GDPR Breaches: €5,000 Per User? Lessons from Denmark

Jul 11, 2025 | 6 minute read

What 36,000 Danish Business Websites Just Revealed About GDPR Violations - and Why €5,000 Payouts per Visitor Are Becoming the New Privacy Risk

36,000 Danish Business Websites Just Violated GDPR

The Top Beacons Loading Before Consent and the Legal Risk Most Danish Companies Aren’t Seeing - Yet

We recently completed a scan of 45,000 domains tied to Danish businesses registered in the CVR registry. Of the 36,496 successful scans, the findings are as expected, and deeply alarming: 73.02% of the scanned sites are classified as high risk.

The overwhelming majority of sites load third-party tracking before user consent, a direct violation of Article 5(3) of the ePrivacy Directive, which forbids any access to or storage of data on the user’s device unless:

  • It is strictly technically necessary to deliver a requested service, or
  • The user has given prior informed and explicit consent

Top 10 Domains Loading Before Consent


Note: Some services (like Google Analytics, Facebook, and Cookiebot) load multiple domains as part of their standard implementation. This is why they may appear more than once in the list - each domain represents a separate beacon detected during the scan.

Here are the top 10 third-party domains found loading beacons before consent, with the number and percentage of the 36,496 scanned sites on which each was detected:

  1. googletagmanager.com – 20,198 sites → 55.3%
  2. region1.google-analytics.com – 11,193 sites → 30.7%
  3. consentcdn.cookiebot.com – 7,588 sites → 20.8%
  4. consent.cookiebot.com – 7,401 sites → 20.3%
  5. imgsct.cookiebot.com – 7,081 sites → 19.4%
  6. google-analytics.com – 6,252 sites → 17.1%
  7. facebook.com – 5,316 sites → 14.6%
  8. connect.facebook.net – 4,614 sites → 12.6%
  9. maps.googleapis.com – 3,917 sites → 10.7%
  10. policy.app.cookieinformation.com – 3,737 sites → 10.2%

Top 10 Tracking Service Providers


Note: Totals reflect sites where a provider's tracking domains were detected, not unique occurrences, as a single site may load multiple beacons from the same provider. This means sites often contribute to multiple counts within a single provider grouping.

Here are the top 10 third-party service providers whose beacons were found loading before consent, derived from the 50 most frequently detected beacons across the 36,496 scanned websites.

1. Google

  • Domains: googletagmanager.com, google-analytics.com, region1.google-analytics.com, region1.analytics.google.com, maps.googleapis.com, pagead2.googlesyndication.com, google.com, play.google.com, youtube.com, googleadservices.com
  • Total Domains: 10

2. Cookiebot (Usercentrics)

  • Domains: consent.cookiebot.com, consentcdn.cookiebot.com, imgsct.cookiebot.com
  • Total Domains: 3

3. Facebook (Meta)

  • Domains: facebook.com, connect.facebook.net
  • Total Domains: 2

4. Iubenda

  • Domains: cdn.iubenda.com, idb.iubenda.com, cs.iubenda.com
  • Total Domains: 3

5. LinkedIn (Microsoft)

  • Domains: snap.licdn.com, px.ads.linkedin.com
  • Total Domains: 2

6. CookieYes

  • Domains: cdn-cookieyes.com, log.cookieyes.com
  • Total Domains: 2

7. Microsoft / Clarity / Bing

  • Domains: clarity.ms, a.clarity.ms, c.clarity.ms, c.bing.com, bat.bing.com
  • Total Domains: 5

8. Hotjar

  • Domains: static.hotjar.com, script.hotjar.com
  • Total Domains: 2

9. Sleeknote

  • Domains: sleeknotecustomerscripts.sleeknote.com, sleeknotestaticcontent.sleeknote.com, analytics.sleeknote.com
  • Total Domains: 3

10. Squarespace / Wix / Shopify / WordPress (Platform Trackers)

  • Domains: panorama.wixapps.net, frog.wix.com, assets.squarespace.com, performance.squarespace.com, monorail-edge.shopifysvc.com, stats.wp.com, pixel.wp.com
  • Total Domains: 7

Why This Second List Matters

While the first list highlights which specific domains are most commonly loading before consent, this second list reveals something deeper: the broader ecosystems behind those domains. It shows which companies operate across multiple scripts and services - scaling non-compliant tracking practices across the web. In many cases, a single provider is responsible for multiple beacons found across thousands of websites.

This isn’t a technical misconfiguration. It’s a systemic industry-wide practice - and after the German Regional Court of Leipzig awarded €5,000 in damages for precisely this behavior, it’s now a legal risk Danish companies can no longer ignore.

A Note on How This Data Was Collected

To be clear, this analysis was based on a non-intrusive web scan of publicly accessible websites registered to Danish businesses through the public CVR registry. While over 45,000 domains were sourced from the registry, many were inactive or incorrectly registered - a common issue, as the CVR system does not validate the accuracy of reported domains. This resulted in 36,496 successful scans of operational websites.

We did not collect any personal data, and no interaction with the sites beyond loading their front pages occurred. The scan simply recorded which third-party domains were contacted during the initial page load - simulating a regular user visit without clicking or accepting cookies.

Why does this matter? Because if our privacy scanner can detect these third-party beacons before any consent is given, then so can a regulator, a privacy activist, or a plaintiff in court.
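As an added example (not AesirX's scanner or code from this post), the Python below shows the detection step just described, plus the site-per-provider counting rule used for the provider list above: it takes the hosts a browser contacted on a pre-consent front-page load, separates first-party from third-party requests, maps the third parties to providers from the lists on this page, and aggregates across sites. The provider table (a subset, collapsed to registrable domains), the suffix-matching rule and the request logs are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit
# Provider groupings from the lists above, collapsed to registrable domains (subset).
PROVIDER_DOMAINS = {
    "Google": ["googletagmanager.com", "google-analytics.com", "google.com",
               "googleapis.com", "googlesyndication.com", "googleadservices.com"],
    "Cookiebot (Usercentrics)": ["cookiebot.com"],
    "Facebook (Meta)": ["facebook.com", "facebook.net"],
}

def matches(host, domain):
    # Exact or subdomain match; "notgoogle.com" must not match "google.com".
    return host == domain or host.endswith("." + domain)

def provider_for(host):
    """Name the provider behind a contacted host, or None if unclassified."""
    return next((p for p, ds in PROVIDER_DOMAINS.items()
                 if any(matches(host, d) for d in ds)), None)

def audit_site(site_host, request_urls):
    """Third-party hosts contacted on the pre-consent page load, by provider.
    Requests to the site's own domain or its subdomains are first-party."""
    hits = {}
    for url in request_urls:
        host = (urlsplit(url).hostname or "").lower()
        if host and not matches(host, site_host):
            provider = provider_for(host) or "Unclassified third party"
            hits.setdefault(provider, set()).add(host)
    return hits  # empty dict means no beacon fired before consent

def aggregate(scans):
    """scans maps site host -> request URLs. A site counts once per provider,
    however many of its beacons fired; returns {provider: (sites, percent)}."""
    sites_per_provider = Counter()
    for site_host, urls in scans.items():
        sites_per_provider.update(audit_site(site_host, urls).keys())
    total = len(scans)
    return {p: (n, round(100 * n / total, 1)) for p, n in sites_per_provider.items()}

# Constructed request logs (not real scan data): fetches on first load, before any consent click.
SAMPLE_SCANS = {
    "example-shop.dk": ["https://example-shop.dk/", "https://www.googletagmanager.com/gtm.js",
                        "https://region1.google-analytics.com/g/collect",
                        "https://consentcdn.cookiebot.com/sdk/bc-v4.min.js",
                        "https://connect.facebook.net/en_US/fbevents.js"],
    "example-law.dk": ["https://example-law.dk/", "https://cdn.example-law.dk/app.js"],
    "example-cafe.dk": ["https://example-cafe.dk/", "https://www.googletagmanager.com/gtm.js",
                        "https://www.google-analytics.com/g/collect"],
}
```

A real run would feed `audit_site` the request hosts captured by a headless browser on the front page with no interaction, exactly the condition the scan simulates.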

And as the German courts are showing - that’s more than enough to trigger liability.

The Technologies Most at Risk: GTM, Analytics, Facebook

At the center of this are the tools most companies use by default:

Google Tag Manager

While flexible and powerful, GTM is not compliant by default. It loads immediately on page load, even before a CMP initializes. From that point on, it opens a channel for third-party script execution - including tracking tags, telemetry, and fingerprinting code - all before consent is collected.

The Hannover ruling from March 2025 confirmed what privacy professionals already knew: Google Tag Manager and Consent Mode 2.0 violate both the GDPR and ePrivacy rules because data is still sent to third-party domains before the user agrees to anything.

Google Analytics

GA4 continues to collect signals before consent in most deployments. Even when Consent Mode is configured, identifiers like IP addresses and user agent strings are transmitted to Google domains.

Facebook/Meta Tracking

Facebook Pixel and the Conversions API were specifically cited in the Leipzig ruling. They operate across sites and apps, compiling identifiers like hashed emails, device info, and click paths - often without the user knowing or consenting.

The ruling made it clear: Even if the user isn’t logged in to Facebook, their data is being processed unlawfully if consent hasn't been obtained before the tracking starts.

Cookie Consent as a Service: Designed to Violate

This brings us to a larger problem: Cookie Consent-as-a-Service (CCaaS) platforms like Cookiebot, CookieYes, and Cookie Information.

These tools are supposed to help with compliance - yet they are:

  • Hosted on third-party domains
  • Loading scripts, stylesheets, and tracking pixels before the user sees the consent banner
  • Logging user interactions and telemetry from the outset
  • Running third-party analytics on the consent interface itself

This isn’t accidental. These platforms are often built with SaaS-level analytics for their own dashboards and customer reporting. Many inject marketing trackers by default.

There’s No “Technical Necessity” Here

And here’s the key legal point: technical necessity under Article 5(3) must be judged from the perspective of the data subject, not the vendor or site operator.

It may be convenient for the CMP provider to preload their scripts from their CDN. But that does not make it “necessary” for the user’s request to view a website. If the same consent interface can be delivered by first-party scripts running on the same server, without any tracking or external calls, then third-party loading is not legally justified.

And yes - it can. That’s exactly how AesirX CMP works. It’s deployed locally, blocks all scripts before consent, and doesn’t transmit any data off-site to manage consent choices.

So what should companies take away from this data - and the legal rulings coming out of Germany?

What This Means for Danish (and European) Companies

If you're running Google Tag Manager, Facebook Pixel, or a third-party consent platform - you are almost certainly processing data unlawfully before consent. And if a user challenges it, as in the German case, your legal exposure starts at €5,000 in damages per violation - plus reputational damage.

The fix is simple but urgent: apply our RBAS model:

  • Replace CCaaS tools, especially those that load pixel trackers by design, with first-party consent managers
  • Block all third-party tech by default until informed and explicit consent is recorded
  • Audit your GTM containers, tags, and triggers - do NOT load your CMP from GTM
  • Stop relying on Consent Mode or hashed identifiers as legal cover

It’s no longer enough to assume that consent banners are doing their job - or that default setups from popular tools are compliant.

Regulators are watching. Courts are acting. And your customers expect more.

It’s time to align privacy with your core web architecture - not as an afterthought, but as a foundation of digital trust.

The time to act was yesterday. The opportunity to fix it is now.

Ronni K. Gothard Christiansen
Technical Privacy Engineer & CEO, AesirX.io

If you’d like help reviewing your site or understanding the risks, we offer a technical web-facing Privacy Review that gives you an actionable plan on what's wrong, and how to resolve it.

https://aesirx.io/services/privacy-review
