ConsentStack Research
The State of Cookie Compliance
We ran 229 live websites through our free compliance scanner and watched what actually happened before, during, and after the consent choice. Most sites had no banner at all. Almost none were fully clean.
By Ben Churchill · Published July 2026 · Behavioral research, not legal advice
Between June 21, 2026 and July 14, 2026, 229 live websites were checked with ConsentStack's free compliance scanner. The scanner loads a site twice, once as an EU visitor and once as a US visitor, and records every request that fires on page load and after the visitor clicks Accept and Reject. This is what it saw.
One thing up front, because it shapes everything below. These are sites whose owners chose to run a scan. They are not a random sample of the web, and they skew toward US, tech, and marketing-heavy businesses. Read the numbers as sites that checked themselves, not the web. Every figure carries the exact count it is based on.
On this page
Who we scanned, and who we did not
The corpus is 229 unique websites, one scan per site (the most recent), production sites only. 97% of the scans were started from a US network, and the most common domains were .com, .ai, .co, and .io, with a heavy business-software presence. That is the population that tends to both evaluate a consent tool and run a dense marketing stack, which is worth remembering when the leak rates look high.
Because the sample chose itself, treat this as a health check of sites motivated enough to look, not a census of the internet. A later version of this study will scan a neutral control list the same way and publish both side by side.
Installing a consent tool is not the same as being compliant
Only 75 of the 229 sites (33%) ran any consent tool at all. Among those 75, 84% still failed the EU test, almost always for the same reason: a tag was placed above the consent gate and fired a third-party request before the banner was answered.
That is a deployment problem, not a verdict on any particular product. A tool that blocks correctly when you click Reject can still let a tag fire on page load if the tag sits in the wrong place. We are not publishing per-vendor pass rates here, because with no named tool appearing on more than about ten sites, and failures driven by how each was installed, a branded scoreboard would be anecdote dressed as data. A separate study will re-scan each vendor's own reference setup, fairly and at a larger scale, before naming names.
Tracking usually fires before anyone chooses
Between 78% and 83% of sites, which is 179 to 189 of the 229 (the range comes from two ways of counting the same thing, the scanner's own findings versus re-deriving from the raw per-tracker flags), fired a third-party request that needs consent before the visitor gave it. Here is the standard behind that number, and we hold it on purpose.
We count any third-party request made before consent as a problem, even when the tag is set up for Google Consent Mode and sends a cookieless "denied" ping. The reason is simple: the request still travels to the third party, and it carries the visitor's IP address. Under EU law an IP address is personal data (the EU Court of Justice said so in the Breyer case), so data has already left before anyone agreed. The cookieless "denied" state changes what the third party may store; it does not stop the connection. Some vendors argue a denied ping is fine. We disagree, and enforcement is moving in our direction: the European regulators' Google Analytics decisions focused on visitor data reaching the third party at all, and the pixel-wiretap lawsuits are built on the theory that the connection itself is the interception.
These are the trackers most often firing before consent. Google Tag Manager tops the list, but a container load is a weaker example than an actual measurement or advertising call, so the sharpest cases are Google Analytics and the Meta Pixel just below it.
- Google Tag Managerb156 sites · 68%
- Google Analytics98 sites · 43%
- Meta Pixel76 sites · 33%
- Google Ad Manager76 sites · 33%
- LinkedIn Insight Tag59 sites · 26%
- HubSpot Forms44 sites · 19%
- HubSpot Marketing43 sites · 19%
- HubSpot Analytics40 sites · 17%
- Microsoft Clarity37 sites · 16%
- Google Ads28 sites · 12%
- Share of 229 scanned sites.
b Google Tag Manager is a container rather than a tracker in itself. Its load is still a third-party request to Google that carries the visitor's IP, but read the analytics and advertising rows below it as the sharper examples.
The banner is often theater, and Reject does not always work
A banner is only worth something if clicking Reject actually stops the tracking. Of the 70 banner sites where the scanner could reach and click Reject, 31 (44%) kept a genuine third-party tracker firing afterward. The two most common were Microsoft Clarity, which records sessions, and the Meta Pixel, which sits at the center of the pixel and wiretap lawsuits.
- Microsoft Clarity12 sites · 17%
- Meta Pixel11 sites · 16%
- HubSpot Marketing Hub6 sites · 9%
- PostHog5 sites · 7%
- Share of 70 sites where Reject was clickable.
Charted are the trackers seen leaking on five or more sites. A smaller tail (X Ads, Reddit Pixel, and Intercom) kept firing on a few sites each.
We publish the conservative count. The scanner flagged 35 sites leaking after Reject; we set four of those aside because the request that fired was a vendor's own consent or functional endpoint that needs a closer look before we call it tracking. The 31 above are the unambiguous cases.
How we tested
Every result here is behavioral. The scanner describes what fired and when, not what a court would decide. For each site it opens a fresh browser, loads the page as an EU visitor and again as a US visitor, and records the third-party requests on page load and after clicking Accept and Reject. A region is marked non-compliant when there is no banner in front of trackers that need consent, when a tracker fires before the banner is answered, or when Reject does not stop tracking.
The exact rules that decide each verdict are written out on this page, not hidden in a black box, and we are publishing the scanner's verdict-rule code alongside the recurring version of this study so anyone can check how a site is scored. A few things worth stating plainly: the scan runs from a European vantage and a US vantage, and the US vantage is not pinned to California, so the US findings describe what a US visitor experiences and are not a formal CCPA compliance rate (a site that shows its notice only to California visitors could look banner-less from our vantage); the scanner does not send Global Privacy Control signals, so that opt-out channel is out of scope here; and banner detection can miss an unusual custom or shadow-DOM banner, which would show up as a false "no banner." Before this study is cited widely we are hand-checking a random sample of the no-banner and reject-leak verdicts against the saved request logs and will publish that count here, and the recurring version will add a neutral control list scanned the same way.
Every figure on this page names its exact count and denominator, so you can check the arithmetic yourself. If you want the method in one line: we tested 229 self-selected sites the way a visitor experiences them, and reported the aggregates.
What this means for your site
A banner that shows up is not the same as a banner that works. If you are not sure which one you have, the same scanner behind this study will check your site in a minute or two and show you exactly which trackers fire before consent and which keep firing after Reject. No signup, no email.
Questions and answers
Limitations
- Self-selected sample. Sites whose owners chose to run a free scan, skewed US and tech. Generalize only to sites that get scanned.
- Small overall, tiny per tool. 229 sites in total, at most about ten sites per named consent tool. Aggregate patterns are strong; per-vendor numbers are not published.
- A snapshot, not a trend. about three and a half weeks of scans. The recurring version will track change over time.
- Behavioral, not legal. The scanner cannot see the legal bases a site may claim, private processor agreements, or server-side consent. It reports what happened. For cookies and device access, EU law requires consent before they load regardless of the basis claimed (the EU Court of Justice Planet49 ruling and European Data Protection Board guidance), which is why the pre-consent findings are on solid ground.
- US and GPC scope. The US vantage is not California-pinned and Global Privacy Control is not tested, so US findings are behavioral, not a CCPA rate.
This is a behavioral research study, not legal advice, and no individual site was reviewed by a lawyer. Legal statements are attributed to primary sources such as the EU Court of Justice, the European Data Protection Board, and state regulators. For your own obligations, talk to qualified counsel.
See where your site leaks consent
Run a free compliance scan against EU and US rules. No signup required.
100+ happy customers
Find out where your site stands
Run the same scanner behind this study against your own site. See which trackers fire before consent and which ignore Reject, in a minute or two, with no signup.