Free scan
Consent banner · troubleshooting

Your consent banner isn't blocking trackers

The banner shows, the network tab doesn't care: trackers fire before anyone clicks, and clicking Reject changes nothing. This is the most common consent failure we see — and it's almost always configuration.

What it looks like

Three checks, all in a fresh incognito window with DevTools → Network open. One: before touching the banner, the network tab already lists third-party tracker requests — pixels, analytics beacons, recorder scripts. Two: Application → Cookies shows tracking cookies (_fbp, _ga, _hjSession…) set on first paint. Three: click Reject, reload, and watch the same requests fire again.

Any one of those means the banner is collecting opinions, not enforcing them. It matches what we found at scale: in our 2026 scan of 1,478 small-business sites, 58% fired at least one tracker before consent — and nearly every affected site had some consent setup. The trackers fired anyway.

DevTools → Network — fresh incognito, banner untouched:
GET connect.facebook.net/en_US/fbevents.js ← banner visible, not yet answered
POST google-analytics.com/g/collect ← fires before any click
(after clicking Reject + reload) ← …the same requests fire again

Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Why it happens

1. The banner is notice-only

The CMP was deployed in its informational mode — it displays and records choices but was never configured to actually block scripts. Many platforms require you to explicitly enable auto-blocking or rewrite your script tags; out of the box, nothing is held back.

2. Auto-blocking misses hardcoded and unknown scripts

CMP auto-blockers work from a recognition list. Scripts pasted directly into the theme, inline snippets, or trackers the list doesn't recognize sail through — and many CMPs default unknown scripts to allowed.

3. The banner and your tags aren't connected

The CMP records the choice in its own cookie, but Google Consent Mode was never wired up and no consent callbacks were registered — so GTM, gtag, and every hand-installed snippet simply never hear about the visitor's decision.

4. Tags added after the banner was set up

The banner was configured once, then marketing added new tags via GTM, plugins, or platform apps. Nothing forces a new tag through the consent setup, so each addition ships ungated by default.

The risk context

California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that trackers transmitting visitor data before the visitor has answered the banner before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.

This is why, as our state-law guides put it, a consent banner alone is not a defense: the claims turn on when data was transmitted, and a banner that doesn't block doesn't change the network log. The banner's job is to hold trackers until the answer — anything less is cosmetic.

To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.

How to fix it

  1. Switch the CMP into blocking mode: enable auto-blocking / prior-consent enforcement in its settings, and confirm the mode is active on the production domain (not just staging).
  2. Wire Google Consent Mode: add the default-denied snippet before GTM/gtag and enable the CMP's Consent Mode integration so accept/reject actually updates Google's tags.
  3. Bring raw snippets under CMP control: convert hardcoded trackers to the CMP's managed format (most use type="text/plain" with a category attribute) or move them into GTM with consent requirements.
  4. Audit categorization: walk the CMP's detected-script list, categorize everything, and change the unknown-script default from allowed to blocked.
  5. Verify in a real browser — load the site fresh, reject, reload, and watch the network tab. Then re-scan after every new tag, because the next ungated tracker is one GTM publish away.

Verify the fix in 30 seconds — free re-scan, no signup.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Common questions

Why do trackers still fire when I have a consent banner?

The most common reasons: the banner is running in notice-only mode and was never configured to block; its auto-blocker doesn't recognize hardcoded or newer scripts and defaults them to allowed; the banner isn't wired to Google Consent Mode or any consent callbacks so tags never hear the decision; or tags were added after the banner was set up and never routed through it.

Does having a consent banner protect me legally?

A banner alone is not a defense if trackers transmit data before the visitor answers — pre-consent tracking claims turn on the timing shown in the network log, not on whether a banner was displayed. Whether any configuration satisfies any statute is a legal question; what a scan verifies is the technical behavior. Not legal advice.

How do I test whether my banner actually blocks trackers?

Open the site in a fresh incognito window with the DevTools network tab open: check for tracker requests before you answer the banner, check for tracking cookies on first paint, then click Reject, reload, and see if the requests return. RegSentry's free scan runs the same check in a real browser and lists every tracker that fired before consent.

Related

Free cookie consent checkerGoogle Analytics loads before consentMeta Pixel fires before consentCalifornia CIPA guide
Monitor my site ($99/mo) Estimate my exposure