analytics.tiktok.com shows up in the network tab on page load — often installed by an app or channel integration nobody gated. Here's the diagnosis and the fix.
Fresh incognito window, DevTools → Network, filter on tiktok, banner untouched. An ungated install loads analytics.tiktok.com/i18n/pixel/events.js with the page and immediately sends pixel events back to analytics.tiktok.com — before any consent interaction. Application → Cookies shows _ttp set on first paint, and TikTok Events Manager reports page views roughly equal to total traffic rather than consented traffic.
In our 2026 scan of 1,478 small-business sites, the TikTok Pixel was firing before consent on 73 sites.
Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
The ttq base snippet was added straight to the site's <head> per TikTok's install instructions, so it loads and fires with the page — no consent tool ever gets a say.
The TikTok Pixel tag in Google Tag Manager fires on All Pages and its Consent settings were never configured.
On Shopify and similar platforms, the TikTok sales-channel app injects the pixel automatically, outside your theme and outside your CMP. This copy keeps firing even after you gate the one you know about.
The consent platform's auto-block list doesn't match analytics.tiktok.com, or the pixel sits uncategorized — so the default is to let it through.
California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that transmitting a visitor's page views and events to TikTok for ad targeting before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.
To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.
ttq and analytics.tiktok.com, and check platform channel apps (Shopify's TikTok channel injects its own copy).ttq.load() only from your CMP's accept callback, or keep the pixel exclusively in GTM.ad_storage — see the snippet below.analytics.tiktok.com before consent.<!-- Place BEFORE the GTM/gtag snippet. Defaults all storage to "denied"
so no tags fire until your CMP updates consent after the user opts in. -->
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
ad_storage: 'denied',
analytics_storage: 'denied',
functionality_storage: 'denied',
personalization_storage: 'denied',
security_storage: 'granted',
wait_for_update: 500
});
</script>Your CMP (Cookiebot, OneTrust, Termly, etc.) calls gtag('consent','update',{...:'granted'}) only after the visitor accepts. Until then, tags stay blocked.
Verify the fix in 30 seconds — free re-scan, no signup.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
Common causes: the base code is pasted directly in the head where no consent tool can intercept it, the GTM tag has no consent requirement, a store channel app (like Shopify's TikTok channel) injects its own ungated copy of the pixel, or the consent platform doesn't recognize the script URL and lets it through.
A pixel firing before consent is a technical finding, not a legal conclusion — but ad pixels transmitting visitor data before consent are a recurring target in California CIPA § 631 claims (statutory damages up to $5,000 per violation, argued per session) and raise opt-out issues under CCPA/CPRA. Gating the pixel removes the timing pattern. Not legal advice.
Gate ttq.load() behind your CMP's marketing-consent callback or run the pixel only through GTM with ad_storage consent required, disable duplicate injection by channel apps, then verify with a free real-browser re-scan.