- Denmark: 81/98 non-compliant (82.7%)
- Sweden: 264/288 non-compliant (91.7%)
This is the public sector - the benchmark the rest of us are supposed to follow. Instead, cookies, pixels, and beacons fire on first load. Residents don’t get a real choice; their browsers do the choosing for them.
Article 5(3) of the EU ePrivacy Directive requires consent before storing or accessing information on a user’s device, including reading existing identifiers via cookies, localStorage, sessionStorage or IndexedDB, or causing device access through pixels/beacons.
The “strictly necessary” exception is narrow (e.g., essential session continuity or load-balancing) and does not cover analytics, advertising, convenience tags or telemetry for CMP invoicing. If you access the device before consent, you’re outside the law.
“A school lunch page loads - and a tracking pixel fires before the allergy notice even appears.”
How we measured
During Aug-Sep 2025, we examined the homepages of all 98 DK and 288 SE municipalities. We captured evidence of (1) device access (cookies/localStorage and similar), (2) third-party calls (pixels/beacons), and (3) the order in which these fired relative to any consent interface. Our procedure mirrors the EDPS Website Evidence Collector approach: parameterized, automated collection with reproducible outputs.
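An added example (not the study's own tooling or the EDPS collector's code) of the ordering check described above: given a captured timeline of cookies, storage writes and outbound requests, it lists everything that happened before an explicit accept. The event shape, the `.example` hosts and the strictly-necessary allowlist are assumptions.

```javascript
// Added example: audit a captured page-load timeline for pre-consent activity.
// Event shape, hosts and the allowlist are assumptions, not the study's tooling.
const STRICTLY_NECESSARY = new Set(["cookie:session_id"]);

// Constructed capture for a fictional site; t is ms since navigation start.
const SAMPLE_TIMELINE = [
  { t: 40, kind: "cookie", name: "session_id", host: "kommune.example" },
  { t: 120, kind: "request", name: "/collect", host: "analytics.example" },
  { t: 180, kind: "storage", name: "_visitor", host: "kommune.example" },
  { t: 260, kind: "cookie", name: "_track", host: "ads.example" },
  { t: 900, kind: "consent", name: "accept", host: "kommune.example" },
  { t: 950, kind: "request", name: "/pixel.gif", host: "ads.example" },
];

function isThirdParty(host, siteHost) {
  return host !== siteHost && !host.endsWith("." + siteHost);
}

function auditTimeline(events, siteHost) {
  const ordered = [...events].sort((a, b) => a.t - b.t);
  // Only an explicit accept opens the gate; a reject or no banner never does.
  const accept = ordered.find((e) => e.kind === "consent" && e.name === "accept");
  const consentAt = accept ? accept.t : Infinity;
  const findings = [];
  for (const e of ordered) {
    if (e.kind === "consent" || e.t >= consentAt) continue;
    const thirdParty = isThirdParty(e.host, siteHost);
    // Loading the site's own resources is the page itself, not a tracking call
    // (a simplification assumed by this sketch).
    if (e.kind === "request" && !thirdParty) continue;
    // The exemption applies to allowlisted first-party items only.
    if (!thirdParty && STRICTLY_NECESSARY.has(`${e.kind}:${e.name}`)) continue;
    findings.push({ ...e, thirdParty });
  }
  return { consentAt, compliant: findings.length === 0, findings };
}

console.log(auditTimeline(SAMPLE_TIMELINE, "kommune.example"));
```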
What the data shows
- Denmark (n=98): 81 non-compliant (68 high risk, 13 medium, 17 low). Aggregate signals observed on homepages: 99 cookies and 359 beacons.
- Sweden (n=288): 264 non-compliant (219 high, 45 medium, 23 low). Aggregate signals: 93 cookies and 1,234 beacons.
- Pattern: tracking technologies often initialize before consent is collected, or banners only block some technologies while others fire.
Now the part that should make everyone uncomfortable:
Sovereignty we say vs. telemetry we ship
Every week, boards and councils debate European independence from U.S. Big Tech. We talk about jurisdiction, cloud strategy, “digital self-determination.” Then we go home and let our municipal websites beam resident data straight into those same ecosystems on page load.
That’s not strategy. That’s muscle memory: default scripts, default tags, default vendor kits. It’s a reflex that says “we’ll fix it later” while every visit leaks a little more telemetry to companies we claim we need independence from. When schools, health pages, and citizen portals do this, it isn’t abstract. It’s children’s devices, patients’ devices, elderly citizens’ devices, turned into data sources before they’ve even seen a meaningful choice.
The hypocrisy undermines trust. You can’t credibly call for digital sovereignty on Monday and outsource telemetry by default on Tuesday. If independence matters in policy, it must matter in code.
“Sovereignty isn’t a press release; it’s what your website does in the first 300 milliseconds.”
Who must act
- Denmark - Datatilsynet (DPA): investigate and enforce where necessary; Digitaliseringsstyrelsen (Agency for Digital Government): issue a hands‑on baseline, architectures, and procurement standards municipalities can follow.
- Sweden - IMY: supervisory authority ensuring GDPR and related rules are followed; Digg - Myndigheten för digital förvaltning (Agency for Digital Government): issue a hands‑on baseline, architectures, and procurement standards municipalities can follow.
“Publish and enforce a block‑by‑default before consent baseline that covers all device access and outbound calls - not just classic cookies.”
What “good” looks like
- Block everything before consent. Cookies, pixels, localStorage, sessionStorage, IndexedDB, fingerprinting, SDKs - nothing fires until the person clearly opts in.
- Keep “strictly necessary” narrow. Core session continuity or uptime only; never a backdoor for analytics or ads.
- Make the choice real. No nudging, no pre‑ticked boxes, no “banner theater.”
- Prove it. Maintain auditable logs showing initialization order and that nothing fired pre‑consent.
- Procure for compliance by design. Reward suppliers who demonstrate pre‑consent blocking across tags/scripts and provide evidence.
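One way to implement block-by-default with an auditable initialization log, as an added example rather than any vendor's or the author's code; the category names and the `register`/`decide` API are hypothetical. It only governs tags that register through it, so scripts hard-coded in the page still need removing.

```javascript
// Added example: block-by-default tag gate; categories and API are assumptions.
class ConsentGate {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.pending = []; // tags held until the visitor decides
    this.log = []; // append-only record of what ran, in order
    this.granted = new Set(["necessary"]); // the only pre-consent category
    this.decided = false;
  }
  record(event, detail) {
    this.log.push({ seq: this.log.length + 1, at: this.now(), event, ...detail });
  }
  register(name, category, init) {
    if (this.granted.has(category)) {
      this.record("init", { name, category });
      init();
    } else if (this.decided) {
      this.record("blocked", { name, category }); // category was refused
    } else {
      this.pending.push({ name, category, init });
      this.record("held", { name, category });
    }
  }
  decide(categories) {
    this.decided = true;
    this.record("consent", { categories: [...categories] });
    categories.forEach((c) => this.granted.add(c));
    for (const t of this.pending.splice(0)) this.register(t.name, t.category, t.init);
  }
  // Audit check: every non-necessary init comes after the consent entry.
  provesNoPreConsentInit() {
    const c = this.log.find((e) => e.event === "consent");
    const consentSeq = c ? c.seq : Infinity;
    return this.log.every((e) => e.event !== "init" || e.category === "necessary" || e.seq > consentSeq);
  }
}

// Constructed scenario: three tags register on load, visitor allows statistics only.
function demo() {
  let clock = 0;
  const fired = [];
  const gate = new ConsentGate(() => (clock += 10));
  gate.register("session", "necessary", () => fired.push("session"));
  gate.register("analytics", "statistics", () => fired.push("analytics"));
  gate.register("ad-pixel", "marketing", () => fired.push("ad-pixel"));
  const beforeConsent = [...fired];
  gate.decide(["statistics"]);
  return { beforeConsent, fired, gate };
}
```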
Why this matters beyond homepages
If municipalities can’t keep first‑load tracking under control on the simplest public touchpoint, how will we credibly govern AI procurement, health data, education platforms, and cross‑border cloud? Trust dies from small cuts: one pixel here, one SDK there - all before consent. Multiply by millions of sessions.
Denmark and Sweden can lead here. We already lead on digital government. But leadership isn’t what you pledge at conferences; it’s what your homepage does when a resident arrives. Right now, 4 in 5 Danish municipal sites and 9 in 10 Swedish ones fail that basic test. If we truly believe in European independence from Big Tech and foreign clouds, we should start where trust begins: the first visit to a public website.
Digitaliseringsstyrelsen, IMY, municipalities: publish and enforce a national baseline - block-by-default before consent for all device access and outbound calls.
Ronni K. Gothard Christiansen
Technical Privacy Engineer & CEO, AesirX.io