Free scan
Meta Pixel · troubleshooting

The Meta Pixel fires before consent

Open DevTools and there it is: a request to facebook.com/tr on page load, before your banner was ever answered. Here's why it happens and how to fix it properly.

What it looks like

Open your site in a fresh incognito window with DevTools → Network open, filter on facebook, and don't touch the consent banner. If the pixel is ungated you'll see connect.facebook.net/en_US/fbevents.js load with the page, immediately followed by a facebook.com/tr request carrying ev=PageView and your pixel ID — all before any consent interaction. Application → Cookies will show _fbp set on first paint. A second tell: Meta Events Manager reports PageView counts roughly equal to your total traffic, not just your consented traffic.

In our 2026 scan of 1,478 small-business sites, the Meta Pixel was the single most common tracker we found firing before consent — on 322 sites.

DevTools → Network — fresh incognito, banner untouched:
GET connect.facebook.net/en_US/fbevents.js ← loads with the page
GET www.facebook.com/tr/?id=1234…&ev=PageView ← fires before any banner click
Cookie: _fbp=fb.1.… ← set on first paint

Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Why it happens

1. GTM tag with no consent requirement

The Meta Pixel tag in Google Tag Manager fires on the All Pages trigger, and either Consent Mode defaults were never set or the tag is marked "No additional consent required" — so GTM fires it the instant the container loads.

2. Hardcoded base snippet in the theme

The fbevents.js base code was pasted directly into the site's <head> — a Shopify theme.liquid, a WordPress header.php, or a site-builder custom-code box. Raw snippets execute before any consent tool can intervene unless the CMP explicitly rewrites script tags.

3. CMP category mismatch

The pixel is categorized as "necessary" or "functional" in your consent platform, or the CMP's auto-block list doesn't recognize the script URL — so it is allowed through by default even when the visitor hasn't answered.

4. Duplicate installs

A platform integration — the Shopify Facebook & Instagram channel, a WordPress pixel plugin — injects its own copy of the pixel outside the one you gated. You fixed one install; the other keeps firing.

The risk context

California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that transmitting a visitor's page views and events to Meta for ad profiling before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.

To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.

How to fix it

  1. Find every install: search the rendered page source and your GTM container for fbevents.js and fbq(, and check platform integrations (Shopify channels, WordPress plugins) that inject the pixel on their own.
  2. Gate it with Meta's consent API: call fbq('consent', 'revoke') immediately after the base code loads, and fbq('consent', 'grant') only from your CMP's accept callback.
  3. If the pixel runs through GTM, add Consent Mode defaults (denied) and set the pixel tag's Consent settings to require ad_storage.
  4. Remove or disable duplicate installs so exactly one gated copy of the pixel remains.
  5. Re-scan to confirm no requests reach facebook.com/tr before consent.

Consent-gating snippet

// Immediately after the base pixel code loads:
fbq('consent', 'revoke');                 // hold all pixel activity
// After the visitor accepts marketing cookies:
cmp.onConsent('marketing', () => fbq('consent', 'grant'));

Move the grant call into your CMP's consent callback — never on initial load.

Verify the fix in 30 seconds — free re-scan, no signup.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Common questions

Why is the Meta Pixel firing before my consent banner?

The usual causes: the pixel tag in Google Tag Manager has no consent requirement, the base snippet is hardcoded in the site theme where no consent tool can intercept it, the consent platform has it categorized as necessary/functional, or a platform integration (like the Shopify Facebook channel or a WordPress plugin) injects a second ungated copy.

Is it illegal for the Meta Pixel to fire before consent?

A pixel firing before consent is a technical finding, not a legal conclusion — but it is the exact timing pattern California CIPA § 631 wiretapping claims are built on, with statutory damages of up to $5,000 per violation argued per visitor session. Gating the pixel behind consent removes the pattern. This is general information, not legal advice.

How do I stop the Meta Pixel firing before consent?

Use Meta's consent API — fbq('consent','revoke') by default, fbq('consent','grant') only after opt-in — set the GTM tag to require ad_storage consent, remove duplicate installs, then verify with a free real-browser re-scan that nothing reaches facebook.com/tr before consent.

Related

Meta Pixel compliance guideTikTok Pixel fires before consentGoogle Ads remarketing before consentConsent banner not blocking trackersCIPA exposure calculator
Monitor my site ($99/mo) Estimate my exposure