Non-essential cookies are being set before consent
ePrivacy Article 5(3) makes it unlawful to store or read information on a visitor's device without prior consent — with narrow exceptions for strictly necessary cookies. A non-essential cookie existing before the banner is clicked is already a breach.
- Only strictly necessary cookies may be set on first load. That list is much shorter than most sites assume.
- Every analytics, marketing, chat, or A/B-test cookie must wait until the visitor clicks Accept.
- The common culprits: GA4, Meta Pixel, HubSpot, Hotjar, Intercom, LinkedIn Insight, embedded YouTube, and GTM itself.
What the law says
Ireland's ePrivacy Regulations (S.I. 336/2011), Regulation 5(3), prohibit storing or accessing information on a visitor's terminal equipment unless the user has given consent, "having been provided with clear and comprehensive information". The only exception is for storage that is strictly necessary to provide a service the user has explicitly requested.
The bar for "strictly necessary" is high. The EDPB Guidelines 2/2023 on the technical scope of Art. 5(3) limit the exception to things like:
- Session IDs that keep the user logged in during the same visit
- CSRF tokens protecting a form the user is submitting
- Load-balancer cookies routing the user's requests
- A shopping-cart cookie remembering what the user added
- A cookie storing the user's language/currency preference they just set
What is not strictly necessary, even if you find it useful: analytics of any kind, including Google Analytics (Plausible server-tracking is the only common exception because it doesn't set cookies), A/B testing, session replay, personalisation, advertising, marketing attribution, fraud-prevention tools that also profile, and "anonymous" tracking pixels. All of these require consent before the first cookie.
Why it matters
ePrivacy Art. 5(3) is strict liability. The breach happens the moment the cookie is stored — not when data is sent somewhere, not when it's used. The DPC's cookie sweeps run an automated test almost identical to ours: load the site with a fresh browser, don't click anything, and inventory the cookies. If non-essential cookies appear, that is the finding.
The reason so many sites fail this check while passing the "banner present" check is that they've installed a banner but not wired it up to actually gate anything. The banner is theatrical; the scripts fire regardless.
How to fix it
1. Inventory what's being set
Open DevTools > Application > Cookies on a fresh incognito window, without clicking the banner. Every cookie that isn't one of the strictly-necessary ones above is a problem. Use our checker for a shareable report, and cross-reference detected vendors in the vendor library to see what each one sets.
2. Stop loading the script until consent
The correct fix is almost never "change the cookie settings" — it's
"don't load the script at all" until the visitor consents. Moving a
<script> tag behind a consent gate prevents every
cookie that script would have set.
Google Tag Manager + Consent Mode v2
If you use GTM, configure Consent Mode v2 and set all non-essential
signals to denied by default:
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    functionality_storage: 'denied',
    personalization_storage: 'denied',
    security_storage: 'granted',
    wait_for_update: 500
  });
</script>
Then, in your consent banner's Accept handler, call
gtag('consent', 'update', {...'granted'}).
Consent Mode v2 still lets GA send "cookieless" pings before consent,
which the DPC treats as a grey area. To be safe, also gate the GTM
snippet itself behind consent rather than relying only on
Consent Mode.
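One way to combine both steps, as an added example that is not cookies.ie's or Google's own code: the GTM container is fetched only after Accept (or on later visits where that choice is already recorded), and the consent signals are updated at the same moment. It assumes the default-consent snippet above has already defined gtag(); the cookie name site_consent, the GTM-XXXX placeholder and the function names are hypothetical.

```javascript
// Added example. Hypothetical: cookie name, GTM-XXXX placeholder, function names.
const CONSENT_COOKIE = 'site_consent';
const GTM_ID = 'GTM-XXXX';
// Signals flipped from the 'denied' defaults once the visitor accepts.
const GRANTED = {
  ad_storage: 'granted',
  ad_user_data: 'granted',
  ad_personalization: 'granted',
  analytics_storage: 'granted',
  functionality_storage: 'granted',
  personalization_storage: 'granted'
};

// True only if the visitor's earlier Accept is recorded in the cookie string.
function hasConsent(cookieString) {
  return cookieString.split(';')
    .some(c => c.trim() === CONSENT_COOKIE + '=accepted');
}

// Injects the GTM container at most once; returns true if a tag was added.
function loadGTM(win, doc) {
  if (win.__gtmLoaded) return false;
  win.__gtmLoaded = true;
  win.dataLayer = win.dataLayer || [];
  win.dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' });
  const s = doc.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtm.js?id=' + GTM_ID;
  doc.head.appendChild(s);
  return true;
}

// Wire this to the banner's Accept button.
function onAccept(win, doc) {
  // Example lifetime of 180 days; the choice itself is the only thing stored.
  doc.cookie = CONSENT_COOKIE + '=accepted; Max-Age=15552000; Path=/; SameSite=Lax; Secure';
  win.gtag('consent', 'update', GRANTED);
  return loadGTM(win, doc);
}

// Run on every page load: nothing is fetched unless consent is already recorded.
function onPageLoad(win, doc) {
  if (!hasConsent(doc.cookie)) return false;
  win.gtag('consent', 'update', GRANTED);
  return loadGTM(win, doc);
}

if (typeof window !== 'undefined') onPageLoad(window, document);
```

With this in place the googletagmanager.com request should be absent from the Network tab on a fresh visit until Accept is clicked.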
WordPress
A CMP plugin (Complianz, CookieYes, Cookiebot, WP Consent API)
will auto-block known scripts if configured in "opt-in" mode.
Check the plugin's mode setting — many default to "notice only"
which does nothing. In wp-config.php or a must-use plugin
you can also dequeue offending scripts on the wp_enqueue_scripts
hook until a consent cookie is present.
Shopify
Use Shopify's Customer Privacy API and wrap any third-party script in
a consent check. Shopify's native banner respects
window.Shopify.customerPrivacy.analyticsProcessingAllowed()
and similar flags — but custom scripts in your theme's
theme.liquid will not, and those are usually the ones
failing this check.
Plain HTML / static sites
Don't put tracker tags in your HTML directly. Load them dynamically from a consent handler:
// Do NOT ship this in the HTML:
// <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXX"></script>
// Ship this instead, and call loadGA() only after consent:
function loadGA() {
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=G-XXX';
  document.head.appendChild(s);
}
Embedded YouTube / Vimeo
A normal youtube.com/embed/... iframe sets
advertising cookies on first load — switch to
youtube-nocookie.com/embed/... for the "privacy-enhanced"
mode, or load the iframe only after consent. Vimeo has a
?dnt=1 parameter that disables session tracking.
How to verify the fix
Re-run the cookie banner checker. The "No non-essential cookies are set before consent" check will list every offending cookie by name — cross-reference each one against the vendor library to find the script that set it.
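A manual cross-check for the same condition, as an added example that is not the cookies.ie checker's code: paste it into the DevTools console on a fresh incognito load, before touching the banner, and it lists every cookie that is not on your strictly-necessary allowlist. The allowlist names and the sample string are constructed for illustration; the vendor patterns cover only a few widely documented cookie names.

```javascript
// Added example. ALLOWED holds hypothetical names: replace with your own
// strictly necessary cookies (session, CSRF, cart, language preference).
const ALLOWED = ['sessionid', 'csrftoken', 'cart', 'lang'];

// A few widely documented tracker cookie names and the vendor that sets them.
const VENDORS = [
  [/^_ga($|_)|^_gid$/, 'Google Analytics'],
  [/^_fbp$/, 'Meta Pixel'],
  [/^hubspotutk$|^__hs(tc|sc|src)$/, 'HubSpot'],
  [/^_hjSession/, 'Hotjar'],
  [/^intercom-/, 'Intercom']
];

// Takes a document.cookie-style string captured before consent and returns
// every cookie that is not allowlisted, with a best-guess vendor.
function auditCookies(cookieString, allowed = ALLOWED) {
  const names = cookieString.split(';')
    .map(part => part.trim().split('=')[0])
    .filter(Boolean);
  return names
    .filter(name => !allowed.includes(name))
    .map(name => {
      const hit = VENDORS.find(([pattern]) => pattern.test(name));
      return { name: name, vendor: hit ? hit[1] : 'unknown' };
    });
}

// Constructed sample of a pre-consent cookie string.
const SAMPLE = 'sessionid=abc123; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.1.1; ' +
  '_fbp=fb.1.1.1; lang=en; promo_seen=1';

// In the browser console: console.table(auditCookies(document.cookie));
```

document.cookie does not expose HttpOnly cookies or cookies set on third-party domains such as an embedded video host, so the Application > Cookies panel remains the complete inventory.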
Related fixes
- Your site has no cookie banner
- Your banner has no "Reject all" button
- Analytics or marketing scripts fire before consent
cookies.ie is not a law firm. Strictly-necessary exceptions depend on context — a cookie that's necessary on a checkout page may not be on a marketing page. Ask a lawyer for edge cases.