7 cookie consent mistakes that break GDPR
By Philipp Kant 5 min read
Cookie consent mistakes are the gaps between what a cookie banner promises and what the website’s code actually does: trackers that load before consent, a reject button that changes nothing, tools that run undisclosed. Each one turns the banner into decoration and breaks the GDPR and Germany’s TDDDG. These are the seven we find most often.
Here is the short version. Each row is expanded below.
| # | Mistake | Why it breaks the law |
|---|---|---|
| 1 | Trackers load before consent | No prior consent (§ 25 TDDDG, Planet49) |
| 2 | ”Reject” does not stop tracking | Processing with no legal basis (GDPR Art. 6) |
| 3 | No real reject option | Consent not freely given (GDPR Art. 7) |
| 4 | Analytics with no banner at all | No consent collected (§ 25 TDDDG) |
| 5 | Tools not named in the privacy policy | Transparency failure (GDPR Art. 13) |
| 6 | Data leaves the EU before consent | Unlawful transfer (GDPR Art. 44, Schrems II) |
| 7 | Google Fonts loaded from Google | Undisclosed US transfer (LG München I) |
1. Trackers load before anyone clicks consent
The cardinal mistake, and the most common. Analytics, ad pixels, or a tag manager fire the moment the page loads, before the visitor has agreed to anything. § 25 TDDDG requires consent before any non-essential technology reads or writes to the device, and the European Court of Justice fixed the standard in Planet49: consent is a prior, active choice.
How to check: load the page with developer tools open and do not touch the banner. Any analytics or ad request in the Network tab is a violation. We saw this on a third of the sites in our last field scan.
2. “Reject” does not actually stop the tracking
A site shows a proper banner with a reject button, and tracks everyone who clicks it anyway. The consent tool records the choice, but nothing in the code blocks the scripts. Legally this is the same as having no banner: personal data is processed without a basis (GDPR Article 6).
How to check: click reject, reload, and watch the Network tab. If the same trackers return, your reject is wired to nothing.
3. The banner has no real reject button
A prominent “Accept all” and no equally easy way to refuse. Consent that is not freely given is not valid consent (GDPR Article 7). Hiding reject behind “Manage options” and two more clicks fails the same test. Reject has to be as easy as accept, on the first screen.
How to check: look at the first banner screen. If you can accept in one click but cannot reject in one click, it is a dark pattern.
4. Analytics runs with no banner at all
Some sites skip consent entirely. Analytics, maps, and embedded video load, cookies are set, and the visitor is never asked. This is common on template and website-builder sites where tracking ships switched on by default. No consent collected means no legal basis (§ 25 TDDDG).
How to check: if you have analytics in your reports but no consent banner on the site, you have this problem.
5. Tools fire that are not named in the privacy policy
Article 13 of the GDPR requires you to disclose which third parties receive visitor data. We find this gap even on sites that gate consent correctly: the banner works, but a tool runs that the privacy policy never mentions. Tag managers and product-analytics tools are the usual omissions.
How to check: list every tool that loads after you accept, then search your privacy policy for each one. Any tool not named is an Article 13 gap.
6. Personal data leaves the EU before consent
IP addresses and device data sent to US services count as an international transfer under GDPR Article 44, and after Schrems II that transfer needs its own safeguards. When a US tool loads before consent, the transfer happens before the visitor could agree to it. reCAPTCHA and US-hosted analytics are frequent culprits.
How to check: in the Network tab, look for requests to US-based services firing before consent. Pure code CDNs are lower risk; analytics, ads, and captchas are not.
7. Google Fonts and Maps load straight from Google
Embedding Google Fonts, Maps, or reCAPTCHA directly from Google sends the visitor’s IP address to Google on page load. A German court (LG München I) awarded damages over dynamically embedded Google Fonts for exactly this reason. Self-host fonts, and load maps or captcha only after consent.
How to check: look for requests to fonts.googleapis.com or maps.googleapis.com before consent. If they are there, the fix is self-hosting or consent-gating.
How to find all seven on your own site
Each check above is a manual version you can run in your browser’s developer tools. To do it in one pass, our free Cookie Scanner drives a headless browser through all three phases (before consent, after reject, after accept), names every tracker and cookie, checks each tool against your privacy policy, and flags US transfers. The output is a report, not a score you have to interpret.
For what a compliant banner actually requires, see Is your cookie banner actually GDPR-compliant?, and to compare the tools that find these gaps, the best free cookie scanners, ranked. If these gaps are part of a broader cleanup of how your site and systems are set up, that is the work we do, often for the German SMBs where this comes up most.
FAQ
What is the most common cookie consent mistake? Tracking before consent. On the German business sites in our last scan, a third were loading Google Analytics or Tag Manager on page load, before the banner was touched.
Does clicking reject stop all cookies? It should, but often it does not. Many consent tools are installed without wiring the reject choice to actually block the scripts. Always test it: reject, reload, and watch what comes back.
Can these mistakes actually be fined? Yes. Supervisory authorities can act on them, and in Germany undisclosed tools and embedded Google Fonts have already led to warnings and damages. The risk is not only the fine, it is the cost of fixing this under pressure instead of ahead of time.
How do I check my own site? Run each check in this post in your browser’s developer tools, or use the Cookie Scanner to do all of them at once.
Is this legal advice? No. We are a technical partner, not a law firm. We give you the technical evidence; a lawyer tells you what it means for your situation.
Find out which of the seven are on your site before a competitor or a Datenschutz lawyer does. Run the Cookie Scanner, or tell us what you are dealing with.