high gdpr-cmp-missing

No cookie banner, but trackers are present

Your site loads tracking cookies and third-party marketing scripts on the very first visit, and we couldn't find any consent banner. Under GDPR and the German TDDDG that's the textbook violation.

What this means in plain English

The scanner observed your site as a first-time visitor — no prior consent given, no cookies set. On the very first paint, the page loaded at least one tracking script (Google Analytics, Facebook Pixel, Hotjar, etc.) or set at least one tracking cookie, and we couldn’t find any of the common consent-banner platforms (Cookiebot, Usercentrics, Borlabs, Klaro, OneTrust, Iubenda, Real Cookie Banner, CookieYes).

That’s the textbook GDPR plus German TDDDG violation: trackers running on visitor data without the consent they need.

Why it matters

Two legal regimes reinforce each other on this:

  1. TDDDG §25 (Germany) / ePrivacy Directive Article 5(3). Any storage of or access to information on a user’s terminal equipment requires their prior, informed, freely-given consent — unless the storage is strictly necessary for the service requested. Analytics, advertising, and behavioural cookies are not strictly necessary.
  2. GDPR Article 6. Processing personal data needs a lawful basis; for marketing and analytics trackers, consent is the only practical one. Article 7 governs how consent is requested and tightens the rules further.

German data protection authorities have issued fines from the low four figures up to several hundred thousand euros for this specific category of finding. Even where no fine is imposed, an ordered remediation typically blocks marketing analytics on the site until the platform is fixed — which can be more disruptive than the fine itself.

There’s a competitive risk too: competitors increasingly file “Mitbewerberabmahnungen” (cease-and-desist letters between businesses) on this exact basis, with the longer-term prospect of damages claims under §3a UWG (German unfair-competition law).

How to fix it

Pick a consent-banner platform that has blocking mode, install it, and verify that the trackers don’t fire before consent.

For DE/EU SMEs the common choices are:

  • Borlabs Cookie. German vendor, native German UI, popular for WordPress sites. About €39/year.
  • Real Cookie Banner. German vendor, also for WordPress. Free tier for small sites.
  • Cookiebot. Danish, mature, multilingual. Free up to 50 sub-pages.
  • Usercentrics. German, enterprise-focused, used by mid-sized German companies.
  • Klaro. Open-source, self-hosted. Technical setup but no licence cost.

Whichever you pick, verify in a fresh incognito window with developer tools open: before clicking “Accept”, you should see no requests to tracker hosts (google-analytics.com, googletagmanager.com, connect.facebook.net, etc.) and no tracker cookies in the Application tab. The blueredix scanner re-runs that check on every scan.
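The manual check above can be repeated against a HAR file saved from the Network tab before clicking “Accept”. The following is an added example, not blueredix's own scanner code; the cookie-name patterns and the sample HAR are assumptions constructed for illustration.

```javascript
// Tracker hosts named in the article; extend for your own stack.
const TRACKER_HOSTS = ["google-analytics.com", "googletagmanager.com", "connect.facebook.net"];
// Assumption: commonly seen analytics/marketing cookie names (GA, Meta Pixel, Hotjar).
const TRACKER_COOKIES = [/^_ga($|_)/, /^_gid$/, /^_fbp$/, /^_hj/];

// Match the host itself or any subdomain, never a mere substring.
function isTrackerHost(hostname) {
  const h = hostname.toLowerCase();
  return TRACKER_HOSTS.some((t) => h === t || h.endsWith("." + t));
}

// Returns findings for a HAR recorded BEFORE any click on the banner.
function findPreConsentTrackers(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    let host;
    try { host = new URL(entry.request.url).hostname; } catch { continue; }
    if (isTrackerHost(host)) {
      findings.push({ type: "request", host, url: entry.request.url });
    }
    // Server-set cookies only; cookies written via document.cookie do not
    // appear in a HAR, so the Application tab check is still needed.
    for (const c of (entry.response && entry.response.cookies) || []) {
      if (TRACKER_COOKIES.some((re) => re.test(c.name))) {
        findings.push({ type: "cookie", host, name: c.name });
      }
    }
  }
  return findings;
}

// Constructed sample HAR (not a real capture); example.test is a placeholder site.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://example.test/" },
    response: { cookies: [{ name: "session", value: "x" }] } },
  { request: { url: "https://www.googletagmanager.com/gtm.js?id=GTM-XXXX" },
    response: { cookies: [] } },
  { request: { url: "https://example.test/collect" },
    response: { cookies: [{ name: "_ga", value: "GA1.1.constructed" }] } },
  { request: { url: "https://google-analytics.com.example.test/lookalike.js" },
    response: { cookies: [] } },
] } };

const findings = findPreConsentTrackers(SAMPLE_HAR);
for (const f of findings) console.log(f.type, f.host, f.name || f.url);
console.log(findings.length === 0 ? "PASS: no trackers before consent" : "FAIL");
```

An empty result on a pre-consent capture is the pass condition; any entry means the banner is not blocking that script or cookie.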

For configuration tips when verification fails, see our CMP detected article — it covers the common configuration mistakes that let trackers slip through.

Further reading