Skip to content
StackPatrol
Audit9 min read

What loads on 10 Norwegian telecom and fibre sites, before and after consent

A before-and-after consent audit of ten well-known Norwegian mobile, broadband and fibre providers. The most surprising finding: a B2B infrastructure company with a heavy programmatic ad stack running before the user clicked anything.

Over the past few weeks I have scanned Norwegian news publishers and municipalities. This week I turned to an industry I thought I knew what I would find in: telecom. Mobile. Broadband. Fibre. Digital infrastructure.

Ten of the best-known Norwegian providers were scanned with StackPatrol. First the front page and up to 19 subpages were scanned with no consent interaction. Then StackPatrol clicked “Accept all” and revisited the front page and up to four of the same subpages, so that findings before and after consent could be compared.

I expected Google and Microsoft everywhere. What I did not expect was that a company selling digital infrastructure to Norwegian businesses would have one of the heaviest US ad stacks in the whole sample — and that it loaded before consent.

This is a technical observation, not a legal assessment

StackPatrol identifies vendors and classifies them by ownership region. The numbers below describe what was observed in a real browser during the test. They do not certify GDPR compliance or non-compliance. The EU Independence Score is a technical signal that weighs third-party dependency and jurisdiction risk — a lower score means higher dependency on non-European third-party vendors.

The short answer

The numbers below show what StackPatrol observed before any consent choice and after clicking “Accept all”, where a recognizable consent banner was found.

Medium risk

1. onecall.noEU score: 63Medium risk
US-owned vendors
3 → 9 after “Accept all” (+6)
European vendors
2 → 4 (+2)
Third-party domains
6 → 26 (+20)
Cookies
5 → 30 (+25)
Third-party cookies before consent
0
Banner
Yes

OneCall gets the highest EU score in the sample and has by far the thinnest baseline stack. Before consent, StackPatrol observed only three US vendors: AWS CloudFront, Google Analytics and Google Tag Manager. No third-party cookies were observed. Then the user clicks “Allow all cookies” and the picture changes: US vendors go from 3 to 9, third-party domains from 6 to 26, cookies from 5 to 30. Technologies that first appear after consent include Bing Ads, DoubleClick, Google Ads, Optimizely and Xandr/AppNexus. On the European side, Siteimprove and Telia ACE/Humany come in after consent. OneCall is the cleanest baseline in the sample, but also one of the clearest examples of how much a single consent click can change the technical stack.

2. mycall.noEU score: 51Medium risk
US-owned vendors
10 → 12 after “Accept all” (+2)
European vendors
2
Third-party domains
17 → 27 (+10)
Cookies
6 → 23 (+17)
Third-party cookies before consent
5
Core infrastructure
DNS on AWS
Banner
Yes

MyCall comes second, but has a considerably heavier baseline than OneCall. Before consent, StackPatrol observes Google Ads, DoubleClick, Google Analytics, Google Tag Manager, Google Fonts, Google Maps, YouTube Embed and AWS CloudFront, among others. The five pre-consent third-party cookies come from YouTube. After “Accept all” the stack grows further — Optimizely and Xandr/AppNexus appear, and cookies go from 6 to 23.

High risk

3. globalconnect.noEU score: 25High risk
US-owned vendors
23 → 26 after “Accept all” (+3)
European vendors
18
Third-party domains
51 → 59 (+8)
Cookies
25 → 32 (+7)
Third-party cookies before consent
24
Banner
Yes

This was the most surprising finding. GlobalConnect sells fibre, data centres and digital infrastructure to Nordic businesses. This is where I expected one of the cleanest stacks. The opposite was true. Before you have clicked anything, globalconnect.no loads 23 US-owned vendors and sets 24 third-party cookies. And this is not just analytics — it is a heavy programmatic ad stack: Adobe, Audigent, BidSwitch, DataXu/Roku, Eyeota/Dun & Bradstreet, FreeWheel, LiveRamp, Lotame, Magnite/Rubicon, Neustar/TransUnion, Nielsen eXelate, OpenX, PubMatic, The Trade Desk and TripleLift. All observed before consent.

Cookies such as demdex, rlas3, pxrc and matchadform are set from third-party domains tied to the ad stack before the user has a choice. What makes it more striking: GlobalConnect actually has a European consent tool, Cookiebot, installed on the site. The tool is there. But the ad stack fires before the banner is interacted with. After “Accept all”, three more US vendors come in, including Meta Pixel and Maze.

It is worth noting that GlobalConnect also has a lot of European technology in the stack: Adform, Improve Digital, ID5, Semasio, Smaato, Smart AdServer/Equativ, Ströer, Teads, Weborama and Norwegian Kindly. The alternatives exist. But the ordering — heavy US adtech before consent — is what sets GlobalConnect apart from the rest of the sample.

