The banner shows, the network tab doesn't care: trackers fire before anyone clicks, and clicking Reject changes nothing. This is the most common consent failure we see — and it's almost always configuration.
Three checks, all in a fresh incognito window with DevTools → Network open. One: before touching the banner, the network tab already lists third-party tracker requests — pixels, analytics beacons, recorder scripts. Two: Application → Cookies shows tracking cookies (_fbp, _ga, _hjSession…) set on first paint. Three: click Reject, reload, and watch the same requests fire again.
Any one of those means the banner is collecting opinions, not enforcing them. It matches what we found at scale: in our 2026 scan of 1,478 small-business sites, 58% fired at least one tracker before consent — and nearly every affected site had some consent setup. The trackers fired anyway.
Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
The CMP was deployed in its informational mode — it displays and records choices but was never configured to actually block scripts. Many platforms require you to explicitly enable auto-blocking or rewrite your script tags; out of the box, nothing is held back.
CMP auto-blockers work from a recognition list. Scripts pasted directly into the theme, inline snippets, or trackers the list doesn't recognize sail through — and many CMPs default unknown scripts to allowed.
The CMP records the choice in its own cookie, but Google Consent Mode was never wired up and no consent callbacks were registered — so GTM, gtag, and every hand-installed snippet simply never hear about the visitor's decision.
The banner was configured once, then marketing added new tags via GTM, plugins, or platform apps. Nothing forces a new tag through the consent setup, so each addition ships ungated by default.
California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that trackers transmitting visitor data before the visitor has answered the banner before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.
This is why, as our state-law guides put it, a consent banner alone is not a defense: the claims turn on when data was transmitted, and a banner that doesn't block doesn't change the network log. The banner's job is to hold trackers until the answer — anything less is cosmetic.
To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.
type="text/plain" with a category attribute) or move them into GTM with consent requirements.Verify the fix in 30 seconds — free re-scan, no signup.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
The most common reasons: the banner is running in notice-only mode and was never configured to block; its auto-blocker doesn't recognize hardcoded or newer scripts and defaults them to allowed; the banner isn't wired to Google Consent Mode or any consent callbacks so tags never hear the decision; or tags were added after the banner was set up and never routed through it.
A banner alone is not a defense if trackers transmit data before the visitor answers — pre-consent tracking claims turn on the timing shown in the network log, not on whether a banner was displayed. Whether any configuration satisfies any statute is a legal question; what a scan verifies is the technical behavior. Not legal advice.
Open the site in a fresh incognito window with the DevTools network tab open: check for tracker requests before you answer the banner, check for tracking cookies on first paint, then click Reject, reload, and see if the requests return. RegSentry's free scan runs the same check in a real browser and lists every tracker that fired before consent.