Severity: HighOwner: CMP adminTime to fix: 1-2 h
Pre-consent cookies
Fix analytics, marketing, and third-party scripts that activate before the visitor has made a consent choice.
Covers: pre_consent_analytics_cookie, pre_consent_marketing_cookie, pre_consent_tracker
Why this matters
Under ePrivacy (Article 5(3)) and GDPR principles, non-essential storage and tracking require consent before activation. Loading analytics or marketing scripts before user choice can create immediate compliance risk.
How to verify manually
- Open the site in a fresh private browsing window and do not interact with the banner.
- Check the Network panel for analytics, ads, heatmap, chat, or social pixel requests before consent.
- Inspect Application > Cookies and confirm whether non-essential cookies appear pre-consent.
Typical root causes
- GTM tags fire on page view without consent conditions.
- CMP loads after analytics tags instead of before them.
- Scripts are embedded directly in templates and bypass CMP blocking.
GTM fix
- Enable Google Consent Mode v2 with default denied states for ad_storage, analytics_storage, ad_user_data, and ad_personalization.
- Update tag firing rules so analytics and marketing tags only fire when consent state is granted.
- Use consent initialization events before any marketing or analytics trigger paths.
WordPress fix
- Install and configure CookieYes or Complianz with blocking enabled for analytics and marketing categories.
- Map services to categories and verify scripts are blocked pre-consent.
- Clear cache or CDN and retest in an incognito browser session.
Generic fix
- Block third-party script execution until consent is granted.
- Store pending scripts with a consent category marker.
- On consent grant, activate only scripts matching accepted categories.
<script
type="text/plain"
data-consent="analytics"
data-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX">
</script>How to confirm the fix worked
- Re-run the scan in a fresh session and confirm the finding disappears.
- Verify that no non-essential cookies are set before interaction.
- Verify that analytics and marketing requests only begin after opt-in.
Next step
Re-scan after deployment to confirm that the runtime behavior changed, not just the banner copy.