Analytics or marketing scripts fire before consent

Loading Google Analytics, Meta Pixel, or any other tracker before consent sends visitor data to third parties without a legal basis. The DPC treats the request itself as the breach — whether or not it also sets a cookie.

TL;DR
  • Sending a request to a tracker's servers is the breach — cookies are only part of it.
  • "Cookieless" analytics in GTM Consent Mode still sends pings. Gate the script itself, not just cookies.
  • Load tracker scripts only from the consent handler, never in your base HTML.

How this is different from the "cookies before consent" check

The two checks are related but not the same. "Cookies set before consent" looks at the browser's cookie jar. "Trackers fire before consent" looks at outbound network requests: is the browser sending data to google-analytics.com, facebook.net, doubleclick.net, or similar endpoints before the visitor has chosen?

You can fail this check without failing the cookie check. For example, a Meta Pixel <img> tag or a server-to-server beacon can send IP + referrer to Meta without setting a cookie. Under GDPR that is still personal data processing, and the lawful basis (consent) is missing.

What the law says

Two things happen when a tracker fires: (1) data is read from the visitor's browser (IP, User-Agent, page URL, referrer — covered by ePrivacy Article 5(3)) and (2) personal data is transmitted to a third party (covered by GDPR Article 6, which requires a lawful basis).

The DPC's cookie guidance is explicit that "similar technologies" — pixels, fingerprinting, and other non-cookie tracking — fall under the same consent requirement as cookies. The CJEU's Meta Platforms (Bundeskartellamt) ruling reinforces that transmitting visitor data to ad-tech platforms without a specific, informed consent is a breach.

The NOYB Google Analytics complaints (101 cases filed across Europe) have led to Austrian, French, and Italian regulators finding GA unlawful in its default configuration. Firing GA before consent compounds that problem.

Why it matters

In contrast to the cookie check, a tracker request only has to occur once: as soon as it is sent, the transmission is done and there is no "undo". If a visitor's IP has already been sent to Meta, revoking consent later doesn't retrieve it. This is why regulators treat pre-consent tracker fires as a material issue even when the cookie footprint looks clean.

How to fix it

1. Find which scripts are firing

Open DevTools > Network, filter by "google-analytics", "facebook", "doubleclick", "hotjar", etc. on a fresh load. Our checker will list the detected vendors — cross-reference each with the vendor library to see the host domains it loads from.

2. Gate the script tag, not just the cookies

The most common mistake is enabling GTM Consent Mode v2 and calling it done. Consent Mode denies storage but still allows GTM to send "cookieless pings" to Google. Under DPC guidance those pings are processing, and need consent. The safer pattern is to also gate the load of GTM itself:

// In your consent handler, only after the user accepts:
function loadGTM() {
  if (window.__gtmLoaded) return;
  window.__gtmLoaded = true;
  (function(w,d,s,l,i){
    w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(), event:'gtm.js'});
    var f=d.getElementsByTagName(s)[0],
        j=d.createElement(s);
    j.async=true; j.src='https://www.googletagmanager.com/gtm.js?id=' + i;
    f.parentNode.insertBefore(j,f);
  })(window, document, 'script', 'dataLayer', 'GTM-XXXXXXX');
}

3. For scripts you can't load dynamically

Some integrations insist on a tag in the <head> (old-school analytics, some chat widgets). Use the type attribute as a gate — browsers won't execute a script with an unknown type:

<!-- Does NOT execute on first load -->
<script type="text/plain" data-consent="analytics"
        src="https://example-tracker.com/pixel.js"></script>

<script>
  function enableConsent(category) {
    document.querySelectorAll(
      'script[type="text/plain"][data-consent="' + category + '"]'
    ).forEach((s) => {
      const real = document.createElement('script');
      for (const a of s.attributes) {
        if (a.name !== 'type' && a.name !== 'data-consent') {
          real.setAttribute(a.name, a.value);
        }
      }
      real.textContent = s.textContent;
      s.parentNode.replaceChild(real, s);
    });
  }
</script>

Most CMPs (OneTrust, Cookiebot, Didomi) implement something similar internally — they rewrite type="text/plain" or type="text/partytown" tags to type="text/javascript" once the relevant consent is granted.

4. iframes and embeds

An <iframe src="youtube.com/embed/..."> fires a full cookie set from Google the moment the page loads. Options: swap to youtube-nocookie.com, render a click-to-load placeholder (the "cover image with play icon" pattern), or only inject the iframe in a consent-update handler.
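A sketch of the click-to-load option, added here as an example and not taken from cookies.ie or any CMP. The function names, the button label and the 11-character video ID pattern are assumptions.

```javascript
// Added example: click-to-load YouTube embed. Nothing is requested from the
// video host until the visitor clicks the placeholder button.
// `doc` is injectable so the logic can run outside a browser; in a page, omit it.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // assumption: standard 11-character ID

function embedUrl(videoId) {
  // Reject anything that is not a plain ID before it reaches an iframe src.
  if (!VIDEO_ID.test(videoId)) throw new Error('unexpected video id');
  return 'https://www.youtube-nocookie.com/embed/' + videoId + '?autoplay=1';
}

function mountClickToLoad(container, videoId, title, doc = document) {
  const src = embedUrl(videoId);
  const button = doc.createElement('button');
  button.type = 'button';
  // If you add a cover image, self-host it: hot-linking the thumbnail from
  // the video host would itself be a request made before the visitor chose.
  button.textContent = 'Play video: ' + title;
  button.addEventListener('click', () => {
    const frame = doc.createElement('iframe');
    frame.src = src;                       // first request to the video host
    frame.title = title;
    frame.allow = 'autoplay; encrypted-media';
    frame.setAttribute('allowfullscreen', '');
    container.replaceChild(frame, button);
  }, { once: true });
  container.appendChild(button);
  return button;
}
```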

5. Watch for server-side leaks

If your backend proxies requests to analytics or ad platforms (server-side tagging, Meta Conversions API, "first-party" tracker domains), they're still third-party processing — consent applies the same way. Don't fire these from page loads before consent.

How to verify the fix

Re-run the cookie banner checker. The "No analytics or marketing trackers fire before consent" check inspects network requests against the vendor library; the report will name any tracker it still detects.
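The network check from step 1 and from this verification step can also be scripted. This is an added example, not the cookies.ie checker's code. The host list, function names and sample entries are assumptions, and the sample data is constructed.

```javascript
// Added example: flag requests to tracker hosts that started before consent.
// Entries use the Resource Timing shape ({ name, startTime }), so in a
// browser you can pass performance.getEntriesByType('resource').
const TRACKER_HOSTS = [ // assumed list: hosts named on this page, plus hotjar.com
  'google-analytics.com', 'googletagmanager.com', 'doubleclick.net',
  'facebook.net', 'hotjar.com',
];

// Match the hostname on a dot boundary, so a tracker name that only appears
// in a query string or inside a longer, unrelated hostname is not flagged.
function trackerFor(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return null; }
  return TRACKER_HOSTS.find((t) => host === t || host.endsWith('.' + t)) || null;
}

// consentAt: timestamp on the same clock as startTime (performance.now() in
// a browser) when the visitor accepted, or null if no choice was made yet.
function preConsentTrackerRequests(entries, consentAt) {
  const hits = [];
  for (const e of entries) {
    const vendorHost = trackerFor(e.name);
    if (!vendorHost) continue;
    if (consentAt === null || e.startTime < consentAt) {
      hits.push({ vendorHost, url: e.name, startTime: e.startTime });
    }
  }
  return hits;
}

// Constructed sample: one page load, consent given at t = 4000 ms.
const SAMPLE = [
  { name: 'https://www.example.ie/app.js', startTime: 120 },
  { name: 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX', startTime: 310 },
  { name: 'https://region1.google-analytics.com/g/collect?v=2', startTime: 900 },
  { name: 'https://cdn.example.ie/?ref=doubleclick.net', startTime: 950 },
  { name: 'https://connect.facebook.net/en_US/fbevents.js', startTime: 4200 },
];
```

Resource Timing only sees requests made by the page itself, so server-side forwarding of the kind described in step 5 will not show up here and has to be checked on the backend.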

cookies.ie is not a law firm. Rules for specific trackers (particularly Google Analytics and Meta Pixel in the EU) evolve with new CJEU and DPC decisions — consult a lawyer for edge cases.