4. telia.noEU score: 25High risk
US-owned vendors
11 → 16 after “Accept all” (+5)
European vendors
4 → 5 (+1)
Third-party domains
24 → 40 (+16)
Cookies
9 → 43 (+34)
Banner
Yes

Telia already has a large stack before consent, but it grows considerably after “Accept all”, ending with 43 cookies and 16 US vendors. In the combined stack StackPatrol finds Salesforce Marketing Cloud/Pardot, Optimizely and Datadog, among others. After consent, LinkedIn Insight Tag and the EU-based CDP BlueConic come in as well. There is nothing inherently wrong with more loading after consent — that is exactly what “consent before loading” is meant to mean. The point is the scale.

5. ice.noEU score: 22High risk
US-owned vendors
6 → 13 after “Accept all” (+7)
European vendors
3 → 6 (+3)
Third-party domains
20 → 38 (+18)
Cookies
21 → 41 (+20)
Core infrastructure
email via Microsoft 365, DNS at Domeneshop
Banner
Yes

Ice goes from 6 to 13 US vendors after consent. After “Accept all”, StackPatrol observes Meta Pixel and Snapchat Pixel, among others. It is a good example of a site where the consent banner actually appears to influence what loads — but the scale after consent is large: 41 cookies per visit.

6. altibox.noEU score: 20High risk
US-owned vendors
13 → 20 after “Accept all” (+7)
European vendors
7 → 10 (+3)
Third-party domains
30 → 49 (+19)
Cookies
15 → 49 (+34)
Core infrastructure
email via Microsoft 365
Banner
Yes

Altibox ends with the most cookies in the entire sample: 49 after “Accept all”. After consent, LinkedIn, Bing, Hotjar, Snapchat, Meta and several other marketing and analytics technologies appear. At the same time, Altibox is a good example that the picture is not black and white. StackPatrol finds several European and Norwegian components, including EnID, Afiber, Altibox services and Bunny Fonts. The alternatives exist — but the combined post-consent stack is heavy.

7. talkmore.noEU score: 18High risk
US-owned vendors
8 → 14 after “Accept all” (+6)
European vendors
4 → 5 (+1)
Third-party domains
21 → 37 (+16)
Cookies
24 → 40 (+16)
Core infrastructure
email via Microsoft 365
Banner
Yes

Talkmore has a relatively heavy baseline already before consent, and grows further after “Accept all”. After consent, DoubleClick, Meta, Snapchat, Hotjar and Microsoft Clarity appear, among others. An unclassified domain also shows up: gtm.adt313.net. The same domain was also observed on Ice. I will not guess what it is just because the subdomain starts with “gtm”. But when an unclassified domain recurs across two telcos, it is worth having someone with access to the request log take a closer look. That is exactly the kind of thing a technical audit should make visible.

8. phonero.noEU score: 13High risk
US-owned vendors
16 → 18 after “Accept all” (+2)
European vendors
4 → 5 (+1)
Third-party domains
31 → 36 (+5)
Cookies
7 → 13 (+6)
Third-party cookies before consent
2
Core infrastructure
hosting via Cloudflare, DNS at AWS
Banner
Yes

Phonero has one of the heaviest baseline stacks in the sample. Before consent, StackPatrol observes 16 US vendors, including Amazon AWS, AWS CloudFront, Cloudflare, Google technologies, Vimeo, reCAPTCHA and Consent Pro. After “Accept all”, three more vendors appear, among them Meta Pixel and Hotjar. Cookies grow from 7 to 13. That means Phonero has both a heavy baseline and further expansion after consent.

9. nextgentel.noEU score: 10High risk
US-owned vendors
12 → 15 after “Accept all” (+3)
European vendors
3 → 4 (+1)
Third-party domains
24 → 37 (+13)
Cookies
8 → 17 (+9)
Core infrastructure
hosting via Vercel, email via Microsoft 365
Banner
Yes

NextGenTel gets one of the lowest scores in the test. Much of it comes from a combination of US core infrastructure and third-party stack: hosting via Vercel, email via Microsoft 365, plus Amazon S3, AWS CloudFront, Cloudflare, Google technologies and several marketing and analytics components. This is a good example that dependency is not only about cookies and pixels — core infrastructure counts too.

