The _ga cookie appears on first paint and collect beacons fire before anyone touches the banner. Usually it's a missing Consent Mode default — here's the full diagnosis.
Fresh incognito window, DevTools → Network, filter on collect, banner untouched. An ungated GA4 install shows googletagmanager.com/gtag/js?id=G-XXXX loading with the page, then beacons to google-analytics.com/g/collect?v=2&tid=G-XXXX… (or a regional host like region1.google-analytics.com) firing before any consent interaction. Application → Cookies shows _ga and _ga_<container> set on first paint.
If Consent Mode were configured with denied defaults, you'd instead see either no g/collect beacons at all, or cookieless pings carrying gcs=G100 — the parameter that tells you consent state was denied when the hit was sent.
Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
The standard GA4 snippet sits in <head> with no gtag('consent','default',…) call before it. Without a denied default, Google's tags behave as if consent were granted and the config fires a page_view immediately.
The GA4 configuration tag fires on Initialization – All Pages and its Consent settings were never configured — GTM's Consent Overview screen has never been reviewed for the container.
The banner records the visitor's choice in its own storage but never calls gtag('consent','update',…) — so Google's tags never hear about the decision and keep running on defaults.
GA is installed twice — a hardcoded gtag snippet in the theme and a plugin (Site Kit, a theme integration) or GTM tag. The gated copy behaves; the forgotten one fires on load.
California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that sending a visitor's page views and on-site behavior to a third-party analytics server before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.
The wiretap-statute wave has centered on session-replay, chat, and ad-pixel tools, but pre-consent analytics beacons matter under the comprehensive state laws too: CCPA/CPRA treats sharing data for cross-context behavioral advertising as something consumers can opt out of, and GA is frequently linked to Google Ads audiences — which is exactly that kind of sharing.
To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.
analytics_storage (and the ad signals) to denied — see the snippet below.gtag('consent','update',{analytics_storage:'granted'}) in its accept callback. Most CMPs (Cookiebot, OneTrust, Termly, CookieYes) have a Google Consent Mode toggle — turn it on.analytics_storage.g/collect beacons fire before consent (or that only denied-state pings with gcs=G100 remain, if you intentionally run cookieless pings).<!-- Place BEFORE the GTM/gtag snippet. Defaults all storage to "denied"
so no tags fire until your CMP updates consent after the user opts in. -->
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
ad_storage: 'denied',
analytics_storage: 'denied',
functionality_storage: 'denied',
personalization_storage: 'denied',
security_storage: 'granted',
wait_for_update: 500
});
</script>Your CMP (Cookiebot, OneTrust, Termly, etc.) calls gtag('consent','update',{...:'granted'}) only after the visitor accepts. Until then, tags stay blocked.
Verify the fix in 30 seconds — free re-scan, no signup.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
Most often the gtag.js snippet has no gtag('consent','default',…) call before it, so Google's tags default to a granted state; or the GA4 tag in Google Tag Manager has no consent requirement; or the banner never calls gtag('consent','update') so the tags never learn the visitor's choice; or GA is installed twice and the second copy is ungated.
The CIPA § 631 litigation wave has focused most heavily on session-replay, chat, and ad-pixel tools, but analytics beacons sent before consent are the same timing pattern, and under CCPA/CPRA sharing visitor data for cross-context behavioral advertising is something consumers can opt out of. A pre-consent beacon is a technical finding, not a legal conclusion. This is general information, not legal advice.
Add a Consent Mode default-denied snippet before gtag.js or GTM, enable your CMP's Google Consent Mode integration so it updates consent on accept, require analytics_storage on the GA4 tag in GTM, and verify with a free real-browser re-scan.