Over the past few years, regulators in both Europe and the United States have made one thing increasingly clear: websites must honour a user’s decision to reject tracking.

Authorities have not only issued guidance—they have begun imposing significant penalties. Under the GDPR, more than 2,200 fines totalling around €5.65B have been issued since 2018, with enforcement increasing sharply in recent years. (GDPR Enforcement Tracker)

In several cases, regulators have specifically targeted cookie consent and tracking practices. For example, France’s data protection authority fined fast-fashion retailer Shein €150 million after investigations found cookies were placed or advertising delivered without valid user consent. (CNIL)

Across the Atlantic, California regulators and privacy lawsuits are similarly focusing on unauthorised data sharing and tracking. The Disney recent fine of $2.75M for essentially not honouring user opt-out requests, is the largest fine to date (California Department of Justice).

Against this backdrop, a simple question occurred to me:

How well are Swedish companies actually doing?

So I decided to test it.

A Study of Sweden’s Largest Websites

I recently published a new whitepaper titled:

Unconsented Tracking in Sweden
A Study of Website Compliance Among Sweden’s Leading Brands

The study analyses the behaviour of 40 major Swedish websites across sectors such as retail, automotive, finance, and telecommunications.

The goal was straightforward:

If a visitor clicks “Reject All” on a consent banner, does the website actually stop tracking them?

To answer this, I used an automated audit process that simulates a user rejecting consent and then interacting with the website while monitoring all network activity and cookies. The tool measures whether tracking technologies still load and assigns a Risk Score based on the findings.

Why Sweden? I am Englishman living and working in Sweden for 15+ years. It’s home.

What the Audit Found

The results were surprising. Across the 40 websites tested, compliance varied widely—from very good to very poor.

Some key observations:

1. Consent banners do not guarantee compliance

Many websites displayed a proper “Reject All” option but still loaded tracking scripts afterwards. In other words, the interface suggested privacy control—but the technical implementation told a different story.

2. Third-party trackers were the most common issue

In many cases, analytics or marketing tags loaded regardless of the user’s consent choice.

These often originated from:

• Analytics platforms
• Advertising networks
• Social media integrations

3. Company size did not predict compliance

Large and well-known brands appeared at both ends of the spectrum. Some global companies performed well, while others showed significant compliance risks.

4. Consent management platforms are not enough

Many organisations assume that implementing a consent banner solves the problem. In reality, compliance depends on how tracking technologies are integrated with the consent system.

Why This Matters

From an EU regulatory perspective, the core requirement is simple:

Tracking that identifies or profiles users should not occur without valid consent.

When that principle is violated—even unintentionally—organisations expose themselves to:

• regulatory investigation
• financial penalties
• reputational damage

Recent enforcement actions show that regulators are increasingly willing to investigate the technical reality behind consent banners, not just their appearance.

This makes independent verification more important than ever.

Download the Full Study

Download the consent study whitepaper (no registration required!) 

 

 

The full report includes:

• the complete audit methodology
• results for all 40 Swedish websites
• examples of common tracking failures
• a discussion of how organisations can improve governance

A Practical Question for Data Teams

If regulators examined your website tomorrow, would the technical behaviour match what your consent banner promises?

Many organisations simply do not know.

If you would like to understand the Risk Score of your own web properties, independent audits can provide a clear baseline and highlight areas for improvement.

---

Brian Clifton is a measurement and data privacy strategist, author, and founder of Verified Data — the leading data quality and compliance audit platform. Formerly Google’s Head of Web Analytics for EMEA, Brian has spent over two decades helping organisations build trust in their data. He is the author of the best-selling books Successful Analytics and Advanced Web Metrics with Google Analytics and a certified member of the European Association of Data Protection Professionals.