Pre-consent tracking checklist: how to detect analytics firing before consent

by

Pre-consent tracking is one of the most common—and most overlooked—GDPR compliance issues.

Many websites display a consent banner, but analytics and tracking scripts still execute before the user makes a choice. This checklist explains how to detect pre-consent tracking in practice and what to verify to ensure real compliance.

What is pre-consent tracking?

Pre-consent tracking occurs when analytics, marketing, or tracking technologies:

  • Execute before the user gives consent
  • Send network requests on page load
  • Set cookies or access browser storage
  • Generate or access identifiers

This can happen even when:

  • A consent banner is visible
  • Google Consent Mode is enabled
  • Cookies appear to be blocked

Compliance depends on runtime behavior, not configuration intent.

Pre-consent tracking checklist

Use the checklist below to evaluate whether tracking fires before consent on your site.

1. Check script loading on page load

What to verify

  • Are analytics scripts loaded immediately?
  • Do Google tags or GTM containers load before interaction?

Red flag

  • gtag.js or GTM is loaded in the <head> without blocking logic

Why it matters
If scripts load before consent logic runs, tracking may already occur.

2. Inspect network requests before interaction

What to verify

  • Open browser developer tools
  • Reload the page without clicking anything
  • Inspect the Network tab

Red flag

  • Requests sent to Google endpoints such as:
    • google-analytics.com
    • googletagmanager.com
    • g.doubleclick.net

Why it matters
Requests alone may constitute tracking, even without cookies.

3. Verify cookie creation on page load

What to verify

  • Check cookies immediately after page load
  • Look for analytics-related cookies

Red flag

  • _ga, _gid, _gcl_* or similar cookies appear before consent

Why it matters
Storing identifiers before consent is typically non-compliant.

4. Check localStorage and sessionStorage

What to verify

  • Inspect localStorage and sessionStorage
  • Look for analytics or tracking keys

Red flag

  • Storage entries created before consent
  • Identifiers stored even when cookies are blocked

Why it matters
Tracking is not limited to cookies.

5. Verify Consent Mode default states

What to verify

  • Consent states are explicitly set before analytics loads
  • Default values are enforced on page load

Red flag

  • analytics_storage defaults to granted
  • Consent states are updated only after banner interaction

Why it matters
Consent Mode does not block analytics by default.

6. Test “Reject all” behavior

What to verify

  • Click “Reject all”
  • Reload or navigate the site

Red flag

  • Analytics requests continue after rejection
  • Tracking resumes on navigation

Why it matters
Rejection must be respected across pages.

7. Navigate to secondary pages

What to verify

  • Click internal links after rejection
  • Monitor requests and storage again

Red flag

  • Tracking fires on route changes
  • Analytics resumes after initial page

Why it matters
Compliance must persist across the site, not just the landing page.

8. Check mixed implementations

What to verify

  • Is gtag.js used alongside GTM?
  • Are legacy scripts still present?

Red flag

  • Multiple tracking entry points
  • Duplicate analytics initialization

Why it matters
Mixed setups often bypass consent logic.

9. Validate behavior without interacting with the banner

What to verify

  • Load the page
  • Do nothing
  • Observe behavior for several seconds

Red flag

  • Delayed analytics requests appear automatically

Why it matters
Some scripts fire after short delays, not instantly.

10. Repeat tests in a clean browser session

What to verify

  • Use incognito or a fresh browser profile
  • Test without existing cookies or storage

Red flag

  • Different behavior between first-time and returning visitors

Why it matters
Compliance must apply to all users, not just returning ones.

Why manual checks often fail

Manual testing is:

  • Time-consuming
  • Easy to misinterpret
  • Inconsistent across pages and sessions

Many issues only appear:

  • On specific routes
  • After redirects
  • With delayed execution

This is why real compliance requires repeatable, runtime testing.

Automating pre-consent tracking detection

Automated scanners that simulate real browser sessions can help detect:

  • Network requests before consent
  • Cookies created on load
  • Tracking after rejection
  • Differences across pages

Tools like CookieInspector focus on observing actual execution behavior, not just banner presence or tag configuration.

Key takeaway

A visible consent banner does not guarantee compliance.

To prevent pre-consent tracking, you must:

  • Block analytics until consent
  • Enforce consent states correctly
  • Verify real browser behavior
  • Test across pages and sessions

Without verification, pre-consent tracking often goes unnoticed.

Final note

This article is for informational purposes only and does not constitute legal advice. GDPR interpretations may vary by jurisdiction.

Related articles:

  • Does Google Analytics fire before consent?
  • Is Google Consent Mode GDPR compliant?