Research

ConsentStack Research

The State of Cookie Compliance

We ran 229 live websites through our free compliance scanner and watched what actually happened before, during, and after the consent choice. Most sites had no banner at all. Almost none were fully clean.

By Ben Churchill · Published July 2026 · Behavioral research, not legal advice

67%showed no consent banner at all154 of 229 sites
3.7%were fully clean under an EU consent test8 of 217 with a conclusive verdict
13%passed under both EU and US visitor tests29 of 229 sites
44%of banner sites still leaked after Reject31 of 70 where Reject was clickable

Between June 21, 2026 and July 14, 2026, 229 live websites were checked with ConsentStack's free compliance scanner. The scanner loads a site twice, once as an EU visitor and once as a US visitor, and records every request that fires on page load and after the visitor clicks Accept and Reject. This is what it saw.

One thing up front, because it shapes everything below. These are sites whose owners chose to run a scan. They are not a random sample of the web, and they skew toward US, tech, and marketing-heavy businesses. Read the numbers as sites that checked themselves, not the web. Every figure carries the exact count it is based on.

Who we scanned, and who we did not

The corpus is 229 unique websites, one scan per site (the most recent), production sites only. 97% of the scans were started from a US network, and the most common domains were .com, .ai, .co, and .io, with a heavy business-software presence. That is the population that tends to both evaluate a consent tool and run a dense marketing stack, which is worth remembering when the leak rates look high.

Because the sample chose itself, treat this as a health check of sites motivated enough to look, not a census of the internet. A later version of this study will scan a neutral control list the same way and publish both side by side.

Most sites have no consent banner at all

The single biggest finding is also the simplest. 154 of 229 sites (67%) showed no recognizable consent banner. And 124 of those sites, which is 54% of all 229, were running analytics or marketing trackers that need consent, with nothing in front of them. Over half the sample has no consent mechanism guarding tracking that calls for one.

A fair caveat on that headline: 8 of the 154 were bot-walled scans where no banner could be observed either way. Among the 221 sites the scanner could fully load, 146 (66%) confirmed no banner. The figure barely moves, which is why it is worth stating.

Here is how all 229 sites split when tested as an EU visitor. The chart groups every site by what the scanner saw, so the sites that are fine (including the ones that correctly show no banner because they run only essential scripts) sit on the passing side.

How 229 sites split under an EU-visitor test
  • No banner shown, but running trackers that need consenta125 · 55%Fails
  • Has a consent tool, Reject works, but a tracker fires before the visitor answers33 · 14%Fails
  • Has a consent tool, but it leaks or gives no way to reject29 · 13%Fails
  • No banner, and none required (no trackers that need consent)22 · 10%Passes
  • Blocked or scan-limited (no conclusive verdict)12 · 5%Unclear
  • Has a consent tool that passes the test8 · 3%Passes
Fails an EU-visitor testPassesNo conclusive verdictShare of 229 scanned sites.

a Counted from what the EU visitor saw. The site-level count is 124 (54%), differing by one site that showed a banner only to the US visitor. Overall, 30 sites earned a passing EU verdict, 187 failed, and 12 could not be scored. Only 8 of the passing sites were clean of every flagged issue under the stricter zero-issues test, which is the 3.7% figure in the summary above.

Installing a consent tool is not the same as being compliant

Only 75 of the 229 sites (33%) ran any consent tool at all. Among those 75, 84% still failed the EU test, almost always for the same reason: a tag was placed above the consent gate and fired a third-party request before the banner was answered.

That is a deployment problem, not a verdict on any particular product. A tool that blocks correctly when you click Reject can still let a tag fire on page load if the tag sits in the wrong place. We are not publishing per-vendor pass rates here, because with no named tool appearing on more than about ten sites, and failures driven by how each was installed, a branded scoreboard would be anecdote dressed as data. A separate study will re-scan each vendor's own reference setup, fairly and at a larger scale, before naming names.

