No, It's Not Just Cookies – It's All Tracking Technologies

Apr 23, 2025 | 5 minute read

Each week, more businesses implement “cookie banners” thinking they’ve done what’s required for privacy compliance. But there’s a growing misunderstanding in the industry - one that creates real legal risk:

Consent banners alone do not make your website compliant.

Why? Because it's not just about cookies. It’s about all tracking technologies.

That includes:

  • Beacons
  • Pixels
  • JavaScript-based tracking
  • SDKs
  • Server-side tracking
  • Tag management systems (TMS)

Every one of these methods can collect personal data, and many are activated before a user has given valid consent.

The Legal Foundation: ePrivacy Directive and National Laws

Article 5(3) of the ePrivacy Directive (as implemented in national laws like the UK's PECR, Norway’s Ekomloven, Vietnam's PDPL and other countries with clear consent requirements) requires that storing or accessing information on a user’s device may only take place with the user’s prior consent, unless it's strictly necessary for the service the user has requested.

Consent under both the ePrivacy Directive and GDPR must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

This means any tracking technology - whether it places a cookie or not - cannot be activated before consent has been obtained.

And yet, server-side tagging and tag management systems like Google Tag Manager are regularly implemented in a way that pre-loads third-party trackers or sends data to external vendors before the user has had the opportunity to understand or agree to that processing.

If the user isn’t aware, and hasn’t agreed to the full scope of tracking, consent is invalid.

Server-Side Tagging and Google Tag Manager: Compliance Concerns

Server-side tracking and tag management systems are often presented as privacy-preserving alternatives. But the reality is more nuanced:

These solutions still process and route personal data - often to third parties such as Google, Facebook, or other advertising networks.

In many cases, data is collected and transmitted regardless of user consent, simply because scripts are embedded server-side or controlled from a centralized tag manager. Without proper control and enforcement mechanisms, these tools can become invisible vectors of non-compliant tracking.

One key example is Google Tag Manager (GTM). When GTM is loaded, it immediately results in the transfer of the user's IP address and potentially exposes the entire DOM and Data Layer to Google. This constitutes personal data processing under both the ePrivacy Directive (ePD) and GDPR as well as other legal foundations.

“As such, GTM cannot be legally loaded before consent is obtained - because it enables the access and transfer of data not strictly necessary for delivering the service the user requested.”

It’s also worth emphasizing:

“Moving GTM (or any tracking logic) to a first-party environment does not eliminate the requirement for consent.”

Under Article 5(3) of the ePrivacy Directive (PECR, Ekomloven, PDPL, etc.), any collection or access to information from a user’s device - first-party or third-party - that is not strictly technically necessary, requires prior consent. This includes analytics, personalization, marketing, and performance tracking.

Using these tools does not bypass the need for explicit, informed, prior consent. If tracking or data transmission happens before that, it is a clear breach of the ePrivacy Directive.

Real-World Enforcement: Bonnier AB Case

This is not theoretical - regulators are now enforcing this aggressively.

In November 2023, Bonnier News AB was fined 13 million SEK by the Swedish Authority for Privacy Protection (IMY), and the case was ruled on by Forvaltningsretten in Stockholm in February 2025. Why?

  • They collected consent for the use of cookies for certain purposes.
  • But once data was collected, it was shared with multiple third parties.
  • That data was used for additional purposes beyond those explicitly consented to.

The IMY made it clear: consent must match the actual processing. If consent is obtained for one purpose and data is later shared or reused for others, it is a violation of GDPR and ePrivacy.

This case highlights the growing risk of mismatched consent - something that’s especially common when using tag managers, complex marketing stacks, or third-party tracking solutions.

Enforcement is Scaling: Automated Monitoring is Here

The regulatory landscape is rapidly shifting:

This is significant. Unlike the GDPR, where compliance is often assessed via internal documentation and process audits, ePrivacy Directive compliance is technical - and binary:

You are either compliant, or you are not.

  • Tracking occurs before consent? You're in breach.
  • Data is shared without the proper legal basis? You're in breach.
  • Your consent banner doesn’t reflect actual tracking behavior? You're in breach.

There is no in-between.
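
The first and third conditions above can be checked mechanically against a captured request log. The following is an added example, not AesirX code: the host-to-purpose map, the hypothetical first-party endpoint `metrics.example.com`, the log format and all sample values are assumptions constructed for illustration.

```javascript
// Added example; the host map, log format and sample values are constructed.
// metrics.example.com stands in for a first-party server-side tagging endpoint.
const TRACKER_PURPOSES = new Map([
  ["www.googletagmanager.com", "tag-management"],
  ["www.google-analytics.com", "analytics"],
  ["connect.facebook.net", "marketing"],
  ["metrics.example.com", "analytics"],
]);

// Return the purpose for a tracker host (or one of its subdomains), else null.
function classifyHost(hostname) {
  for (const [host, purpose] of TRACKER_PURPOSES) {
    if (hostname === host || hostname.endsWith("." + host)) return purpose;
  }
  return null;
}

// requests: [{ time (ms since navigation start), url }]; consent: { grantedAt or null, purposes }
function auditRequests(requests, consent) {
  const findings = [];
  for (const req of requests) {
    let hostname;
    try {
      hostname = new URL(req.url).hostname;
    } catch {
      findings.push({ url: req.url, purpose: null, issue: "unparseable-url" });
      continue;
    }
    const purpose = classifyHost(hostname);
    if (purpose === null) continue; // not a known tracker endpoint
    if (consent.grantedAt === null || req.time < consent.grantedAt) {
      findings.push({ url: req.url, purpose, issue: "before-consent" });
    } else if (!consent.purposes.includes(purpose)) {
      findings.push({ url: req.url, purpose, issue: "purpose-not-consented" });
    }
  }
  return findings;
}

// Constructed sample: the user accepted "analytics" only, 2000 ms after load.
const SAMPLE_CONSENT = { grantedAt: 2000, purposes: ["analytics"] };
const SAMPLE_REQUESTS = [
  { time: 120, url: "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX" },
  { time: 150, url: "https://www.example.com/assets/app.css" },
  { time: 300, url: "https://metrics.example.com/collect?v=2" },
  { time: 2500, url: "https://www.google-analytics.com/g/collect?v=2" },
  { time: 2600, url: "https://connect.facebook.net/en_US/fbevents.js" },
];
console.log(auditRequests(SAMPLE_REQUESTS, SAMPLE_CONSENT));
```

A browser-side log only shows what leaves the browser: forwarding from a server-side tagging endpoint to vendors has to be audited on the server, which is why the first-party endpoint is classified here by its purpose rather than exempted.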

Continuous Monitoring Is Now Essential

At AesirX, we anticipated this shift and built our Privacy Monitoring Service accordingly.

We provide:

  • Continuous scanning of your website to identify unauthorized trackers
  • Detection of server-side and tag-managed tracking that bypasses consent
  • Real-time alerts when new technologies are embedded that may put you at risk

Your website is constantly changing - marketing teams deploy new tools, developers push updates, vendors introduce tracking scripts via integrations. Without continuous oversight, your site can become non-compliant overnight.

Privacy is not a one-time project. It’s an ongoing responsibility.

Key Takeaways for Compliance

  • If your compliance strategy starts and ends with a cookie banner, it’s insufficient.
  • If your server-side tagging or tag manager loads third-party scripts before consent, it’s unlawful.
  • If your actual data processing exceeds the scope of what users consented to, it's a violation.

Today’s regulatory landscape demands transparency, technical accuracy, and continuous monitoring.

That’s not just best practice - it’s now a requirement.

If you want to discuss how AesirX can help keep your site compliant as technology changes, feel free to connect.

Ronni K. Gothard Christiansen
Technical Compliance Engineer & CEO, AesirX.io
