Severity: High | Owner: Dev | Time to fix: 1-2 h
Third-party embeds before consent
Delay YouTube, maps, chat, booking, and other third-party embeds until the visitor has opted in or explicitly chosen to load them.
Covers: pre_consent_embed, third_party_embed_before_consent
Why this matters
Embedded third-party content often leaks requests and identifiers on first load even when no cookie banner interaction has occurred.
How to verify manually
- Inspect the network requests made on first page load, before any banner interaction, for iframe, script, and API requests to embed vendors.
- Identify whether the embeds are essential or purely optional.
- Check whether click-to-load placeholders are available instead of auto-loading embeds.
Typical root causes
- Embeds are rendered directly in page HTML with no consent gate.
- CMS blocks or page builders load iframe content immediately.
- The consent management platform (CMP) blocks cookies but not iframe or embed initialization.
GTM fix
- Do not use GTM to inject optional embeds before consent is granted.
- Gate embed loader scripts behind marketing or functional consent where appropriate.
- Audit custom HTML tags for iframe injection.
WordPress fix
- Replace auto-loaded embed blocks with click-to-load alternatives.
- Use CMP integrations or placeholder plugins for YouTube, maps, and chat tools.
- Verify cached templates are not restoring old embed markup.
Generic fix
- Render placeholders instead of live third-party embeds before consent.
- Load the real embed only after opt-in or explicit user action.
- Separate essential service embeds from optional marketing or media content.
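One way to implement the placeholder pattern above, as an added example rather than code from this guide. The `embed-placeholder` class, the `data-embed-src` and `data-consent-category` attributes, the shape of the `consent` object, and the host allow-list are all assumptions; call `initEmbeds(document, consent)` on page load and again from whatever consent-change callback your CMP provides.

```javascript
// Added example. Assumed markup: no iframe (and no src) exists until it is allowed.
//   <div class="embed-placeholder" data-consent-category="marketing"
//        data-embed-src="https://www.youtube-nocookie.com/embed/VIDEO_ID">
//     <button type="button">Load video</button>
//   </div>
// Constructed allow-list: only these hosts may ever be framed by the loader.
const ALLOWED_HOSTS = new Set(["www.youtube-nocookie.com", "www.openstreetmap.org"]);

function isAllowedEmbedUrl(raw) {
  try {
    const url = new URL(raw);
    return url.protocol === "https:" && ALLOWED_HOSTS.has(url.hostname);
  } catch {
    return false; // missing or malformed URL: never load it
  }
}

// consent is an assumed shape, e.g. { essential: true, marketing: false }.
function shouldLoad(placeholder, consent, userClicked) {
  const category = placeholder.getAttribute("data-consent-category");
  return userClicked || consent[category] === true; // unknown category => blocked
}

function loadEmbed(doc, placeholder) {
  const src = placeholder.getAttribute("data-embed-src");
  if (placeholder.hasAttribute("data-embed-loaded") || !isAllowedEmbedUrl(src)) return null;
  const frame = doc.createElement("iframe");
  frame.setAttribute("src", src);
  frame.setAttribute("referrerpolicy", "strict-origin-when-cross-origin");
  placeholder.replaceChildren(frame); // attaching the frame triggers the first vendor request
  placeholder.setAttribute("data-embed-loaded", "true");
  return frame;
}

// Call on page load and again whenever the stored consent state changes.
function initEmbeds(doc, consent) {
  const loaded = [];
  const pending = doc.querySelectorAll(".embed-placeholder:not([data-embed-loaded])");
  for (const placeholder of pending) {
    if (shouldLoad(placeholder, consent, false)) {
      const frame = loadEmbed(doc, placeholder);
      if (frame) loaded.push(frame);
    } else if (!placeholder.hasAttribute("data-embed-armed")) {
      placeholder.setAttribute("data-embed-armed", "true"); // avoid duplicate listeners
      placeholder.addEventListener("click", () => loadEmbed(doc, placeholder), { once: true });
    }
  }
  return loaded;
}
```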
How to confirm the fix worked
- Confirm embed vendors do not receive requests on first load.
- Confirm the embed loads only after opt-in or click-to-load interaction.
- Run a fresh scan and verify the embed finding clears.
Next step
Re-scan after deployment to confirm that the runtime behavior changed, not just the banner copy.