
What Is a GDPR Cookie Violation? Real Examples & How to Fix Them
GDPR cookie violations are not abstract legal theory. They are concrete technical failures that happen on real websites every day. In this article, we show you five real-world violation patterns we have encountered while scanning thousands of sites with ConsentScope. Each example includes what went wrong, why it matters and exactly how to fix it.
Violation 1: The invisible Facebook Pixel
A mid-sized fashion e-commerce store had Cookiebot installed and configured. The banner appeared correctly. The cookie policy was comprehensive. But when we scanned the site with ConsentScope, we immediately saw a Facebook Pixel firing before consent.
Root cause: The marketing team had added the Meta Pixel directly to the Shopify theme's Liquid template six months earlier. Nobody told the developer who managed Cookiebot. The pixel loaded from connect.facebook.net before Cookiebot's auto-blocking script had a chance to intercept it.
Fix: Remove the hardcoded pixel from the theme. Add the pixel through Google Tag Manager with a consent-based trigger that checks for Cookiebot's marketing consent event before firing. Retest in a clean browser session.
Violation 2: Google Analytics 4 on "legitimate interest"
A B2B SaaS company used OneTrust with GA4 configured under "legitimate interest" instead of consent. Their legal team had read that analytics cookies are "low risk" and decided legitimate interest was sufficient.
Why it is wrong: The European Data Protection Board has explicitly stated that storage and access under the ePrivacy Directive require consent. Legitimate interest is not a valid legal basis for analytics cookies. The EDPB guidelines are clear on this point.
Fix: Move GA4 from the "legitimate interest" category to "statistics" or "analytics" in OneTrust. Configure GTM to fire the GA4 tag only after the user consents to analytics. Update the cookie policy to reflect the correct legal basis.
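The fixes for violations 1 and 2 share one mechanism: a tag is never injected directly, it is registered against a consent category and released only when the CMP reports consent for that category. The gate below is an added example in plain JavaScript, not ConsentScope's, Cookiebot's or OneTrust's code; the Cookiebot event and property names in the trailing comment, and the `loadScript` helper, are assumptions.

```javascript
// Added example: a CMP-agnostic consent gate. Every category except
// "necessary" is denied by default, so nothing fires before the user decides.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

function createConsentGate() {
  const pending = [];   // tags registered but not yet released
  const loaded = [];    // names of tags whose loader has actually run
  let consent = { necessary: true, preferences: false, statistics: false, marketing: false };

  // Run every pending loader whose category is consented. Unconsented tags
  // stay queued so a later change in the preference center can release them.
  function flush() {
    for (let i = pending.length - 1; i >= 0; i--) {
      const tag = pending[i];
      if (consent[tag.category]) {
        pending.splice(i, 1);
        tag.load();
        loaded.push(tag.name);
      }
    }
  }

  return {
    // Register a tag instead of dropping its <script> into the theme; the
    // loader is only called once its category has been consented to.
    register(name, category, load) {
      if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
      pending.push({ name, category, load });
      flush();  // releases immediately only if consent is already known
    },
    // Feed the CMP's per-category booleans in here; "necessary" never waits.
    update(state) {
      consent = { ...consent, ...state, necessary: true };
      flush();
    },
    loadedTags: () => loaded.slice(),
    pendingTags: () => pending.map((t) => t.name),
  };
}

// Browser wiring (assumed Cookiebot API names and a hypothetical loadScript; not run in Node):
// const gate = createConsentGate();
// gate.register("meta-pixel", "marketing", () => loadScript(META_PIXEL_URL));
// gate.register("ga4", "statistics", () => loadScript(GA4_URL));
// window.addEventListener("CookiebotOnConsentReady", () => gate.update(window.Cookiebot.consent));
```

Retest in a clean browser session after wiring it up: with "Reject All" the pending list must keep both tags and the network log must show no request to either host.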
Violation 3: The "Accept All" button with hidden reject
A German news publisher used a custom-built consent banner. The banner showed a large green "Accept All" button in the center. The "Reject All" option was a tiny grey text link buried at the bottom of the banner, invisible without scrolling.
Why it is wrong: GDPR Article 7 requires that consent be freely given. The European Court of Justice and multiple DPAs have ruled that burying the reject option or making it visually inferior to accept constitutes a dark pattern and invalidates consent.
Fix: Redesign the banner so that "Accept" and "Reject" are equally prominent. Same size buttons, same color intensity, same visual weight. Place them side by side or stacked with equal spacing. Provide a "Manage Preferences" option for granular control.
Violation 4: Consent banner on page three
A travel booking site loaded the consent banner only after the user navigated to the third page or spent 30 seconds on the site. In the meantime, Google Ads, Bing Ads and a retargeting pixel fired on every page load.
Why it is wrong: Consent must be obtained before any non-essential processing occurs. Delaying the banner while tracking continues is equivalent to not having a banner at all. The ePrivacy Directive is unambiguous: no consent means no storage or access.
Fix: Load the CMP script synchronously in the document head so the banner appears before any tracking script executes. If you use a tag manager, make sure the CMP loader is a hardcoded script, not a tag inside GTM.
Violation 5: The cookie policy that lies
An online education platform had a beautifully written cookie policy that listed only 8 cookies. When we scanned the site, ConsentScope detected 34 cookies, including three advertising pixels and a session replay tool that were not mentioned anywhere in the policy.
Why it is wrong: GDPR Articles 13 and 14 require transparent information about processing. A cookie policy that omits tracking technologies is not just incomplete; it is actively misleading. If a user reads your policy, decides to trust you and then discovers you are tracking them with tools you never disclosed, that trust is broken and the consent is invalid.
Fix: Run a comprehensive cookie scan across every page template on your site. Update the cookie policy to include every single cookie, pixel and storage entry. Assign correct categories and retention periods. Review quarterly or after every deployment.
How to avoid these violations
- Audit quarterly: Website updates, new plugins and marketing campaigns reintroduce violations constantly.
- Cross-team communication: Marketing must tell developers before adding any tracking pixel.
- Use a verification tool: ConsentScope detects pre-consent cookies, scripts and storage in real time.
- Document everything: Every cookie, every vendor, every legal basis. Update when things change.
- Test reject paths: Most teams test "Accept All." Few test "Reject All." The reject path is where violations hide.
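The audit checks behind violations 4 and 5 and the "test reject paths" point reduce to one pass over a recorded session: anything non-essential seen before the consent event, anything absent from the cookie policy, and anything set in a category the user rejected. The function below is an added example, not ConsentScope's scanner; the event format, the sample policy and the sample session are constructed for it.

```javascript
// Added example: audit one recorded session (cookies, storage entries and
// third-party script loads, each with a timestamp relative to page load)
// against the declared cookie policy and the consent choice the user made.

// Constructed policy: what the site's cookie policy actually declares.
const POLICY = {
  session_id: "necessary",
  _ga: "statistics",
  _fbp: "marketing",
  _fbc: "marketing",
  "connect.facebook.net": "marketing",   // third-party script host
};

// Constructed session: a user who rejects marketing but accepts statistics.
const EVENTS = [
  { t: 120,  kind: "cookie",  name: "session_id" },
  { t: 340,  kind: "script",  name: "connect.facebook.net" },
  { t: 900,  kind: "cookie",  name: "_fbp" },
  { t: 5200, kind: "consent", choice: { statistics: true, marketing: false } },
  { t: 5300, kind: "cookie",  name: "_ga" },
  { t: 5400, kind: "storage", name: "sr_session" },   // session replay, undisclosed
  { t: 6000, kind: "cookie",  name: "_fbc" },
];

function auditSession(events, policy = POLICY) {
  const findings = [];
  let consent = null;                                   // null until the user chooses
  for (const e of events) {
    if (e.kind === "consent") { consent = e.choice; continue; }
    const category = policy[e.name] || "undisclosed";
    if (category === "necessary") continue;             // exempt from consent
    if (consent === null) {
      findings.push({ name: e.name, t: e.t, reason: "set before consent" });
    } else if (category === "undisclosed") {
      findings.push({ name: e.name, t: e.t, reason: "not in cookie policy" });
    } else if (!consent[category]) {
      findings.push({ name: e.name, t: e.t, reason: "set despite rejecting " + category });
    }
  }
  return findings;
}
```

Run the same function over an "Accept All" session and a "Reject All" session; a clean reject run returns only findings for undisclosed entries, which is the list the policy update in violation 5 has to absorb.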
Catch violations before regulators do
ConsentScope scans your site in real time and flags every cookie, script and storage entry that appears before user consent.
Author: ConsentScope Team, Privacy Engineers & Chrome Extension Developers
We build tools that help developers, agencies and privacy advocates detect GDPR cookie violations automatically. Our team analyzes consent banners, cookie behavior and third-party scripts across thousands of websites every month.