
Cookiebot CMP uncovers pharmacy GDPR violations

Using the unique scanning technology at the heart of the Cookiebot consent management platform (CMP), a new special report by Usercentrics uncovers worrying GDPR compliance violations across a privacy-sensitive online industry in the EU.

Published March 29, 2022

89% of the 150 most popular pharmacy webshops in the EU fail GDPR compliance by allowing sensitive personal data to be tracked by third parties without end-user consent, when customers browse and buy pharmaceutical products for their mental and physical health.

In this blogpost, find a link to download the full report and learn more about how Cookiebot CMP can help you balance data privacy and data-driven business for higher customer trust.

Lack of transparency on webshops handling sensitive data

In a new scan report, Usercentrics scanned 150 popular online pharmacies in 10 EU countries using the scanning technology of its product Cookiebot CMP and found that 89% violated the EU’s General Data Protection Regulation (GDPR) by processing sensitive personal data without the prior and explicit consent of their end-users, who visit the webshops to browse and buy privacy-sensitive medicines, pharmaceutical products and alternative remedies for their mental and physical health.

Breaking consumer trust, risking damage to brand reputation and breaching core requirements of the EU’s General Data Protection Regulation (GDPR), the pharma e-commerce market in Europe, poised to grow by €9 bn during 2020-2024, paints a disturbing picture of massive data privacy abuse and compliance failures – three years after the GDPR took effect across the region.

To see the key findings and download the full special report by Usercentrics, click here.

Processing sensitive personal data (like health data) without end-user consent is a breach of the EU’s GDPR.

The 150 online pharmacies in the research sample scanned by Cookiebot CMP are websites with well-visited webshops, where EU residents shop for products ranging from medical and pharmaceutical products to alternative medicines.

Selected from the top results on Google in ten EU member states – with an average size of 7,078 subpages and average monthly traffic of 495,000 visits – these 150 EU webshops are some of the most popular websites in the online pharmacy industry in the region and constitute important EU digital infrastructure that not only delivers large quantities of medicines and pharmaceutical products to EU residents, but also processes large amounts of sensitive personal data from end-users every day.

What kind of data is being collected?

Personal data generated and processed when EU residents visit these 150 online pharmacies can include:

  • user purchases,
  • search and browsing history,
  • on-site behavior (such as scrolling speed and how their mouse moves),
  • sites they visited before,
  • previous web searches,
  • IP addresses and other identifiers.

This personal data can, in turn, be sold to data brokers in real time bidding auctions for the purpose of serving personalized, behavioral and targeted advertisement back to the end-user, when they visit other websites across the internet – ads that might be personalized on account of previous browsing and purchase histories, e.g. based on the fact that the user has bought homeopathic anti-depressants or has searched for mental health treatments on Google.

Privacy-sensitive products sold on the 150 EU online pharmacies include:

  • anti-depressants and anti-anxiety medicines,
  • diabetes medicines,
  • products related to women’s health, e.g. menstrual and menopausal products,
  • products related to sexual health and sexual orientation, e.g. pregnancy tests, contraceptives and LGBTQIA+ products,
  • covid-19 antibody and antigen tests,
  • products related to high blood pressure and heart disease,
  • products for smoking cessation and other addiction treatments.

Under the EU’s General Data Protection Regulation (GDPR), data about an individual’s health is considered sensitive personal data and requires explicit consent from the user in order to be tracked, collected, processed, shared or sold.

The EU’s GDPR has extraterritorial scope, so websites that have users from inside the EU are obligated to be in GDPR compliance, regardless of where in the world each website itself is located.


Consumers want more data privacy, so being GDPR compliant is an increasing focus of online businesses.

In contrast with the GDPR compliance failures and data privacy infringements happening on 89% of the most popular pharmacy webshops in the EU, consumers demand more data protection and enhanced data privacy through transparency and control.

According to a 2021 study by Cisco:

  • 79% of consumers say that data privacy is a buying factor for them.
  • 47% of consumers say they have switched companies over the company’s data policies or data sharing practices.
  • 19% of consumers say they have terminated a relationship with a retailer, e-commerce website or online business over their data policies or data sharing practices.

These numbers paint a clear picture: data privacy is becoming a consumer demand and a metric of brand reputation, influencing customer choices in ways similar to how “sustainability” and “being organic” now add value to brand image.

For an e-commerce website, taking data privacy legislation seriously is taking customer demand seriously too.

In other words, building consumer confidence by being compliant with local data laws is and will be a must for online businesses in the coming years, especially considering the expectation of a steady increase in the number of consumers who are willing to act to protect their privacy over time.

Balancing data privacy with data-driven business will be a sign of healthy success for any company in the emerging post third-party cookie internet economy that puts the user and their consent at the center.

Don’t break the trust of your customers, become GDPR compliant today with Cookiebot CMP.


Try Cookiebot CMP free for 14 days – or forever if you have a small website.

Does your website have a CMP?

Cookiebot CMP by Usercentrics helps your website balance data privacy and data-driven business by automating the entire compliance process surrounding cookies, trackers and end-user consent on your domain.

The unique scanning technology at the heart of Cookiebot CMP can not only be used to attain compliance with the world’s comprehensive data laws (like the EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA and many others): it can also be used for investigative purposes, such as this special scan report uncovering GDPR compliance failures in the EU pharma e-commerce market, and the Cookiebot CMP report from 2019 that revealed unconsented third-party tracking on EU government domains.

If your website does not currently have a consent management platform, try Cookiebot CMP free for 14 days, or forever if your domain has fewer than 50 subpages.


About Cookiebot CMP

Cookiebot CMP is a tool to help websites of any shape and size balance data privacy and data-driven business for true compliance and better customer relations.

Built around an unrivaled scanning technology that detects and controls all cookies and similar tracking technologies on websites, Cookiebot CMP empowers the end-user with transparency and control over their data and enables websites to become compliant with the world’s major data privacy legislations.

Cookiebot CMP is built around an unrivaled scanning technology. Sign up today!

The Cookiebot CMP scanner finds more cookies and trackers than any competitor and is able to detect whether cookies and trackers are being set without user consent (i.e. activated and in use on the website’s landing page despite no consent from end-users).


Scan your website for free to find all cookies and trackers

How does the Cookiebot CMP scanner work?

The Cookiebot CMP scanner performs fully rendered user simulations to discover, locate and identify all cookies and trackers that are active on all subpages of any given website.

The Cookiebot CMP scanner does that by simulating multiple users (7-8 on average) visiting a website simultaneously and performing all actions that real users potentially would. The simulated users will scroll through up to 10,000 sub-pages, clicking all links, menu points and buttons. They will move their cursors around and play and pause embedded video or audio content.

During these simulated sessions, the scanner monitors all network traffic between the website and the “browsers” of the simulated users – as well as any traffic sent to other websites. The scanner uses this data to identify all cookies and trackers that are activated as a result of the simulated users and their on-site behavior.

The Cookiebot CMP scanner detects all cookies and trackers and catalogues all technical properties, such as name, type, duration/expiry period, their exact location within the source code of the website, and monitors domain data to determine if third parties are controlling the cookie.

All the information that the Cookiebot CMP scanner finds is automatically logged in a global repository, which consists of millions of trackers that the scanner has encountered across the web. 


How does Cookiebot CMP determine “non-compliance”?

The Cookiebot CMP scanning technology does not state compliance, but only detects non-compliance.

The way Cookiebot CMP determines non-compliance is to detect whether there are any cookies that are being activated without end-user consent. If any of these cookies can be classified as non-necessary (e.g. by being from a third-party provider or for the purpose of running analytics or marketing services), Cookiebot CMP is able to determine that the website does not meet the compliance requirements of the EU’s GDPR.


Cookiebot CMP classifies unclassified cookies as necessary and does not state non-compliance for cookies set when imitating users (e.g. in the possible event of implied consent, despite not being best practice and specifically non-compliant according to several EU data protection authorities).

Cookiebot CMP does not find cookies that are set behind logins or in restricted areas, nor cookies that are properly withheld before end-user consent across all subpages on a website.
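The non-compliance rule described above can be written down as a small check over scan observations. This is an added example, not Cookiebot CMP's own code: the record layout, the function names and the `pharmacy.example` sample data are constructed for illustration, and the site's registrable domain is assumed to be known already.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three non-necessary categories named on this page.
NON_NECESSARY = {"preferences", "statistics", "marketing"}


@dataclass
class Observation:
    """One cookie seen during a simulated visit (hypothetical record layout)."""
    name: str
    domain: str               # domain the cookie was set for
    category: Optional[str]   # None means the cookie is unclassified
    before_consent: bool      # active although no consent had been given
    after_interaction: bool   # appeared only after simulated clicks or scrolling


def is_third_party(cookie_domain: str, site_domain: str) -> bool:
    """True when the cookie domain lies outside the site's registrable domain."""
    c = cookie_domain.lstrip(".").lower()
    s = site_domain.lower()
    return not (c == s or c.endswith("." + s))


def violations(site_domain: str, seen: List[Observation]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, reasons) for every cookie that indicates non-compliance."""
    flagged = []
    for o in seen:
        if not o.before_consent or o.after_interaction:
            continue  # consented, or possibly implied consent: not reported
        category = o.category or "necessary"  # unclassified counts as necessary
        reasons = []
        if is_third_party(o.domain, site_domain):
            reasons.append("third-party")
        if category in NON_NECESSARY:
            reasons.append(category)
        if reasons:
            flagged.append((o.name, reasons))
    return flagged


# Constructed sample scan of a made-up shop, pharmacy.example.
SAMPLE = [
    Observation("session_id", "www.pharmacy.example", "necessary", True, False),
    Observation("_stats", ".pharmacy.example", "statistics", True, False),
    Observation("ad_id", ".ads.tracker.example", "marketing", True, False),
    Observation("mystery", "www.pharmacy.example", None, True, False),
    Observation("share_btn", ".social.example", "marketing", True, True),
    Observation("lang", "www.pharmacy.example", "preferences", False, False),
]

if __name__ == "__main__":
    for name, reasons in violations("pharmacy.example", SAMPLE):
        print(f"{name}: set before consent ({', '.join(reasons)})")
```

An empty result only means that no violation was observed, which matches the statement that the scanner detects non-compliance but does not state compliance.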



How did Usercentrics select the top 150 EU online pharmacy webshops?

Usercentrics used the scanning technology of its consent management platform Cookiebot CMP to scan the top 150 online pharmacy websites in the EU and detected a total of 7,160 cookies. Selected from the top results on Google in ten EU member states – with an average size of 6,776 subpages and average monthly traffic of 495,000 visits – the 150 EU webshops are some of the most popular websites in the online pharmacy industry in the European Union.


What is a ‘non-necessary cookie’?

A ‘non-necessary cookie’ is any kind of cookie that is not strictly necessary for the most basic functions of a website. Necessary cookies are one among four categories of cookies (the others being preference cookies, statistics cookies and marketing cookies); common examples include cookies that handle user logins or shopping cart contents on a domain. Any cookie that tracks personal data from end-users for the purposes of e.g. remembering language preference or choice of currency across visits, performing analytics services or engaging in marketing and digital advertising cannot be classified as a necessary cookie.


How do cookies work?

Cookies are usually small files that get set on an end-user’s browser when they land on a website. Here, they will collect, process and share information (often personal data) about the end-user in order to run analytics services about the website’s performance or run marketing campaigns on the domain. Some cookies, like third-party marketing cookies, track personal data including IP addresses as well as search and browser history, and stay active on user browsers for years.


What does ‘cookie compliance’ mean according to the EU’s GDPR?

In the EU, the General Data Protection Regulation (GDPR) and the ePrivacy Directive form the overall data privacy regime that comes with specific requirements for how websites are allowed to use cookies and process personal data from users inside the EU. Any processing of personal data from users inside the EU must be done on a legal basis, and the most common is ‘with the consent of the end-user’. If a website intends to use cookies that will process personal data from EU users, the website is required to inform its users with full transparency about such operations, then ask for and obtain the explicit consent from the end-users before any activation of such cookies is legally allowed to take place.


What is a ‘third-party provider’?

A ‘third-party provider’ simply means that the cookies and trackers on a website are not of the domain’s own origin (first-party cookies) but are placed on the website and operated by third parties, usually through the use of analytics services (such as Google Analytics), social media plugins (such as Facebook or Twitter) or marketing services (such as HubSpot). The use of third-party services on a website is the most common way for third-party cookies to become embedded on a domain, e.g. featuring YouTube videos on a website.


What is a ‘first-party cookie’?

First-party cookies are cookies that are hosted entirely on the website visited by the user. Unlike third-party cookies that are operated by third-party providers, first-party cookies live entirely on the domain in question. However, first-party cookies are not always privacy-safe, as they have also been known to transmit personal data to third parties through a complex set of tracking structures, e.g. pixel trackers that correlate end-user data to third parties, effectively bypassing the first-party concept – and therefore needing end-user consent to operate legally.


What is ‘personal data’ and ‘sensitive personal data’ under the EU’s GDPR?

Under the EU’s GDPR, ‘personal data’ is any kind of information that relates or can in any way be related to an identified or identifiable living person (defined in the GDPR as a “data subject”). This can include IP addresses, search and browser history, location data (such as geolocation through a phone), e-mail addresses, home addresses and names. Under the EU’s GDPR, ‘sensitive personal data’ is a subcategory of personal data that includes information about a person’s health, ethnicity, religious beliefs, political convictions and sexual orientation.


2021 Cisco study: Building Consumer Confidence in The Age of Privacy Through Transparency and Control

EU pharma e-commerce market to grow by USD 10.69 bn during 2020-2024
