Does Cookiebot actually block trackers before consent?
When it's installed and configured correctly — yes, that's its job. The problem is that plenty of real-world setups leak anyway, for reasons that have nothing to do with Cookiebot itself. Here's where the leaks come from, and how to verify yours in 30 seconds.
Cookiebot CMP (part of Usercentrics) is one of the most widely-deployed consent platforms — a recurring automatic cookie scanner, a consent banner, consent logging, and an automatic blocking mode designed to hold known tracking scripts until the visitor makes a choice.
RegSentry is not a consent platform and doesn't replace Cookiebot — it's the independent check that your Cookiebot setup is actually holding trackers back until visitors consent. The two are complementary: one manages consent, the other verifies enforcement.
Verify your Cookiebot setup — free real-browser scan, 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
What Cookiebot does well
Automatic, recurring scans that keep the cookie inventory current without manual upkeep
An automatic blocking mode that can hold known trackers until consent — genuinely useful when it covers everything
Consent logging for demonstrable records
Deep Google Consent Mode integration
The 5 ways a correctly-installed Cookiebot banner still leaks
None of these are bugs in Cookiebot. They're the coverage and configuration gaps that show up on real sites — the reasons a banner that looks right can still fire trackers before consent:
1. Manual-mode tags missing the markup When blocking is handled manually, each script tag needs Cookiebot's markup (the text/plain type plus its data attributes). A developer adds a new tag without it, and that tag executes immediately — the banner never gets a say.
2. Automatic blocking not enabled Sites sometimes run the banner in notice-only or manual configuration, assuming auto-blocking is on. The banner shows, consent is recorded — and nothing is actually held back.
3. Tags added outside Cookiebot entirely Pixels pasted into the theme, injected by plugins, or shipped by an agency don't pass through Cookiebot's blocking at all.
4. Tag-manager triggers that ignore consent state GTM tags firing on page-load instead of on consent events bypass the gate — the tag manager launches trackers while the banner is still up.
5. A tracker classified in the wrong category Scanner classifications are good but not infallible, and manual overrides happen. Anything treated as strictly-necessary loads before consent by design.
Why independent verification matters
In our 2026 scan of 1,478 small-business websites, 58% fired at least one tracker before the visitor consented — and nearly every affected site already had some consent setup in place. That's not an argument against using Cookiebot; it's the argument for verifying that any consent setup, from any vendor, is actually enforcing. A banner that displays and a banner that blocks look identical to the naked eye. The network tells the truth.
How RegSentry independently verifies enforcement
A real headless browser, not a checklist RegSentry loads your public pages the way a first-time visitor's browser would — with no stored cookies and no prior consent.
It never touches the banner The scan deliberately makes no consent interaction. Whatever contacts a third-party server in that window did so before consent — which is exactly what wiretapping and privacy claims turn on.
Every tracker's first contact, timestamped The scan records the precise moment each session-replay, analytics, chat, and ad-pixel script first calls home, so you get evidence — script, page, and timing — not a guess.
Independent by design RegSentry has no stake in your Cookiebot configuration. It doesn't know or care which scripts are supposed to be gated — it just reports what actually fired. That independence is the point of a verification layer.
Then it keeps watching Monitoring re-scans on a schedule and emails you when a NEW tracker shows up firing before consent — so the tag someone adds next month doesn't quietly undo today's clean result.
How to verify your Cookiebot setup in 30 seconds
Enter your domain below. No signup, no code to install, nothing changes on your site.
RegSentry loads your site in a real browser and never touches the Cookiebot banner — it just watches the network, the way a plaintiff firm's scanner would.
Anything that fired before consent shows up in the report — which script, which page, when — plus the specific fix for each tool (gate it through Cookiebot, correct its category, or wire the tag-manager trigger to consent).
Prefer to eyeball it first? Open your site in a fresh incognito window with DevTools → Network open, reload, and don't click the banner — requests to tracking domains before you consent are the leak. The scan just does that check thoroughly, on every page that matters, with evidence.
See whether your Cookiebot banner is actually blocking — free, no signup.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.