Third-party requests before consent

Why this matters

Even when cookies are blocked, third-party network requests can still transmit IP addresses, identifiers, or page metadata before user choice. That can still create compliance risk.

How to verify manually

1. Load the page in incognito and inspect third-party requests before any consent action.
2. Group requests by provider: analytics, ads, chat, video, fonts, tag manager, consent platform.
3. Check whether requests are essential or optional for baseline site functionality.

Typical root causes

• Third-party scripts load from the page template before the CMP decides.
• Optional widgets self-initialize on page load.
• Consent only blocks cookies but not network requests or remote script fetches.

GTM fix

1. Move optional vendor tags behind consent conditions instead of firing on all page views.
2. Audit custom HTML tags that pull remote scripts directly.
3. Separate essential operational tags from analytics and marketing vendors.

WordPress fix

1. Review theme, plugin, and page-builder integrations that inject third-party widgets globally.
2. Disable auto-embed or auto-load features for optional tools until consent is granted.
3. Retest pages after cache purge and plugin optimization layers are cleared.

Generic fix

1. Defer optional third-party scripts until consent is granted.
2. Lazy-load integrations on user action where possible.
3. Replace non-essential always-on embeds with click-to-load placeholders.

How to confirm the fix worked

• Confirm that only essential third-party requests remain before consent.
• Accept optional consent and verify optional vendors load only afterward.
• Run a fresh scan and compare the third-party request inventory.