Jul 18, 2025 · 4 minute read

Why Most Cookie Consent-as-a-Service Tools Fail the ePrivacy Directive Test


And What That Means for Your Legal Risk in 2025

Over the past months, we’ve scanned over 36,000 business websites in Denmark to evaluate compliance with Article 5(3) of the ePrivacy Directive – particularly focusing on whether tracking technologies are deployed before users give consent.

The results were unequivocal and alarming.

A significant majority of third-party Consent Management Platforms (CMPs) loaded pixel trackers, telemetry scripts, or analytics tools before users had the opportunity to accept cookies.

This isn’t a matter of interpretation or implementation nuances. It’s a direct and fundamental violation of the law, and it stems from the design choices embedded in most CMPs.

What Article 5(3) of the ePrivacy Directive Requires

The directive leaves no room for doubt:

“Storing information or gaining access to information already stored in the terminal equipment of a subscriber or user is only allowed on the basis of consent, unless strictly necessary for the service explicitly requested by the user.”
- ePrivacy Directive, Article 5(3)
- Confirmed by EDPB Guidelines 02/2023, paragraph 42

This legal obligation applies not only to cookies but to all technologies that access user devices – including local storage, JavaScript, pixel trackers, and telemetry. Consent must be obtained prior to any such access, except where the technology is strictly necessary for the user-requested service.

CMPs Are Not Automatically Exempt

A common misconception is that CMPs themselves are exempt from consent requirements. This is only true if the CMP performs no other functions beyond recording the user’s choice and does not itself load tracking components.

However, our scans revealed that most CMPs in use today:

  • Load third-party pixel trackers for analytics or conversion tracking
  • Include telemetry for heatmaps, UI performance, or A/B testing
  • Record page views for billing or vendor analytics
  • Are delivered through third-party CDNs or loaded via Google Tag Manager (GTM)

These practices are not strictly necessary. Therefore, they are not exempt and constitute violations of Article 5(3).

The Pixel Tracker Problem

Pixel trackers, analytics tools, and any form of telemetry that accesses device information fall under the scope of the ePrivacy Directive. They must not be activated before consent is given.

Even if it is used only for internal performance metrics or vendor reporting: if the tool accesses user data or the device prior to consent, it is non-compliant.

Regulatory bodies and legal rulings have been clear on this point:

  • EDPB Guidelines 02/2023 emphasize purpose and data access, not tool labels
  • CNIL, the Austrian DSB, and German courts have enforced against tools like Meta Pixel, Google Tag Manager, and Google Analytics when used without valid consent
  • WP29 Opinion 04/2012 defines “technical necessity” narrowly

CMPs, like any other vendor, do not get to self-define what constitutes ‘strict necessity’; this is a legal threshold, not a design choice. If they insert tracking scripts before consent, they fail at their core purpose.

Findings from the AesirX Scan of 36,500 Danish Domains

In our Danish nationwide privacy scan:

  • Over 73% of websites deployed tracking technologies before consent
  • Most of these used third-party CMPs
  • Every one of those CMPs that appeared among the top 50 beacons found was observed to load one or more of the following before consent: pixel trackers, analytics scripts, or telemetry tools

In many cases, these CMPs were loaded via GTM or third-party CDNs. Consent Mode 2.0 was often triggered automatically before any user interaction.

These implementations were not compliant by design.

Why CMP Architecture Matters

Vendors may argue that such functions are standard, or harmless. But intent is not what the law evaluates.

The key questions are:

  • Does the component access or store information on a user’s device before consent?
  • Is it strictly necessary for the user-requested service?

If not, it requires prior consent.

CMP providers must meet the same compliance obligations as any other third-party service. Simply branding a tool as a “consent solution” does not provide legal immunity.

Recommendations for Compliance

To align with both the ePrivacy Directive and GDPR:

  • Self-host your CMP to retain complete control
  • Use first-party design without third-party CDNs or external scripts
  • Eliminate telemetry and analytics from your CMP interface
  • Avoid GTM and load your CMP directly
  • Audit your setup using tools like the AesirX Privacy Scanner to confirm compliance
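The two questions from the previous section and the audit step above can be turned into a mechanical check. The following Node.js script is an added example for this post; it is not AesirX code and not the AesirX Privacy Scanner. It takes a captured page-load timeline of network requests, cookie writes and localStorage writes, finds the moment the CMP recorded the user's choice, and flags every event before that moment unless it is on a strictly-necessary allowlist (here: the self-hosted CMP script and its own choice cookie). The hostnames, cookie names, allowlist and the timeline itself are constructed for the example.

```javascript
// Added example for this post (not AesirX code, not its Privacy Scanner): apply
// the two ePrivacy questions to a page-load timeline. Each event is a network
// request, a cookie write or a localStorage write with the millisecond it
// happened. Anything before the consent choice is flagged unless allowlisted.
// Hostnames, cookie names, the allowlist and the timeline are all constructed.

const FIRST_PARTY = "shop.example";      // constructed: the site's own host
const CONSENT_COOKIE = "cmp_choice";     // constructed: the CMP's first-party choice cookie

// Strictly necessary in this setup: the self-hosted CMP script and the cookie
// that stores the user's choice. Nothing else is exempt before consent.
const NECESSARY = new Set([
  "request:shop.example/cmp/cmp.js",
  "cookie:cmp_choice",
]);

// True when the request host is neither the site's own host nor one of its subdomains.
function isThirdParty(url) {
  const host = new URL(url).hostname;
  return host !== FIRST_PARTY && !host.endsWith("." + FIRST_PARTY);
}

// Stable key used to look an event up in the allowlist.
function eventKey(ev) {
  if (ev.kind === "request") {
    const u = new URL(ev.url);
    return `request:${u.hostname}${u.pathname}`;
  }
  return `${ev.kind}:${ev.name}`;        // "cookie:<name>" or "storage:<name>"
}

// Time at which the CMP recorded a choice, or null if the user never chose.
function consentTime(timeline) {
  const ev = timeline.find(e => e.kind === "cookie" && e.name === CONSENT_COOKIE);
  return ev ? ev.t : null;
}

// Returns null when the event is compliant, otherwise the reason it is not.
function classify(ev, consentAt) {
  const beforeConsent = consentAt === null || ev.t < consentAt;
  if (!beforeConsent) return null;                 // consent already given
  if (NECESSARY.has(eventKey(ev))) return null;    // strictly necessary
  if (ev.kind === "request") {
    // A first-party fetch stores nothing by itself; a third-party one hands
    // the device over to the vendor before the user has agreed to anything.
    return isThirdParty(ev.url) ? "third-party request before consent" : null;
  }
  return `${ev.kind} write before consent`;        // cookie or localStorage
}

function audit(timeline) {
  const consentAt = consentTime(timeline);
  const violations = [];
  for (const ev of timeline) {
    const reason = classify(ev, consentAt);
    if (reason) violations.push({ t: ev.t, key: eventKey(ev), reason });
  }
  return { consentAt, violations };
}

// Constructed capture of one page load: the CMP script itself is self-hosted,
// but it pulls vendor telemetry and writes session storage, and a pixel plus an
// analytics cookie fire long before the user accepts at t=3000.
const TIMELINE = [
  { t: 0,    kind: "request", url: "https://shop.example/" },
  { t: 40,   kind: "request", url: "https://shop.example/cmp/cmp.js" },
  { t: 55,   kind: "request", url: "https://cdn.cmp-vendor.example/telemetry.js" },
  { t: 60,   kind: "storage", name: "_cmp_session" },
  { t: 90,   kind: "request", url: "https://pixel.adnet.example/collect?ev=pageview" },
  { t: 120,  kind: "cookie",  name: "_ga" },
  { t: 3000, kind: "cookie",  name: "cmp_choice" },
  { t: 3010, kind: "request", url: "https://analytics.example-vendor.net/collect" },
];

const result = audit(TIMELINE);
console.log(`consent recorded at t=${result.consentAt}`);
for (const v of result.violations) console.log(`t=${v.t} ${v.key}: ${v.reason}`);
```

Run against the constructed timeline, the audit reports four pre-consent violations (the vendor telemetry script, the CMP's own storage write, the pixel beacon and the analytics cookie) and passes the root document, the self-hosted CMP script and everything after t=3000. In a real audit the timeline comes from a headless browser that records requests, cookie and storage writes from navigation until the banner is answered; the allowlist should contain only what is documented as strictly necessary, and a CMP that needs more than its own script and choice cookie is exactly the case the scan results above describe.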

Compliance is not a checkbox, nor is it something you can outsource blindly. It is a matter of design, responsibility, and respect for user privacy.

If your Consent Management Platform tracks users before asking for permission, it is not managing consent; it is undermining it. And why would you pay for a CMP if it does not make you compliant?

Ronni K. Gothard Christiansen
Technical Privacy Engineer & CEO, AesirX.io
