Research · 2026

The state of pre-consent tracking

We scanned 45 leading India and global websites. Most were tracking visitors before they ever clicked.

In short
In a June 2026 scan of 45 leading India and global websites, 69% fired trackers before consent and 98% were missing at least one security header. Sites set 12 cookies and contacted 17 third-party domains on average before a visitor made any choice — the exact gap regulators scrutinise under GDPR and India’s DPDPA.

69% fired trackers before consent
31 of 45 sites loaded analytics or ad trackers on the public homepage before any choice was made.

98% missing a security header
44 of 45 sites were missing at least one of CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy or Permissions-Policy.

12 cookies on first load (avg)
Set on the initial public page load, before a consent choice.

17 third-party domains (avg)
Distinct external domains contacted per site on load.

48 average risk score (/100)
xScan-AI composite of tracking, headers, TLS and third-party exposure.

What the data shows

Banners are mostly cosmetic

Most sites that show a cookie banner still fired their trackers on the first page view, before the visitor clicked anything. Under GDPR and India's DPDPA, non-essential trackers are supposed to stay blocked until consent — a banner alone is not compliance.

Security hygiene is weak

Nearly every site was missing at least one standard response security header. These defend against clickjacking, XSS and protocol downgrade, and their absence is an easy, visible signal of under-investment in basic web hygiene.

The third-party surface is large

On average each site contacted 17 external domains and set a dozen cookies before consent — every one a place personal data can flow without a recorded choice.

Method

We loaded the public homepage of 45 leading India and global websites (news, ecommerce, BFSI, SaaS, travel and health) using the Cloudflare URL Scanner via ConsentX’s xScan-AI, in June 2026. For each site we recorded the cookies set, scripts and third-party domains contacted before any consent choice, the response security headers and the TLS configuration, then derived a 0–100 risk score.

This is an indicative snapshot of 45 leading sites, not a statistical census of the web, and automated checks at scan time are advisory rather than a legal determination. We plan to widen the sample in future updates.
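
The per-site measurements described in the method can be reproduced from any captured page load. The sketch below is an added example, not xScan-AI or Cloudflare URL Scanner code: the record layout (`t`, `url`, `headers`, `set_cookie`), the `audit` function and the `example.*` hosts are all assumptions, and the sample capture is constructed.

```python
from urllib.parse import urlsplit

# The six response headers the study checked for, by their full names.
SECURITY_HEADERS = (
    "content-security-policy", "strict-transport-security", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
)

def is_third_party(host, site_domain):
    """First-party means the site domain itself or one of its subdomains."""
    host, site_domain = host.lower().rstrip("."), site_domain.lower()
    return not (host == site_domain or host.endswith("." + site_domain))

def audit(requests, site_domain, consent_at=None):
    """Summarise what fired before consent_at (seconds after navigation start).

    consent_at=None means the visitor never made a choice, so every request counts.
    requests[0] is assumed to be the main document response.
    """
    pre = [r for r in requests if consent_at is None or r["t"] < consent_at]
    hosts = {urlsplit(r["url"]).hostname for r in pre}
    third_party = sorted(h for h in hosts if is_third_party(h, site_domain))
    # A cookie is identified by (setting host, cookie name); attributes are ignored.
    cookies = sorted({(urlsplit(r["url"]).hostname, c.split("=", 1)[0].strip())
                      for r in pre for c in r.get("set_cookie", [])})
    present = {name.lower() for name in requests[0]["headers"]}
    missing = [h for h in SECURITY_HEADERS if h not in present]
    return {"third_party_hosts": third_party, "cookies": cookies,
            "missing_headers": missing}

# Constructed capture of a hypothetical homepage load; consent click at t=3.0s.
SAMPLE = [
    {"t": 0.00, "url": "https://www.example.in/",
     "headers": {"Strict-Transport-Security": "max-age=31536000",
                 "X-Content-Type-Options": "nosniff"},
     "set_cookie": ["session=abc; HttpOnly; Secure"]},
    {"t": 0.35, "url": "https://static.example.in/app.js", "headers": {}},
    {"t": 0.60, "url": "https://analytics.example.net/collect", "headers": {},
     "set_cookie": ["_aid=1; Max-Age=63072000"]},
    {"t": 0.90, "url": "https://ads.example.org/pixel.gif", "headers": {},
     "set_cookie": ["uid=9"]},
    {"t": 4.20, "url": "https://video.example.com/embed.js", "headers": {}},
]

if __name__ == "__main__":
    print(audit(SAMPLE, "example.in", consent_at=3.0))
```

The sketch does not judge whether a cookie is essential, so the counts are an upper bound on what needs a consent gate.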

Where does your site stand?

Run the same xScan-AI scan on your own site, free. See what fires before consent and how to fix it.

Frequently asked questions

How was this measured?

Each site's public homepage was loaded with the Cloudflare URL Scanner via ConsentX's xScan-AI, and we recorded which cookies, scripts and third-party domains fired before any consent choice, plus the response security headers and TLS. The run covered 45 leading India and global websites in June 2026.

Is 45 sites a representative census?

No. This is an indicative snapshot of leading, high-traffic sites, not a statistical census of the whole web. It shows how common pre-consent tracking is even among well-resourced brands. We will expand the sample over time.

Does firing a tracker before consent mean a site is breaking the law?

Not automatically — it depends on the tracker, the jurisdiction and whether the cookie is essential. But non-essential analytics and advertising trackers loading before consent is the exact pattern regulators scrutinise under GDPR and DPDPA.

How do I see where my own site stands?

Run the free ConsentX cookie scanner. It loads your public pages, lists what fires before consent and returns a plain-English risk score and report — the same xScan-AI engine used for this study.