What We Learned Scanning the Websites of Europe’s 1,000 Largest Companies
Summary
What happens when you scan the websites of the 1,000 largest European companies for privacy compliance, consent accuracy, and accessibility? We were wondering the same thing. This session features ObservePoint walking through the findings across three dimensions:
- Privacy & Consent — CMP alignment, advertising tag behavior, and how well the region’s largest brands respect user choices
- Consent Mode & Social Tracking — Google Consent Mode v2 misconfiguration rates and the high-stakes reputational risk of careless social media pixel management
- Accessibility — How European enterprise websites measure up against WCAG 2.1 standards under the European Accessibility Act (EAA)
Even with greater GDPR maturity, prominent companies are still struggling to align policy with practice. Watch to see exactly where the gaps are, what regulators are acting on, and how automated auditing can help you eliminate risk.
Key Takeaways
- 30% of Europe's largest companies are still loading ad trackers before consent — 8 years after GDPR. While that number has dropped from 70% at GDPR's launch, nearly one in three of the continent's biggest brands is still exposed to fines of up to 4% of global turnover or €20 million, whichever is higher.
- 29% of sites using Google Consent Mode are broadcasting the wrong signal — likely by accident. When a visitor declines cookies, these sites are still telling Google that consent was granted, often due to homebrew CMP implementations that haven't kept pace with Google's requirements — a misconfiguration that's invisible without automated scanning.
- Embedding a YouTube video by default fires Google Ads remarketing pixels on opted-out visitors. The fix is conditional rendering: load the standard YouTube embed for consenting users and the privacy-enhanced (no-cookie) domain for those who decline — same video, no compliance exposure.
- The Facebook pixel carries outsized reputational risk even at low prevalence. Only 7% of sites loaded Facebook with an opted-out profile — relatively low — but a Facebook tracking violation is far more likely to make headlines than an obscure ad tech vendor, making it a disproportionate brand risk worth monitoring closely.
- A third of Europe's largest websites have at least one critical accessibility issue under WCAG 2.1. With the EAA now in force and fines of up to 5% of turnover or €1.2 million, accessibility has moved from a best-practice conversation to an active compliance obligation — and automated scanning is the only practical way to monitor it at scale.
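The Consent Mode takeaway above describes sites that report "granted" after a visitor declines. The following is an added example, not code from the webinar or from ObservePoint: it replays the `gtag('consent', ...)` commands recorded in a page's `dataLayer` and compares the result with the visitor's choice. The `choice` object, the function names and the sample `dataLayer` are assumptions made for illustration.

```javascript
// Added example, not ObservePoint's scanner. `choice` is a hypothetical record
// of what the visitor picked in the banner: { marketing: bool, analytics: bool }.
const SIGNALS = {
  ad_storage: "marketing",
  ad_user_data: "marketing",
  ad_personalization: "marketing",
  analytics_storage: "analytics",
};

// Replay gtag('consent', 'default' | 'update', {...}) entries in order; the
// last value written for each signal wins.
// Simplification: region-scoped defaults are treated like global ones.
function effectiveConsent(dataLayer) {
  const state = {};
  for (const entry of dataLayer) {
    if (!entry || typeof entry.length !== "number") continue; // GTM event objects
    const [command, action, params] = Array.from(entry);
    if (command !== "consent" || !["default", "update"].includes(action)) continue;
    for (const key of Object.keys(SIGNALS)) {
      if (params && key in params) state[key] = params[key];
    }
  }
  return state;
}

// Report every signal that is missing or says "granted" after a decline.
function auditConsent(dataLayer, choice) {
  const state = effectiveConsent(dataLayer);
  const findings = [];
  for (const [key, category] of Object.entries(SIGNALS)) {
    const allowed = choice[category] === true;
    if (state[key] === undefined) findings.push({ key, issue: "not signalled" });
    else if (state[key] === "granted" && !allowed)
      findings.push({ key, issue: "granted after decline" });
  }
  return findings;
}

// Constructed dataLayer: correct defaults, then a custom banner that sends the
// same update whichever button the visitor presses.
const sampleDataLayer = [
  ["consent", "default", { ad_storage: "denied", analytics_storage: "denied" }],
  { event: "gtm.js" },
  ["consent", "update", { ad_storage: "granted", analytics_storage: "granted" }],
];
```

Run against a live page, the input would be `window.dataLayer` captured after the banner interaction.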
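The conditional rendering fix from the YouTube takeaway above, as an added example that is not code from the webinar: it normalises the URL shapes editors typically paste and picks the embed host from the consent state. `hasMarketingConsent` is a hypothetical flag supplied by your CMP integration, and the 11-character video ID pattern is an assumption based on how YouTube IDs currently look.

```javascript
// Added example (not from the webinar). `hasMarketingConsent` is a hypothetical
// boolean your CMP integration supplies.
const YT_HOSTS = new Set(["www.youtube.com", "youtube.com", "m.youtube.com",
                          "www.youtube-nocookie.com", "youtu.be"]);
// Assumption: video IDs are 11 URL-safe characters.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Pull the video ID out of watch, short-link, embed and shorts URLs.
// Returns null for anything that is not an https YouTube URL.
function extractVideoId(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (url.protocol !== "https:" || !YT_HOSTS.has(url.hostname)) return null;
  const parts = url.pathname.split("/").filter(Boolean);
  let id = null;
  if (url.hostname === "youtu.be") id = parts[0];
  else if (parts[0] === "watch") id = url.searchParams.get("v");
  else if (parts[0] === "embed" || parts[0] === "shorts") id = parts[1];
  return id && VIDEO_ID.test(id) ? id : null;
}

// Standard host only with consent; privacy-enhanced host otherwise.
// Anything other than an explicit `true` is treated as a decline, so a
// missing or not-yet-loaded consent state never selects the tracking embed.
function buildEmbedUrl(rawUrl, hasMarketingConsent) {
  const id = extractVideoId(rawUrl);
  if (id === null) return null;
  const host = hasMarketingConsent === true
    ? "www.youtube.com"
    : "www.youtube-nocookie.com";
  return `https://${host}/embed/${id}`;
}

// Rewrite a list of iframe sources, e.g. when the visitor changes their
// choice; sources that are not YouTube URLs are returned untouched.
function rewriteEmbeds(srcList, hasMarketingConsent) {
  return srcList.map((src) => buildEmbedUrl(src, hasMarketingConsent) ?? src);
}
```

Rebuilding the URL from the validated ID also drops any query parameters an editor pasted along with the link, so player options need to be re-added deliberately.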
Webinar Transcript
Today we're walking through what we found scanning the websites of the 1,000 largest companies in Europe. My name's Ethan Prete, I run marketing at ObservePoint. ObservePoint sits in a unique position working with some of the world's most recognized brands, and every few months we refresh these large-scale benchmarking reports to tell the story of where things actually stand. In this case, we scanned the 1,000 largest companies in the EU — ranked by market capitalization — and asked: what would their websites tell us? Mike, go ahead and introduce yourself.
I'm Mike Fong, Senior Solutions Engineer at ObservePoint. I've had the pleasure of working with a huge number of European companies over the years, and one of the most common questions we hear is: how do I compare against my vertical? Against the average? This benchmarking exercise is really our answer to that question at scale.
And that's exactly why I pushed for this report. The goal is to give everyone a benchmark they can take back to their team — anonymized, no confidential data, just a clear picture of where the industry stands so organizations can ask: are we above the curve, or do we have room to improve?
A quick note on methodology: we scanned the homepage and the 10 most prominent linked pages for each of the 1,000 companies — 10,000 pages total. The sample is the Fortune 500 European equivalent (the 500 largest by market cap) plus the next 500 to round out to a statistically useful number.
On the why: over the last six months I've had the chance to meet with roughly 60 chief privacy officers and data protection officers across Europe and the US. The problem is pervasive — more regulations than ever, new privacy laws appearing every few months. Roughly 80% of the world's population is now covered by some form of privacy law comparable to GDPR. The question organizations keep asking is: how is my site actually responding to users? Is it honoring opt-outs? Is consent being respected? That's the question we set out to answer.
Finding 1: 30% of sites load ad trackers before consent.
Of the thousand sites we scanned, 300 were still loading marketing pixels, cookies, and trackers before consent was given — and we excluded consent mode implementations from this count, so these are straightforward cases of marketing pixels that should not be firing. It's worth remembering that GDPR has been in force for eight years. When we did similar research on day one of GDPR, the number was 70%. It has been trending down, which is progress. But 30% is still significant when you consider that the potential fine is 4% of global annual turnover or €20 million, whichever is higher.
The question I'd ask everyone is: if your legal team knocked on your door right now and asked whether you have ad trackers loading without consent, could you give them an informed answer? Not just an answer — an informed one, backed by evidence from something you checked recently. Because even if you checked last week, someone can make a change tomorrow and accidentally trigger a tracker. That's exactly why automated monitoring exists.
Finding 2: 7% of sites load the Facebook pixel on opted-out visitors.
Seventy of the thousand sites we scanned were loading the Facebook pixel even when a visitor had declined tracking. There's no consent mode equivalent for Facebook — it's black and white. At 7% it's relatively low, and most companies are doing a good job controlling it. But the reputational dimension matters here. If an obscure affiliate tracking technology is found on your site without consent, that won't make the news. If Facebook is found tracking your customers before they consent, it will. The potential headline risk is disproportionate to the market share of the platform, and it's worth monitoring closely. Ethan, you wanted to add something here.
One thing that came up in a chat question worth calling out: CIPA — the California Invasion of Privacy Act — which was originally an anti-wiretapping law from the 1960s, is now being used by law firms to file claims against websites that load certain tracking pixels without proper consent. Facebook is one of the most common targets. These firms are using AI to scan websites for non-compliant pixels and sending out demand letters at scale. If you have Facebook on your site and you're not correctly honoring opt-out profiles, the likelihood of receiving one of these letters is very high. The same applies to session recording tools like FullStory or Microsoft Clarity — not inherently problematic, but they need to be tightly managed.
Finding 3: 50% of sites dropped third-party cookies on visitors who had not opted in.
This one is less alarming in isolation because third-party cookies aren't always bad — a PayPal cookie, Klarna, or another payment provider may be essential to your site's functionality. But when a third-party cookie maps to a clear marketing pixel — a Google Analytics domain, a Facebook.com domain — and that visitor hasn't consented, that's the exposure. ObservePoint has a patent-granted feature that identifies not just which third-party cookies are present, but how they're being loaded — which JavaScript file, which line of code, or which server-side request triggered them. That level of traceability is what allows your dev or analytics team to actually go fix the right thing.
Finding 4: 29% of sites using Google Consent Mode are broadcasting incorrect consent signals.
Google Consent Mode is a signal you send to Google alongside your GA4 or Google Marketing pixels that tells Google whether the visitor has consented to tracking. If they've declined, the site should send an anonymous, cookie-less ping — no personalization, no retargeting. What we found is that 29% of the thousand sites we audited were sending the wrong signal: the customer declined cookies, but the site was telling Google that consent had been given. Google was tracking them anyway. I don't believe this is intentional. In most cases it comes down to homebrew consent management platforms that haven't kept up with Google's requirements. If you built your own CMP four years ago and assigned minimal developer time to maintaining it, there's a good chance it doesn't properly implement Google Consent Mode — because consent mode became mandatory two or three years ago and may have simply not been on your developer's radar. Our recommendation is to use a legitimate third-party CMP rather than a custom-built one, precisely because keeping up with changes across all platforms and jurisdictions is a full-time job.
Bonus finding: Default YouTube embeds fire Google Ads remarketing on opted-out visitors.
This wasn't part of our formal research, but it's common enough that it needed to be called out. When you embed a YouTube video using the default embed code, YouTube will track whoever watches it — even when it's on your website, and even when that visitor has declined cookies. Our tag initiator chain view makes this visible: you can trace the Google Ads remarketing pixel directly back to the YouTube player as its source.
The fix is conditional rendering. YouTube gives you two embed options: the standard URL and the privacy-enhanced mode URL (the "no cookie" domain). Your developers can implement logic that loads the standard embed for visitors who have consented to cookies, and the no-cookie embed for those who haven't. The visitor still gets your video content. The Google Ads remarketing pixel is simply not triggered for opted-out visitors. I see this issue with roughly half of the new clients I work with. If you have YouTube videos on your site, please check how they're embedded.
One of our customers — one of the 100 largest companies in the US — came to us after discovering 17,000 unapproved cookies on their website. They initially didn't believe the number was real. Using the initiator chain view, we were able to identify where the cookies were coming from at the source and systematically work through them. Over eight months, they went from 17,000 down to zero.
Finding 5: A third of Europe's largest websites have at least one critical WCAG 2.1 accessibility issue.
This year, for the first time, we were able to include accessibility scanning in this research. The European Accessibility Act came into force on June 28th of last year, and it requires websites to meet WCAG double-A standard — the globally accepted benchmark. A third of the 1,000 sites we scanned have at least one critical accessibility issue. To be clear, that's at least one — in practice it's often many more.
On the penalty side: the EAA carries fines of up to 5% of turnover or a maximum of €1.2 million. In the US, the ADA update that came in around the same time operates differently — claims are pursued through law firms, with fine amounts determined case by case. For multinationals, both frameworks apply, and ObservePoint can help you scan against both programmatically and build the body of evidence you need to respond to any claim.
To wrap up: we've been generating custom report cards for organizations that want to see how they stack up against these benchmarks. We scan somewhere between 100 and 1,000 pages of your website, check them from multiple geographic locations — California, Germany, Brazil, India — and show you the percentage of pages with pre-consent trackers, unique tracker counts, CMP coverage, and more, all benchmarked against the European top 1,000. If you'd like one, request it through the link in the chat and we'll schedule a walkthrough.
These reports are genuinely valuable — they give you a real measure of where you stand against the European benchmark, and we can drill into a specific vertical as a custom piece of work if that's more useful. Really proud of how these have come together.