If your website loads Google Analytics, Facebook Pixel, or even a third-party consent banner before a visitor clicks "Accept," you may already be in breach of the ePrivacy Directive and GDPR - and as of July 2025, enforcement is not just theoretical. It’s happening across Europe.
On July 15, 2025, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) published a series of enforcement letters following cookie investigations into five major websites. Each was found to violate Article 5(3) of the ePrivacy Directive by deploying tracking technologies before obtaining user consent. When combined with GDPR obligations, such violations constitute unlawful processing.
Though no fines were issued - owing to prompt remediation - the AP made one thing clear: these were not procedural slip-ups. They were legal violations. And this wave of letters marks the end of “educational leniency.” It’s a formal shift toward structured enforcement.
This builds directly on AP’s earlier wave of April 15 warnings to 50 organizations with non-compliant cookie banners. With these July outcomes, we now have concrete evidence of action - not just intention.
A Cross-Border Pattern of Illegality
The Dutch AP’s July crackdown follows its April warnings to 50 organizations - offering confirmation that violations are widespread and enforcement is escalating.
In Denmark, our scan of over 36,000 business websites revealed that 73.02% initiated tracking before consent. Google, Meta, and Cookie-Consent-as-a-Service (CCaaS) vendors like Cookiebot were frequently found loading trackers before any user interaction.
In Germany, regulators and courts have moved beyond investigation and into judgment:
- March 2025: The Hannover Regional Court ruled that Google Tag Manager and Consent Mode 2.0 violate GDPR and ePrivacy due to pre-consent data transfers.
- July 2025: The Leipzig Regional Court awarded €5,000 in damages to a user tracked by Meta Pixel, even without demonstrating material harm. Unauthorized tracking itself was sufficient to justify compensation.
Together, these events outline a coordinated EU-wide legal standard:
Prior consent is not optional.
Convenience, configuration defaults, or platform “norms” are not valid defenses.
Representative Actions & Germany’s Role in Class Action Risk
This isn’t just a local issue. Thanks to the EU Representative Actions Directive (in effect since June 2023), consumer groups can now file cross-border class actions for privacy violations.
And Germany stands out as the most potent jurisdiction for bringing such claims. Under its implementation of the Directive, all affected consumers are bound by the outcome, even if they didn’t join the case at the start.
That means a single case in Germany involving a non-compliant CMP or tracker could unlock damages for millions of users across the EU - retroactively.
It’s no coincidence that Germany is where the first damage rulings are landing. It has:
- Procedural readiness for large-scale litigation
- Strong privacy case law history
- A system that prioritizes substantive consumer redress over symbolic enforcement
From Detection to Liability – The €5,000 Single User Precedent
The Dutch AP’s decision not to fine does not diminish the severity of the violation. It simply reflects that the controllers acted fast to remedy the situation.
But the reality is this: under slightly different conditions - more users, more data, more delay - fines and class actions would be viable.
The Leipzig court awarded €5,000 in damages to a single user tracked by Meta Pixel - establishing a precedent that unauthorized tracking alone can justify compensation. If this logic scales through representative actions, the financial risk becomes exponential.
- With collective actions enabled, even low opt-in rates can still trigger massive legal risk
- Public regulator findings - like those from the Dutch AP - make it easier for plaintiffs to build their case
In short, the economic consequences of ignoring pre-consent tracking now rival the reputational ones.
Consent Theater – Why Most CMPs Are Failing Their Clients
Many Cookie-Consent-as-a-Service (CCaaS) platforms, by default, load scripts from third-party CDNs or include embedded analytics - creating a high risk of unlawful processing unless explicitly designed to delay all data flow until valid consent is obtained.
These systems:
- Load scripts from third-party CDNs
- Trigger external telemetry and trackers before any user decision
- Use embedded analytics to monitor banner engagement
Far from protecting your business, these tools often create the very violation regulators are pursuing. And by running externally, they shift data to third parties before consent, which, by legal definition, makes it unlawful processing.
This is what we call consent theater: the illusion of compliance, driven by banners that flash too late and scripts that run too early.
The Path Forward – Real Compliance by Design
At AesirX, we believe compliance isn’t just legal - it’s architectural.
Our First-Party CMP makes true compliance possible:
- No scripts run until explicit consent is recorded
- All consent logic is self-hosted and first-party
- Our scanner detects violations before regulators or plaintiffs do
If we can catch beacons loading before consent, so can regulators. And now, so can courts - and class-action lawyers.
What You Must Audit, Today
- Are any third-party scripts loading before consent is confirmed?
- Is your CMP self-hosted or dependent on external CDNs?
- Does Google Tag Manager execute before consent, even if only to load your CMP?
  - If GTM is used to load your CMP - and GTM executes before consent - that alone constitutes a tracking violation under Article 5(3) of the ePrivacy Directive, even if no other tags are fired.
If you cannot answer with certainty - and with logs to prove it - you’re exposed.
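One way to produce that evidence is to record a HAR capture of a fresh visit and list every third-party request that started before the consent click. The script below is an added example, not AesirX's scanner; the site domain, the consent timestamp and every host in the constructed sample except www.googletagmanager.com are assumptions.

```javascript
// Added example: find third-party requests that started before consent.
// SAMPLE_HAR is constructed data in HAR 1.2 shape; the GTM id is a placeholder.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2025-07-15T10:00:00.000Z", request: { url: "https://www.shop.example/" } },
  { startedDateTime: "2025-07-15T10:00:00.120Z", request: { url: "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER" } },
  { startedDateTime: "2025-07-15T10:00:00.300Z", request: { url: "https://cdn.cmp-vendor.example/banner.js" } },
  { startedDateTime: "2025-07-15T10:00:00.350Z", request: { url: "https://static.shop.example/app.js" } },
  { startedDateTime: "2025-07-15T10:00:04.200Z", request: { url: "https://analytics.tracker.example/collect" } },
] } };

// True when host is the given domain or one of its subdomains.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Third-party requests that started before consentAt (ISO timestamp).
// consentAt === null: no choice was made, so every request is pre-consent.
function preConsentThirdParty(har, siteDomain, consentAt) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  const findings = [];
  for (const entry of har.log.entries) {
    let host = "";
    try { host = new URL(entry.request.url).hostname.toLowerCase(); } catch { continue; }
    if (!host || isFirstParty(host, siteDomain)) continue; // data:/blob: URLs have no host
    if (Date.parse(entry.startedDateTime) < cutoff) {
      findings.push({ host, url: entry.request.url, at: entry.startedDateTime });
    }
  }
  return findings;
}

// Condense the findings into the answers the audit checklist asks for.
function auditSummary(har, siteDomain, consentAt) {
  const findings = preConsentThirdParty(har, siteDomain, consentAt);
  const hosts = [...new Set(findings.map((f) => f.host))].sort();
  return {
    preConsentRequests: findings.length,
    hosts,
    gtmBeforeConsent: hosts.some((h) => isFirstParty(h, "googletagmanager.com")),
  };
}

console.log(auditSummary(SAMPLE_HAR, "shop.example", "2025-07-15T10:00:04.000Z"));
```

A subdomain of your own site that is CNAME-aliased to a vendor passes the first-party check here, so verify where first-party subdomains actually resolve as a separate step.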
As the Dutch AP made clear:
“Correcting the issue later” is not a defense.
It’s merely a reason to avoid sanctions this time.
Final Takeaway – Real Risk, Real Enforcement, Real Urgency
- Enforcement is happening.
- Courts are compensating.
- Class actions are forming.
- €5,000 per visitor is no longer theoretical.
The age of privacy theater is ending - digital trust now demands real consent. The time to act is now.
Ronni K. Gothard Christiansen
Technical Privacy Engineer & CEO, AesirX.io