Nixon Digital has scanned all 342 municipal websites in the Netherlands for privacy compliance. The results are concerning: 207 municipalities (61%) load services from American Big Tech companies before a visitor has given consent. In almost all cases, this involves Google services.
Key Figures
- 207 of the 339 successfully scanned municipalities (61.1%) load Big Tech services before consent
- 206 of those 207 (99.5%) involve Google services (including YouTube)
- 97 municipalities load Google Fonts, sending data to Google on every page visit
- 114 municipalities have embedded YouTube videos that activate Google trackers
- 70 municipalities load Google Analytics before consent
- Only 31 municipalities (9%) use a professional cookie banner platform
This means that millions of Dutch citizens who visit their municipal website for public services unknowingly share data with American tech companies. Without having given consent. And without most municipalities appearing to be aware of it.
Background and context
Municipal websites are not ordinary websites. They are digital service counters where citizens must go for passports, permits, tax matters, and WMO applications. Citizens have no choice: they depend on the website of their own municipality. This gives municipalities a special responsibility when it comes to protecting the privacy of their residents.
However, to date there has been no large-scale, automated study examining how Dutch municipal websites handle the privacy of their visitors. Individual municipalities have occasionally been reviewed, but a complete overview of all 342 municipalities was missing.
Nixon Digital has now created that overview. Using the Nixon Pro privacy audit tool, we systematically scanned all 342 municipal websites for four key elements: third-party cookies, trackers, external domains, and fonts that are loaded before a visitor has given consent through a cookie banner.
What did we measure?
For each municipal website, we scanned up to 100 pages. The scan measures what happens at the moment a visitor opens the website, without any interaction with a potential cookie banner. This simulates the behavior of an average visitor who simply visits the website.
We mapped four aspects:
- Third-party cookies before consent – Are cookies from external parties placed before the visitor gives consent?
- Third-party trackers before consent – Are tracking scripts loaded that can monitor the visitor’s behavior?
- Third-party domains before consent – How many external servers does the visitor’s browser connect to?
- Third-party fonts before consent – Are fonts loaded from external servers (such as Google Fonts)?
These four measurement points are interconnected. A cookie is placed through a script, and that script is loaded via an external domain. By looking at connections at the domain level, we get the most complete picture of which third parties receive data when someone visits a municipal website.
Why is this a problem?
When a municipal website loads an external domain, the visitor’s browser connects to that external server. During this process, certain data is automatically shared:
- The IP address of the visitor (personal data under the GDPR)
- Device information such as browser type, operating system, and screen resolution
- The visited URL, including any parameters
- Time of the visit
This combination of data forms a digital fingerprint that can make visitors identifiable and trackable. Especially when this data ends up with companies that already have large databases (such as Google, which already has profiles of billions of users through Gmail, Android, YouTube, and Chrome), this information can potentially be linked to existing profiles.
The legal framework: GDPR and Schrems II
The General Data Protection Regulation (GDPR, known in Dutch as the AVG) is clear: personal data may not be processed without a valid legal basis. For placing tracking cookies and sharing data with third parties for non-strictly necessary purposes, consent is required. That consent must be given in advance, explicit, and informed.
Additionally, the Schrems II ruling of the European Court of Justice (2020) plays an important role. This ruling states that personal data cannot simply be transferred to the United States, because the U.S. government can demand access to data stored by American companies under laws such as the CLOUD Act and FISA Section 702. Companies like Google, Meta, and Microsoft are subject to this legislation as U.S.-based companies.
This means that loading Google Analytics, Google Fonts, or YouTube embeds on a municipal website without explicit prior consent may not only violate the GDPR requirements for consent, but also the rules governing international data transfers.
Results
Overview
Of the 342 Dutch municipalities, we successfully scanned 339. Three scans failed due to technical issues on the municipality's side. Of the 339 successfully scanned municipalities, 207 (61.1%) share data with at least one Big Tech party before consent.
Google dominates
The most striking result is the overwhelming dominance of Google. Of the 207 municipalities that load Big Tech services before consent, 206 do so through a service from the Google ecosystem (Google itself or YouTube). Only one municipality (Wageningen) loads Facebook without also loading Google.
This means that when we talk about “Big Tech on municipal websites,” in practice we are almost exclusively talking about Google.
Which Google services are being loaded?
Google is not a single service, but an ecosystem of dozens of products. We examined which specific Google services municipal websites load before consent:
YouTube embeds: the hidden tracker
114 municipalities have embedded YouTube videos directly on their website. This may seem harmless, but when a YouTube embed loads, the visitor’s browser connects to multiple Google servers. During this process, cookies are placed and tracking scripts are loaded, even if the visitor does not play the video. Many municipalities are likely not aware of this.
Privacy-friendly alternatives do exist. YouTube itself offers a “privacy-enhanced mode” (youtube-nocookie.com), and municipalities can also host videos via European services such as Vimeo (with the correct settings) or on their own video servers.
Google Fonts: an unnecessary privacy risk
97 municipalities load fonts via fonts.googleapis.com. With every page visit, the visitor’s browser sends a request to Google servers, including the IP address. This is unnecessary, because Google Fonts can easily be hosted locally (self-hosting) or replaced with Bunny Fonts, a European alternative that works identically but keeps data within the EU.
In Germany, the Landgericht München already ruled in January 2022 that using Google Fonts via Google’s servers violates the GDPR, because IP addresses are transmitted to Google without consent. Dutch municipalities that load Google Fonts therefore face a concrete legal risk.
Google Analytics: intentionally chosen, but problematic
70 municipalities load Google Analytics before consent. Unlike Google Fonts (which is often included through a template), Google Analytics is usually installed deliberately. This makes it even more notable that it is active before consent: the cookie banner should block Google Analytics from loading until the visitor agrees.
European alternatives for web analytics are widely available. Matomo (open source, EU hosting available), Piwik PRO (EU-based), Siteimprove (Danish), and SIM Analytics (Dutch) are all solutions that keep data within Europe.
Google Maps and Translate
31 municipalities load Google Maps before consent and 15 load Google Translate before consent. Alternatives to Google Maps exist based on OpenStreetMap. For translations, municipalities can offer their own translated pages or use a European translation service.
7 municipalities load Google Ads scripts before consent. This is notable: it means these municipal websites are running advertising scripts that share data with Google’s advertising network. Based on the scan, it is not possible to determine whether this was done intentionally or is the result of a misconfigured template.
Cookie banners: a false sense of security?
A common defense is: “We have a cookie banner, so we are compliant.” Our research shows that this is not the case.
Of the 339 successfully scanned municipalities, the vast majority (220, or 65%) have no cookie banner at all. Of the remaining municipalities, 88 have a self-built or unrecognizable banner, and only 31 use a professional Consent Management Platform (CMP): 27 use CookieYes and 4 use Cookiebot.
The cookie banner paradox
The most interesting insight from our research is what we call the “cookie banner paradox”: municipalities that use a professional cookie banner platform actually score worse on Big Tech usage than municipalities without a banner.
The explanation is logical: municipalities often install a CMP because they know their website loads many external services. The banner is intended to ask for consent for those services. However, the scan shows that in most cases the banner does not actually block Big Tech services from loading. The services are loaded before consent, regardless of the cookie banner.
This points to a common problem: a cookie banner is installed as a form of “checklist compliance,” without the technical implementation actually being correct. The banner shows a window, the visitor clicks “accept” or “reject,” but behind the scenes scripts are already being loaded before that choice is made.
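A static check for the failure described above, where a banner is present but third-party resources are still fetched when the page opens. This is an added example, not Nixon Pro's code or method: the sample page, the `gemeente.example` domain and the `data-category` attribute are constructed, and because it reads only static HTML it misses tags that scripts inject at run time.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Script types a browser executes (common values; the full list is longer).
JS_TYPES = {"", "module", "text/javascript", "application/javascript"}
URL_ATTR = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class PreConsentLoads(HTMLParser):
    """Collects third-party hosts a page fetches on load versus holds back."""
    def __init__(self, site):
        super().__init__()
        self.site, self.ungated, self.gated = site, [], []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTR.get(tag)
        if attr is None:
            return
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return
        url, held = a.get(attr), False
        if url is None:   # e.g. <iframe data-src=...>: nothing fetched yet
            url, held = a.get("data-" + attr, ""), True
        if tag == "script" and a.get("type", "").strip().lower() not in JS_TYPES:
            held = True   # non-JS type such as text/plain is never executed
        host = (urlsplit(url).hostname or "").lower()
        if not host or host == self.site or host.endswith("." + self.site):
            return        # relative or first-party URL
        (self.gated if held else self.ungated).append((tag, host))

def pre_consent_hosts(site, html):
    """Return (ungated, gated) lists of (tag, third-party host)."""
    parser = PreConsentLoads(site)
    parser.feed(html)
    parser.close()
    return parser.ungated, parser.gated

# Constructed page for a fictional municipality. ASSUMPTION: data-category is
# a hypothetical attribute a consent tool would use to pick scripts to enable.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<script src="/js/cookie-banner.js"></script>
<script type="text/plain" data-category="analytics"
        src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe data-src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
"""
```

On the sample page the font stylesheet and the YouTube iframe are reported as ungated even though a banner script is present, while the analytics script and the second iframe are held back.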
It can also be done differently: municipalities that are doing it right
In contrast to the 207 municipalities that load Big Tech services, there are also municipalities that deliberately choose privacy-friendly alternatives. More than 70 municipalities load only services hosted within the EU or the Netherlands and do not share data with American tech companies.
These municipalities show that a well-functioning municipal website is perfectly possible without sharing data with American tech companies. They use European alternatives for analytics (Matomo, Siteimprove, Piwik PRO, SIM Analytics), Dutch text-to-speech functionality (ReadSpeaker), and European fonts (Bunny Fonts).
This is not a compromise in functionality. These websites provide the same services, but respect the privacy of their residents.
Technical background: how does the scan work?
To properly interpret the results, it is important to understand what the Nixon Pro scan measures and how it works.
The scan process
The Nixon Pro audit tool visits a website in the same way a regular browser would, but in an automated and scalable way. For each municipality, up to 100 pages are scanned. The tool records all network requests made by the browser when loading each page, specifically the requests that occur before any interaction with a cookie banner.
This is a deliberate choice: we measure what happens during the first visit, without the visitor taking any action. This simulates the behavior of the vast majority of visitors, who often ignore, close, or do not understand a cookie banner.
What are third-party domains?
When you visit a website, your browser does not only load files from the website itself (the “first-party domain”), but often also files from other servers. These other servers are called “third-party domains.” Every external domain that is loaded automatically receives information from the visitor’s browser, including the IP address.
For example: if a municipality uses Google Fonts, the browser loads fonts from fonts.googleapis.com. If there is a YouTube video on the page, the browser connects to youtube.com, i.ytimg.com, and possibly yt3.ggpht.com. Each of these connections sends data to Google’s servers.
What is a digital fingerprint?
The combination of IP address, browser type, operating system, screen resolution, language settings, installed plugins, and other technical characteristics forms a unique “digital fingerprint.” Like a real fingerprint, this combination is in most cases unique to an individual.
On its own, a digital fingerprint cannot be directly linked to a person’s name. However, a company like Google has enormous databases of user profiles (through Gmail, Android, YouTube, and Chrome). When a digital fingerprint can be linked to an existing profile—for example because the user is logged in somewhere—the anonymous fingerprint can suddenly become an identifiable individual.
This is exactly why sharing data with Big Tech companies is problematic: they are the only ones with the scale to link digital fingerprints to real identities.
What are trackers?
Trackers are scripts specifically designed to monitor the behavior of visitors, often across multiple websites. Well-known examples include Google Analytics, Facebook Pixel, and LinkedIn Insight Tag. Trackers go beyond simply loading an external domain: they are designed to build profiles of individual users.
In our research, we found 538 trackers that are active before consent on municipal websites. On average, each municipal website loads 1.6 trackers before consent.
Methodology
Scope and data collection
The study covers all 342 municipalities in the Netherlands as of March 2026. The list of municipal websites was compiled based on publicly available data. For each municipality, the primary .nl website was scanned.
Scans were conducted using the Nixon Pro audit tool during the first week of March 2026. For each website, up to 100 pages were scanned. The tool simulates a browser visit without interacting with any cookie banner, in order to measure what is loaded by default during a first visit.
Definition of Big Tech
For this study, we use the following definition of Big Tech: external domains belonging to Google (including YouTube, googleapis.com, gstatic.com, doubleclick.net), Meta (facebook.com, facebook.net), LinkedIn (linkedin.com), and Google Syndication (Google’s advertising network). A municipality is classified as “loading Big Tech” if at least one of these domains is loaded before consent.
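The classification rule above, applied to a recorded list of pre-consent request URLs, together with the first-party versus third-party distinction from the technical background. This is an added example, not Nixon Pro's code: the request log and the `gemeente.example` site are constructed, and `google.com` and `googlesyndication.com` are assumed domains for the parties the definition names without a domain.

```python
from urllib.parse import urlsplit

# Domains from the study's Big Tech definition and its YouTube example.
# ASSUMPTION: google.com and googlesyndication.com stand in for "Google" and
# "Google Syndication", which the report names without listing a domain.
BIG_TECH = {
    "google.com": "Google", "youtube.com": "Google", "googleapis.com": "Google",
    "gstatic.com": "Google", "doubleclick.net": "Google", "ytimg.com": "Google",
    "ggpht.com": "Google", "googlesyndication.com": "Google",
    "facebook.com": "Meta", "facebook.net": "Meta", "linkedin.com": "LinkedIn",
}

def under(host, domain):
    """True if host is domain or a subdomain of it (whole labels only)."""
    return host == domain or host.endswith("." + domain)

def owner(host):
    """Big Tech company that operates host, or None."""
    return next((c for d, c in BIG_TECH.items() if under(host, d)), None)

def audit(site, request_urls):
    """Summarise the requests one site made before any banner interaction."""
    third_party, big_tech = set(), {}
    for url in request_urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if not host or under(host, site):
            continue                      # first-party or not a network URL
        third_party.add(host)
        company = owner(host)
        if company:
            big_tech.setdefault(company, set()).add(host)
    return {
        "third_party_hosts": sorted(third_party),
        "big_tech": {c: sorted(h) for c, h in big_tech.items()},
        "loads_big_tech": bool(big_tech),
    }

# Constructed request log for a fictional municipality (not scan data).
SAMPLE_REQUESTS = [
    "https://www.gemeente.example/",
    "https://www.gemeente.example/css/site.css",
    "https://fonts.googleapis.com/css2?family=Roboto",
    "https://fonts.gstatic.com/s/roboto/font.woff2",
    "https://i.ytimg.com/vi/VIDEO_ID/hqdefault.jpg",
    "https://fonts.bunny.net/css?family=roboto",
    "https://fonts.googleapis.com.cdn.example/x.css",  # lookalike, no match
    "data:image/png;base64,AAAA",                      # no host, ignored
]
```

Matching on whole domain labels keeps a lookalike host that merely contains `googleapis.com` from being counted as Google, which a substring match would get wrong.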
Limitations
Our research has several limitations that should be taken into account when interpreting the results:
- The scan measures the loading of external domains, not the actual data being transmitted. Loading a Google domain means a connection is made in which at least an IP address is shared, but we cannot determine what additional data is processed.
- The scan is a snapshot in time. Websites change regularly. The results reflect the situation at the time of scanning.
- We measured up to 100 pages per website. It is possible that additional services are loaded on pages that were not scanned. The real situation may therefore be worse than what we measured.
- The scan measures what is loaded before a visitor interacts with a cookie banner. It is possible that some services are blocked after cookies are rejected. However, this does not change the fact that they are already loaded before consent.
Conclusion
The results of this study are clear: a majority of Dutch municipal websites share visitor data with American Big Tech companies without consent. In almost all cases, this involves Google services. This affects millions of Dutch citizens who rely on their municipal website for everyday public services.
The problem is not that municipalities deliberately choose privacy-violating technology. The problem is a lack of awareness and technical knowledge. Google Fonts often comes bundled with templates, YouTube videos are embedded without considering the privacy implications, and cookie banners are installed without verifying whether they actually work.
The solution is not complicated. European alternatives exist, are mature, and are often free. Municipalities such as Baarle-Nassau, Heemskerk, and Nieuwegein show that it is possible. It simply requires the conscious choice to take the privacy of residents seriously.
Frequently Asked Questions (FAQs)