Danish E-Commerce Awards 2025: Behind the Banners, Privacy Compliance Still Falls Short

For the third consecutive year, I have performed privacy scans on all top 5 nominees across every category in the Danish E-Commerce Awards, and again, the findings raise serious concerns about the actual level of compliance with EU data protection law, particularly the ePrivacy Directive Article 5(3) (Cookiebekendtgørelsen in Denmark).

While more businesses now implement cookie consent banners and claim GDPR compliance, the majority still fail to meet even the basic legal requirements. Misclassified cookies, premature activation of tracking scripts, and widespread use of beacons and third-party cookies, often without valid consent, remain common issues.

Methodology & Limitations

This assessment is based on client-side privacy scans capable of detecting beacons, cookies, and other known tracking technologies. However, server-side tracking mechanisms such as Google Tag Manager Server (sGTM) or proxy-based solutions, now increasingly used to bypass front-end consent enforcement, are not visible to these tools. As such, some websites may appear more compliant than they actually are. Importantly, this visibility gap does not imply legal compliance.

Key Observations by Category

B2C – Under 100M DKK Online Revenue

This category exhibited some of the most problematic privacy practices. All five nominees showed extensive use of tracking beacons and third-party cookies, often well above 20+ scripts per site. Even in cases where third-party cookies were low or absent, the number of tracking requests made through beacons remained high. These tracking technologies were consistently activated on first load, often without valid consent.

B2C – Over 100M DKK Online Revenue

A few of the larger platforms are beginning to show signs of improvement. One in particular has significantly reduced its tracking footprint, loading only a handful of scripts and no third-party cookies. However, most nominees in this category still make extensive use of tracking technologies, including one with over 50 beacons. The gap between the best and worst performers here is notable.

B2B – Under 200M DKK Online Revenue

This segment showed mixed results. A few nominees maintained relatively low levels of tracking, but others reached beacon counts in the 20–40 range. In most cases, cookies and beacons were misclassified, or activated prior to consent. This indicates that while the visibility of tracking may be lower than in B2C, the legal compliance is still insufficient.

B2B – Over 200M DKK Online Revenue

This was the most compliant category overall. Several nominees had minimal client-side tracking, some with no third-party cookies at all, and only a handful of beacon requests. That said, even these small amounts still require proper consent under ePrivacy 5(3), and there’s no indication that such consent was always obtained before activation.

Best eCommerce Tool

This category had some of the highest volumes of third-party tracking, with multiple nominees deploying over 30 beacons and, in some cases, as many as 19 third-party cookies. For businesses providing tools to others, especially analytics and automation platforms, this level of tracking raises serious questions about default settings and whether consent frameworks are respected at all.

Best Omnichannel Business

Tracking levels varied widely in this category. One or two nominees showed relatively low tracking presence, but others had beacon counts over 30, with numerous third-party integrations. Even where a banner was present, tracking frequently occurred regardless of user interaction.

Best Export eCommerce

This category was another mixed bag. Some nominees had moderate tracking levels, but others were again in the high 20s and 30s in terms of beacon activity. The use of third-party cookies was also notable in several cases. Consent implementations were mostly superficial, often failing to block scripts until after opt-in.

Best New eCommerce Business

Newcomers were not exempt from the same issues. Many of these newer platforms still displayed high beacon counts and misused cookie categories, indicating that privacy-by-design is not being implemented at the product development stage. Several nominees appeared to be using third-party tools without proper configuration for consent.

Best eCommerce Case (Vendor + Client)

Some joint cases performed better than expected, particularly those involving mature platform partners with privacy-conscious implementations. Others, however, reflected the same compliance gaps seen in standalone sites. In general, vendors and agencies seem to focus more on functionality and personalization than legal compliance, which continues to be an afterthought.

Special Award – Best Pure eCommerce Business

Again, tracking levels were high across most nominees in this category. A few standouts kept beacon and cookie use to a minimum, but the rest exceeded reasonable thresholds. Even those with “low” numbers still demonstrated violations, either through pre-consent activation or misclassification of tracking as technically necessary.

Good Intentions, Incomplete Implementations

From our ongoing analysis and experience working with clients across sectors, one recurring insight stands out: more than half of the companies we assess genuinely believe they are doing things correctly when it comes to privacy compliance.

They are actively engaging with suppliers, cookie consent solution providers, legal advisors, and digital agencies. Many have invested in Consent Management Platforms (CMPs) and privacy notices. Internally, marketing, compliance, and legal teams often share a common goal: to respect the customer and comply with the law. The intent is sincere, no one is deliberately trying to collect personal data behind the user's back.

Yet despite those good intentions, the outcome is frequently the same: illegal tracking and data collection - not due to intent, but to technical implementations that are misaligned with legal requirements.

Most businesses are simply unaware of the technical limitations of the solutions they rely on. The tools in place often only address third-party cookies, while failing to detect or control more advanced tracking technologies, particularly those embedded deeper in the tech stack.