The banner is often theater, and Reject does not always work

A banner is only worth something if clicking Reject actually stops the tracking. Of the 70 banner sites where the scanner could reach and click Reject, 31 (44%) kept a genuine third-party tracker firing afterward. The two most common were Microsoft Clarity, which records sessions, and the Meta Pixel, which sits at the center of the pixel and wiretap lawsuits.

Trackers still firing after the visitor clicked Reject
  • Microsoft Clarity12 sites · 17%
  • Meta Pixel11 sites · 16%
  • HubSpot Marketing Hub6 sites · 9%
  • PostHog5 sites · 7%
  • Share of 70 sites where Reject was clickable.

Charted are the trackers seen leaking on five or more sites. A smaller tail (X Ads, Reddit Pixel, and Intercom) kept firing on a few sites each.

We publish the conservative count. The scanner flagged 35 sites leaking after Reject; we set four of those aside because the request that fired was a vendor's own consent or functional endpoint that needs a closer look before we call it tracking. The 31 above are the unambiguous cases.

How we tested

Every result here is behavioral. The scanner describes what fired and when, not what a court would decide. For each site it opens a fresh browser, loads the page as an EU visitor and again as a US visitor, and records the third-party requests on page load and after clicking Accept and Reject. A region is marked non-compliant when there is no banner in front of trackers that need consent, when a tracker fires before the banner is answered, or when Reject does not stop tracking.

The exact rules that decide each verdict are written out on this page, not hidden in a black box, and we are publishing the scanner's verdict-rule code alongside the recurring version of this study so anyone can check how a site is scored. A few things worth stating plainly: the scan runs from a European vantage and a US vantage, and the US vantage is not pinned to California, so the US findings describe what a US visitor experiences and are not a formal CCPA compliance rate (a site that shows its notice only to California visitors could look banner-less from our vantage); the scanner does not send Global Privacy Control signals, so that opt-out channel is out of scope here; and banner detection can miss an unusual custom or shadow-DOM banner, which would show up as a false "no banner." Before this study is cited widely we are hand-checking a random sample of the no-banner and reject-leak verdicts against the saved request logs and will publish that count here, and the recurring version will add a neutral control list scanned the same way.

Every figure on this page names its exact count and denominator, so you can check the arithmetic yourself. If you want the method in one line: we tested 229 self-selected sites the way a visitor experiences them, and reported the aggregates.

What this means for your site

A banner that shows up is not the same as a banner that works. If you are not sure which one you have, the same scanner behind this study will check your site in a minute or two and show you exactly which trackers fire before consent and which keep firing after Reject. No signup, no email.

Questions and answers

Limitations

  • Self-selected sample. Sites whose owners chose to run a free scan, skewed US and tech. Generalize only to sites that get scanned.
  • Small overall, tiny per tool. 229 sites in total, at most about ten sites per named consent tool. Aggregate patterns are strong; per-vendor numbers are not published.
  • A snapshot, not a trend. about three and a half weeks of scans. The recurring version will track change over time.
  • Behavioral, not legal. The scanner cannot see the legal bases a site may claim, private processor agreements, or server-side consent. It reports what happened. For cookies and device access, EU law requires consent before they load regardless of the basis claimed (the EU Court of Justice Planet49 ruling and European Data Protection Board guidance), which is why the pre-consent findings are on solid ground.
  • US and GPC scope. The US vantage is not California-pinned and Global Privacy Control is not tested, so US findings are behavioral, not a CCPA rate.

This is a behavioral research study, not legal advice, and no individual site was reviewed by a lawyer. Legal statements are attributed to primary sources such as the EU Court of Justice, the European Data Protection Board, and state regulators. For your own obligations, talk to qualified counsel.

See where your site leaks consent

Run a free compliance scan against EU and US rules. No signup required.

1,076 sites scanned and counting

100+ happy customers

AN
ML
LP
DM
JT

Find out where your site stands

Run the same scanner behind this study against your own site. See which trackers fire before consent and which ignore Reject, in a minute or two, with no signup.

Get started free