37 Trackers Your Cookie Banner Must Block

You installed a cookie banner on your site and you think you’re compliant. Unfortunately, a banner that shows an “Accept” button is not enough. It must actually block third-party scripts until the user has given consent. And that’s where most free solutions — and even some paid ones — fail.

In 2026, an average site loads 20 to 40 third-party scripts: analytics, advertising, chat, video embeds, heatmaps, marketing tools. If your banner lets even a few of them through before consent, you are in breach of Article 82 of the French Data Protection Act and potentially of the GDPR. The French CNIL sanctioned more than 150 companies on this very ground between 2020 and 2025.

This article lists the 37 trackers most commonly overlooked by free banners, explains how to check your current configuration, and compares the technical approaches of the main market solutions.

Why 37 services? The 2026 check-list

We audited the hundred most visited sites in France and compiled the list of third-party services that systematically cause GDPR compliance problems. The result: 37 services that any serious cookie banner must detect and block by default.

Analytics & heatmaps (14 services)

| Service | Publisher | Cookie without consent? |
|---|---|---|
| Google Analytics 4 | Google | ❌ Illegal |
| Google Tag Manager | Google | ❌ Illegal (if it fires non-consented tags) |
| Hotjar | Contentsquare | ❌ Illegal |
| Microsoft Clarity | Microsoft | ❌ Illegal |
| Matomo (self-hosted) | Matomo | ⚠️ Exempt if configured in cookieless mode |
| Plausible | Plausible | ✅ Exempt (cookieless) |
| Mixpanel | Mixpanel | ❌ Illegal |
| Segment | Twilio | ❌ Illegal (depending on destinations) |
| Amplitude | Amplitude | ❌ Illegal |
| Heap | Heap | ❌ Illegal |
| FullStory | FullStory | ❌ Illegal |
| LogRocket | LogRocket | ❌ Illegal |
| Pendo | Pendo | ❌ Illegal |
| Smartlook | Smartlook | ❌ Illegal |

Takeaway: only Plausible and Matomo in cookieless mode can be loaded without consent. All others require an active opt-in.

Advertising & social marketing (12 services)

| Service | Publisher | Cookie without consent? |
|---|---|---|
| Meta Pixel (Facebook) | Meta | ❌ Illegal |
| TikTok Pixel | TikTok | ❌ Illegal |
| Google Ads | Google | ❌ Illegal |
| LinkedIn Insight Tag | Microsoft | ❌ Illegal |
| Pinterest Tag | Pinterest | ❌ Illegal |
| Twitter/X Pixel | X | ❌ Illegal |
| Snapchat Pixel | Snap | ❌ Illegal |
| Reddit Pixel | Reddit | ❌ Illegal |
| Quora Pixel | Quora | ❌ Illegal |
| Outbrain | Outbrain | ❌ Illegal |
| Taboola | Taboola | ❌ Illegal |
| Marketo | Adobe | ❌ Illegal |

A Meta Pixel loaded without consent is one of the violations most frequently sanctioned by the CNIL, which published several public decisions on this ground between 2023 and 2025.

Video & map embeds (3 services)

| Service | Publisher | Cookie without consent? |
|---|---|---|
| YouTube | Google | ❌ Illegal (except youtube-nocookie.com mode) |
| Vimeo | Vimeo | ❌ Illegal |
| Google Maps | Google | ❌ Illegal |

Many sites embed a YouTube video on their home page without realising that the YouTube iframe loads around thirty cookies before the user even clicks Play. A compliant banner must replace the iframe with a consent wall until consent is granted.

Chat & customer support (7 services)

| Service | Publisher | Cookie without consent? |
|---|---|---|
| Intercom | Intercom | ❌ Illegal |
| Crisp | Crisp | ❌ Illegal |
| Tawk.to | Tawk | ❌ Illegal |
| Zendesk Messaging | Zendesk | ❌ Illegal |
| Drift | Drift | ❌ Illegal |
| Olark | Olark | ❌ Illegal |
| HubSpot | HubSpot | ❌ Illegal |

Support chats pose a specific problem: they are perceived as “functional” by webmasters whereas they actually collect identification, location and journey data — and are therefore subject to consent.

Strict exemption (1 service)

Only one service escapes consent: Stripe for the cookies strictly necessary for payment security (anti-fraud). Even there, only secure session cookies are exempt, not the associated marketing cookies.

Before installing a banner, check objectively what it covers. Here is a comparison of the most common solutions, based on technical and verifiable criteria.

| Criterion | WebLegal CCB | Typical free banner | Commercial solution (Termly / Iubenda / Cookiebot free tier) |
|---|---|---|---|
| Price | Free, no site or page limit | Free but often limited (1 domain, < 100 pages, watermark) | Paid from the first serious site or limited to 1 domain |
| Trackers detected by default | 37 services + extensible regex | 5 to 15 on average | 20 to 30 |
| Maintained languages | 14 EU languages + 16 fallbacks | 1 to 3 (English + 2 others) | 10 to 50 depending on the plan |
| Google Consent Mode v2 | 7 signals out of 7 (including security_storage) | Often incomplete (3 to 5 signals) | 7 out of 7 in the paid version |
| Consent wall for embeds | 9 localised embeds (YouTube, Vimeo, Maps, TikTok, Twitter, Instagram, Facebook, Spotify, SoundCloud) | Rare, often missing | Partial, plan-dependent |
| Script size | 40 KB unminified (~12 KB gzip) | 30 to 60 KB | 80 to 300 KB (OneTrust: 300+ KB) |
| Open / auditable code | ✅ Readable, unminified by design | Varies | Rarely (obfuscated, minified) |
| Automatic detection of existing CMP | ✅ 36 CMPs recognised (for anti-conflict scanner) | No | Partial |
| Third-party hosting (GDPR) | Script served from weblegal.ai (EEA) | Varies (often US CDN) | Often US CDN (non-EU transfer to be declared) |

Distinctive features of WebLegal CCB:

  1. The lightest on the market among complete solutions. A 40 KB script (12 KB gzip) versus 80 to 300 KB for alternatives. Less latency, better Core Web Vitals score, positive SEO impact.
  2. Deliberately unminified. The code is readable by a developer, a DPO or a CNIL expert. This is a transparency and compliance argument: you can justify exactly what the banner does on your site.
  3. Real localisation of consent walls. When a German user encounters a blocked YouTube video, the waiting screen is in German, not English by default. Same logic for Vimeo, Spotify, Instagram, TikTok, etc.
  4. Full Consent Mode v2 since April 2026. All 7 Google signals are emitted from the first load, then updated after consent. Zero loss of Google Ads conversions due to a missing signal.
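
What "emitted from the first load, then updated after consent" looks like with Google's gtag consent API, as an added example that is not WebLegal's code. The seven keys are Google's Consent Mode v2 consent types; the banner category names, the function names and the choice to grant security_storage by default are assumptions.

```javascript
// Added example. Keys: Google Consent Mode v2 consent types.
// Category names are assumed banner categories, not WebLegal's.
const SIGNAL_CATEGORY = {
  ad_storage: 'marketing',
  ad_user_data: 'marketing',
  ad_personalization: 'marketing',
  analytics_storage: 'analytics',
  functionality_storage: 'preferences',
  personalization_storage: 'preferences',
  security_storage: 'necessary', // assumption: treated as strictly necessary
};

// Build all seven signals from the categories the visitor accepted.
function consentState(acceptedCategories) {
  const accepted = new Set(['necessary', ...acceptedCategories]);
  const state = {};
  for (const [signal, category] of Object.entries(SIGNAL_CATEGORY)) {
    state[signal] = accepted.has(category) ? 'granted' : 'denied';
  }
  return state;
}

// First-load state: nothing accepted yet, so only 'necessary' is granted.
function defaultConsent() {
  return consentState([]);
}

// Send the state through gtag. 'default' must run before any Google tag
// loads; 'update' runs once the visitor has made a choice.
function sendConsent(gtag, mode, acceptedCategories = []) {
  if (mode !== 'default' && mode !== 'update') {
    throw new Error(`unknown consent mode: ${mode}`);
  }
  const state = mode === 'default' ? defaultConsent() : consentState(acceptedCategories);
  gtag('consent', mode, state);
  return state;
}

// Browser wiring (standard gtag stub):
//   window.dataLayer = window.dataLayer || [];
//   function gtag() { dataLayer.push(arguments); }
//   sendConsent(gtag, 'default');
//   // after the visitor accepts analytics only:
//   sendConsent(gtag, 'update', ['analytics']);
```

A banner that omits a key from the default call leaves that signal unset, which is the "incomplete" case in the comparison table above.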

How to test your current banner

Before switching solutions, test what your current banner actually does. Two practical methods:

Method 1 — Automated scanner (30 seconds)

Enter your URL in our compliance scanner. It analyses your page in a headless browser, detects cookies set before clicking “Accept” and lists services loaded without consent. Result in 10 seconds, no sign-up.

Method 2 — Chrome DevTools (5 minutes)

  1. Open your site in private browsing mode
  2. F12 → Application tab → Cookies (before any interaction)
  3. Look at cookies already set: if you see anything other than your own session cookies + wl_cc_consent (or equivalent), you have a problem
  4. Network tab, filter XHR/Fetch → look at requests to google-analytics.com, facebook.net, tiktok.com, hotjar.com: any request before clicking is a violation
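
The checks in Method 2 can be scripted from the DevTools console. This is an added example, not WebLegal's code: it flags the cookie names and tracker hosts named in this article, while ALLOWED_COOKIES (including PHPSESSID) and the function names are assumptions to adapt to your site.

```javascript
// Added example. Tracker hosts and cookie names are the ones this article
// cites; ALLOWED_COOKIES is an assumption (use your own session cookie names).
const TRACKER_HOSTS = ['google-analytics.com', 'facebook.net', 'tiktok.com', 'hotjar.com'];
const TRACKER_COOKIES = [/^_ga(_|$)/, /^_fbp$/, /^_gcl_au$/];
const ALLOWED_COOKIES = new Set(['wl_cc_consent', 'PHPSESSID']);

// True when host is the tracker domain itself or one of its subdomains.
function matchesHost(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// cookieHeader: a "name=value; name=value" string (e.g. document.cookie).
// resourceUrls: URLs the page requested before any click on the banner.
function auditPreConsent(cookieHeader, resourceUrls) {
  const names = cookieHeader.split(';')
    .map((c) => c.trim().split('=')[0])
    .filter(Boolean);
  const trackerCookies = names.filter((n) => TRACKER_COOKIES.some((re) => re.test(n)));
  const unknownCookies = names.filter(
    (n) => !ALLOWED_COOKIES.has(n) && !trackerCookies.includes(n));
  const trackerRequests = [];
  for (const raw of resourceUrls) {
    let host;
    try { host = new URL(raw).hostname; } catch { continue; } // malformed URL
    const tracker = TRACKER_HOSTS.find((d) => matchesHost(host, d));
    if (tracker) trackerRequests.push({ url: raw, tracker });
  }
  return {
    trackerCookies,   // known tracker cookies set before consent
    unknownCookies,   // not on the allowlist: review by hand
    trackerRequests,  // requests to tracker hosts before consent
    compliant: trackerCookies.length === 0 && trackerRequests.length === 0,
  };
}

// In a private window, before touching the banner:
//   auditPreConsent(document.cookie,
//     performance.getEntriesByType('resource').map((e) => e.name));
```

document.cookie only exposes first-party cookies that are not HttpOnly, so the Application tab from step 2 remains the reference for the full cookie list. The resource timing entries cover scripts and image beacons as well as XHR/Fetch calls.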

Method 3 — Dedicated extension

The Chrome extension CMP Verifier (free) simulates a visitor who has refused, then accepted, and tells you whether consent rules have been respected. Very useful for documenting compliance to your DPO.

The four most common mistakes

Mistake 1 — The banner appears but blocks nothing

This is the most widespread mistake with free “one-click cookie banner” WordPress plugins. The plugin shows the banner, records consent… but doesn’t touch the scripts. Google Analytics keeps loading. Result: you made the effort of installing a banner with no legal benefit at all.

How to check: apply Method 2 above. If you see _ga or _fbp cookies before clicking, it’s confirmed.

Mistake 2 — YouTube/Vimeo embeds still load

Even if your banner blocks Google Analytics, it often lets through <iframe src="https://www.youtube.com/embed/..."> iframes embedded directly in your pages. Each loads 20 to 30 Google cookies.

Solution: the banner must dynamically replace the iframe with a waiting screen saying “This video uses cookies. Accept to watch it.” This is the consent wall — standard in WebLegal CCB, optional or absent in many others.

Mistake 3 — “Reject all” is not equivalent to “Accept all”

The CNIL has required since April 2021 that refusing must be as simple as accepting. If your banner shows a big green “Accept all” button but hides “Refuse” behind a text link three clicks away, you are non-compliant. Documented CNIL fines between 2022 and 2025 on this ground: more than 50 public decisions.

Mistake 4 — The banner blocks Googlebot

Some banners also display to indexing robots, which can be interpreted as an abusive interstitial by Google and hurt your SEO. A modern banner must detect known User-Agents (Googlebot, Bingbot, DuckDuckBot) and not disrupt their crawl.

Status at WebLegal CCB: feature on the roadmap — see our public roadmap (issue #174).

Install WebLegal CCB in 2 minutes

If after reading you decide to migrate, here is the procedure:

  1. Go to weblegal.ai/en/cookie-banner/
  2. Enter your site name and the cookie categories you use
  3. Copy the snippet (a one-line <script src="...">)
  4. Paste it before any other third-party script in the <head> tag of your site
  5. Test via Method 1 above

Zero sign-up, zero credit card, zero page or domain limit. The snippet is a single 40 KB script hosted on weblegal.ai — your site loads nothing else until the visitor interacts with the banner.

FAQ

Is my free WordPress banner enough?

Probably not. The majority of free plugins show a banner but don’t block scripts. Test with Method 2 (DevTools) to be sure. If you see _ga, _fbp, _gcl_au or .hotjar.com cookies before clicking, you are non-compliant.

Can I get away with “strictly necessary cookies only”?

Yes, provided you effectively don’t use any analytics, advertising or third-party chat tracker. Concretely: no Google Analytics, no Facebook Pixel, no embedded YouTube, no Google Maps, no Intercom. A blog site without any marketing tool can get away with it. An e-commerce site: never.

Are paid banners better?

Not automatically. A paid banner generally offers more languages and more polished admin interfaces, but not necessarily better blocking quality. Script weight (sometimes 200-300 KB with OneTrust) can also hurt your SEO via Core Web Vitals.

How do I prove my banner’s compliance to the CNIL?

Keep three elements:

  1. the script code used (or the public URL such as https://weblegal.ai/js/wl-cookie-consent.js)
  2. a periodic scan of your own site (screenshot + report)
  3. a consent registry — proof that you store the user’s choice

At WebLegal, consent is stored in a wl_cc_consent cookie with date and categories, whose format is publicly documented.

Should I display the banner to non-EU visitors?

Yes by default. It is technically possible to restrict the banner to EU visitors, but it is not recommended:

  1. if a non-EU visitor authenticates with an EU account, you must respect their rights
  2. similar regulations now exist in the United Kingdom (UK GDPR), California (CCPA), Brazil (LGPD), and are spreading to other jurisdictions
  3. UX consistency is better with a universal banner

In summary

The compliance of a cookie banner comes down to three technical criteria:

  1. It must effectively detect and block the 20 to 40 common third-party scripts — not just display a banner.
  2. It must implement full Consent Mode v2 (7 Google signals) to preserve your marketing data.
  3. It must replace embeds (YouTube, Vimeo, Maps, etc.) with localised consent walls.

A 10-second test with our scanner tells you where you stand. A migration to WebLegal CCB takes 2 minutes, costs zero, and covers the 37 services listed here.
