Free scan
Works with OneTrust

Does OneTrust actually block trackers before consent?

When it's installed and configured correctly — yes, that's its job. The problem is that plenty of real-world setups leak anyway, for reasons that have nothing to do with OneTrust itself. Here's where the leaks come from, and how to verify yours in 30 seconds.

OneTrust is an enterprise privacy platform — consent management is one module alongside data mapping, DSAR automation, and vendor risk. Its cookie-consent product includes site scanning, geolocation-based banner rules, auto-blocking, and consent records, built for organizations running a full privacy program.

RegSentry is not a consent platform and doesn't replace OneTrust — it's the independent check that your OneTrust setup is actually holding trackers back until visitors consent. The two are complementary: one manages consent, the other verifies enforcement.

Verify your OneTrust setup — free real-browser scan, 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

What OneTrust does well

The 5 ways a correctly-installed OneTrust banner still leaks

None of these are bugs in OneTrust. They're the coverage and configuration gaps that show up on real sites — the reasons a banner that looks right can still fire trackers before consent:

1. Tags shipped outside the governance workflow
In a large organization, marketing, product, and agencies all deploy tags. A script added outside OneTrust's categorization workflow — a campaign pixel, an A/B tool — fires before consent because OneTrust was never told it exists.
2. One template or region configured differently
With geolocation rules and multiple banner templates, it only takes one template where auto-blocking wasn't enabled — or one region falling through the rules — for that slice of traffic to get untamed trackers.
3. Mis-categorized scripts in a big inventory
The larger the cookie inventory, the easier it is for a session recorder or analytics tag to end up filed as strictly-necessary. That category loads pre-consent by design.
4. Tag-manager triggers that ignore consent state
If GTM (or another tag manager) fires tags on page-load rather than on OneTrust's consent events, the banner and the tags are running on separate tracks.
5. Hardcoded pixels in legacy templates
Older page templates and microsites often carry pixels pasted in years ago, before the CMP rollout — they never went through the banner at all.

Why independent verification matters

In our 2026 scan of 1,478 small-business websites, 58% fired at least one tracker before the visitor consented — and nearly every affected site already had some consent setup in place. That's not an argument against using OneTrust; it's the argument for verifying that any consent setup, from any vendor, is actually enforcing. A banner that displays and a banner that blocks look identical to the naked eye. The network tells the truth.

How RegSentry independently verifies enforcement

A real headless browser, not a checklist
RegSentry loads your public pages the way a first-time visitor's browser would — with no stored cookies and no prior consent.
It never touches the banner
The scan deliberately makes no consent interaction. Whatever contacts a third-party server in that window did so before consent — which is exactly what wiretapping and privacy claims turn on.
Every tracker's first contact, timestamped
The scan records the precise moment each session-replay, analytics, chat, and ad-pixel script first calls home, so you get evidence — script, page, and timing — not a guess.
Independent by design
RegSentry has no stake in your OneTrust configuration. It doesn't know or care which scripts are supposed to be gated — it just reports what actually fired. That independence is the point of a verification layer.
Then it keeps watching
Monitoring re-scans on a schedule and emails you when a NEW tracker shows up firing before consent — so the tag someone adds next month doesn't quietly undo today's clean result.

How to verify your OneTrust setup in 30 seconds

  1. Enter your domain below. No signup, no code to install, nothing changes on your site.
  2. RegSentry loads your site in a real browser and never touches the OneTrust banner — it just watches the network, the way a plaintiff firm's scanner would.
  3. Anything that fired before consent shows up in the report — which script, which page, when — plus the specific fix for each tool (gate it through OneTrust, correct its category, or wire the tag-manager trigger to consent).

Prefer to eyeball it first? Open your site in a fresh incognito window with DevTools → Network open, reload, and don't click the banner — requests to tracking domains before you consent are the leak. The scan just does that check thoroughly, on every page that matters, with evidence.

See whether your OneTrust banner is actually blocking — free, no signup.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Related

RegSentry vs OneTrust — full comparison The state of website tracking 2026 Free cookie consent checker All consent platforms
Run a free scan Monitor my site ($99/mo)