Here's a fact that makes privacy lawyers lose sleep: according to research from the University of Amsterdam and Aarhus University, over 60% of websites that display a cookie consent banner still load tracking scripts before the user has a chance to accept or reject. The banner is there. The consent mechanism exists. But Google Analytics, Meta Pixel, TikTok Pixel, and Hotjar are already firing in the background — before any consent is given.
This isn't a grey area. Under Article 5(3) of the ePrivacy Directive, read with the GDPR's definition of consent, storing or reading anything on a user's device that is not strictly necessary for the service they asked for requires prior consent. A tracking script that sets or reads cookies before the banner has been answered violates that rule, and EU data protection authorities have been issuing multi-million euro fines specifically for it.
Why This Happens
The technical root cause is simple: the tracking script sits in the <head> section of the HTML ahead of the Consent Management Platform (CMP) script, so the browser runs it before the CMP exists. Modern CMPs (Cookiebot, OneTrust, Usercentrics) block scripts until consent is obtained by intercepting or rewriting the script tags that load after them. That only works if the CMP is the first script on the page and is loaded synchronously rather than with async or defer.
Common scenarios that cause this:
1. Scripts hardcoded above the CMP — A developer places the Google Tag Manager snippet before the Cookiebot script in the HTML <head>
2. Tag Manager misconfiguration — GTM fires a tracking tag that isn't correctly gated behind a consent trigger
3. Third-party plugins — A WordPress plugin injects analytics scripts directly into the page header, bypassing both GTM and the CMP
4. CMP loading delay — The CMP tag carries async or defer (or is itself injected by a tag manager), so it initialises a second or two after the page starts, while tracking scripts placed directly in the document run immediately
What the Regulators Say
The French CNIL fined Google €100 million and Amazon €35 million in December 2020 for placing advertising cookies on visitors' devices without consent, and in January 2022 fined Google a further €150 million (and Facebook €60 million) because refusing cookies was harder than accepting them. Other authorities, including the Italian Garante, the Austrian DSB and the Belgian APD, have taken enforcement action over unlawful tracking as well. The pattern is clear: regulators check whether trackers fire before consent, and they fine when they do.
The EDPB's Guidelines 05/2020 on consent state that cookie walls do not produce valid consent, and its Guidelines 2/2023 on the technical scope of Article 5(3) of the ePrivacy Directive make clear that the rule covers tracking pixels, local storage and similar techniques, not only cookies. There is no remaining ambiguity to hide behind.
What Our Deep CMP Audit Checks
Standard trust scanners check whether a cookie banner exists. We go deeper:
1. Script load order — We parse the <head> section and check whether tracking domains (google-analytics.com, googletagmanager.com, connect.facebook.net, etc.) appear before any CMP or consent-related scripts
2. Pre-consent tracker identification — We list the specific tracking scripts that fire before the CMP loads
3. CMP presence verification — We confirm whether a recognised CMP is present at all
If analytics scripts load before the CMP initialises, we flag it as a high-severity legal risk with the specific pre-consent trackers listed.
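The load-order check described above, as an added example in Node.js (not RoastReady's scanner code): it parses the <script> tags of a <head> in document order, classifies each as CMP, tracker or other, treats scripts with a non-JavaScript type such as text/plain as inert, and reports trackers that would execute before the CMP. The host lists are illustrative and incomplete, and both HTML fixtures are constructed with placeholder IDs; the type="text/plain" plus data-cookieconsent markup in the second fixture follows Cookiebot's documented manual-blocking convention.

```javascript
// Static load-order audit of an HTML <head>. Added example, not RoastReady's
// scanner. Host lists are illustrative; the fixtures below are constructed.
const TRACKER_HOSTS = ["google-analytics.com", "googletagmanager.com",
  "connect.facebook.net", "analytics.tiktok.com", "static.hotjar.com"];
const CMP_HOSTS = ["consent.cookiebot.com", "cdn.cookielaw.org", "app.usercentrics.eu"];
// Inline snippets that bootstrap a tracker without an external src
const INLINE_TRACKER_PATTERNS = [
  /googletagmanager\.com\/gtm\.js/,  // GTM container snippet
  /gtag\(\s*['"]config['"]/,         // gtag.js
  /fbq\(\s*['"]init['"]/,            // Meta Pixel
  /ttq\.load\(/,                     // TikTok Pixel
];
// Script types the browser executes; anything else (e.g. text/plain) is inert
const JS_TYPES = new Set(["", "text/javascript", "application/javascript", "module"]);

const hostOf = (src) => { try { return new URL(src).hostname; } catch { return ""; } };
const hostIn = (host, list) => list.some((h) => host === h || host.endsWith("." + h));

// Extract <script> tags from <head> in document order. A regex is fine for a
// fixture; a production scanner should use a real HTML parser.
function parseHeadScripts(html) {
  const head = (html.match(/<head[^>]*>([\s\S]*?)<\/head>/i) || [null, html])[1];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  for (let m; (m = tagRe.exec(head)) !== null; ) {
    const attrs = m[1];
    // Attribute value, "" for a bare boolean attribute, null when absent
    const attr = (name) => {
      const v = attrs.match(new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i"));
      if (v) return v[1] ?? v[2] ?? v[3];
      return new RegExp(`(?:^|\\s)${name}(?=\\s|$)`, "i").test(attrs) ? "" : null;
    };
    scripts.push({
      index: scripts.length,
      src: attr("src") || "",
      type: (attr("type") || "").toLowerCase(),
      synchronous: attr("async") === null && attr("defer") === null,
      inline: m[2],
    });
  }
  return scripts;
}

function classify(s) {
  const host = hostOf(s.src);
  if (s.src && hostIn(host, CMP_HOSTS)) return "cmp";
  const isTracker = s.src ? hostIn(host, TRACKER_HOSTS)
                          : INLINE_TRACKER_PATTERNS.some((p) => p.test(s.inline));
  return isTracker ? "tracker" : "other";
}

function auditHead(html) {
  const scripts = parseHeadScripts(html)
    .map((s) => ({ ...s, kind: classify(s), executable: JS_TYPES.has(s.type) }));
  const cmp = scripts.find((s) => s.kind === "cmp") || null;
  const preConsent = [], reliesOnAutoBlock = [], gated = [], findings = [];
  if (!cmp) findings.push({ severity: "high", issue: "no recognised CMP script in <head>" });
  else if (!cmp.synchronous) findings.push({ severity: "high",
    issue: "CMP tag has async/defer; scripts after it can run before it initialises" });
  for (const s of scripts.filter((x) => x.kind === "tracker")) {
    const label = s.src || "inline snippet #" + s.index;
    if (!s.executable) gated.push(label);               // type="text/plain": CMP re-enables it on consent
    else if (!cmp || s.index < cmp.index) preConsent.push(label);
    else reliesOnAutoBlock.push(label);                 // runs unless CMP auto-blocking rewrites it
  }
  if (preConsent.length) findings.push({ severity: "high",
    issue: "executable trackers placed before the CMP (or no CMP)", trackers: preConsent });
  if (reliesOnAutoBlock.length) findings.push({ severity: "medium",
    issue: "trackers after the CMP but not inert; verify auto-blocking is on", trackers: reliesOnAutoBlock });
  return { cmp: cmp ? cmp.src : null, preConsent, reliesOnAutoBlock, gated, findings };
}

// Constructed fixture 1: GTM snippet and gtag.js hardcoded above an async Cookiebot tag
const BAD_HEAD = `<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="00000000-0000-0000-0000-000000000000" async></script>
<script src="https://static.hotjar.com/c/hotjar-1.js"></script>
</head><body></body></html>`;

// Constructed fixture 2: synchronous CMP first with auto-blocking, trackers marked inert
// (type="text/plain" plus data-cookieconsent is Cookiebot's manual-blocking convention)
const GOOD_HEAD = `<html><head>
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="00000000-0000-0000-0000-000000000000" data-blockingmode="auto" type="text/javascript"></script>
<script type="text/plain" data-cookieconsent="statistics" async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script type="text/plain" data-cookieconsent="marketing">fbq('init','000000000000000');fbq('track','PageView');</script>
</head><body></body></html>`;

console.log(JSON.stringify(auditHead(BAD_HEAD).findings, null, 2));
console.log(JSON.stringify(auditHead(GOOD_HEAD).findings, null, 2)); // []
```

A static check like this proves load order, not runtime behaviour: a tracker placed after a synchronous CMP is only safe if that CMP's auto-blocking is actually switched on, which is why those scripts are reported at medium severity rather than cleared. A GTM container loaded before the CMP is flagged because nothing outside the container reveals which tags it fires; if every tag inside is consent-gated it is a review item rather than a violation, and the network-level test in the fixes section settles it.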
How to Fix This
1. Move the CMP script to the very first position in your <head> and load it synchronously (no async or defer) — it must run before any script it is supposed to block
2. Use your CMP's blocking mode — Cookiebot, OneTrust and Usercentrics all support automatic script blocking by consent category; where auto-blocking misses a script, mark it manually (for Cookiebot, type="text/plain" with a data-cookieconsent category) so it stays inert until consent is given
3. Gate all GTM tags behind consent — In Google Tag Manager, set the default consent state to denied before the container loads and, on every tag, require the relevant consent types (analytics_storage, ad_storage, ad_user_data and ad_personalization under Consent Mode v2) in the tag's consent settings. Consent Mode signals alone do not stop a tag, and in advanced mode Google tags still send cookieless pings before consent; if the goal is zero pre-consent requests, use basic mode
4. Test on a fresh browser profile — Open a private window or a new profile, open DevTools (F12 → Network) with "Preserve log" enabled before you load the page, then filter by domain. Any request to google-analytics.com, googletagmanager.com, connect.facebook.net, facebook.com/tr or hotjar.com that appears before you click "Accept" is a problem; also check Application → Cookies for _ga or _fbp cookies set before consent
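The network check in step 4, scripted as an added example (not from the page): paste the block into the DevTools console of a page opened in a fresh profile, answer the banner, then call report(). It reads the browser's Resource Timing buffer and splits requests to tracking hosts into those that started before and after the consent click. It assumes the moment of consent is recorded as a performance mark named "consent-given" (a name chosen for this example, not a standard), set by running performance.mark("consent-given") from the console right after clicking Accept or from your CMP's accept callback. The gcs= interpretation follows Google's Consent Mode encoding, where G100 means ad_storage and analytics_storage were both denied. The host list is illustrative; the sample entries are constructed.

```javascript
// Runtime counterpart of the static head audit: which requests to tracking hosts
// started before the user consented? Added example, not from the page.
const TRACKER_HOST_RE =
  /(^|\.)(google-analytics\.com|googletagmanager\.com|doubleclick\.net|connect\.facebook\.net|facebook\.com|analytics\.tiktok\.com|hotjar\.com)$/;

// entries: PerformanceResourceTiming-like objects {name, initiatorType, startTime}
// consentAtMs: startTime of the consent mark, or null if the user has not consented yet
function classifyRequests(entries, consentAtMs) {
  const rows = [];
  for (const e of entries) {
    let url;
    try { url = new URL(e.name); } catch { continue; }
    if (!TRACKER_HOST_RE.test(url.hostname)) continue;
    // Google Consent Mode puts the consent state in gcs=; G100 means ad_storage and
    // analytics_storage both denied, i.e. an advanced-mode "cookieless ping".
    // Still a pre-consent request, but not a cookie being set.
    const gcs = url.searchParams.get("gcs");
    rows.push({
      host: url.hostname,
      path: url.pathname,
      initiator: e.initiatorType,   // "script", "img" (pixel beacon), "xmlhttprequest", "fetch"...
      startMs: Math.round(e.startTime),
      preConsent: consentAtMs === null || e.startTime < consentAtMs,
      consentModePing: gcs === "G100",
    });
  }
  return rows.sort((a, b) => a.startMs - b.startMs);
}

function summarize(rows) {
  const pre = rows.filter((r) => r.preConsent);
  return {
    trackerRequests: rows.length,
    preConsent: pre.length,
    preConsentExcludingConsentModePings: pre.filter((r) => !r.consentModePing).length,
    preConsentHosts: [...new Set(pre.map((r) => r.host))],
  };
}

// In the browser: read the real Resource Timing buffer and the consent mark.
// "consent-given" is a mark name assumed by this example; set it yourself.
function report() {
  const mark = performance.getEntriesByName("consent-given", "mark")[0];
  const rows = classifyRequests(performance.getEntriesByType("resource"), mark ? mark.startTime : null);
  console.table(rows);
  return summarize(rows);
}

// Constructed sample entries, as the buffer might look on a misconfigured page
// where the user clicked Accept at t = 5000 ms
const SAMPLE_ENTRIES = [
  { name: "https://cdn.example.com/app.js", initiatorType: "script", startTime: 90 },
  { name: "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX", initiatorType: "script", startTime: 120 },
  { name: "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX&gcs=G100", initiatorType: "xmlhttprequest", startTime: 410 },
  { name: "https://connect.facebook.net/en_US/fbevents.js", initiatorType: "script", startTime: 450 },
  { name: "https://www.facebook.com/tr/?id=000000000000000&ev=PageView", initiatorType: "img", startTime: 800 },
  { name: "https://static.hotjar.com/c/hotjar-1.js", initiatorType: "script", startTime: 5200 },
];

// Outside a browser there is no Resource Timing buffer, so run the sample instead
if (typeof window === "undefined") {
  console.log(summarize(classifyRequests(SAMPLE_ENTRIES, 5000)));
}
```

Two caveats when you run this on a real page: the Resource Timing buffer holds 250 entries by default, so call performance.setResourceTimingBufferSize(1000) early (or keep the site's own requests in mind) on heavy pages; and a pre-consent request carrying gcs=G100 shows that Consent Mode is working in advanced mode, not that no cookies were set by anything else, so still inspect the cookie jar.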
Run a deep cookie consent audit on your site at RoastReady — our scanner detects pre-consent trackers that most compliance tools miss.