The types of tracking commonly missed or misclassified include, but are not limited to:

• Beacons and invisible tracking pixels
  
  
• LocalStorage and sessionStorage
  
  
• Fingerprinting technologies
  
  
• Scripts and tags loaded indirectly via other tools
  
  
• Server-side Google Tag Manager (sGTM) and proxy-based tracking
  
  

Technologies like server-side GTM are increasingly used to bypass client-side consent mechanisms, allowing tracking data to be collected and transmitted without the user’s knowledge or browser visibility. While often deployed to improve site speed and data control, these tools also introduce significant legal risk, particularly when used without implementing equivalent consent controls server-side.

In most cases, CMPs are unaware of what happens after the consent layer. The result: consent is collected, but not respected.

Core Compliance Failures

1. Misuse of “Strictly Necessary”
   Many nominees incorrectly label tracking technologies as “strictly necessary” to justify bypassing consent. Under the law, this exemption is only valid when the data processing is necessary for the provision of a service explicitly requested by the user. It does not apply to analytics, personalization, marketing, or the needs of the eCommerce owner or third-party vendors.
   
   
2. Premature Activation of Trackers
   Almost all nominees triggered trackers before receiving valid consent. This is a direct violation of ePrivacy Directive Article 5(3), which requires that storage or access of any information on the user’s device may only take place after consent has been freely given, specific, informed, and unambiguous.
   
   
3. Consent Mechanisms Are Deceptive or Dysfunctional
   While CMPs are present on most sites, they are often implemented incorrectly, either triggering scripts before interaction, using dark patterns, or failing to block non-essential cookies until after affirmative user action. For example, third-party analytics scripts are often loaded as part of a ‘performance’ or ‘technical necessary’ category set to 'on' by default, or fired via tag manager before any consent interaction occurs.
   
   
4. Over-Reliance on Visual Compliance
   The presence of a banner or policy is often used as a proxy for actual compliance, but a closer technical look tells a very different story. In most cases, data collection happens regardless of what the user selects.

Cross-Border Data Transfers

This year’s analysis did not include a full review of data sharing practices with cross-border implications. However, it should be noted that nearly every single nominee is transmitting behavioral and personal data,  including IP addresses, to U.S.-based SaaS and Big Tech providers.

Given the current legal uncertainty surrounding EU–U.S. data transfers,  and the potential disruption if such transfers are no longer deemed legally valid,  this raises significant compliance and operational risks.

If the legal basis for these cross-border transfers were to collapse, as it nearly did under Schrems II, the continuous export of Danish citizens’ purchase behavior and personal identifiers to U.S. entities could become a serious liability, both for the companies involved and for the privacy rights of the individuals affected.

It’s important to emphasize that these transfers are likely not intentional violations. In our experience, the companies nominated do not wish to expose their customers’ data unlawfully, and are often unaware of the full extent of cross-border sharing happening through embedded third-party services and platforms.

Nonetheless, this is an area that deserves urgent attention, especially in light of evolving regulatory scrutiny and the broader push toward digital sovereignty and data minimization.

Final Thoughts

The recurring pattern is clear: visual compliance has improved, but substantive compliance remains lacking. The presence of consent banners and privacy policies is no longer sufficient. Without properly configured mechanisms that prevent tracking until valid consent is obtained, and without eliminating the misuse of technical necessity, many of these platforms remain in breach of both the GDPR and the ePrivacy Directive.

The good news is that a few platforms are starting to get it right, or at least reduce their tracking footprint significantly. But the overall trend across the Danish eCommerce landscape suggests that privacy is still treated as a layer added late in the process, not as a core design principle.

Until this changes, compliance risks will remain high, and user trust will continue to erode.

Need Help Achieving Real Compliance?

As technical compliance experts, we specialize in helping organizations move beyond surface-level consent solutions and toward actual legal compliance, both in Denmark and internationally.

Our First-Party Consent Management Platform is built to handle all types of tracking technologies, not just cookies, aligned with the full scope of the ePrivacy Directive, GDPR, and other global privacy laws.

We also support Global Privacy Control (GPC), a legally recognized opt-out signal under the California Consumer Privacy Act (CCPA). This means that if a user’s browser or plugin sends a GPC signal, it will automatically register as a valid withdrawal of consent, as required by law in California, where several of this year’s Danish eCommerce nominees also serve customers.

Whether you're operating locally or serving global markets, privacy compliance must follow the user - not just the domain or data center. If you're ready to go beyond basic banner setups and implement a technically sound, future-proof compliance framework, we're here to help.

We offer full-site tracking audits and implementation support tailored to your market and risk exposure. If you're ready to take the next step - Let’s talk.

Ronni K. Gothard Christiansen
CEO & Technical Compliance Expert, AesirX.io 

Appendix: Full Tracking & Data Collection Scan Results

Full breakdown of all nominees and their respective beacon and third-party cookie counts, as referenced above including each category's naming in Danish.

The link on the company name links to the full Privacy Scan & Report and the amount of Beacons and Cookies found are mentioned after.

Any loading of beacons or third-party cookies before valid, informed, and explicit consent constitutes a violation of GDPR and the ePrivacy Directive Article 5(3).

Note: The following scan results reflect only client-side detectable tracking (beacons and third-party cookies). Actual tracking may be higher where server-side methods are in use.