GDPR for Marketers: A Practical Checklist
Most marketers believe GDPR compliance is a legal problem solved by a legal tool. Get consent, store it, and you're done. But it’s actually a technical data problem. The moment a user clicks "Reject," a series of technical events is supposed to happen. In most setups, it doesn't. Or at least, not correctly.
Simul Sarker
Founder & Product Designer of DataCops
Last Updated: June 3, 2026
Most GDPR checklists for marketers start at the wrong place. They tell you to audit your data map, review your privacy policy, train your team. All useful. None of them address the problem that breaks everything before any of those steps matter: your consent banner is not loading for 30 to 40 percent of the people who visit your site.
You cannot comply with a law your infrastructure is silently failing to enforce. That is the conversation nobody is having in the GDPR checklists being published right now, and it is the one this article starts with.
The September 2025 CNIL fines against Google (€325 million) and SHEIN (€150 million) made something explicit that regulators had been signaling for years: consent must be freely given, equally easy to reject, and properly recorded — and the regulator will test your site directly to verify it. CNIL no longer waits for complaints. They audit. Dark patterns are a frontline enforcement priority: making cookie rejection harder than acceptance is a GDPR violation, and placing cookies before consent is obtained is a per-session violation affecting every user. The DLA Piper survey documented €1.2 billion in GDPR fines during 2025 alone, with cumulative fines since 2018 reaching approximately €5.88 billion and breach notifications averaging 443 per day. The grace period argument is not available anymore.
This checklist covers what most guides skip: not just what your consent setup should say, but whether it is actually working — technically, legally, and in terms of the marketing intelligence you are allowed to keep but almost certainly are not.
The problem most marketers do not know they have
Before working through any checklist, it is worth understanding the architecture failure underneath the compliance failure.
Every standard CMP — OneTrust, Cookiebot, Usercentrics, Iubenda — loads from a third-party CDN. That is not an implementation quirk. It is how these products are built. OneTrust loads from cdn.cookielaw.org. Cookiebot loads from consent.cookiebot.com. Those domains are on every major ad-blocker filter list. uBlock Origin blocks them. Brave Shields blocks them. Users running these tools — and roughly 30 to 43 percent of internet users worldwide are running some form of ad blocking as of 2025 — never see the banner. Tracking never fires. You never see the failure in your dashboard, because the session itself was never properly captured.
The result: a meaningful share of your traffic is running through a consent gate that failed to open, with no record that it failed, while you remain legally responsible for whatever tracking scripts fired on those sessions.
This is not a theoretical risk. It is a compounding one. Fix it before running through anything else on this list.
The second problem sits one layer up. When a user does see your banner and clicks "Reject All," most CMP configurations treat that as permission to discard all analytics data. That is overly broad and legally wrong. Anonymous analytics — aggregate session data with no personal identifiers, no persistent tracking, no cross-site behavior — does not require consent under GDPR. Article 6(1)(f) legitimate interest covers it in most configurations, and Recital 47 specifically contemplates statistical purposes. Research shows 34 to 47 percent of European visitors actively reject analytics cookies, and only 25 percent accept all. If your CMP is dumping the entire analytics payload on "Reject All," you are losing intelligence you were legally allowed to keep, on roughly one in three visitors.
Separate identifiable from anonymous data. Route them differently. Compliance does not require destroying your measurement capability — it requires scoping it correctly.
The checklist
Part 1: Verify your consent infrastructure is actually working
1. Audit whether your CMP loads before any tracking fires.
This is the single most common GDPR violation on small business websites. Open your site in a browser with no extensions, open developer tools, watch the network tab as the page loads. If GA4, Meta Pixel, or any advertising tag fires before your CMP banner appears and a consent signal is recorded, you are in violation on every session for every user in the EEA. It is that simple, and it happens constantly.
A compliant implementation requires that tracking scripts are blocked at the script level until consent is given. That means your CMP is not just displaying a banner — it is actively suppressing tags. Cookiebot's automatic blocking mode, Usercentrics' pre-blocking functionality, and GTM consent mode with proper trigger configuration all accomplish this, but only when correctly deployed. Check it with developer tools. Do not assume it is working because you installed the plugin.
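As an added illustration of what "blocked at the script level" means in practice (example code written for this article, not from any CMP named here): tags register a loader and a purpose category, nothing but strictly necessary tags may run before a decision exists, and every early attempt is recorded so the pre-consent firing described above becomes visible in a log rather than only in the network tab. The loaders are plain callbacks standing in for the `<script>` injection a browser would do.

```javascript
// Added example, not code from the article or any CMP: a minimal script-level
// consent gate with an audit trail of tags that tried to fire before consent.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

function createConsentGate() {
  const tags = new Map();          // tagId -> { category, loader, fired }
  const preConsentAttempts = [];   // audit trail: tags that tried to fire early
  let decision = null;             // null until the visitor has chosen

  function register(tagId, category, loader) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    tags.set(tagId, { category, loader, fired: false });
  }

  // Called by whatever would normally execute the tag (GTM trigger, inline
  // snippet, plugin). Before a decision, only strictly necessary tags run;
  // everything else is parked and the attempt is logged.
  function fire(tagId) {
    const tag = tags.get(tagId);
    if (!tag) throw new Error(`unregistered tag: ${tagId}`);
    if (tag.fired) return false;
    if (decision === null) {
      if (tag.category === 'necessary') {
        tag.fired = true;
        tag.loader();
        return true;
      }
      preConsentAttempts.push({ tagId, category: tag.category });
      return false;
    }
    if (decision[tag.category]) {
      tag.fired = true;
      tag.loader();
      return true;
    }
    return false;
  }

  // Apply the banner result (category -> boolean). "Reject All" is simply an
  // empty or all-false object. Parked tags in granted categories are released.
  function applyDecision(granted) {
    decision = { necessary: true };
    for (const c of CATEGORIES) {
      if (c !== 'necessary') decision[c] = granted[c] === true;
    }
    const released = [];
    for (const [tagId, tag] of tags) {
      if (!tag.fired && decision[tag.category]) {
        tag.fired = true;
        tag.loader();
        released.push(tagId);
      }
    }
    return released;
  }

  return {
    register,
    fire,
    applyDecision,
    firedTags: () => [...tags].filter(([, t]) => t.fired).map(([id]) => id),
    preConsentAttempts: () => preConsentAttempts.slice(),
  };
}

// Walk-through with constructed tag names: everything tries to fire on page
// load, then the visitor answers the banner with `choice`.
function demo(choice) {
  const gate = createConsentGate();
  const loaded = [];
  gate.register('session-cookie', 'necessary', () => loaded.push('session-cookie'));
  gate.register('ga4', 'analytics', () => loaded.push('ga4'));
  gate.register('meta-pixel', 'marketing', () => loaded.push('meta-pixel'));
  gate.fire('session-cookie');
  gate.fire('ga4');
  gate.fire('meta-pixel');
  const early = gate.preConsentAttempts().map((a) => a.tagId);
  const released = gate.applyDecision(choice);
  return { loaded, early, released };
}
```

With analytics accepted and marketing rejected, `demo` loads only the session cookie and GA4 and reports both GA4 and the pixel as early attempts; on "Reject All" nothing beyond the necessary tag ever runs.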
2. Test your banner under real ad-blocker conditions.
Install uBlock Origin or enable Brave Shields. Load your site. Does the banner appear? If not, you have the third-party CDN problem described above. Every session from privacy-conscious users — who are disproportionately your most technically sophisticated and highest-value customers — is running through a broken consent gate.
The structural fix is to load your CMP from a first-party subdomain (cmp.yourdomain.com, consent.yourdomain.com). A CMP hosted on your own subdomain through a CNAME record is not on any filter list. It loads on every session. The consent signal reaches your tag management system, which then controls which tracking scripts are allowed to fire. This is how DataCops' first-party consent manager is architected — not from a shared CDN, from your own subdomain, visible to every visitor including those running aggressive privacy tools.
3. Verify that "Reject All" is as easy as "Accept All."
CNIL's enforcement has established a clear standard: unequal friction between Accept and Reject paths is a GDPR violation. The absence of a "Reject All" button on the first consent layer, pre-ticked boxes, and cookie walls blocking service access are red flags regulators now actively test for. Your banner must present rejection as a single-click option on the first screen, at the same visual prominence as acceptance. If your design buries the reject path in a "Manage preferences" submenu, you have a dark pattern problem and a fine risk that scales with your traffic.
4. Confirm your CMP logs consent correctly and that logs are retrievable.
GDPR Article 7(1) requires you to be able to demonstrate that the data subject consented. That means your CMP must log: the timestamp, the version of the consent banner shown, the specific categories accepted or rejected, and an identifier linking the log to that user. If a regulator asks you to prove consent for a specific user, you need to be able to pull it. Many lightweight CMP implementations store consent client-side only, in a cookie on the user's browser — which the user can delete, and which tells you nothing if they complain. Audit your consent log storage. Make sure records live server-side.
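To make the logging requirement concrete, here is an added example (written for this article, not taken from any CMP) of a server-side consent log: each receipt must carry the four fields listed above, withdrawal is recorded as its own receipt, and the lookup answers the question a regulator actually asks, whether a given category was granted for a given subject at a given instant. `subjectId` is assumed to be the pseudonymous id the CMP assigns, and `bannerVersion` the identifier of the exact banner shown.

```javascript
// Added example, not from the article or any vendor: server-side consent
// receipts with Article 7(1) evidence fields and point-in-time lookup.
const REQUIRED = ['subjectId', 'bannerVersion', 'timestamp', 'categories'];

function validateReceipt(r) {
  for (const f of REQUIRED) {
    if (r[f] === undefined || r[f] === null || r[f] === '') {
      throw new Error(`consent receipt missing ${f}`);
    }
  }
  if (Number.isNaN(Date.parse(r.timestamp))) throw new Error('timestamp is not ISO-8601');
  for (const [cat, v] of Object.entries(r.categories)) {
    if (typeof v !== 'boolean') throw new Error(`category ${cat} must be true or false`);
  }
  return true;
}

function createConsentLog() {
  const receipts = []; // append-only; in production a table with the same shape

  function record(receipt) {
    validateReceipt(receipt);
    receipts.push({
      ...receipt,
      categories: { ...receipt.categories },
      recordedAt: new Date().toISOString(), // server clock, independent of the client
    });
    return receipts.length - 1;
  }

  // The decision in force for a subject at `at`: the latest receipt whose
  // timestamp is at or before that instant. null means no recorded basis.
  function decisionAt(subjectId, at) {
    const t = Date.parse(at);
    let best = null;
    for (const r of receipts) {
      if (r.subjectId !== subjectId) continue;
      const ts = Date.parse(r.timestamp);
      if (ts <= t && (best === null || ts > Date.parse(best.timestamp))) best = r;
    }
    return best;
  }

  function wasGranted(subjectId, category, at) {
    const d = decisionAt(subjectId, at);
    return d !== null && d.categories[category] === true;
  }

  // Withdrawal (Article 7(3)) is itself a consent event: a receipt that sets
  // every previously known category to false, under the banner version shown.
  function withdraw(subjectId, bannerVersion, timestamp) {
    const prev = decisionAt(subjectId, timestamp);
    const categories = {};
    for (const c of Object.keys(prev ? prev.categories : {})) categories[c] = false;
    return record({ subjectId, bannerVersion, timestamp, categories });
  }

  return { record, decisionAt, wasGranted, withdraw, size: () => receipts.length };
}

// Constructed walk-through: one subject accepts analytics in May, then withdraws.
function demo() {
  const log = createConsentLog();
  log.record({
    subjectId: 'cmp-7f3a',                 // constructed CMP consent id
    bannerVersion: 'v12-2026-05',          // constructed banner version
    timestamp: '2026-05-02T10:00:00Z',
    categories: { analytics: true, marketing: false },
  });
  log.withdraw('cmp-7f3a', 'v12-2026-05', '2026-05-20T09:30:00Z');
  return {
    analyticsOnMay10: log.wasGranted('cmp-7f3a', 'analytics', '2026-05-10T12:00:00Z'),
    marketingOnMay10: log.wasGranted('cmp-7f3a', 'marketing', '2026-05-10T12:00:00Z'),
    analyticsOnMay25: log.wasGranted('cmp-7f3a', 'analytics', '2026-05-25T12:00:00Z'),
    beforeAnyRecord: log.wasGranted('cmp-7f3a', 'analytics', '2026-04-01T00:00:00Z'),
    unknownSubject: log.decisionAt('cmp-0000', '2026-05-10T12:00:00Z'),
    receipts: log.size(),
  };
}
```

A receipt that omits the banner version is rejected at write time, which is the point: a log you cannot tie back to the wording the user saw does not demonstrate consent.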
5. Separate anonymous analytics from identifiable tracking in your data architecture.
This is the compliance gap that destroys marketing intelligence unnecessarily. Anonymous aggregate analytics — sessions, page views, funnel completion, device type — do not require consent. They do not set persistent identifiers. They do not track individuals across sessions or sites. They are legal after "Reject All." Your CMP should route these differently from advertising pixels and identifiable analytics. If you are running a single-bucket approach where "Reject All" kills everything including anonymized session data, you are both over-complying (discarding legal data) and potentially under-complying (failing to properly scope what actually needs consent). DataCops' first-party analytics architecture is built around this separation: anonymous data flows unconditionally, identifiable data gates on consent.
Part 2: Legal foundations marketers get wrong
6. Map a lawful basis to every data processing activity — specifically.
"We have a privacy policy" is not a lawful basis. Under GDPR Article 6, you need one of six: consent, contract, legal obligation, vital interests, public task, or legitimate interest. For marketing activities, you are almost always working with consent or legitimate interest, and they are not interchangeable. Consent requires an opt-in and can be withdrawn. Legitimate interest requires a balancing test — your interest against the data subject's rights — documented in a Legitimate Interest Assessment (LIA). If you are using legitimate interest for behavioral advertising, you are probably wrong, and you will lose an enforcement action. CNIL's fines have repeatedly targeted companies claiming legitimate interest for consent-required activities.
Document the lawful basis for each data stream. Retargeting pixels: consent. Email marketing to existing customers: arguably legitimate interest, with LIA. Email marketing to purchased lists: no valid basis; stop. Analytics: legitimate interest if anonymized, consent if session-level personal data.
7. Audit your email marketing list consent documentation.
Meta's €1.2B fine wasn't about email marketing, but it proved regulators aren't bluffing. GDPR violations carry fines up to €20M or 4% of global annual turnover. The most common email compliance failure is also the least technical: consent bundled into account creation terms, or an unchecked checkbox buried at form registration that users do not notice. GDPR requires marketing consent to be granular, specific, and separate from service terms. "By creating an account you agree to our Privacy Policy" does not constitute marketing consent. Audit every signup form. Every lead gen page. Every checkout flow with a "keep me updated" option. If the checkbox is pre-ticked, you have a violation.
Double opt-in is effectively mandatory in Germany and Italy, and it is your strongest defensible proof of consent everywhere else.
8. Establish a process for Data Subject Requests — with actual timelines.
Article 15 (access), Article 17 (erasure), and Article 20 (portability) are increasingly enforced directly. You need a documented process that gets a response out within 30 days of receiving a request, with one possible 60-day extension for complex cases. That process needs to work across every system holding that person's data: your CRM, your email platform, your analytics stack, your ad platform customer lists. If deleting a user from your CRM does not trigger deletion from Meta Custom Audiences and your HubSpot contact database, your erasure response is incomplete. Map the systems. Document the process. Test it before you receive an actual request.
9. Review all third-party vendor DPAs.
Every processor you share personal data with needs a Data Processing Agreement. That includes your analytics provider, email platform, ad network, attribution tool, CDN, and cloud hosting. If you are sending user data to a US-based processor, you need either Standard Contractual Clauses or EU-US Data Privacy Framework coverage. In 2026, regulators are treating inadequate processor management as an aggravating factor that directly elevates fine amounts. The "we were just using a standard SaaS tool" defense does not work. You are responsible for every sub-processor in your stack.
10. Assess your cross-border data transfer architecture.
TikTok was fined €530 million for illegally transferring EEA user data to China without adequate safeguards. If your analytics data, CRM records, or ad platform event data routes through servers outside the EEA, you need to know exactly where it is going and what legal mechanism covers the transfer. GA4 data routing through US Google servers requires EU-US DPF coverage. Server-side event routing through US-based cloud infrastructure requires SCCs at minimum. Map your data flows geographically and document the transfer mechanism for each one.
Part 3: Conversion tracking and the GDPR marketing stack
This is where most GDPR checklists stop being useful, because they treat consent as a legal checkbox rather than an infrastructure problem with direct consequences for campaign performance.
When a user rejects consent, your Meta Pixel stops firing. Your Google Ads conversion tag stops firing. Your attribution stack goes dark on that user. If you are running significant EU traffic — or UK traffic, or traffic from any jurisdiction with similar consent requirements — you have a measurement gap that is not just a compliance problem. It is a budget allocation problem. You are optimizing campaigns on a partial signal, teaching Meta and Google what a customer looks like based only on the consenting fraction of your audience.
Only 25 percent of European visitors accept all cookies. If your conversion measurement depends entirely on browser-side pixels, you are running paid media optimization on one quarter of your EU audience signal.
The fix has two components. First, implement server-side Conversion API (CAPI) alongside your consent framework. CAPI sends conversion events from your server directly to Meta, Google, TikTok, and LinkedIn, rather than relying on browser scripts that get blocked or consent-gated. For consented users, CAPI supplements pixel data for higher event match quality. For non-consented users, CAPI can send anonymized or modeled conversion signals that feed Consent Mode v2 modeling — no personal data, just aggregate behavioral patterns that improve ad platform optimization without violating consent.
This is precisely why Google Consent Mode v2 became mandatory for EEA advertisers on June 15, 2026. Google's modeling fills attribution gaps in the consented signal using behavioral patterns from consented users, but it requires a certified CMP sending proper consent signals and a CAPI integration to have the event data to model from. Without both, your Google Ads campaigns in the EEA are operating without the optimization signal they need.
Second, audit your CAPI setup for data quality before worrying about volume. If you are sending events to Meta CAPI without filtering out bot traffic, you are training Meta's lookalike audience algorithms on fraudulent signals. Global invalid traffic runs at 20.64% of all ad traffic (Fraudlogix 2026), and bot conversions that reach CAPI directly corrupt the audience modeling that drives your cost per acquisition. DataCops' bot-free CAPI filters 361 billion tracked IPs before any event fires — bots, VPNs, datacenter traffic, and proxy users are stripped from the conversion signal before it reaches the ad platform. This is not a standard CAPI feature. It requires infrastructure purpose-built for it.
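The routing described in Part 1 item 5 (anonymous analytics flow regardless of consent, identifiable data gates on it) and the two CAPI points above (consent-aware forwarding, bot traffic dropped before any event is sent) fit in one server-side pipeline. This is an added example written for this article, not DataCops' or any ad platform's code: the bot classifier is a constructed stand-in for a real IP-reputation database, and the forwarded payload shape is illustrative rather than any platform's exact schema.

```javascript
// Added example, not from the article or any vendor: a server-side event
// pipeline that drops non-human traffic, always emits an anonymous aggregate
// record, and forwards an identifiable CAPI-style event only with consent.

// Constructed stand-in for an IP-reputation lookup. Real systems consult a
// datacenter/proxy database; here two TEST-NET prefixes play the role.
const DATACENTER_PREFIXES = ['203.0.113.', '198.51.100.'];
const BOT_UA_MARKERS = ['headlesschrome', 'python-requests', 'curl/'];

function classifyClient({ ip, userAgent }) {
  const addr = ip || '';
  const ua = (userAgent || '').toLowerCase();
  if (DATACENTER_PREFIXES.some((p) => addr.startsWith(p))) return 'datacenter';
  if (BOT_UA_MARKERS.some((m) => ua.includes(m))) return 'bot';
  return 'human';
}

// Fields that make a record personal data and must never reach the anonymous
// bucket. The pipeline asserts on this rather than trusting the mapper.
const IDENTIFYING_FIELDS = ['email', 'ip', 'userAgent', 'clientId', 'userId', 'fbclid', 'gclid'];

function toAnonymousRecord(event) {
  // Coarse, non-linkable aggregates: what happened, where, on which device
  // class, in which hour. No session or visitor identifier of any kind.
  return {
    eventName: event.name,
    pagePath: event.pagePath,
    deviceClass: event.deviceClass,
    hour: event.timestamp.slice(0, 13), // "2026-06-01T14" -> hourly bucket
    value: event.value ?? null,
  };
}

function toCapiEvent(event) {
  // Illustrative server-side conversion payload; field names are not any
  // specific platform's schema.
  return {
    event_name: event.name,
    event_time: Math.floor(Date.parse(event.timestamp) / 1000),
    action_source: 'website',
    user_data: { email: event.email, client_ip: event.ip, client_user_agent: event.userAgent },
    custom_data: { value: event.value ?? 0, currency: event.currency ?? 'EUR' },
  };
}

// sinks: { anonymous, capi, dropped } are callbacks receiving routed records.
// consent is the recorded decision for this visitor, or null if none exists
// (for example because the banner never loaded).
function processEvent(event, consent, sinks) {
  const verdict = classifyClient(event);
  if (verdict !== 'human') {
    sinks.dropped({ reason: verdict, eventName: event.name });
    return { route: 'dropped', reason: verdict };
  }
  const anon = toAnonymousRecord(event);
  for (const f of IDENTIFYING_FIELDS) {
    if (f in anon) throw new Error(`identifier ${f} leaked into anonymous record`);
  }
  sinks.anonymous(anon);
  if (consent && consent.marketing === true) {
    sinks.capi(toCapiEvent(event));
    return { route: 'anonymous+capi' };
  }
  return { route: 'anonymous-only' };
}

// Constructed sample traffic: two humans with different decisions, one whose
// banner never loaded, one datacenter address, one scripted client.
function demo() {
  const out = { anonymous: [], capi: [], dropped: [] };
  const sinks = {
    anonymous: (r) => out.anonymous.push(r),
    capi: (r) => out.capi.push(r),
    dropped: (r) => out.dropped.push(r),
  };
  const base = {
    name: 'Purchase', pagePath: '/checkout/thanks', deviceClass: 'mobile',
    timestamp: '2026-06-01T14:22:08Z', value: 49.0, currency: 'EUR',
    userAgent: 'Mozilla/5.0 (iPhone)',
  };
  const results = [
    processEvent({ ...base, ip: '192.0.2.10', email: 'a@example.com', clientId: 'GA1.2.1' }, { marketing: true }, sinks),
    processEvent({ ...base, ip: '192.0.2.11', email: 'b@example.com', clientId: 'GA1.2.2' }, { marketing: false }, sinks),
    processEvent({ ...base, ip: '192.0.2.12', email: 'c@example.com' }, null, sinks),
    processEvent({ ...base, ip: '203.0.113.9', email: 'd@example.com' }, { marketing: true }, sinks),
    processEvent({ ...base, ip: '192.0.2.13', userAgent: 'python-requests/2.31' }, { marketing: true }, sinks),
  ];
  return { routes: results.map((r) => r.route), out };
}
```

Note that the visitor with no recorded decision is treated exactly like a rejection: a banner that failed to load is not consent, but the anonymous aggregate is still kept.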
The advanced conversion tracking implementation guide covers the full technical setup for compliant, consent-aware server-side tracking.
Part 4: The CMP tool landscape
You need a CMP. Here is what the market looks like in mid-2026, without the sales deck version.
OneTrust
The broadest privacy governance platform on the market. Genuinely covers cookie consent, DSAR management, data mapping, vendor risk, AI governance, and ESG reporting in one suite. If you are a large enterprise running a privacy program across multiple jurisdictions with a dedicated privacy team, OneTrust's depth is legitimate. The problem is pricing: OneTrust raised its minimum ACV to $10,000 in 2026, pushing a wave of mid-market customers to evaluate alternatives. Below enterprise scale, you are paying for ten modules to use two. Its CMP component loads from a third-party CDN — the ad-blocker problem applies. Right for: enterprises running full GRC programs. Value 6/10 for most marketers. Starts at $10,000/year.
Cookiebot (now Usercentrics Web CMP)
The original scan-and-categorize-cookies tool, now absorbed into the Usercentrics portfolio. Cookiebot doubled its prices across most tiers in August 2025 after the Usercentrics acquisition matured, triggering significant customer complaints on Capterra and Reddit. The scanner is still solid, Google certifies it for Consent Mode v2, and setup takes minutes. Its weakness is the third-party CDN load, page-count-based pricing that surprises people when sites grow, and no DSAR management or broader privacy tooling. 500,000+ websites run its banner, which also means it is a well-known CDN target for filter lists. Right for: small single-domain sites wanting fast setup. Value 5/10. Pricing starts around €7/month for up to 50 subpages; scales unpredictably above that.
Usercentrics
The enterprise tier of the same company. Usage-based pricing (€50 to €500/month) gives more predictability than Cookiebot's page-count model. Covers GDPR, CCPA, TCF 2.2, Google Consent Mode v2. Strong analytics dashboard showing consent rates by banner variant, which is genuinely useful for marketers trying to optimize accept rates without crossing into dark patterns. Still loads from third-party CDN. Right for: mid-market with multi-language requirements who want consent analytics without an enterprise contract. Value 7/10. From €50/month.
Didomi
A French enterprise CMP that became significantly larger after acquiring Sourcepoint in July 2025, making it one of the dominant enterprise publisher-facing platforms. Didomi processes 2 billion consents monthly with 99.9999% uptime and supports 25+ countries with localized compliance logic. Strong at preference management and publisher ad-tech compliance. Not a self-serve product — custom pricing only, aimed at mid-to-large enterprise. Right for: large European publishers or media organizations with complex ad-tech consent signal requirements. Value depends entirely on your use case. Custom pricing, no self-serve tier.
iubenda
Italian-origin legal compliance tool that produces GDPR-ready privacy policies, cookie notices, and terms of service alongside a basic CMP. Users appreciate the feature range; reviews flag billing and customer support concerns. The privacy policy generator is its strongest component — the CMP itself is functional but not deep. No DSAR management. Right for: small businesses that need compliant legal documents plus a basic consent banner in one affordable tool. Value 7/10. Free tier available; paid plans from around $27/month.
CookieYes
A widely deployed consent tool with strong native integrations for Shopify and WordPress. Covers GDPR, CCPA/CPRA, historical consent logs. Free tier available; paid plans from $10 to $55/month per domain. No DSAR management. Its consent blocking method can break if the CMP script loads asynchronously or after other third-party tags — a technical deployment issue that requires verification, not just a visual banner check. Right for: Shopify stores and WordPress sites wanting fast native CMP integration. Value 7/10. From $10/month per domain.
Axeptio
A French CMP with a distinctive design philosophy: consent banners built to be human-centered and visually engaging rather than generic compliance UI. Higher consent rates are a legitimate outcome of better UX, and Axeptio has genuine data supporting that claim. Page-count-based pricing runs from around £29/month. No DSAR management. Not a full privacy program tool. Right for: brand-led teams where user experience and consent rate optimization are priorities. Value 7/10. From £29/month.
Quantcast Choice
Free TCF 2.2 CMP aimed primarily at publishers running programmatic advertising. The free tier covers the core consent management functionality for publisher ad stacks. Limited customization, no DSAR management, limited support. Right for: publishers needing TCF compliance without budget for a paid tool. Value 8/10 for that specific use case given the price. Free.
Osano
US-based CMP with DSAR management, data mapping, and cookie scanning in one platform. Pricing starts at $199/month per domain, which puts it in a premium bracket for SMBs. Strong customer support reviews. Performance analysis found Osano consistently results in longer main thread tasks than competing CMPs, which matters for Core Web Vitals. Right for: US-focused companies wanting integrated CMP plus DSAR management who do not need enterprise-scale governance. Value 6/10. From $199/month.
Secure Privacy
Cloud-based CMP covering GDPR, CCPA, and US state laws with data discovery and consent workflows. Entry pricing at $14/month per domain makes it one of the more affordable full-featured options. G2 reviews note the clean interface; documentation breadth is a common improvement request. Right for: SMBs wanting a full-featured CMP at accessible pricing. Value 7/10. From $14/month.
TrustArc
Enterprise privacy management platform covering consent, data mapping, and compliance automation. Competes with OneTrust in the enterprise segment. Pricing is not published; aimed at larger organizations. No public self-serve tier. Right for: enterprises that find OneTrust too expensive but need full GRC coverage. Value judgment requires a direct sales conversation. Custom pricing.
Sourcepoint
Sourcepoint targets the higher end of the market, with plans starting at $500/month, and delivered outstanding performance results in independent benchmarks, recording median banner render times under 10 milliseconds by using iframe-based consent delivery. Now owned by Didomi following the July 2025 acquisition. Strongest for large publisher ad-tech deployments. Right for: large publishers and media companies with complex programmatic consent signal requirements. Value depends on scale. Custom pricing from $500/month.
Complianz
WordPress-native consent management, free for basic compliance. Covers GDPR and CCPA, integrates directly with WordPress without external scripts. The free tier handles most cookie consent requirements for WordPress sites. No DSAR management, limited scalability beyond WordPress. Right for: WordPress sites that want native plugin integration and minimal cost. Value 9/10 for that use case. Free core plugin; premium from around €9/month.
CookieHub
A focused CMP built on Google-certified Consent Mode v2, IAB TCF participation, and multilingual capability. Positioned for marketing and compliance teams that need a clean, certified consent layer without the complexity of enterprise suites. Right for: growing companies needing certified Consent Mode v2 compliance and multi-language support at mid-market pricing. Value 7/10. Tiered pricing from free.
Enzuzo
One of the CMPs formally recommended by OneTrust to customers displaced by its $10,000 minimum ACV increase. Covers GDPR, CCPA, and US state laws with DSAR management on paid tiers. Flat multi-domain pricing (Growth at $22/month for 4 domains, Pro at $59/month for 10) is a significant advantage for agencies managing multiple client sites. Right for: agencies and multi-site businesses that need predictable multi-domain pricing with DSAR support. Value 8/10. From $22/month for 4 domains.
DataCops
One first-party architecture covering CMP, analytics, and CAPI in a single pipeline. The CMP loads from your own subdomain via CNAME, not a shared CDN — the banner loads on every session including those running uBlock Origin or Brave. Anonymous analytics flow unconditionally after "Reject All" because they carry no personal identifiers. Identifiable tracking and CAPI event forwarding gate on consent, TCF 2.2 compliant for EEA. Bot filtering at 361 billion IPs means the conversion data reaching Meta, Google, TikTok, and LinkedIn CAPI is clean before it fires. The bundled architecture eliminates the separate CMP cost (OneTrust at $10K/year, Cookiebot at €7+/month per domain) alongside the CAPI infrastructure cost. Typical CMP implementation costs for SMBs run $2,000 to $15,000 per year; DataCops replaces that alongside the conversion tracking stack at Business tier ($49/month, which includes CAPI for Meta, Google, TikTok, and LinkedIn). The honest weakness: SOC 2 Type II is in progress (not yet certified), the brand is newer than OneTrust or Elevar, and the enterprise integration catalog is narrower than Tealium or Segment. Right for: performance marketers who need consent infrastructure that does not break conversion tracking and want bot-filtered CAPI alongside a first-party CMP without assembling four separate tools. Value 9/10. Free tier available; CAPI starts at Business $49/month.
Part 5: Feature comparison
| Tool | First-party load | TCF 2.2 | Google Consent Mode v2 | DSAR management | Bot filtering | Built-in CAPI | Entry price |
|---|---|---|---|---|---|---|---|
| DataCops | Yes (CNAME) | Yes | Yes | No | Yes (361B IP DB) | Yes (Meta, Google, TikTok, LinkedIn) | Free; CAPI $49/mo |
| OneTrust | No (CDN) | Yes | Yes | Yes | No | No | $10,000/yr |
| Cookiebot/Usercentrics | No (CDN) | Yes | Yes | No | No | No | ~€7/mo |
| Usercentrics | No (CDN) | Yes | Yes | No | No | No | €50/mo |
| Didomi | No (CDN) | Yes | Yes | Yes | No | No | Custom |
| iubenda | No (CDN) | Yes | Yes | No | No | No | ~$27/mo |
| CookieYes | No (CDN) | Yes | Yes | No | No | No | $10/mo |
| Axeptio | No (CDN) | Yes | Yes | No | No | No | £29/mo |
| Quantcast Choice | No (CDN) | Yes | Yes | No | No | No | Free |
| Osano | No (CDN) | Partial | Yes | Yes | No | No | $199/mo |
| Secure Privacy | No (CDN) | Yes | Yes | No | No | No | $14/mo |
| Complianz | WordPress-native | Partial | Yes | No | No | No | Free |
| Enzuzo | No (CDN) | Yes | Yes | Yes | No | No | $22/mo (4 domains) |
| Sourcepoint | No (CDN) | Yes | Yes | Yes | No | No | $500+/mo |
| TrustArc | No (CDN) | Yes | Yes | Yes | No | No | Custom |
| CookieHub | No (CDN) | Yes | Yes | No | No | No | Free tier |
Part 6: When NOT to use DataCops
This section is mandatory because honest positioning matters more than maximizing sign-ups from people it is the wrong fit for.
If you need SOC 2 Type II certification today, DataCops is not your answer. The certification is in progress. Enterprise procurement requirements that need it now will need to use a certified alternative: Tracklution (SOC 2 + ISO 27001), Elevar, or an established CMP like OneTrust. Come back in a few months.
If you are a large enterprise with a dedicated privacy and legal team running a full GRC program — data mapping, vendor risk assessments, DPIAs, AI governance, whistleblower reporting — you need OneTrust or a comparable full-governance platform. DataCops is conversion infrastructure, not enterprise GRC.
If you are a publisher with a complex programmatic advertising stack requiring granular IAB TCF signal management across dozens of SSPs and DSPs, Didomi's acquisition of Sourcepoint makes it the most capable option in that specific scenario. DataCops is not built for publisher ad-tech complexity at that scale.
If your entire business runs on Shopify and you need millisecond-precise order-level attribution with native Shopify pixel integration, Elevar at $200/month is built specifically for that use case in a way DataCops is not. The order-level fidelity Elevar delivers for Shopify-native stores is worth the premium if that specificity matters for your business.
Quick answers
Do I need a CMP if I only use Google Analytics?
Yes, if you have any EU traffic. GA4 collects personal data (IP addresses, user identifiers) and requires consent under GDPR unless you configure it for fully anonymized, non-personal collection. The default GA4 installation starts tracking before consent is given, which is a violation. Google's Consent Mode v2 requires a certified CMP to manage signals correctly.
What happens if I do not implement Google Consent Mode v2?
Google requires certified Consent Mode v2 integration for advertisers serving ads in the EEA. Without it, Google Ads campaigns cannot serve personalized ads to EEA users and optimization is severely degraded. The June 15, 2026 deadline made this mandatory. Non-compliance affects both legal standing and campaign performance.
Can I use legitimate interest for retargeting?
Almost certainly not. CNIL and other EU DPAs have consistently rejected legitimate interest claims for behavioral advertising and retargeting. You need explicit consent. If you are running retargeting to EU users without a consent signal, you have an exposure.
What is the fine risk for a small business?
Spanish enforcement demonstrates clearly that GDPR is not purely a Big Tech concern — fines span a wide range of sectors and organisation sizes, including SMEs. The headline maximums (€20M or 4% global turnover) apply to egregious violations, but smaller fines for SMEs are common in high-enforcement jurisdictions. More practically, a complaint from a single user to a DPA triggers an investigation that costs time, legal fees, and remediation work regardless of whether a fine follows.
Is cookieless analytics GDPR compliant by default?
Cookieless analytics that collects no personal data and sets no persistent identifiers is generally exempt from GDPR consent requirements — it falls outside the scope of "personal data" under Article 4. But verify the specific tool's data model. "Cookieless" is a marketing term; the legal question is whether the data collected is personal. Read the best cookieless analytics guide for what to verify in each tool before assuming compliance.
What do I do about US traffic?
GDPR applies to data subjects in the EEA regardless of where you are based. It does not apply to US residents visiting from within the US. You do not need a GDPR consent banner for US traffic. Running cookieless defaults globally — as Vercel Analytics, Cloudflare Analytics, and Plausible do — is legal maximalism applied worldwide when it is only legally required in the EU. You lose returning user recognition and funnel analytics on US, UK, and APAC traffic unnecessarily. Apply consent requirements geographically, not universally.
How do I handle consent for my CRM and email marketing list?
Every contact in your CRM needs a documented lawful basis for marketing communications. For EU-based contacts, that almost always means explicit consent, with a record of when and how it was given. Audit your list import history. If you cannot trace consent for a segment of your EU contacts, stop marketing to that segment and re-permission them before resuming. The B2B conversion tracking guide covers the data flow from lead capture to CRM with GDPR in mind.
The GDPR checklist, condensed
The long version above is what implementation looks like. If you need a working reference:
Infrastructure
- CMP loads before any tracking fires (verify with dev tools)
- CMP loads under ad-blocker conditions (test with uBlock Origin)
- Reject All is as visible and one-click as Accept All
- Consent logs are stored server-side with timestamps and banner version
- Anonymous analytics are routed separately from identifiable data
- CAPI implemented alongside pixel for consented conversion events
- Google Consent Mode v2 active with certified CMP for EEA
Legal
- Lawful basis documented for every data processing activity
- Marketing consent is granular, separate from account terms, unchecked by default
- Double opt-in active for EU email acquisition (mandatory in DE and IT)
- Data Subject Request process documented with 30-day response workflow
- DPAs signed with every processor touching personal data
- Cross-border data transfers covered by SCCs or EU-US DPF
- Legitimate interest assessments completed where LI is claimed
Operational
- Cookie declaration updated every time new tags are added to GTM
- Privacy policy reflects actual data practices (audit quarterly)
- Data retention schedules defined and enforced in each system
- Breach notification process documented (72-hour regulatory window)
- Staff handling personal data trained on lawful basis and data subject rights
The enforcement pattern across 2025 and 2026 makes one thing clear: regulators are testing sites directly, they are applying escalating penalties to repeat violations, and they are treating consent mechanism failures as aggravating factors in every related enforcement action. The question that most marketers have not honestly answered yet is not whether their privacy policy is up to date. It is whether their consent infrastructure is actually running — and whether the conversion data flowing into their ad platforms right now was collected from the humans they think it was.
What percentage of your EU traffic last month hit a consent gate that never loaded?