Skip to content
StackPatrol
Audit9 min read

What loads on 10 Norwegian municipality sites, before and after consent

A before-and-after consent audit of ten large Norwegian municipalities. The range was enormous: from a perfect EU score with 6 third-party domains to a public site running Meta Pixel with no visible consent choice in the test.

Last week I scanned the 10 largest Norwegian news sites and found what I expected: lots of Google, lots of Sourcepoint, and a stack that grows dramatically after the user clicks “Accept all”. That is an industry where adtech is part of the business model.

My expectation for the municipalities was the opposite. This is the public sector. Citizens often have no real alternative to using municipal digital services, so the bar for third-party tracking should be higher than on ordinary commercial sites. It should be tidy. In some places, it is not.

This is a technical observation, not a legal assessment

StackPatrol identifies vendors and classifies them by ownership region. The numbers describe what was observed in the browser during the test. The EU Independence Score is a technical signal that weighs third-party dependency and jurisdiction risk — a lower score means higher dependency on non-European third-party vendors. It is not a legal assessment.

The short answer

Each municipality site was scanned with StackPatrol: front page and up to 19 subpages, both before and, where possible, after clicking “Accept all” on the consent banner. The numbers below show the post-consent measurement where the banner affected loading, and the baseline/no-interaction measurement where there was no banner or the after-measurement was technically identical to the before-measurement.

Low risk

1. bergen.kommune.noEU score: 100Low risk
US-owned vendors
0
European vendors
4
Third-party domains
6
Cookies
2
Banner
No — little sign one was needed
2. oslo.kommune.noEU score: 87Low risk
US-owned vendors
1 → 2 after “Accept all” (+1)
European vendors
1
Third-party domains
1 → 6 (+5)
Cookies
0 → 5 (+5)
Banner
Yes
3. lillestrom.kommune.noEU score: 85Low risk
US-owned vendors
1
European vendors
5
Third-party domains
12 → 13 (+1)
Cookies
12 → 16 (+4)
Banner
Yes

Medium risk

4. kristiansand.kommune.noEU score: 57Medium risk
US-owned vendors
8 → 11 after “Accept all” (+3)
European vendors
2
Third-party domains
14 → 22 (+8)
Cookies
8 → 12 (+4)
Banner
Yes
5. asker.kommune.noEU score: 51Medium risk
US-owned vendors
4
European vendors
5
Third-party domains
14 → 15 (+1)
Cookies
16 → 20 (+4)
Banner
Yes
6. trondheim.kommune.noEU score: 40Medium risk
US-owned vendors
9
European vendors
1
Third-party domains
14
Cookies
18
Banner
No

High risk

7. sandnes.kommune.noEU score: 33High risk
US-owned vendors
9
European vendors
2
Third-party domains
21
Cookies
6
Banner
Yes, but no technical difference before/after
8. fredrikstad.kommune.noEU score: 26High risk
US-owned vendors
8
European vendors
3
Third-party domains
14
Cookies
4
Banner
Yes, but no technical difference before/after
9. drammen.kommune.noEU score: 24High risk
US-owned vendors
7
European vendors
2
Third-party domains
14
Cookies
10
Banner
No
10. stavanger.kommune.noEU score: 20High risk
US-owned vendors
18
European vendors
4
Third-party domains
34
Cookies
19
Banner
No

The range is enormous. Bergen contacts 6 third-party domains and gets a perfect EU score. Stavanger contacts 34 third-party domains and has 18 US-owned vendors. Drammen stands out because StackPatrol observed Meta Pixel on a municipality domain with no visible consent choice in the test. Three municipalities — Bergen, Oslo and Lillestrøm — are on Low risk. That shows it is fully possible to build a modern municipality site with a high European share and low third-party dependency.

The key finding: the consent banner is often absent, or has little technical effect

On Norwegian media houses, a Sourcepoint banner was standard at 9 of 10. On Norwegian municipalities the picture is different. 4 of 10 municipalities in the test — Bergen, Trondheim, Stavanger and Drammen — did not have a consent banner that StackPatrol could find. I also checked several of the sites manually in a normal browser, on mobile and in incognito mode, without seeing a banner on the front page. 2 of 10 — Sandnes and Fredrikstad — had a banner where StackPatrol clicked “Accept all”, but observed no technical difference between the before and after measurements.

Bergen is no drama. The stack consists of boost.ai, Sem & Stenersen Prokom, Siteimprove and Skyra. All Norwegian, European or EEA-based, and StackPatrol found almost nothing to suggest a consent banner was necessary for what loaded.

Trondheim is another story. With no consent interaction, StackPatrol observed reCAPTCHA, Google Ads, DoubleClick, Google Analytics and YouTube embeds. YouTube set __Secure-YNID, VISITOR_INFO1_LIVE and __Secure-ROLLOUT_TOKEN, among others. Stavanger loaded 34 unique third-party domains and 18 US-owned vendors with no consent interaction — more third parties than many commercial sites I have scanned in baseline. And on drammen.kommune.no, StackPatrol observed Meta Pixel. That was the single sentence I least expected to write when I began this audit round.

The Drammen case

Drammen municipality gets an EU score of 24 out of 100, among the lowest in the sample. The observed stack includes Meta Pixel, Cloudflare and Cloudflare Turnstile, Azure Application Insights, a Vimeo embed, Font Awesome and Google Fonts. Third-party cookies were also observed from vimeo.com and login.edialog24.com.

What I cannot answer is what Meta Pixel is doing on a kommune.no domain. The most common use for Meta Pixel is measuring conversions for Facebook ads — seeing whether people who clicked an ad later performed a desired action on the site — and it can also be used for ad retargeting. Both uses are worth investigating more closely when they occur on a public municipality site with no visible consent choice in the test.

