Open DevTools and there it is: a request to facebook.com/tr on page load, before your banner was ever answered. Here's why it happens and how to fix it properly.
Open your site in a fresh incognito window with DevTools → Network open, filter on facebook, and don't touch the consent banner. If the pixel is ungated you'll see connect.facebook.net/en_US/fbevents.js load with the page, immediately followed by a facebook.com/tr request carrying ev=PageView and your pixel ID — all before any consent interaction. Application → Cookies will show _fbp set on first paint. A second tell: Meta Events Manager reports PageView counts roughly equal to your total traffic, not just your consented traffic.
In our 2026 scan of 1,478 small-business sites, the Meta Pixel was the single most common tracker we found firing before consent — on 322 sites.
Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
The Meta Pixel tag in Google Tag Manager fires on the All Pages trigger, and either Consent Mode defaults were never set or the tag is marked "No additional consent required" — so GTM fires it the instant the container loads.
The fbevents.js base code was pasted directly into the site's <head> — a Shopify theme.liquid, a WordPress header.php, or a site-builder custom-code box. Raw snippets execute before any consent tool can intervene unless the CMP explicitly rewrites script tags.
The pixel is categorized as "necessary" or "functional" in your consent platform, or the CMP's auto-block list doesn't recognize the script URL — so it is allowed through by default even when the visitor hasn't answered.
A platform integration — the Shopify Facebook & Instagram channel, a WordPress pixel plugin — injects its own copy of the pixel outside the one you gated. You fixed one install; the other keeps firing.
California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that transmitting a visitor's page views and events to Meta for ad profiling before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.
To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.
fbevents.js and fbq(, and check platform integrations (Shopify channels, WordPress plugins) that inject the pixel on their own.fbq('consent', 'revoke') immediately after the base code loads, and fbq('consent', 'grant') only from your CMP's accept callback.ad_storage.facebook.com/tr before consent.// Immediately after the base pixel code loads:
fbq('consent', 'revoke'); // hold all pixel activity
// After the visitor accepts marketing cookies:
cmp.onConsent('marketing', () => fbq('consent', 'grant'));Move the grant call into your CMP's consent callback — never on initial load.
Verify the fix in 30 seconds — free re-scan, no signup.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
The usual causes: the pixel tag in Google Tag Manager has no consent requirement, the base snippet is hardcoded in the site theme where no consent tool can intercept it, the consent platform has it categorized as necessary/functional, or a platform integration (like the Shopify Facebook channel or a WordPress plugin) injects a second ungated copy.
A pixel firing before consent is a technical finding, not a legal conclusion — but it is the exact timing pattern California CIPA § 631 wiretapping claims are built on, with statutory damages of up to $5,000 per violation argued per visitor session. Gating the pixel behind consent removes the pattern. This is general information, not legal advice.
Use Meta's consent API — fbq('consent','revoke') by default, fbq('consent','grant') only after opt-in — set the GTM tag to require ad_storage consent, remove duplicate installs, then verify with a free real-browser re-scan that nothing reaches facebook.com/tr before consent.