Free scan
Google Analytics · troubleshooting

Google Analytics loads before consent

The _ga cookie appears on first paint and collect beacons fire before anyone touches the banner. Usually it's a missing Consent Mode default — here's the full diagnosis.

What it looks like

Fresh incognito window, DevTools → Network, filter on collect, banner untouched. An ungated GA4 install shows googletagmanager.com/gtag/js?id=G-XXXX loading with the page, then beacons to google-analytics.com/g/collect?v=2&tid=G-XXXX… (or a regional host like region1.google-analytics.com) firing before any consent interaction. Application → Cookies shows _ga and _ga_<container> set on first paint.

If Consent Mode were configured with denied defaults, you'd instead see either no g/collect beacons at all, or cookieless pings carrying gcs=G100 — the parameter that tells you consent state was denied when the hit was sent.

DevTools → Network — fresh incognito, banner untouched:
GET googletagmanager.com/gtag/js?id=G-XXXX ← loads with the page
POST google-analytics.com/g/collect?v=2&tid=G-XXXX ← page_view before any banner click
Cookie: _ga=GA1.1.… ← set on first paint

Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Why it happens

1. gtag.js pasted with no Consent Mode defaults

The standard GA4 snippet sits in <head> with no gtag('consent','default',…) call before it. Without a denied default, Google's tags behave as if consent were granted and the config fires a page_view immediately.

2. GA4 config tag in GTM without consent settings

The GA4 configuration tag fires on Initialization – All Pages and its Consent settings were never configured — GTM's Consent Overview screen has never been reviewed for the container.

3. CMP not wired to Consent Mode

The banner records the visitor's choice in its own storage but never calls gtag('consent','update',…) — so Google's tags never hear about the decision and keep running on defaults.

4. Double installation

GA is installed twice — a hardcoded gtag snippet in the theme and a plugin (Site Kit, a theme integration) or GTM tag. The gated copy behaves; the forgotten one fires on load.

The risk context

California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that sending a visitor's page views and on-site behavior to a third-party analytics server before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.

The wiretap-statute wave has centered on session-replay, chat, and ad-pixel tools, but pre-consent analytics beacons matter under the comprehensive state laws too: CCPA/CPRA treats sharing data for cross-context behavioral advertising as something consumers can opt out of, and GA is frequently linked to Google Ads audiences — which is exactly that kind of sharing.

To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.

How to fix it

  1. Add Consent Mode defaults before the gtag/GTM snippet, defaulting analytics_storage (and the ad signals) to denied — see the snippet below.
  2. Wire your CMP to flip consent: it must call gtag('consent','update',{analytics_storage:'granted'}) in its accept callback. Most CMPs (Cookiebot, OneTrust, Termly, CookieYes) have a Google Consent Mode toggle — turn it on.
  3. In GTM, open Admin → Container Settings and enable consent overview, then set the GA4 configuration tag to require analytics_storage.
  4. Consolidate to a single install source — remove the hardcoded snippet if GA also runs via GTM or a plugin.
  5. Re-scan to confirm no g/collect beacons fire before consent (or that only denied-state pings with gcs=G100 remain, if you intentionally run cookieless pings).

Consent-gating snippet

<!-- Place BEFORE the GTM/gtag snippet. Defaults all storage to "denied"
     so no tags fire until your CMP updates consent after the user opts in. -->
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    functionality_storage: 'denied',
    personalization_storage: 'denied',
    security_storage: 'granted',
    wait_for_update: 500
  });
</script>

Your CMP (Cookiebot, OneTrust, Termly, etc.) calls gtag('consent','update',{...:'granted'}) only after the visitor accepts. Until then, tags stay blocked.

Verify the fix in 30 seconds — free re-scan, no signup.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Common questions

Why does Google Analytics load before my consent banner?

Most often the gtag.js snippet has no gtag('consent','default',…) call before it, so Google's tags default to a granted state; or the GA4 tag in Google Tag Manager has no consent requirement; or the banner never calls gtag('consent','update') so the tags never learn the visitor's choice; or GA is installed twice and the second copy is ungated.

Does Google Analytics create CIPA risk?

The CIPA § 631 litigation wave has focused most heavily on session-replay, chat, and ad-pixel tools, but analytics beacons sent before consent are the same timing pattern, and under CCPA/CPRA sharing visitor data for cross-context behavioral advertising is something consumers can opt out of. A pre-consent beacon is a technical finding, not a legal conclusion. This is general information, not legal advice.

How do I make Google Analytics wait for consent?

Add a Consent Mode default-denied snippet before gtag.js or GTM, enable your CMP's Google Consent Mode integration so it updates consent on accept, require analytics_storage on the GA4 tag in GTM, and verify with a free real-browser re-scan.

Related

Google Ads remarketing before consentConsent banner not blocking trackersAll tracker compliance guidesFree cookie consent checker
Monitor my site ($99/mo) Estimate my exposure