get set, how many third-party domains receive a request, and whether it can detect a consent management platform (CMP). A tracker counts as active when it sent data or set a cookie on load.

Two honest caveats. First, this is not a random sample of the web. People scan a site because they suspect a problem, so the group skews toward sites with something to find. Second, our scanner recognizes CMPs by their known scripts and the standard __tcfapi signal. A custom-coded banner or an obscure plugin that does neither will not be detected, so our no-CMP figure is a ceiling, not an exact count.

How many sites had no detectable consent tool?

On 82% of the 1,430 sites, we could not detect any consent management platform. Only 262 sites ran a CMP we recognized. Some of the rest almost certainly use a custom or self-hosted banner we cannot see, so treat this as an upper bound. Still, it points to a lot of sites with no visible consent layer.

A missing CMP is only a problem if the site actually tracks people. Plenty of the sites we scanned were simple brochure pages with nothing to gate. That is why the next number matters more.

How many sites fire trackers before you consent?

This is the hard finding, and it does not depend on CMP detection. On 693 of the 1,430 sites (49%), a high-risk tracker fired on page load, before any interaction. On 502 sites (35%), that happened with no consent tool we could detect at all. When a tracker sends data on load, the timing is the violation, banner or not.

This lines up with wider research. One roundup of consent studies found that even among sites that do have a CMP, more than half still set trackers before the user agreed. A banner that loads after the tracker is decoration.

The GDPR rules on cookies are clear on the order of operations. Non-essential trackers should not run until the visitor has made a real choice. The EDPB's 2023 guidance widened this to cover pixels and fingerprinting too, not just cookies.

Which trackers show up most often?

Google runs the board. Google Analytics appeared on 36% of sites, Google Tag Manager on 30%, and Google Ads on 29%. The next most common was Meta Pixel at 8%. No other single tracker cracked 4%.

The most common trackers we found, by share of sites:

  • Google Analytics: 36% (high risk)
  • Google Tag Manager: 30% (medium risk)
  • Google Ads: 29% (high risk)
  • Meta Pixel: 8% (high risk)
  • Amazon Publisher Services and Matomo: 4% each
  • Comscore, LinkedIn Insight, Microsoft Clarity, Microsoft Ads: around 3% each

Google alone explains most of the risk

When we look at trackers firing actively before consent, the top three are all Google or Meta. Google Analytics fired early on 498 sites. Google Ads did it on 395. Meta Pixel on 96. These are the tags most sites forget to gate, partly because they get pasted in during setup and never touched again.

If you use Google tags, the fix is not just a banner. You also need Google Consent Mode v2 wired to that banner, so consent state actually reaches Google. A CMP without Consent Mode still leaks signals to Google on EU traffic.

What kinds of trackers are these?

Analytics and advertising dominate. Analytics trackers showed up on 702 sites and advertising trackers on 491. Marketing tools and social widgets trailed far behind at 59 and 57 sites. So the typical risk is not some exotic script. It is the same analytics and ad tags nearly everyone installs.

That is good news in a way. If you handle Google Analytics, Google Ads, and Meta Pixel correctly, you have covered the vast majority of the risk we saw in the data.

How many trackers does the average site load?

The average site in our scan loaded 1.6 trackers, and the median was 1. That sounds low until you remember 599 sites loaded zero. Among sites that track at all, the load climbs fast, and the heaviest site we scanned ran 16 separate trackers on a single page.

The spread of tracker counts across all 1,430 sites:

  • 0 trackers: 599 sites
  • 1 to 2 trackers: 496 sites
  • 3 to 5 trackers: 255 sites
  • 6 to 10 trackers: 71 sites
  • 11 or more: 9 sites

Which consent tools do the compliant sites use?

Among the 262 sites where we did detect a CMP, two names led by a wide margin: OneTrust on 107 sites and Cookiebot on 64. Sourcepoint, CookieYes, and TrustArc followed in the teens. So the paid enterprise tools own the visible consent market, even though a small, well-configured banner does the same job.

That gap is the whole reason we built Consentify. If you are weighing options, our Cookiebot alternative comparison breaks down where a lighter tool fits better, especially for smaller sites that do not need enterprise pricing.

What this means for your website

The pattern across 1,430 sites is consistent. Most sites track visitors, the trackers are almost always Google or Meta, and they very often fire before any consent. The banner, when it exists, frequently loads too late to matter.

You cannot fix what you cannot see, so start by scanning your own site. It takes under a minute and shows exactly which trackers fire before consent, which is the number that actually gets sites in trouble.

Want to see where your site lands? Run a free GDPR scan, then fix it with Consentify: one domain free, no watermark, no time limit.

Start your cookie banner for free

Get your own customizable, GDPR-ready banner in minutes with Consentify.

Get Started Free

Frequently asked questions

How many websites are GDPR compliant?

In our scan of 1,430 sites, 35% fired a high-risk tracker like Google Analytics or Meta Pixel before any consent, which is a clear GDPR problem. Wider studies suggest only around 15% of sites meet the basic bar for a compliant cookie banner.

Does a missing cookie banner always mean a site breaks GDPR?

No. A site with no trackers has nothing to consent to, so it may be fine. The violation happens when non-essential trackers load before the visitor agrees. That timing, not the banner alone, is what breaks the rules.

Can a scanner detect every cookie banner?

Not reliably. Scanners recognize known consent platforms by their scripts and the standard TCF signal. A custom-coded banner or an unusual plugin can be missed, so a no-CMP result is a strong hint, not absolute proof that a site lacks consent.

What is the fastest way to check my own site?

Run a free GDPR scan of your domain. It loads your site with no consent given and lists every tracker that fires, so you can see in under a minute which scripts need to be gated behind your cookie banner.

Written by Consentify
Helping you stay GDPR compliant, one banner at a time.