Does OneTrust actually block trackers before consent?
When it's installed and configured correctly — yes, that's its job. The problem is that plenty of real-world setups leak anyway, for reasons that have nothing to do with OneTrust itself. Here's where the leaks come from, and how to verify yours in 30 seconds.
OneTrust is an enterprise privacy platform — consent management is one module alongside data mapping, DSAR automation, and vendor risk. Its cookie-consent product includes site scanning, geolocation-based banner rules, auto-blocking, and consent records, built for organizations running a full privacy program.
RegSentry is not a consent platform and doesn't replace OneTrust — it's the independent check that your OneTrust setup is actually holding trackers back until visitors consent. The two are complementary: one manages consent, the other verifies enforcement.
Verify your OneTrust setup — free real-browser scan, 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
Site scanning that builds and maintains a cookie inventory across large web estates
Auto-blocking that can hold categorized scripts until the visitor chooses
Fits into a broader governance program (data mapping, DSARs, vendor risk) rather than standing alone
The 5 ways a correctly-installed OneTrust banner still leaks
None of these are bugs in OneTrust. They're the coverage and configuration gaps that show up on real sites — the reasons a banner that looks right can still fire trackers before consent:
1. Tags shipped outside the governance workflow In a large organization, marketing, product, and agencies all deploy tags. A script added outside OneTrust's categorization workflow — a campaign pixel, an A/B tool — fires before consent because OneTrust was never told it exists.
2. One template or region configured differently With geolocation rules and multiple banner templates, it only takes one template where auto-blocking wasn't enabled — or one region falling through the rules — for that slice of traffic to get untamed trackers.
3. Mis-categorized scripts in a big inventory The larger the cookie inventory, the easier it is for a session recorder or analytics tag to end up filed as strictly-necessary. That category loads pre-consent by design.
4. Tag-manager triggers that ignore consent state If GTM (or another tag manager) fires tags on page-load rather than on OneTrust's consent events, the banner and the tags are running on separate tracks.
5. Hardcoded pixels in legacy templates Older page templates and microsites often carry pixels pasted in years ago, before the CMP rollout — they never went through the banner at all.
Why independent verification matters
In our 2026 scan of 1,478 small-business websites, 58% fired at least one tracker before the visitor consented — and nearly every affected site already had some consent setup in place. That's not an argument against using OneTrust; it's the argument for verifying that any consent setup, from any vendor, is actually enforcing. A banner that displays and a banner that blocks look identical to the naked eye. The network tells the truth.
How RegSentry independently verifies enforcement
A real headless browser, not a checklist RegSentry loads your public pages the way a first-time visitor's browser would — with no stored cookies and no prior consent.
It never touches the banner The scan deliberately makes no consent interaction. Whatever contacts a third-party server in that window did so before consent — which is exactly what wiretapping and privacy claims turn on.
Every tracker's first contact, timestamped The scan records the precise moment each session-replay, analytics, chat, and ad-pixel script first calls home, so you get evidence — script, page, and timing — not a guess.
Independent by design RegSentry has no stake in your OneTrust configuration. It doesn't know or care which scripts are supposed to be gated — it just reports what actually fired. That independence is the point of a verification layer.
Then it keeps watching Monitoring re-scans on a schedule and emails you when a NEW tracker shows up firing before consent — so the tag someone adds next month doesn't quietly undo today's clean result.
How to verify your OneTrust setup in 30 seconds
Enter your domain below. No signup, no code to install, nothing changes on your site.
RegSentry loads your site in a real browser and never touches the OneTrust banner — it just watches the network, the way a plaintiff firm's scanner would.
Anything that fired before consent shows up in the report — which script, which page, when — plus the specific fix for each tool (gate it through OneTrust, correct its category, or wire the tag-manager trigger to consent).
Prefer to eyeball it first? Open your site in a fresh incognito window with DevTools → Network open, reload, and don't click the banner — requests to tracking domains before you consent are the leak. The scan just does that check thoroughly, on every page that matters, with evidence.
See whether your OneTrust banner is actually blocking — free, no signup.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.