2025.09.14

Cookies and GDPR: why most websites track you despite the law

Introduction: The Cookie Banner Theatre

You visit a website. A familiar banner pops up: “We use cookies to enhance your experience. Accept all? Manage preferences?”

You pause, click “Manage”, and try to limit your choices. You think: “Nice! I’m in control here”.

But the truth? You’ve already been tracked.

Before you clicked anything, the page had already loaded a set of third-party tracking scripts - Facebook, Google, TikTok, Hotjar - and each of those requests handed over your IP address, your user agent (browser and device type) and the URL of the page you landed on. Congratulations! You're part of a remarketing campaign… and your consent hasn't even been recorded.

This is not just an accident - it’s a widespread problem.

Most businesses either don’t understand GDPR, don’t care, or leave implementation to marketing tools that are designed to gather as much data as possible, rather than protecting privacy.

In this article, we’ll break down:

  • What GDPR and cookie consent actually require,

  • How websites commonly break the rules,

  • The hidden data leaks happening server-side,

  • And what ethical, lawful tracking should look like.

Key Concepts and Terms

Let’s clear up some key terms before diving deeper:

Cookies - Small name=value records that a site stores in your browser and that the browser sends back with every later request to that site; used for logins, shopping carts, and tracking identifiers.

Essential cookies - Required for the site to function (e.g. remembering your login).

Non-essential cookies - used for analytics, advertising, A/B testing, etc. - require user consent.

GDPR (General Data Protection Regulation) - The EU law on processing personal data. Every processing operation needs a lawful basis, consent being one of them, and where consent is the basis it must be freely given, specific, informed and unambiguous. The rule that cookies themselves need prior consent comes from the ePrivacy Directive (Article 5(3)), which borrows the GDPR's definition of consent.

Consent Banner / Cookie Banner - The pop-up or interface asking users to allow or reject cookies.

First-party cookies - Set by the website you’re visiting directly.

Third-party cookies - Cookies whose domain is not the site you're visiting, set by embedded third-party content (e.g. a Facebook iframe or a DoubleClick ad). Note that many "outside" tools actually set first-party cookies through the script they run on your page (Google Analytics' _ga, Meta's _fbp), which is why blocking third-party cookies alone does not stop them.

Server-side tracking - Sending user data from the website's own backend to another service (Meta's Conversions API, Google's Measurement Protocol, a marketing platform's API). The browser never contacts the third party, so ad blockers, third-party cookie restrictions and most cookie banners never see it.

What GDPR Actually Requires (vs What Happens in Reality)

The Law: What You Should Be Doing

Between them, the ePrivacy Directive (Article 5(3), which governs storing or reading anything on the user's device) and the General Data Protection Regulation (GDPR, which governs the personal data collected) are clear about cookies and tracking:

  • Consent must be informed, specific, and freely given.

That means users must know what kind of data is being collected, by whom, and for what purpose.

  • Consent must be given before any tracking begins.

You can't load marketing scripts or analytics cookies until the user has made a clear affirmative choice (clicking "Accept"); scrolling, closing the banner or simply continuing to browse doesn't count.

  • It must be just as easy to reject as it is to accept.

“Accept All” and “Reject All” buttons should be equally visible and accessible.

  • Users must be able to change their minds later.

There should be an easy way to revisit or withdraw cookie preferences.

  • Only strictly necessary cookies (e.g. login, language selection) can be set without consent.

 

1. Consent must be freely given, specific, informed, and unambiguous

General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, Article 4(11): ‘"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes…’

Recital 32 GDPR: ‘Consent should be given by a clear affirmative act… Silence, pre-ticked boxes or inactivity should not therefore constitute consent.’

2. Cookies require prior consent, except for those strictly necessary

Directive 2002/58/EC (ePrivacy Directive), Article 5(3), as amended by Directive 2009/136/EC:‘Member States shall ensure that the storing of information, or the gaining of access to information already stored… is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information… This shall not prevent any technical storage or access that is strictly necessary…’

3. Consent must be obtained before any processing begins

GDPR, Article 6(1)(a): ‘Processing shall be lawful only if and to the extent that the data subject has given consent to the processing of his or her personal data for one or more specific purposes.’

4. Withdrawing consent must be as easy as giving it

GDPR, Article 7(3): ‘The data subject shall have the right to withdraw his or her consent at any time… It shall be as easy to withdraw as to give consent.’

5. The purpose of data processing must be transparent and specific

GDPR, Article 5(1)(b):‘Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.’

GDPR, Article 13(1)(c): ‘The purposes of the processing for which the personal data are intended… shall be provided to the data subject.’

6. The identity of data recipients must be disclosed

GDPR, Article 13(1)(e) and (f): ‘The recipients or categories of recipients of the personal data… and where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation…’

7. Use of manipulative interface design ('dark patterns') is unlawful

While not explicitly mentioned in the GDPR, enforcement authorities such as the CNIL (France), AEPD (Spain), and others have issued guidance and rulings confirming that deceptive consent interfaces, such as unequal button design or hiding the "Reject" option, violate the principles of fairness (Article 5(1)(a)) and transparency (Article 12). The EDPB's Guidelines 03/2022 on deceptive design patterns, and the CNIL's January 2022 decisions against Google and Facebook for making "reject" cost more clicks than "accept", are the reference points.

The Reality: What Happens on Most Websites

Here’s what actually happens across thousands of websites:

  • Tracking cookies are already running before the banner even appears.

The banner may claim to block tracking “unless you consent”, but by then, data has already been sent.

  • Many banners are loaded through the same tag manager they're supposed to control.

(Yes, really: the script asking for permission is itself a tag inside Google Tag Manager. The container has already loaded from googletagmanager.com, and unless every other tag in it was explicitly tied to a consent signal, those tags fired at the same time.)

  • "Reject All" is hidden behind 3 clicks - "Accept All" is big and blue, front and centre.

  • Even after rejecting analytics or advertising cookies, server-side tracking still sends data to Meta, Google, Omnisend, and others.

In short, users are tricked into thinking they’re in control, while the tech stack quietly tracks them anyway.

Example: Visiting a Popular VPN Website

You go to the homepage of a well-known VPN provider. A cookie banner appears. You choose "Only necessary cookies". But by inspecting the network traffic in your browser (the Network tab of the developer tools, with a fresh profile so nothing is cached), you see this:

  • Requests were already made to Google Ads, Facebook Pixel, TikTok Analytics, etc. before the banner was answered.

  • Several cookies (_ga, _fbp and friends) were set before consent, even though the banner claims otherwise.

  • POST requests from the page to a first-party endpoint that relays events to analytics services - still firing after refusal. The backend-to-vendor call itself never shows up in your browser at all.

Result? Google knows you visited the site. Facebook starts showing you ads. Your browser's privacy tools (blockers, third-party cookie blocking) can't help with the last item, because the data leaves from the backend, not from your browser.

 

Informed Consent - The user knows what’s being collected, by whom, and why

Prior Consent - No non-essential cookies until the user says yes

Google Tag Manager - A tag manager: one script (gtm.js) that loads whichever other scripts marketers configure in its web console, with no code change on the site. The container request itself, like any request to a third-party host, sends Google your IP address, user agent and (via the Referer header, unless the site's referrer policy strips it) the page URL.

Server-side POST requests - Data sent directly from the website backend, invisible to browser privacy tools

Marketing vs Privacy: Who’s Actually in Charge?

If you’ve ever wondered why so many websites get GDPR wrong, the answer is simple: The marketing department is usually in charge of cookie banners.

Not legal. Not IT. Not privacy experts.

And marketing teams often have one goal: track everything that moves.

The Problem with “Marketing First” Setups

Modern marketing tools like Google Analytics, Meta Pixel, Omnisend, Hotjar and TikTok Ads offer powerful ways to:

  • Monitor visitor behaviour

  • Re-target users with ads

  • Optimise conversions

  • Generate reports and audience segments

 

These tools require data, a lot of it. So what happens?

 

  • Tracking is prioritised before GDPR compliance is considered

  • Consent banners are implemented as a checkbox exercise, not a real gatekeeper

  • Cookie scripts are loaded before consent is collected

  • Analytics and eCommerce tools are installed by marketing people, with no privacy review

A Common Setup: Looks Compliant, Isn’t

Let’s say a marketing team wants to track how people behave after clicking on a Facebook ad:

  1. They install Meta Pixel using Google Tag Manager

  2. They add a cookie banner that appears after 3 seconds

  3. Even if a user clicks "Reject", the backend still sends purchase events to Facebook through the Conversions API, because nothing ever told it about the refusal

  4. The banner only pretends to stop tracking, but it has no control over server-side logic

 

To most users, it looks like they’ve opted out. In reality, backend scripts never got the memo.

Why Even “Secure” Brands Do It Wrong

Even privacy-focused or security-themed companies fall into this trap, not because they want to mislead, but because:

  • They don’t audit what their tracking scripts actually do

  • They don’t link cookie consent choices with backend data flows

  • They assume that just having a banner = GDPR compliance

The truth is: compliance takes more than a plugin.

It requires technical implementation that respects user choices at every level.

Meta Pixel - A Facebook tracking tool to monitor user activity and conversions

Purchase event - A signal sent to ad platforms when a user buys something, often tied to campaigns

Server-Side Tracking: The Hidden Backdoor No One Tells You About

When people talk about cookies and tracking, they usually focus on what happens in the browser - scripts running on the page, storing small data files, asking for permission through popups. But there’s a whole other side to tracking that most people never see: server-side events.

Server-side tracking means that information about what a user does on a website - visiting a product page, making a purchase, filling out a form - is sent directly from the website's backend to a third-party service like Facebook, Omnisend, or Google Ads. The browser never talks to the third party, so nothing running in it - the cookie banner, an ad blocker, third-party cookie blocking - can see or stop the transfer.

Let's say you click "Reject All" on a website's cookie banner. You'd expect not to be tracked, right? But in many cases, your clickstream data, product views, purchases, and even your email address (hashed, which Meta and Google then match against their own user databases) can still be sent to external platforms through the backend, without any cookies involved.

This is where things get messy. While cookie banners might technically block client-side scripts (those running in the browser), they often have no way to control or inform the backend systems. If the server is still configured to send purchase events to Meta or synchronise orders with marketing platforms like Klaviyo or Omnisend, you are still being tracked, whether you gave consent or not.

What makes this worse is that most websites don’t even do this maliciously. It’s often the result of poor integration: someone sets up the server connection once and forgets to connect it to the cookie banner settings. From a technical perspective, these events are happening “in the background”. From a legal perspective, this is a serious GDPR violation.

And there’s no easy fix, because tools like Meta and Google are pushing server-side tracking harder than ever. They market it as a way to be more “accurate” and “resilient” to browser restrictions, which is true. But what they don’t advertise is that unless you, as the business owner, take extra steps to respect consent at the server level, your users are still being tracked against their wishes.

Backend - The part of a website that runs on a server, not visible to the user

Clickstream data - A record of pages a user visits, often used to analyse behaviour

The Illusion of Compliance: Why Most Websites Get It Wrong

So, you visit a website, a cookie banner pops up, and everything seems fine. You make your selection, maybe rejecting marketing cookies, and assume you’re safe from tracking. But here’s the uncomfortable truth: on most websites, the banner is just theatre.

Many business owners believe they’re compliant simply because they have a cookie banner. But the banner is only the beginning, and without proper technical implementation behind it, it does nothing to stop unauthorised tracking.

Here’s why things often go wrong:

 

1. The Consent Banner Loads Too Late

Many websites load their cookie banner as a tag inside Google Tag Manager or a similar tool. By the time you see the banner, the container and the other tags in it (Google Analytics, Meta Pixel, Hotjar, TikTok) have already loaded and fired, unless each of those tags was explicitly configured to wait for a consent signal. So, even if you click "Reject All", the data is already gone.

 

2. Scripts Fire Before Consent Is Stored

Some banners display properly and allow you to make a choice, but they don’t block the scripts from loading in the first place. It’s like asking for permission after already opening someone’s mail. True compliance means blocking all non-essential scripts until explicit consent is given.

 

3. Backend Systems Ignore Consent

As explained in the previous section, even if the front end behaves well, backend systems often keep working independently. So, order events, signups, and user data might still be sent to Facebook or analytics platforms, consent or no consent.

 

4. Marketers Prioritise Tracking Over Privacy

In many organisations, marketers configure tracking tools. Their main goal? Conversions, retargeting, campaign insights - not privacy compliance. This isn’t necessarily malicious - often, they just don’t know how GDPR works. And when privacy and performance clash, tracking usually wins.

 

5. No One Knows If It’s Working

Even teams that try to get everything right struggle to verify that the consent mechanism actually blocks anything. Verifying it means opening the browser's Network tab and cookie store in a clean profile, noting every third-party request and cookie that appears before and after the click, and knowing which hosts are trackers - most businesses don't have that expertise. So they trust the system… even if it's broken.
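The check described here, and the manual inspection in the VPN example earlier, can be automated. The following is an added example, not code from the original article: it takes a list of requests with their start times relative to page load, the page URL and the moment and outcome of the consent click, and reports which known trackers were contacted before the decision or after a refusal. In a browser the same function can be fed `performance.getEntriesByType('resource')` (each entry has `name`, the URL, and `startTime`, ms since navigation) with `performance.now()` captured at the click; here a constructed sample visit is embedded so it runs offline. The tracker host list, cookie prefixes and the sample URLs are assumptions for illustration.

```javascript
// Added example, not from the original article: an offline audit of which
// requests a page made relative to the consent decision. In a browser, feed it
// performance.getEntriesByType('resource') (name = URL, startTime = ms since
// navigation) and the performance.now() value captured at the click.
// Tracker list, cookie prefixes and sample data are constructed for illustration.
const TRACKER_HOSTS = [
  'google-analytics.com', 'googletagmanager.com', 'doubleclick.net',
  'facebook.com', 'facebook.net', 'analytics.tiktok.com', 'hotjar.com',
];

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ''; }
}

// Approximates the registrable domain by the last two labels. Fine for
// .com/.net-style names; a real audit should use the Public Suffix List.
function site(host) { return host.split('.').slice(-2).join('.'); }

function matchesTracker(host) {
  return TRACKER_HOSTS.find(t => host === t || host.endsWith('.' + t)) || null;
}

// consent = { at: ms since navigation when the user clicked, decision: 'accept' | 'reject' }
function auditRequests(requests, pageUrl, consent) {
  const own = site(hostOf(pageUrl));
  const findings = { beforeConsent: [], afterReject: [], otherThirdParty: [] };
  for (const r of requests) {
    const host = hostOf(r.url);
    // First-party requests are skipped; note that a server-side relay
    // (e.g. /collect on your own domain) hides in exactly this bucket.
    if (site(host) === own) continue;
    const tracker = matchesTracker(host);
    if (!tracker) { findings.otherThirdParty.push(host); continue; }
    const finding = { tracker, url: r.url, startTime: r.startTime };
    if (r.startTime < consent.at) findings.beforeConsent.push(finding);
    else if (consent.decision === 'reject') findings.afterReject.push(finding);
  }
  return findings;
}

// Cookies that well-known trackers set as FIRST-party cookies on your domain,
// so document.cookie shows them even though a third party reads them.
const TRACKER_COOKIE_PREFIXES = ['_ga', '_gid', '_gcl_', '_fbp', '_fbc', '_ttp', '_hj'];
function trackerCookies(cookieString) {
  return (cookieString || '').split(';')
    .map(s => s.trim().split('=')[0])
    .filter(name => TRACKER_COOKIE_PREFIXES.some(p => name.startsWith(p)));
}

// Constructed sample visit: the banner was answered "reject" 4 s after load.
const SAMPLE_REQUESTS = [
  { url: 'https://www.example-vpn.test/', startTime: 0 },
  { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX', startTime: 310 },
  { url: 'https://fonts.gstatic.com/s/font.woff2', startTime: 400 },
  { url: 'https://www.google-analytics.com/g/collect?v=2', startTime: 820 },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', startTime: 900 },
  { url: 'https://cdn.example-vpn.test/banner.js', startTime: 1200 },
  { url: 'https://www.facebook.com/tr?ev=PageView', startTime: 5100 },
];
const SAMPLE_CONSENT = { at: 4000, decision: 'reject' };

function runSample() {
  return auditRequests(SAMPLE_REQUESTS, 'https://www.example-vpn.test/', SAMPLE_CONSENT);
}
```

On the sample, three tracker requests (the tag manager container, a Google Analytics hit and the Meta Pixel script) land before the click and one Meta request fires after the refusal; the font CDN is listed separately as a third party that is not a known tracker, for a human to classify. Run it on a real visit twice, once per decision, and anything in `beforeConsent` or `afterReject` is a finding regardless of what the banner claims.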

 

In short, there’s a huge gap between GDPR as it’s written and GDPR as it’s implemented. And the people responsible for privacy often aren’t the ones implementing the technology, leaving most websites in a grey area, or fully non-compliant without even knowing it.

Consent Theatre: What Should Happen vs What Actually Happens

Let’s walk through a simple visit to a website. We'll compare the ideal GDPR-compliant version with the common real-world version. The difference? One respects your privacy. The other fakes it.

What Should Happen (Compliant Scenario)

 

1. You visit the website.

Only strictly necessary cookies are set (e.g. to remember your language, keep your session running, or record your consent choice itself).

2. You see a cookie banner immediately.

The banner clearly explains what cookies are used and why.

You are given clear choices: Accept all, Reject all, or Customise.

3. No tracking scripts (like Google Analytics or Meta Pixel) are loaded.

They are blocked until and unless you consent.

4. You click “Reject all”.

The site honours your choice.

No tracking scripts run. No data is sent to Google, Facebook, TikTok, or any other third party.

5. Your choice is stored (in a cookie or local storage) and respected in future visits.

You can always change it later.
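The compliant scenario above, implemented as an added example (not code from the original article): a small consent gate that fails closed, stores the decision in a first-party cookie, reads it back on later visits, refuses unknown categories, and signals Google Consent Mode v2 before any Google tag loads. Assumptions: the cookie name `site_consent`, the two opt-in categories, and the convention that every non-essential tag is written into the HTML as `<script type="text/plain" data-consent="…" data-src="…">` so the browser never executes it until the gate swaps it for a live script. The Consent Mode key names (`ad_storage`, `analytics_storage`, `ad_user_data`, `ad_personalization`) are Google's; everything else is hypothetical.

```javascript
// Added example (not code from the original article): a minimal consent gate.
// Assumptions, all hypothetical: consent record in a first-party cookie named
// "site_consent"; opt-in categories "analytics" and "marketing"; non-essential
// tags written inert in the HTML, e.g.
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://analytics.example/tag.js"></script>
// so the browser does not execute them until this gate swaps them for real ones.
const CONSENT_COOKIE = 'site_consent';
const CATEGORIES = ['analytics', 'marketing'];   // "necessary" is never asked about
const SIX_MONTHS = 180 * 24 * 3600;

// Default state: nothing decided, nothing allowed.
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false, ts: 0 };
}

// Serialise a decision into a Set-Cookie value. The consent cookie itself is
// strictly necessary (it is how the refusal is remembered), so it needs no consent.
function consentCookieValue(choices, now = Date.now()) {
  const record = { v: 1, ts: now, analytics: choices.analytics === true, marketing: choices.marketing === true };
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}` +
         `; Max-Age=${SIX_MONTHS}; Path=/; SameSite=Lax; Secure`;
}

// Read the decision back from a document.cookie string. Missing, malformed or
// unknown-version records fail closed to "not decided".
function parseConsent(cookieString) {
  const pair = (cookieString || '').split(';').map(s => s.trim())
    .find(s => s.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return defaultConsent();
  try {
    const rec = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    if (rec.v !== 1) return defaultConsent();
    return { decided: true, analytics: rec.analytics === true, marketing: rec.marketing === true, ts: rec.ts };
  } catch {
    return defaultConsent();
  }
}

// The one decision every tag goes through. Unknown categories are denied, so a
// tag added later with a typo in data-consent cannot slip past the gate.
function mayLoad(category, consent) {
  if (category === 'necessary') return true;
  return consent.decided === true && CATEGORIES.includes(category) && consent[category] === true;
}

// Google Consent Mode v2: push "denied" BEFORE the GTM/gtag snippet runs,
// otherwise Google tags start from their own default of "granted".
function consentModeDefault(dataLayer) {
  function gtag() { dataLayer.push(arguments); }   // same shape as Google's snippet
  gtag('consent', 'default', {
    ad_storage: 'denied', ad_user_data: 'denied',
    ad_personalization: 'denied', analytics_storage: 'denied',
  });
}

function consentModeUpdate(dataLayer, consent) {
  function gtag() { dataLayer.push(arguments); }
  const ads = consent.marketing ? 'granted' : 'denied';
  gtag('consent', 'update', {
    analytics_storage: consent.analytics ? 'granted' : 'denied',
    ad_storage: ads, ad_user_data: ads, ad_personalization: ads,
  });
}

// Swap inert tags whose category was accepted for live <script> elements.
// Browser-only; returns how many tags were activated (0 when there is no DOM).
function activateTags(consent, doc = (typeof document !== 'undefined' ? document : null)) {
  if (!doc) return 0;
  let activated = 0;
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(tag.dataset.consent, consent)) continue;
    const live = doc.createElement('script');
    if (tag.dataset.src) live.src = tag.dataset.src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated++;
  }
  return activated;
}

// Banner callback: store the choice, tell Consent Mode, then un-gate tags.
function applyDecision(choices, dataLayer, doc) {
  const header = consentCookieValue(choices);
  if (doc) doc.cookie = header;
  const consent = parseConsent(header);
  consentModeUpdate(dataLayer, consent);
  return activateTags(consent, doc);
}
```

Page-load order matters more than any single function here: `consentModeDefault(window.dataLayer = window.dataLayer || [])` must run before the tag manager snippet, then `activateTags(parseConsent(document.cookie))` restores a stored decision, and the banner is shown only when `parseConsent(document.cookie).decided` is false. Withdrawal is just `applyDecision({ analytics: false, marketing: false }, …)`; already-loaded scripts cannot be unloaded, so the page should reload after a withdrawal, and first-party tracker cookies (`_ga`, `_fbp`) need to be expired explicitly.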

 

What Usually Happens (Non-Compliant Scenario)

1. You visit the website.

Tracking scripts load immediately via Google Tag Manager or similar tools.

Data is already being sent to Google, Facebook, and others - even before you see a banner.

2. A cookie banner pops up.

It may look slick, but it’s often deceptive.

You think you’re in control, but tracking is already happening in the background.

3. You click “Reject all”.

But the scripts have already fired. Google Analytics already knows you visited.

In some cases, even after rejection, tracking continues via server-side scripts.

4. Your decision is not respected or is not properly stored.

You visit again tomorrow, and the banner pops up again - or worse, doesn’t, and just resumes tracking.

 

The Paradox. Most users believe they’re in control when they see a cookie banner. In reality, unless it’s implemented with technical precision, it does nothing. Worse, it creates a false sense of security while violating GDPR.

 


 

Why This Matters: Legal and Ethical Consequences

You might wonder: okay, so what if cookies load a little too early? Who really cares? But beneath this seemingly small detail lies a huge issue of trust, legality, and accountability.

It's About Consent - And That’s a Legal Right

Under the General Data Protection Regulation (GDPR), users have the right to:

  • Know what personal data is being collected,

  • Choose whether to allow that collection,

  • Revoke consent at any time.

Tracking someone before they've given explicit consent is illegal in most cases. The only exception? Strictly necessary cookies - those needed for the website to function (like keeping items in your shopping cart, or remembering that you declined).

Anything else - analytics, advertising, social media pixels - requires prior consent. If you load those tools before consent is given, you’re in violation.

Real-World Consequences

This isn’t just about theory. Regulators are watching.

The French data protection authority (CNIL) fined Google €100M and Amazon €35M in December 2020 for setting advertising cookies before consent, and in January 2022 fined Google a further €150M and Facebook €60M because refusing cookies took several clicks while accepting took one.

Other European regulators have also issued warnings and fines, even to small and medium businesses.

Companies can face GDPR fines of up to €20 million or 4% of global annual turnover, whichever is higher (Article 83(5)); the CNIL cookie fines above were issued under France's transposition of the ePrivacy Directive rather than under the GDPR itself.

Even if you’re not fined right away, you could be:

  • Reported by users who know their rights.

  • Audited during compliance checks, especially if your company works with European partners or clients.

  • Losing customer trust, as privacy-conscious users grow increasingly sceptical of shady cookie practices.

It’s Also an Ethical Issue

Think about it: people come to your site. You ask for their permission… but only after you've already collected their data.

This undermines the very idea of consent.

  • You’re pretending to give people control, but in reality, you're tracking them anyway.

  • It’s not just bad UX, it’s misleading and manipulative.

If your business prides itself on transparency, trust, or ethical marketing, this one technical detail might be silently destroying your credibility.

Summary

The GDPR isn’t just a legal framework - it’s a reminder that users are not passive data points. Behind every click and cookie is a real person. But somewhere along the way, we traded trust for convenience, and compliance for conversions.

What’s most striking isn’t that so many websites break the rules - it’s that many of them don’t even realise it.

Most teams treat privacy like an afterthought:

  • Marketing focuses on collecting every possible signal.

  • Developers follow what the analytics script recommends.

  • Legal compliance is reduced to a banner that loads after the tracker.

But meaningful privacy isn’t something you add later. It has to be part of the architecture, from the first line of code to the final campaign.

So, what can we take away?

  • If you’re building a site: Start with privacy, not tracking.

  • If you’re using tools: Understand how they actually work, not just what they claim to do.

  • If you’re managing data: Think of consent as a dialogue, not a checkbox.

  • And if you’re just browsing: Know that you’re not imagining it - most sites don’t play fair.

 

The internet wasn’t designed for privacy. But it doesn’t have to stay that way.