For the record: I have no reason to believe this is a deliberate decision by Drammen municipality. It could just as easily stem from an old campaign, a CMS theme, a previous vendor, or a developer who added the pixel for one specific purpose and forgot to remove it. That is exactly why tools like StackPatrol exist: to make such things visible.

The Stavanger case

Stavanger has the lowest EU score in the sample, at 20 out of 100, and the largest number of third-party domains: 34. The stack includes BootstrapCDN, UNPKG, Uploadcare, Google Ads, Google Analytics, Google Tag Manager, Google Fonts, GStatic, Google Maps, Google Search/misc, YouTube, Microsoft Azure Blob, Microsoft Forms, Microsoft Office Online, Microsoft Azure SignalR and a long list of Monsido services. On the European side there is Norkart, Friskus, Gisline and Sanity.

Much of this is probably tied to functionality such as forms, maps, search, video and citizen dialogue. There can be legitimate reasons several of these services are on a municipality site. But it also means a citizen visiting stavanger.kommune.no, in this test, met a long chain of third-party domains and US-owned vendors without having made an active consent choice. It is worth investigating more closely.

Sandnes and Fredrikstad: banners that do not appear to govern loading

Sandnes and Fredrikstad deserve their own paragraph because they illustrate a general pattern I often see. StackPatrol found a consent banner and clicked “Accept all”. Then the tool compared the before and after states. In both tests the measurements were technically identical. No new third parties appeared. No new cookies were set. No new third-party domains were observed after the click.

In this test, the consent choice therefore appears technically cosmetic. The user gets an impression of control, but StackPatrol observed no change in what actually loaded. This is not necessarily a deliberate decision — it more likely points to a configuration error where the banner is installed without being connected to the actual loading of third parties. It is one of the most common mistakes I see, and often one of the easiest to fix in a tag manager or CMP setup.

Bergen, Oslo and Lillestrøm show it can be done

It is easy to get lost in the bad findings, so it is worth highlighting that some municipalities actually have this tidy. Bergen municipality gets a perfect EU score: 100 out of 100. The stack consists of four vendors: boost.ai, Sem & Stenersen Prokom, Siteimprove and Skyra. Zero US-owned vendors, two cookies in total, no third-party cookies. It is the cleanest stack I have seen on a large Norwegian public site.

Oslo municipality has one US-owned vendor in baseline, Amazon AWS, probably tied to hosting or infrastructure. Google Analytics and Hotjar load only after the user clicks “Accept all”. That is how consent-before-loading is supposed to work. EU score: 87. Lillestrøm municipality is also low. Google Fonts is the only US-owned service in baseline, and the rest of the stack largely builds on European alternatives for search, consent management, analytics and login. EU score: 85. These three municipalities show it is fully possible to build a modern municipality site with a high European share and strictly consent-based third-party loading. It is not a technical impossibility.

What they all have in common

Monsido recurs at several municipalities. It is typically used for web governance, quality assurance, accessibility and analytics. It can be a legitimate vendor, but should still be documented and assessed like any other third party. Siteimprove, which is Danish, is also common, often used for accessibility, quality and analysis. Boost.ai is on several municipality sites — one of the few all-Norwegian vendors in the sample and worth noting for how well distributed it is. Sem & Stenersen Prokom, Norkart and Skyra also recur, showing there are solid Norwegian and European alternatives for much of what a municipality needs.

What I learned

Three things surprised me. First, the gap between best and worst is enormous. Bergen contacts 6 third-party domains and gets a perfect score. Stavanger contacts 34. Drammen has Meta Pixel in the stack. There is not one standard municipal web stack, but many different technical choices with very different risk profiles.

Second, the consent banner is often not there, or does not appear to govern anything when it is. 4 of 10 municipalities in this test lacked a banner StackPatrol could find. 2 of 10 had a banner where StackPatrol observed no technical difference before and after “Accept all”. That means citizens, in several cases, do not appear to get a real technical choice before third-party resources load.

Third, sometimes there is good reason not to have a banner. Bergen has chosen a stack so clean that StackPatrol found little to suggest consent was needed for what loaded. That is perhaps the best solution: not to hide complexity behind a banner, but to reduce the complexity in the first place.

What can be done about it

I will not pretend this is easy. Municipalities have complex needs: map solutions, form solutions, login services, chatbot, analytics, accessibility measurement and citizen dialogue. Much of this is legitimate to build in. But some moves are low-hanging fruit.

1. Check whether Meta Pixel, Google Analytics or Hotjar load before consent. If so, it should be investigated. Often it is a tag manager or CMP configuration that can be fixed.

2. Check that the consent banner actually governs something. Having a banner is not enough. Compare the network log before and after “Accept all”. If there is no difference, the banner is probably not properly connected to scripts and cookies.

3. Consider European alternatives for what is not strictly necessary. Self-hosted fonts or European font providers can reduce the need for Google Fonts. Friendly Captcha or hCaptcha can be weighed against reCAPTCHA. Plausible or Matomo can be considered as alternatives to Google Analytics.

4. Audit regularly, not just at launch. Third parties tend to accumulate over time. A pixel added for a campaign 18 months ago can still be active long after the campaign ended.

Why I am sharing this

I am not sharing this to single out individual municipalities. I have scanned 10 municipalities, and I am sure both better and worse findings exist among the other 347 Norwegian municipalities. The point is that the technical reality behind a municipality site is often more complex than it looks from the outside. That is information citizens, communications departments, IT departments and data protection officers should have easy access to.

Want to check your own site?

StackPatrol scans your URL with a real browser, captures every third-party request before and after consent, and shows you which vendors are EU-based and which are US-owned. Free, no account needed, and it takes under a minute on a front page.

Scan your site for free
Published 26 June 2026 by StackPatrol. Independent · No tracking · No affiliate links.