Pre-consent tracking is one of the most common—and most overlooked—GDPR compliance issues.
Many websites display a consent banner, but analytics and tracking scripts still execute before the user makes a choice. This checklist explains how to detect pre-consent tracking in practice and what to verify to ensure real compliance.
What is pre-consent tracking?
Pre-consent tracking occurs when analytics, marketing, or tracking technologies:
- Execute before the user gives consent
- Send network requests on page load
- Set cookies or access browser storage
- Generate or access identifiers
This can happen even when:
- A consent banner is visible
- Google Consent Mode is enabled
- Cookies appear to be blocked
Compliance depends on runtime behavior, not configuration intent.
Pre-consent tracking checklist
Use the checklist below to evaluate whether tracking fires before consent on your site.
1. Check script loading on page load
What to verify
- Are analytics scripts loaded immediately?
- Do Google tags or GTM containers load before interaction?
Red flag
- gtag.js or GTM is loaded in the <head> without blocking logic
Why it matters
If scripts load before consent logic runs, tracking may already occur.
2. Inspect network requests before interaction
What to verify
- Open browser developer tools
- Reload the page without clicking anything
- Inspect the Network tab
Red flag
- Requests sent to Google endpoints such as:
  - google-analytics.com
  - googletagmanager.com
  - g.doubleclick.net
Why it matters
Requests alone may constitute tracking, even without cookies.
3. Verify cookie creation on page load
What to verify
- Check cookies immediately after page load
- Look for analytics-related cookies
Red flag
- _ga, _gid, _gcl_* or similar cookies appear before consent
Why it matters
Storing identifiers before consent is typically non-compliant.
4. Check localStorage and sessionStorage
What to verify
- Inspect localStorage and sessionStorage
- Look for analytics or tracking keys
Red flag
- Storage entries created before consent
- Identifiers stored even when cookies are blocked
Why it matters
Tracking is not limited to cookies.
5. Verify Consent Mode default states
What to verify
- Consent states are explicitly set before analytics loads
- Default values are enforced on page load
Red flag
- analytics_storage defaults to granted
- Consent states are updated only after banner interaction
Why it matters
Consent Mode does not block analytics by default.
6. Test “Reject all” behavior
What to verify
- Click “Reject all”
- Reload or navigate the site
Red flag
- Analytics requests continue after rejection
- Tracking resumes on navigation
Why it matters
Rejection must be respected across pages.
7. Navigate to secondary pages
What to verify
- Click internal links after rejection
- Monitor requests and storage again
Red flag
- Tracking fires on route changes
- Analytics resumes after initial page
Why it matters
Compliance must persist across the site, not just the landing page.
8. Check mixed implementations
What to verify
- Is gtag.js used alongside GTM?
- Are legacy scripts still present?
Red flag
- Multiple tracking entry points
- Duplicate analytics initialization
Why it matters
Mixed setups often bypass consent logic.
9. Validate behavior without interacting with the banner
What to verify
- Load the page
- Do nothing
- Observe behavior for several seconds
Red flag
- Delayed analytics requests appear automatically
Why it matters
Some scripts fire after short delays, not instantly.
10. Repeat tests in a clean browser session
What to verify
- Use incognito or a fresh browser profile
- Test without existing cookies or storage
Red flag
- Different behavior between first-time and returning visitors
Why it matters
Compliance must apply to all users, not just returning ones.
Why manual checks often fail
Manual testing is:
- Time-consuming
- Easy to misinterpret
- Inconsistent across pages and sessions
Many issues only appear:
- On specific routes
- After redirects
- With delayed execution
This is why real compliance requires repeatable, runtime testing.
Automating pre-consent tracking detection
Automated scanners that simulate real browser sessions can help detect:
- Network requests before consent
- Cookies created on load
- Tracking after rejection
- Differences across pages
Tools like CookieInspector focus on observing actual execution behavior, not just banner presence or tag configuration.
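The request and cookie checks from steps 2 and 3 can be run over a HAR file exported from the browser's Network tab. The script below is an added example, not code from this article or from CookieInspector; the function names, the consentAt parameter and the sample capture are assumptions made for illustration.

```javascript
// Added example: flag tracking in a HAR capture recorded with no banner interaction.
// Hosts and cookie patterns are the ones named in the checklist.
const TRACKING_HOSTS = ['google-analytics.com', 'googletagmanager.com', 'g.doubleclick.net'];
const TRACKING_COOKIE = /^(_ga(_.+)?|_gid|_gcl_.+)$/;

function matchesHost(hostname, domain) {
  // Exact match or true subdomain; rejects look-alikes such as "notgoogle-analytics.com".
  return hostname === domain || hostname.endsWith('.' + domain);
}

// consentAt (hypothetical parameter): ISO time of the consent click, or null if no choice was made.
function findPreConsentTracking(har, consentAt = null) {
  const cutoff = consentAt ? Date.parse(consentAt) : Infinity;
  const findings = [];
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) >= cutoff) continue; // after consent: out of scope
    const host = new URL(entry.request.url).hostname;
    if (TRACKING_HOSTS.some((d) => matchesHost(host, d))) {
      findings.push({ type: 'request', at: entry.startedDateTime, detail: host });
    }
    // Cookies sent with a request already exist in the browser; response cookies are being set.
    const cookies = [...(entry.request.cookies || []), ...(entry.response.cookies || [])];
    for (const { name } of cookies) {
      if (TRACKING_COOKIE.test(name)) {
        findings.push({ type: 'cookie', at: entry.startedDateTime, detail: name });
      }
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic): page load, delayed hit, later navigation.
const sampleHar = { log: { entries: [
  { startedDateTime: '2024-01-01T10:00:00.000Z',
    request: { url: 'https://shop.example/', cookies: [] }, response: { cookies: [] } },
  { startedDateTime: '2024-01-01T10:00:00.400Z',
    request: { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE', cookies: [] },
    response: { cookies: [] } },
  { startedDateTime: '2024-01-01T10:00:03.200Z',
    request: { url: 'https://region1.google-analytics.com/g/collect?v=2', cookies: [] },
    response: { cookies: [] } },
  { startedDateTime: '2024-01-01T10:00:05.000Z',
    request: { url: 'https://shop.example/cart', cookies: [{ name: '_ga', value: 'x' }] },
    response: { cookies: [] } },
  { startedDateTime: '2024-01-01T10:00:06.000Z',
    request: { url: 'https://notgoogle-analytics.com/pixel', cookies: [] }, response: { cookies: [] } },
] } };
console.log(findPreConsentTracking(sampleHar));
```

Any finding in a capture taken without touching the banner is a red flag under the checklist. The script reads only network traffic, so localStorage and sessionStorage (step 4) still need a separate check.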
Key takeaway
A visible consent banner does not guarantee compliance.
To prevent pre-consent tracking, you must:
- Block analytics until consent
- Enforce consent states correctly
- Verify real browser behavior
- Test across pages and sessions
Without verification, pre-consent tracking often goes unnoticed.
Final note
This article is for informational purposes only and does not constitute legal advice. GDPR interpretations may vary by jurisdiction.