BlueOcean Privacy AI

Tracking without consent — how high is the legal risk?

The most common data protection violation on websites is invisible: trackers that fire before anyone agrees. Across the EU, this is exactly what regulators and claimants increasingly target.

BlueOcean Privacy AI 4 min read

How big is the legal risk really?

The risk is real and growing: trackers that send data without consent breach the ePrivacy Directive (Art. 5(3)) and the GDPR — and across the EU they trigger complaints, regulatory action and claims from competitors, consumer associations and data subjects.

Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a user's device — cookies and most tracking technologies — requires prior consent unless it is strictly necessary for the service. Where that processing involves personal data, the GDPR applies on top: a valid legal basis, transparency and the data subject's rights.

Particularly in focus: Google Analytics, Meta pixels and embedded services such as fonts, maps or YouTube, which open connections to third-country (often US) servers as soon as the page loads. National regulators apply these EU rules in their own way — in Germany, for example, supervisory authorities and courts have repeatedly objected to trackers firing before consent, and similar enforcement exists in France, Italy, Spain and other member states.

Who is liable — including the agency?

The website operator is the controller and bears primary responsibility under the GDPR. But agencies that build and maintain websites are increasingly drawn in — both contractually and when something goes wrong.

If you build websites for clients, do not dismiss data protection as "the client's problem". A sloppy tracking setup ultimately comes back to the agency: unhappy clients, rework at your own expense, and in the worst case a claim for the cost of fixing it.

In practice the line between controller (your client) and processor (often the agency) matters: a clear contract and a clean technical implementation protect both sides.

How to spot the problem

You cannot tell from the source code whether trackers fire before consent — only a real browser test that compares behaviour before and after consent reveals it.

That is exactly what the free scan from BlueOcean Privacy AI does: a real browser loads the page and shows which trackers become active before consent is given — with a clear rating against the ePrivacy and GDPR requirements.

  • Before consent — which requests fire on page load, without any interaction?
  • After "Reject all" — does anything still load that should not?
  • Third-country transfers — which services connect to servers outside the EU?
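One way to run such a before/after comparison yourself, as an added example that is not BlueOcean's scanner: the classification works on any list of captured request URLs (a constructed sample is included), while the optional browser capture assumes Playwright and a selector for the banner's own reject control. Third-country detection is not attempted here, since it needs a server-location lookup the capture alone cannot provide.

```python
"""Before/after-consent request comparison (added example, not BlueOcean's scanner)."""
from urllib.parse import urlsplit

# Illustrative host fragments for common trackers/embeds (constructed, not exhaustive).
TRACKER_HINTS = ("google-analytics.com", "googletagmanager.com", "facebook.net",
                 "doubleclick.net", "fonts.googleapis.com", "fonts.gstatic.com", "youtube.com")
# Constructed sample capture: requests on page load, then after clicking "Reject all".
SAMPLE_BEFORE = ["https://example-shop.test/", "https://example-shop.test/app.js",
                 "https://www.google-analytics.com/collect?v=1",
                 "https://connect.facebook.net/en_US/fbevents.js"]
SAMPLE_AFTER = ["https://example-shop.test/cart",
                "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"]

def host_of(url):
    return urlsplit(url).hostname or ""

def is_first_party(url, site_host):
    h = host_of(url)
    return h == site_host or h.endswith("." + site_host)

def classify(urls, site_host):
    """Map each third-party request URL to 'known-tracker' or 'third-party'."""
    findings = {}
    for url in urls:
        if not is_first_party(url, site_host):
            h = host_of(url)
            findings[url] = "known-tracker" if any(t in h for t in TRACKER_HINTS) else "third-party"
    return findings

def assess(before_consent, after_reject, site_host):
    """Any non-first-party request before consent or after 'Reject all' is a finding."""
    pre, post = classify(before_consent, site_host), classify(after_reject, site_host)
    return {"before_consent": pre, "after_reject": post,
            "verdict": "fail" if pre or post else "pass"}

def capture_with_browser(url, reject_selector, site_host):
    """Real-browser capture via Playwright (pip install playwright; playwright install
    chromium). reject_selector is an assumption: the banner's own reject control."""
    from playwright.sync_api import sync_playwright  # lazy import: optional dependency
    seen = []
    with sync_playwright() as p:
        browser = p.chromium.launch()
        page = browser.new_page()
        page.on("request", lambda req: seen.append(req.url))
        page.goto(url, wait_until="networkidle")
        before, after_start = list(seen), len(seen)  # everything so far fired with no interaction
        page.click(reject_selector)
        page.wait_for_timeout(3000)  # let late-firing scripts show up
        browser.close()
    return assess(before, seen[after_start:], site_host)
```

Run `assess(SAMPLE_BEFORE, SAMPLE_AFTER, "example-shop.test")` to see the constructed case fail on both counts; pass a real URL, the reject button's selector and the site's hostname to `capture_with_browser` to test a live page.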

How to protect yourself and your clients

Choose a banner that technically blocks trackers before they load — rather than merely "managing" them after the fact — and keep the privacy policy current and a record of each client site's status.

A compliant setup rests on a few principles:

  • Block before load. No tracker runs until the visitor has actively consented.
  • "Reject all" is equivalent. Declining must be as easy and as prominent as accepting — same level, same effort.
  • Keep the privacy policy current. When a new tool or pixel is added, the disclosure has to reflect it.

BlueOcean Privacy AI blocks content before it loads, keeps the privacy policy up to date, and gives you a traffic-light status for every client page. Want to secure your portfolio? Start a free website scan or book a consultation and we will look at it together.

FAQ

Can I face legal action for tracking without consent?

Yes. Trackers that read or write data on a device, or process personal data, without prior consent breach the ePrivacy Directive (Art. 5(3)) and the GDPR. Across the EU this can lead to complaints, regulatory action and claims — from competitors, consumer associations and data subjects.

Is the agency or the client liable?

The website operator is the controller and primarily responsible under the GDPR. In practice, however, agencies that build and run the site are increasingly drawn into liability as well — including contractually. A clear contract and a clean implementation protect both parties.

How do I find out whether my site is affected?

With a real browser scan that checks what fires before consent is given. The free check from BlueOcean Privacy AI shows the result in minutes, rated against the ePrivacy and GDPR requirements.