We Scanned 1,000 EU E-Commerce Sites for GDPR Compliance — Here Are the Results
Our 2026 analysis of 1,000 EU e-commerce sites found that 71% have at least one material GDPR consent violation. Here's what we found, broken down by country and violation type.
To understand the state of GDPR cookie compliance in EU e-commerce, we scanned 1,000 online stores across eight European countries in February 2026. We assessed each site against the core requirements of GDPR and the ePrivacy Directive: prior consent before non-essential cookies, granular category options, symmetric accept/reject mechanisms, accurate cookie disclosures, and valid consent record storage.
The results are worse than most compliance vendors claim — and more specific than the vague "many sites are non-compliant" headlines that circulate after every major enforcement action.
Summary findings
- 71% of sites have at least one material GDPR consent violation
- 43% of sites set non-essential cookies before any consent is given
- 58% of sites do not offer a "reject all" option at the same prominence level as "accept all"
- 34% of sites have a cookie policy that is materially inaccurate — listing cookies that don't exist or missing cookies that are present
- 22% of sites use a pre-ticked "accept all" approach or treat banner dismissal as consent
- Only 29% of sites are fully compliant with all core requirements
Methodology
We selected 1,000 e-commerce sites from eight EU member states (Germany, France, Italy, Spain, Netherlands, Poland, Sweden, Romania), weighted by market size. Sites were identified from national e-commerce indexes and Alexa/SimilarWeb rankings, targeting mid-market sites (10,000-500,000 monthly visitors) to avoid both the largest platforms (which tend to have dedicated compliance teams) and the smallest sites (which have minimal regulatory exposure).
Each site was assessed using a combination of automated scanning (cookie load analysis before and after consent, banner structure analysis) and manual review (button prominence scoring, category completeness, policy accuracy check). Sites were scored on a five-point compliance checklist. "Fully compliant" requires passing all five.
Violation 1: Cookies firing before consent (43% of sites)
The most serious and most common violation: non-essential cookies loading before any user action. This is a direct violation of Article 5(3) of the ePrivacy Directive and represents the core of most CNIL and ICO enforcement actions.
Rates by country, highest first:
- Poland: 61% of scanned sites
- Romania: 57%
- Italy: 51%
- Spain: 47%
Germany and the Netherlands had the lowest rates (29% and 31% respectively), consistent with their historically stricter DPA enforcement. France came in at 38% — still high, given CNIL's active enforcement posture.
The most common offending cookies were Google Analytics (found firing before consent on 38% of all sites), Meta Pixel (31%), and Google Ads conversion tracking (24%). These are exactly the cookies that regulators target in enforcement actions, because the data flows to large ad-tech companies with documented patterns of data misuse.
Violation 2: Asymmetric accept/reject design (58% of sites)
We counted a banner as asymmetric when accepting was made easier or more visible than rejecting through one or more of the following patterns:
- Button size — "Accept" significantly larger than "reject"
- Button color — "Accept" in a prominent branded color, "reject" in grey or white
- Click depth — Accepting requires one click; rejecting requires navigating to "Manage preferences" first
- Visual hierarchy — "Accept all" first and largest, other options buried in fine print
By country:
- Italy: 73% of sites used asymmetric designs
- France: 66% — despite CNIL's explicit guidance on symmetry
- Spain: 64%
- Germany: 41%
- Netherlands: 38%
- Sweden: 35%
The asymmetry finding is particularly notable because CNIL specifically targeted this pattern in multiple enforcement actions. Companies are still using it — either because they haven't updated their banners, because they're using consent platforms that default to asymmetric designs, or because they're willing to accept the regulatory risk in exchange for higher consent rates.
Violation 3: Inaccurate cookie disclosures (34% of sites)
We compared each site's cookie policy or consent banner category list against the cookies we observed loading on the site. A third of sites had material discrepancies:
- Undisclosed cookies: 24% of sites set cookies that weren't mentioned in their policy at all — typically third-party marketing pixels added by the marketing team after the cookie policy was last updated
- Phantom cookies: 14% of sites listed cookies in their policy that we couldn't find on the site — usually legacy entries never removed after a tool migration
- Miscategorized cookies: 18% of sites had cookies listed in the wrong category — most commonly, Google Analytics in "functional/necessary" rather than "analytics"
This finding highlights a maintenance problem that's distinct from initial setup. A site can be compliant when launched and drift into non-compliance within months as tools change. Without automated re-scanning, these discrepancies accumulate silently.
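The two automated checks behind Violation 1 (non-essential cookies present before any interaction) and Violation 3 (policy drift) reduce to set comparisons once the cookie names have been captured. The following is an added example, not code from the report or its authors: it takes cookie names captured from a fresh session before any click and again after "accept all", plus the site's declared policy entries, and produces the three drift classes above. The known-tracker table, the category names and the sample shop data are constructed assumptions; the table is deliberately short, and anything it does not recognise is reported for manual review rather than silently treated as essential.

```javascript
// Added example (not from the original report): reconcile observed cookies
// against consent state (Violation 1) and against the declared policy
// (Violation 3). Patterns, categories and sample data are assumptions.

// ASSUMPTION: illustrative table of well-known tracker cookies, not exhaustive.
const KNOWN_COOKIES = [
  { pattern: /^_ga(_|$)/, vendor: 'Google Analytics', category: 'analytics' },
  { pattern: /^_gid$/,    vendor: 'Google Analytics', category: 'analytics' },
  { pattern: /^_gat/,     vendor: 'Google Analytics', category: 'analytics' },
  { pattern: /^_fbp$/,    vendor: 'Meta Pixel',       category: 'marketing' },
  { pattern: /^_gcl_/,    vendor: 'Google Ads',       category: 'marketing' },
];

// Map a cookie name to vendor/category; unknown names are flagged, not guessed.
function classify(name) {
  const hit = KNOWN_COOKIES.find(k => k.pattern.test(name));
  return hit ? { name, vendor: hit.vendor, category: hit.category }
             : { name, vendor: null, category: 'unknown' };
}

// Violation 1: non-essential cookies present before the user has acted.
// `preConsent`: names captured from a fresh session before any interaction.
// `essential`: names the site may legitimately set without consent
// (session id, CSRF token, the consent-state cookie itself).
function preConsentViolations(preConsent, essential) {
  const report = { nonEssential: [], unknown: [] };
  for (const name of preConsent) {
    if (essential.has(name)) continue;
    const c = classify(name);
    if (c.category === 'unknown') report.unknown.push(name);
    else report.nonEssential.push(c);
  }
  return report;
}

// Violation 3: declared policy vs cookies observed after "accept all", the
// state in which every cookie the site can set should be present.
function policyDrift(declared, observedAfterAccept) {
  const declaredByName = new Map(declared.map(d => [d.name, d.category]));
  const observed = new Set(observedAfterAccept);
  const undisclosed = [], phantom = [], miscategorized = [];
  for (const name of observed) {
    if (!declaredByName.has(name)) { undisclosed.push(name); continue; }
    const expected = classify(name).category;
    if (expected !== 'unknown' && expected !== declaredByName.get(name)) {
      miscategorized.push({ name, declared: declaredByName.get(name), expected });
    }
  }
  for (const name of declaredByName.keys()) {
    if (!observed.has(name)) phantom.push(name);
  }
  return { undisclosed, phantom, miscategorized };
}

// Constructed sample data for a hypothetical shop (not a real site).
const SAMPLE = {
  essential: new Set(['PHPSESSID', 'csrf_token', 'cookie_consent']),
  preConsent: ['PHPSESSID', 'cookie_consent', '_ga', '_ga_AB12CD', '_fbp', 'shop_ab_test'],
  afterAccept: ['PHPSESSID', 'cookie_consent', '_ga', '_ga_AB12CD', '_gid', '_fbp',
                '_gcl_au', 'shop_ab_test'],
  policy: [
    { name: 'PHPSESSID',      category: 'necessary' },
    { name: 'cookie_consent', category: 'necessary' },
    { name: '_ga',            category: 'necessary' },  // miscategorized: should be analytics
    { name: '_gid',           category: 'analytics' },
    { name: '_fbp',           category: 'marketing' },
    { name: 'hubspotutk',     category: 'marketing' },  // phantom: legacy entry, tool removed
  ],
};

function auditSample() {
  return {
    pre: preConsentViolations(SAMPLE.preConsent, SAMPLE.essential),
    drift: policyDrift(SAMPLE.policy, SAMPLE.afterAccept),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

On the sample, the pre-consent check reports `_ga`, `_ga_AB12CD` and `_fbp` as non-essential cookies set before any action and `shop_ab_test` as needing review; the drift check reports `_ga_AB12CD`, `_gcl_au` and `shop_ab_test` as undisclosed, `hubspotutk` as a phantom entry, and `_ga` as miscategorized. Real policies often declare cookies by pattern (`_ga_*`), so a production version should match declared entries as patterns rather than exact names, and the essential allow-list should be reviewed per site rather than assumed.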
Violation 4: Invalid consent mechanisms (22% of sites)
We counted three mechanisms that do not produce valid consent under GDPR (the percentages overlap, as some sites use more than one):
- Pre-ticked boxes — Categories opted in by default, requiring the user to manually uncheck (11% of sites)
- Scroll-to-consent — Language stating that "by continuing to browse you accept cookies" (7% of sites)
- Dismiss as consent — Closing the banner with an X is treated as consent rather than non-consent (8% of sites)
These mechanisms were most common on older sites that haven't updated their consent infrastructure since 2018-2020. They represent the highest regulatory risk in our dataset — these are the exact violations that appear in CNIL, ICO, and Garante enforcement notices.
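The banner-structure part of the scan described in the methodology, covering both the four asymmetry patterns of Violation 2 and the three mechanisms of Violation 4, can be expressed as rules over a description of the banner. The block below is an added example and is not code from the report or its authors. It assumes a banner descriptor (controls with their action, rendering kind, pixel size, background colour and clicks needed to reach them; category checkboxes with their default state; the banner text; what the close button does) that a real scanner would fill from computed styles and click paths in a headless browser. The colour rule uses the WCAG 2.x relative-luminance contrast ratio; the size and contrast thresholds and both sample banners are constructed assumptions, not regulator-defined values.

```javascript
// Added example (not from the original report): score a consent banner's
// structure for asymmetry patterns (Violation 2) and invalid consent
// mechanisms (Violation 4). Descriptor format, thresholds and sample
// banners are constructed assumptions.

// WCAG 2.x relative luminance of a "#rrggbb" colour.
function luminance(hex) {
  const [r, g, b] = [1, 3, 5]
    .map(i => parseInt(hex.slice(i, i + 2), 16) / 255)
    .map(c => (c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4));
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio between two colours (always >= 1; black on white is 21).
function contrast(a, b) {
  const [hi, lo] = [luminance(a), luminance(b)].sort((x, y) => y - x);
  return (hi + 0.05) / (lo + 0.05);
}

// ASSUMPTION: illustrative thresholds. Accept more than 1.5x the area of reject,
// or more than 2x its contrast against the banner background, counts as asymmetric.
const SIZE_RATIO = 1.5;
const CONTRAST_RATIO = 2;

function asymmetryFindings(banner) {
  const accept = banner.controls.find(c => c.action === 'accept_all');
  const reject = banner.controls.find(c => c.action === 'reject_all');
  if (!reject) return ['no-reject-control'];           // worst case: no reject at all
  const findings = [];
  const area = c => c.width * c.height;
  const visibility = c => contrast(c.background, banner.background);
  if (area(accept) / area(reject) > SIZE_RATIO) findings.push('size');
  if (visibility(accept) / visibility(reject) > CONTRAST_RATIO) findings.push('color');
  if (reject.clicks > accept.clicks) findings.push('click-depth');
  if (reject.kind !== 'button') findings.push('hierarchy'); // reject as a text link
  return findings;
}

function invalidConsentFindings(banner) {
  const findings = [];
  if (banner.categories.some(c => c.name !== 'necessary' && c.defaultChecked)) {
    findings.push('pre-ticked');
  }
  if (/\b(continu(e|ing)|scroll(ing)?)\b.*\b(accept|agree|consent)/i.test(banner.text)) {
    findings.push('scroll-to-consent');
  }
  if (banner.dismissAction === 'accept') findings.push('dismiss-as-consent');
  return findings;
}

function scoreBanner(banner) {
  return { asymmetry: asymmetryFindings(banner), invalidConsent: invalidConsentFindings(banner) };
}

// Constructed sample: a banner showing every pattern the report describes.
const DARK_PATTERN_BANNER = {
  background: '#ffffff',
  controls: [
    { action: 'accept_all', kind: 'button', width: 200, height: 48, background: '#d62828', clicks: 1 },
    { action: 'reject_all', kind: 'link',   width: 80,  height: 20, background: '#ffffff', clicks: 2 },
  ],
  categories: [
    { name: 'necessary', defaultChecked: true },
    { name: 'analytics', defaultChecked: true },
    { name: 'marketing', defaultChecked: true },
  ],
  text: 'By continuing to browse this site you accept our use of cookies.',
  dismissAction: 'accept',
};

// Constructed sample: symmetric buttons, opt-in categories, close means no choice.
const COMPLIANT_BANNER = {
  background: '#ffffff',
  controls: [
    { action: 'accept_all', kind: 'button', width: 160, height: 44, background: '#1a5276', clicks: 1 },
    { action: 'reject_all', kind: 'button', width: 160, height: 44, background: '#1a5276', clicks: 1 },
  ],
  categories: [
    { name: 'necessary', defaultChecked: true },
    { name: 'analytics', defaultChecked: false },
    { name: 'marketing', defaultChecked: false },
  ],
  text: 'We use cookies for analytics and marketing. Choose which you allow.',
  dismissAction: 'none',
};

console.log(scoreBanner(DARK_PATTERN_BANNER), scoreBanner(COMPLIANT_BANNER));
```

The first banner yields all four asymmetry findings and all three invalid-consent findings; the second yields none. The "hierarchy" rule here only catches the common case of a reject option rendered as a text link; the other hierarchy signals the report mentions (position, fine print) need the manual prominence scoring described in the methodology.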
Country-by-country compliance rates
Share of sites passing all five checklist items, by country:
- Germany: 48%
- Netherlands: 45%
- Sweden: 43%
- France: 31%
- Spain: 28%
- Romania: 24%
- Italy: 23%
- Poland: 19%
Germany and the Netherlands lead significantly, which correlates with both strict DPA enforcement histories and higher general privacy awareness among consumers (which creates market pressure for compliance independent of regulation). France's relatively low rate (31%) despite CNIL's aggressive enforcement posture is surprising and suggests that enforcement hasn't yet reached mid-market e-commerce at scale.
Industry context
These numbers should be read alongside enforcement trends. CNIL has indicated it will expand enforcement focus to mid-market e-commerce in 2026, following a period focused on large platforms. The ICO has similar guidance in its 2026 work plan. German DPAs (particularly the Hamburg DPA) have been increasingly active with automated scanning and complaint-driven enforcement.
For mid-market e-commerce sites, the question is no longer "will regulators find non-compliance" but "when will enforcement reach our sector." The 71% non-compliance rate means that the majority of sites in our scan have existing regulatory exposure. At average GDPR fine levels for mid-market companies (€10,000-100,000 per violation for first-time offenses), the expected cost of non-compliance significantly exceeds the cost of fixing it.
What compliant sites do differently
The 29% of sites that passed all five checks shared a set of practices:
- Dedicated consent management platforms with active script blocking, not just banner display
- Regular re-scanning — most had evidence of cookie lists updated within the past 3 months
- Symmetric banner design with identical prominence for accept and reject options
- Granular categories with plain-language descriptions (not technical cookie names)
- Consent record storage with evidence of proper audit trail maintenance
These are not technically complex requirements. The barrier to compliance isn't technical capability — it's awareness and maintenance discipline. Sites that treat consent management as a recurring operational task rather than a one-time setup are consistently compliant. Sites that don't, aren't.
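The first and last items in the list above, active script blocking and consent records, are the ones that determine whether a site actually behaves as its banner claims. The following is an added example, not code from the report or from any consent platform it mentions: a small consent store in which only an explicit banner action creates a record, dismissal creates none, the newest record is authoritative, and scripts are released by category with a default of deny. The category names, version labels, record fields and sample scripts are constructed assumptions; the inert-script convention referred to in the comments (`type="text/plain"` plus a category attribute) is a common pattern, not something the report specifies.

```javascript
// Added example (not from the original report): a consent store that gates
// script loading by category and keeps an append-only consent record.
// Categories, version labels and sample scripts are constructed assumptions.

const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Only an explicit banner control counts as consent. Dismissing the banner,
// scrolling, or a pre-set default (the Violation 4 patterns) create no record.
const VALID_METHODS = new Set(['accept_all', 'reject_all', 'save_preferences']);

function createConsentStore(bannerVersion, policyVersion) {
  const records = [];                       // append-only; newest entry is authoritative
  return {
    // Returns the stored record, or null when the action cannot create consent.
    record(method, choices, at = new Date().toISOString()) {
      if (!VALID_METHODS.has(method)) return null;
      const granted =
        method === 'accept_all' ? [...CATEGORIES] :
        method === 'reject_all' ? ['necessary'] :
        ['necessary', ...CATEGORIES.filter(c => c !== 'necessary' && choices.includes(c))];
      const entry = { at, method, granted, bannerVersion, policyVersion };
      records.push(entry);
      return entry;
    },
    // Default deny: with no record, only necessary scripts may run.
    allows(category) {
      if (category === 'necessary') return true;
      const latest = records[records.length - 1];
      return latest ? latest.granted.includes(category) : false;
    },
    history() { return records.map(r => ({ ...r })); },
  };
}

// Scripts are declared inert on the page (commonly type="text/plain" with a
// category attribute) and only released once their category is granted.
function releasableScripts(store, scripts) {
  return scripts.filter(s => store.allows(s.category)).map(s => s.src);
}

// Constructed sample scripts for a hypothetical shop.
const SCRIPTS = [
  { src: '/js/checkout.js',                                  category: 'necessary' },
  { src: 'https://www.googletagmanager.com/gtag/js',         category: 'analytics' },
  { src: 'https://connect.facebook.net/en_US/fbevents.js',   category: 'marketing' },
];

// Walk through one constructed session: nothing before consent, dismissal
// ignored, preferences saved, then consent withdrawn.
function demoSession() {
  const store = createConsentStore('banner-v3', 'policy-2026-02');
  const before = releasableScripts(store, SCRIPTS);
  const ignored = store.record('dismiss', []);                   // X button: no record
  const stillBefore = releasableScripts(store, SCRIPTS);
  store.record('save_preferences', ['analytics'], '2026-02-14T10:00:00Z');
  const after = releasableScripts(store, SCRIPTS);
  store.record('reject_all', [], '2026-03-01T09:30:00Z');        // user withdraws consent
  const withdrawn = releasableScripts(store, SCRIPTS);
  return { before, ignored, stillBefore, after, withdrawn, history: store.history() };
}

console.log(JSON.stringify(demoSession(), null, 2));
```

Keeping the banner and policy version on each record is what makes the record useful as evidence later: it ties the choice to the exact text the user saw, which is also what the re-scanning practice above has to keep in sync. In the sample session only the checkout script is releasable until preferences are saved, the analytics script is released after that, and the withdrawal record removes it again.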