Where Europe’s Top Websites Fall Short on Web Governance

Privacy Compliance Lessons from Europe's 1000 Highest-Revenue Websites

Eight years after GDPR came into effect, the assumption that Europe’s largest organisations have privacy compliance under control turns out to be optimistic. ObservePoint audited approximately 1,000 of Europe’s highest-revenue websites — the Fortune 500 Europe plus the next 500 by revenue — scanning 10 pages deep from each homepage and simulating visitor sessions from Germany to test how these sites actually behave for European users.

The findings are consistent and concerning. Nearly half of all pages set third-party cookies before a visitor has taken any action. A quarter of sites had no detectable consent manager at all. Of the sites sending data to Google, fewer than half sent any Consent Mode signal, and of those that did, nearly a third got it wrong. Meanwhile, 95% of pages transmitted German visitor data to servers in the United States, the same data transfer failure at the heart of the largest GDPR fines ever issued.

The report covers cookie consent and pre-consent tracking, Google and Bing Consent Mode signaling, geolocation data flows, WCAG 2.1 accessibility compliance, and the enforcement actions that show what regulators are actually prioritising. Whether you are responsible for privacy, legal, marketing, or digital experience, this is the benchmark data your 2026 compliance programme should be built around.