Skip to content

7 cookie consent mistakes that break GDPR

By Philipp Kant 5 min read

Cookie consent mistakes are the gaps between what a cookie banner promises and what the website’s code actually does: trackers that load before consent, a reject button that changes nothing, tools that run undisclosed. Each one turns the banner into decoration and breaks the GDPR and Germany’s TDDDG. These are the seven we find most often.

Here is the short version. Each row is expanded below.

#MistakeWhy it breaks the law
1Trackers load before consentNo prior consent (§ 25 TDDDG, Planet49)
2”Reject” does not stop trackingProcessing with no legal basis (GDPR Art. 6)
3No real reject optionConsent not freely given (GDPR Art. 7)
4Analytics with no banner at allNo consent collected (§ 25 TDDDG)
5Tools not named in the privacy policyTransparency failure (GDPR Art. 13)
6Data leaves the EU before consentUnlawful transfer (GDPR Art. 44, Schrems II)
7Google Fonts loaded from GoogleUndisclosed US transfer (LG München I)

The cardinal mistake, and the most common. Analytics, ad pixels, or a tag manager fire the moment the page loads, before the visitor has agreed to anything. § 25 TDDDG requires consent before any non-essential technology reads or writes to the device, and the European Court of Justice fixed the standard in Planet49: consent is a prior, active choice.

How to check: load the page with developer tools open and do not touch the banner. Any analytics or ad request in the Network tab is a violation. We saw this on a third of the sites in our last field scan.

2. “Reject” does not actually stop the tracking

A site shows a proper banner with a reject button, and tracks everyone who clicks it anyway. The consent tool records the choice, but nothing in the code blocks the scripts. Legally this is the same as having no banner: personal data is processed without a basis (GDPR Article 6).

How to check: click reject, reload, and watch the Network tab. If the same trackers return, your reject is wired to nothing.

3. The banner has no real reject button

A prominent “Accept all” and no equally easy way to refuse. Consent that is not freely given is not valid consent (GDPR Article 7). Hiding reject behind “Manage options” and two more clicks fails the same test. Reject has to be as easy as accept, on the first screen.

How to check: look at the first banner screen. If you can accept in one click but cannot reject in one click, it is a dark pattern.

4. Analytics runs with no banner at all

Some sites skip consent entirely. Analytics, maps, and embedded video load, cookies are set, and the visitor is never asked. This is common on template and website-builder sites where tracking ships switched on by default. No consent collected means no legal basis (§ 25 TDDDG).

How to check: if you have analytics in your reports but no consent banner on the site, you have this problem.

5. Tools fire that are not named in the privacy policy

Article 13 of the GDPR requires you to disclose which third parties receive visitor data. We find this gap even on sites that gate consent correctly: the banner works, but a tool runs that the privacy policy never mentions. Tag managers and product-analytics tools are the usual omissions.

How to check: list every tool that loads after you accept, then search your privacy policy for each one. Any tool not named is an Article 13 gap.

IP addresses and device data sent to US services count as an international transfer under GDPR Article 44, and after Schrems II that transfer needs its own safeguards. When a US tool loads before consent, the transfer happens before the visitor could agree to it. reCAPTCHA and US-hosted analytics are frequent culprits.

How to check: in the Network tab, look for requests to US-based services firing before consent. Pure code CDNs are lower risk; analytics, ads, and captchas are not.

7. Google Fonts and Maps load straight from Google

Embedding Google Fonts, Maps, or reCAPTCHA directly from Google sends the visitor’s IP address to Google on page load. A German court (LG München I) awarded damages over dynamically embedded Google Fonts for exactly this reason. Self-host fonts, and load maps or captcha only after consent.

How to check: look for requests to fonts.googleapis.com or maps.googleapis.com before consent. If they are there, the fix is self-hosting or consent-gating.

How to find all seven on your own site

Each check above is a manual version you can run in your browser’s developer tools. To do it in one pass, our free Cookie Scanner drives a headless browser through all three phases (before consent, after reject, after accept), names every tracker and cookie, checks each tool against your privacy policy, and flags US transfers. The output is a report, not a score you have to interpret.

For what a compliant banner actually requires, see Is your cookie banner actually GDPR-compliant?, and to compare the tools that find these gaps, the best free cookie scanners, ranked. If these gaps are part of a broader cleanup of how your site and systems are set up, that is the work we do, often for the German SMBs where this comes up most.

FAQ

What is the most common cookie consent mistake? Tracking before consent. On the German business sites in our last scan, a third were loading Google Analytics or Tag Manager on page load, before the banner was touched.

Does clicking reject stop all cookies? It should, but often it does not. Many consent tools are installed without wiring the reject choice to actually block the scripts. Always test it: reject, reload, and watch what comes back.

Can these mistakes actually be fined? Yes. Supervisory authorities can act on them, and in Germany undisclosed tools and embedded Google Fonts have already led to warnings and damages. The risk is not only the fine, it is the cost of fixing this under pressure instead of ahead of time.

How do I check my own site? Run each check in this post in your browser’s developer tools, or use the Cookie Scanner to do all of them at once.

Is this legal advice? No. We are a technical partner, not a law firm. We give you the technical evidence; a lawyer tells you what it means for your situation.

Find out which of the seven are on your site before a competitor or a Datenschutz lawyer does. Run the Cookie Scanner, or tell us what you are dealing with.

Have something in mind?

Send a short email describing the problem and what success looks like. We read every one and reply within a few days.