doubleclick.net and googleadservices.com requests on page load mean your remarketing audiences are filling with visitors who never opted in. Here's why, and the Consent Mode v2 fix.
Fresh incognito window, DevTools → Network, filter on doubleclick or googleads, banner untouched. An ungated setup shows requests to googleads.g.doubleclick.net (e.g. /pagead/viewthroughconversion/…) and www.googleadservices.com firing with the page, sometimes joined by google.com/pagead/1p-user-list/… — the remarketing list hit. Application → Cookies shows _gcl_au set on first paint.
The business-side tell: your remarketing audiences keep growing at roughly the rate of total traffic, which means visitors are being added to ad audiences before they've answered the banner.
Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
The Google Ads tag (gtag('config','AW-XXXX')) sits next to the GA snippet in <head> with no Consent Mode defaults before it — so the remarketing hit goes out with the page.
The Google Ads remarketing and conversion-linker tags in Google Tag Manager have no Consent settings, so they fire as soon as the container loads.
ad_user_data and ad_personalization — the two consent signals Google added for ads in Consent Mode v2 — were never defaulted to denied, so Google's ad tags treat them as granted.
An old campaign left a site-wide remarketing snippet or per-page conversion snippets hardcoded in templates (thank-you pages are a classic spot), bypassing whatever gating you added later.
California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that adding a visitor to advertising audiences and sending their browsing to Google's ad systems before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.
Beyond the wiretap statutes, this is squarely a comprehensive-privacy-law issue: under CCPA/CPRA, sharing visitor data for cross-context behavioral advertising is what consumers have the right to opt out of, and states like Texas and Colorado require honoring universal opt-out signals for targeted advertising.
To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.
ad_storage, ad_user_data, and ad_personalization to denied — see the snippet below.ad_storage consent.AW-, googleadservices, and viewthroughconversion, and move anything you find into the gated setup.doubleclick.net or googleadservices.com before consent.<!-- Place BEFORE the GTM/gtag snippet. Consent Mode v2 defaults:
ads signals denied until your CMP updates them after opt-in. -->
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
ad_storage: 'denied',
ad_user_data: 'denied',
ad_personalization: 'denied',
analytics_storage: 'denied',
wait_for_update: 500
});
</script>Your CMP calls gtag('consent','update',{ad_storage:'granted', ad_user_data:'granted', ad_personalization:'granted'}) only after the visitor accepts marketing.
Verify the fix in 30 seconds — free re-scan, no signup.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
Usually the gtag config for your AW- ID runs on page load with no Consent Mode defaults, the ads tags in GTM have no consent requirements, the Consent Mode v2 signals (ad_user_data, ad_personalization) were never defaulted to denied, or a legacy remarketing/conversion snippet is still hardcoded in page templates from an old campaign.
A remarketing hit before consent is a technical finding, not a legal conclusion. It is, however, the timing pattern pre-consent tracking claims focus on, and under CCPA/CPRA and other comprehensive state laws, sharing visitor data for targeted advertising is exactly what consumers can opt out of. Consent Mode v2 with denied defaults removes the pattern. Not legal advice.
Add a Consent Mode v2 default-denied snippet before gtag/GTM (ad_storage, ad_user_data, ad_personalization), enable your CMP's Consent Mode integration, require ad_storage on every ads tag in GTM, remove legacy hardcoded snippets, and verify with a free re-scan.