10. chilimobil.noEU score: 5High risk
US-owned vendors
7 → 13 after “Accept all” (+6)
European vendors
2
Third-party domains
15 → 26 (+11)
Cookies
0 → 14 (+14)
Core infrastructure
hosting via Vercel, email via Microsoft 365, DNS at Domeneshop
Banner
Yes

Chilimobil gets the sample's lowest score: 5 out of 100. Much of it comes from the core infrastructure. The site is hosted on Vercel, email runs through Microsoft 365, and the report shows Adobe Fonts, Google Analytics, Google Fonts and Google Tag Manager before consent. After consent, more ad and tracking technologies appear. But here is the nuance worth highlighting: Chilimobil loads 0 cookies before consent. They also use Fathom Analytics alongside Google, and their DNS is at Norwegian Domeneshop. Chilimobil is a good illustration of why the score alone does not tell the whole story. They appear to handle consent gating cleanly on the cookie side, but lose points because the foundation itself — hosting and email — is American. Those are two very different kinds of dependency. Both count.

The range is enormous

OneCall starts with 6 third-party domains. GlobalConnect starts with 51. Chilimobil sets 0 cookies before consent. GlobalConnect sets 24 third-party cookies before consent. After “Accept all”, OneCall ends with 30 cookies, Telia with 43, Ice with 41, Altibox with 49.

This is why I believe the score alone is never enough. You have to look at what actually happens — before consent, after consent, and in the infrastructure itself.

The key finding: one click changes the whole stack

All ten sites in this test had a consent banner that StackPatrol was able to click. And the differences before and after are large. OneCall goes from 5 to 30 cookies. MyCall from 6 to 23. Telia from 9 to 43. Ice from 21 to 41. Altibox from 15 to 49. Chilimobil from 0 to 14.

It shows how little a baseline alone tells you about the real technical stack many users meet after clicking “Accept all”. But GlobalConnect still stands out. There, the most interesting finding comes before the user has clicked anything at all: 23 US vendors, 24 third-party cookies, a heavy programmatic ad stack — before consent.

The consent tool is sometimes American itself

Phonero uses Consent Pro. Telia uses OneTrust. Both are US-owned. The tool meant to manage privacy is itself a third party subject to non-European law. That does not automatically make its use unlawful, but it is a real vendor and jurisdiction consideration. European alternatives exist in the same category, including Cookiebot and Cookie Information, which several others in the sample use.

What they all have in common

Google is everywhere. In one form or another — Analytics, Tag Manager, Ads, Fonts, Maps or YouTube — Google shows up on all ten. Microsoft 365 handles email at at least five of them: Chilimobil, NextGenTel, Talkmore, Altibox and Ice. Vercel appears as hosting at Chilimobil and NextGenTel. AWS is used for DNS at OneCall, MyCall and Phonero. Cloudflare is central at Phonero and appears on subpages elsewhere.

This is not particularly Norwegian. It is the standard stack of 2026. But it is worth asking whether it should be the standard for companies delivering mobile, fibre and digital infrastructure.

What can be done about it

I will not pretend this is easy for a telco. You have login solutions, coverage maps, customer dialogue, web shops, support tools and marketing to account for. But some moves are low-hanging fruit.

1. Check what loads before consent. If ad pixels, programmatic adtech or Meta/Snapchat fire before the banner is interacted with, it should be investigated. Often it is a tag manager or CMP configuration that can be fixed. GlobalConnect is the clearest example here.

2. Measure both before and after consent. A baseline alone does not give the whole picture. OneCall looks like an extremely thin stack before consent; after “Accept all”, cookies go from 5 to 30. The same pattern appears at several providers.

3. Consider European alternatives where practical. Self-hosted fonts or Bunny Fonts can reduce third-party dependency. Friendly Captcha or hCaptcha can be weighed against reCAPTCHA. Matomo, Piwik PRO, Plausible or Fathom can be considered as alternatives or supplements to Google Analytics.

4. Assess the consent tool as a vendor. If the CMP is American, there are Danish and European alternatives in the same category.

5. Separate tag problems from infrastructure problems. Meta Pixel, Snapchat Pixel and ad tags can often be managed in a tag manager. Hosting on Vercel and email on Microsoft 365 are something else — strategic vendor choices. Both should be visible in the risk assessment.

Why I am sharing this

I am not sharing this to single out individual companies. Norwegian telecom delivers critical infrastructure, and most of these providers are aware of the issues. The point of StackPatrol is to make it easy to see what actually happens, so the conversation about alternatives can start from facts rather than guesswork.

What I find worth highlighting is that a company selling digital infrastructure to Norwegian businesses has a heavy US ad stack active before consent. At the same time, OneCall shows how much of the stack can actually be held back until the user has made a choice: 3 US vendors, 6 third-party domains and 0 third-party cookies before consent. That, too, is a technical choice.

Want to see where your own site stands?

StackPatrol scans your URL with a real browser, captures every third-party request before and after consent, and shows you which vendors are EU-based and which are US-owned. Free, no account needed.

Scan your site for free
Published 6 July 2026 by StackPatrol. Independent · No tracking · No affiliate links.