I have long been curious about what actually loads when you visit a Norwegian website. After the Schrems II ruling in 2020, many businesses began saying they were “GDPR compliant” while their sites still loaded analytics tools, fonts, ad technology and third-party scripts from large global vendors.
There are tools to investigate this manually, but I wanted something simple enough that a communications lead, editor, DPO or developer could get an overview without opening DevTools. So I built StackPatrol. You enter a URL, the scanner opens the page in a real browser, and maps third-party domains, cookies, scripts, vendors, ownership region and what changes after consent.
This week I ran an audit of ten major Norwegian news sites. First StackPatrol ran a baseline: front page plus up to 19 internal pages without clicking the consent banner. Then, where a recognizable consent banner was found, StackPatrol clicked “Accept all” and re-scanned the front page plus up to four selected internal pages with the consent cookie active. In total this gave a broad baseline of up to 200 pages, plus a controlled post-consent sample. The difference between those two states is what this article is about.
This is a technical observation, not a legal assessment
StackPatrol identifies vendors and classifies them by ownership region. The numbers describe what was observed in the browser during the test. The EU Independence Score is a technical signal that weighs third-party dependency and jurisdiction risk — a lower score means higher dependency on non-European or higher-risk third-party vendors. It is not a legal assessment.
The short answer
The numbers below show what StackPatrol observed before any consent choice and after “Accept all”, where a recognizable consent banner was found.
- US-owned vendors: 3 → 10 (+7); total vendors: 14 → 26; cookies after “Accept all”: 27
- US-owned vendors: 5 → 22 (+17); total vendors: 16 → 41; cookies after “Accept all”: 94
- US-owned vendors: 4 in baseline; total vendors: 6 in baseline; cookies in baseline: 26; post-consent measurement: not done (no recognizable banner found)
- US-owned vendors: 7 → 12 (+5); total vendors: 20 → 30; cookies after “Accept all”: 35
- US-owned vendors: 9 → 14 (+5); total vendors: 24 → 33; cookies after “Accept all”: 37
- US-owned vendors: 7 → 11 (+4); total vendors: 16 → 24; cookies after “Accept all”: 23
- US-owned vendors: 9 → 27 (+18); total vendors: 21 → 48; cookies after “Accept all”: 91
- US-owned vendors: 12 → 16 (+4); total vendors: 27 → 31; cookies after “Accept all”: 68
- US-owned vendors: 14 → 25 (+11); total vendors: 29 → 44; cookies after “Accept all”: 104
- US-owned vendors: 11 → 29 (+18); total vendors: 24 → 53; cookies after “Accept all”: 140
8 of 10 sites landed in the “High risk” category. The average was roughly 8 US-owned vendors per site before consent. For the 9 sites where StackPatrol found a banner and ran a post-consent measurement, the average was roughly 18 US-owned vendors after “Accept all”. StackPatrol found a Sourcepoint banner at 9 of 10 sites. NRK stood out in that the scanner did not find a recognizable consent banner in the test.
The key finding: the gap between “before” and “after” is enormous
On the four most extreme sites, the post-consent sample ended with between 91 and 140 cookies, and between 41 and 53 vendors after the user clicked “Accept all”. ABC Nyheter went from 21 cookies in baseline to 140 cookies after consent in the post-consent sample. TV 2 went from 9 to 27 US-owned vendors. Dagbladet went from 14 to 25 US-owned vendors, and from 15 cookies in baseline to 104 cookies after consent.
There is not necessarily anything wrong with this in itself. This is exactly what “consent before loading” is meant to mean: the user gets a choice, and if they say yes, more ad, analytics and measurement tools can load. What I want to highlight is how dramatic the difference actually is once someone says yes. For users who click “Accept all”, the practical vendor chain becomes far larger than the baseline number suggests: in the most extreme cases, some 90–140 cookies and 40–50 vendors in the post-consent measurement.
Nettavisen: clean baseline, dramatic change
Nettavisen has one of the best baselines in the entire sample. Before consent, StackPatrol observed 5 US-owned vendors and 16 vendors in total — relatively clean for a large Norwegian news site. Then you click “Accept all”. US-owned vendors jump from 5 to 22. Total vendors go from 16 to 41. Cookies go from 14 to 94. In the post-consent sample, 75 new unique third-party domains that were not visible in the baseline also appear.
As I read it, the Nettavisen case shows that the site technically distinguishes clearly between before and after consent. That is positive. At the same time it shows how much is actually activated when the user chooses “Accept all”. A more prominent or equally accessible reject option would likely reduce how many users end up in the post-consent stack.
TV 2 and ABC Nyheter: largest in absolute terms
TV 2 goes from 9 to 27 US-owned vendors after consent. In the post-consent sample, technologies including Adobe Marketing/Analytics, Amazon Ads, Connatix, LinkedIn Insight Tag, LiveRamp, Magnite, Media.net, PubMatic, Quantcast, Sharethrough, Sovrn, The Trade Desk, Xandr and Yieldmo appear. Total cookies go from 20 to 91, and unique third-party domains from 31 to 129.
ABC Nyheter is even more extreme in this test. It has the lowest EU score in the sample, at 10. After “Accept all”, StackPatrol observed 18 new US-owned vendors, 53 vendors in total and 140 cookies in the post-consent sample. 138 unique third-party domains were also observed after consent. That does not automatically mean anything is unlawful, but it shows the breadth of modern ad and RTB infrastructure once the user has consented.
Dagbladet: high baseline and large post-consent growth
Dagbladet ranks high on both measurements. Already before consent, StackPatrol observed 14 US-owned vendors and 29 vendors in total. The baseline included JW Player, Maze, X/Twitter, Facebook SDK and several Google services. After consent, 11 new US-owned vendors and 89 new cookies came on top. That means a Dagbladet reader who clicks “Accept all” ends up, in the post-consent sample, with 25 US-owned vendors, 44 vendors in total and 104 cookies. The EU score of 12 reflects this third-party dependency.
NRK: no visible banner in my tests, but cookies nonetheless
NRK is the only site where StackPatrol did not find a recognizable consent banner in the test. I also checked manually on desktop, in incognito mode and on two phones, without seeing a consent banner. That still does not mean NRK sets no cookies. The baseline report showed 26 cookies and 6 vendors in the no-interaction scan. Cookies from tns-cs.net and nrkstream.tns-cs.net were observed, with the names i00 and srp. Google Analytics, Sentry, WordPress.com/Jetpack Stats, Akamai and jsDelivr were also observed.
What I cannot answer is whether NRK has a legal assessment saying this is strictly necessary telemetry that does not require consent, or whether there are technical reasons the banner was not shown in my tests. Both are possible. What I can say is that StackPatrol observed cookies and third-party vendors without the user having made an active consent choice.
Who stands out at the top?
E24 and Nettavisen top the list with EU scores of 66 and 46, and are the only ones that land on Medium risk in this test. E24 stays relatively low even after consent, at +7 US-owned vendors. Nettavisen, as noted, has a clean baseline but changes dramatically once the user says yes.
Much of what pulls some Schibsted and Amedia sites up is that parts of the stack actually sit in Nordic or European infrastructure: Pulse, SPiD, AID login, Adnuntius, Adform and Readpeak. There are still dependencies on global vendors like Google Fonts, Xandr and other ad platforms. But the findings also show that it is fully possible to run a modern news site with a higher European share in the stack.
What they all have in common
Google, in one form or another, was observed on all 10 sites — Analytics, Tag Manager, DoubleClick, Fonts, GStatic or Publisher Tag. Xandr/AppNexus, now part of Microsoft Invest, was observed on 9 of 10. Sourcepoint provided the consent banner at 9 of 10. Large CDN and infrastructure vendors like Akamai, Cloudflare and other global players recur in several places. This is standard adtech and web infrastructure of 2026. There is nothing particularly Norwegian about it.
What is interesting is that European alternatives already exist side by side with the global vendors: Adform, Adnuntius, Improve Digital, Readpeak, Smart AdServer/Equativ, RTB House, Schibsted's own Pulse/SPiD stack and Amedia's AID login. The infrastructure exists. Several of the houses already have it integrated.
What can be done about it
There is low-hanging fruit that does not necessarily require major changes. Google Fonts can be replaced with self-hosted fonts or European alternatives. reCAPTCHA can be weighed against alternatives like hCaptcha or Friendly Captcha. Non-essential ad and tracking pixels should wait until after consent — several findings suggest US analytics, ad or tracking vendors can be visible before the banner is interacted with, which is often something that can be investigated and adjusted in the tag manager or CMP configuration.
The hardest part is the ad stacks. Xandr, Magnite, PubMatic, Google and others are still central to the ad economy. That is a real trade-off, not something I pretend has a simple solution. But better visibility is a first step. If you do not know which vendors, cookies and domains actually load, it is also hard to assess risk, documentation and alternatives.
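As an added example (not StackPatrol's code), the baseline versus post-consent comparison from the methodology, and the check for ad or analytics vendors contacted before any consent choice, can be computed from two captures as follows. The captures, the `news.example` site, the vendor map and the two-label registrable-domain shortcut are constructed assumptions.

```javascript
// Constructed captures for a fictional site: request URLs and cookie names per state.
const SITE = "www.news.example";
const baseline = {
  requests: [
    "https://www.news.example/",
    "https://static.news.example/app.js",
    "https://fonts.gstatic.com/s/font.woff2",
    "https://www.google-analytics.com/g/collect",
    "https://delivery.adnuntius.com/i",
  ],
  cookies: ["session", "_ga"],
};
const postConsent = {
  requests: [
    ...baseline.requests,
    "https://securepubads.g.doubleclick.net/gampad/ads",
    "https://ib.adnxs.com/ut/v3",
    "https://cdn.unmapped-vendor.example/px.gif",
  ],
  cookies: ["session", "_ga", "consent", "IDE", "uuid2"],
};
// Illustrative vendor map (an assumption, not StackPatrol's classification data).
const VENDORS = {
  "gstatic.com": { vendor: "Google", region: "US", category: "infrastructure" },
  "google-analytics.com": { vendor: "Google", region: "US", category: "analytics" },
  "doubleclick.net": { vendor: "Google", region: "US", category: "ads" },
  "adnxs.com": { vendor: "Xandr", region: "US", category: "ads" },
  "adnuntius.com": { vendor: "Adnuntius", region: "EU", category: "ads" },
};
// Simplification: last two labels; a real scanner should use the Public Suffix List.
const registrable = (host) => host.split(".").slice(-2).join(".");

function summarize(capture, site) {
  const own = registrable(site);
  const domains = new Set(
    capture.requests.map((u) => registrable(new URL(u).hostname)).filter((d) => d !== own));
  const usVendors = new Set(
    [...domains].map((d) => VENDORS[d]).filter((v) => v && v.region === "US").map((v) => v.vendor));
  return { domains, usVendors: usVendors.size, cookies: capture.cookies.length };
}

function consentDelta(before, after, site) {
  const b = summarize(before, site), a = summarize(after, site);
  return {
    usVendors: [b.usVendors, a.usVendors],
    cookies: [b.cookies, a.cookies],
    newDomains: [...a.domains].filter((d) => !b.domains.has(d)).sort(),
    // Ad/analytics domains contacted before any consent choice was made.
    preConsent: [...b.domains].filter((d) => ["ads", "analytics"].includes(VENDORS[d]?.category)).sort(),
  };
}
console.log(consentDelta(baseline, postConsent, SITE));
```

Domains missing from the vendor map still show up in `newDomains`, so unclassified third parties are not silently dropped from the comparison.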
Why I am sharing this
I am not sharing this to single anyone out. Norwegian media houses still do important journalism, and most are aware of these issues. The point of StackPatrol is to make it easy to see what actually happens, so the conversation about alternatives can start from facts rather than guesswork.
What I find worth highlighting is that the technical reality behind a Norwegian news front page is often far more complex than it looks from the outside. On the largest sites we are talking about over 100 cookies and 40–50 vendors per visit after consent. That is information Norwegian media houses, advertisers, DPOs, agencies and readers should be able to access quickly, without having to be technical themselves.