If your Consent Mode website set cookies before user consents, this violates the GDPR and the ePrivacy Directive. This problem frequently occurs when scripts are loaded before the consent check. Additionally, an incorrect tag firing order in Google Tag Manager can also be the cause. Consequently, you risk legal warnings and fines.

Why Your Website Sets Cookies Before the User Consents

The most common reason is an incorrect loading order. When Google Tag Manager is initialized before the consent banner, tags can already set cookies. As a result, your website sets cookies before the user has even had the chance to accept or decline. Moreover, some themes or plugins load their own tracking scripts directly in the header. Therefore, these are not captured by Consent Mode. Further guidance can be found in our FAQ on tracking without consent.

How to Prevent Cookies Before Consent

First, you must ensure that the consent default is set before all other scripts. Subsequently, the GTM should only load after that. Furthermore, all tags in the GTM must be configured with a consent condition. As a result, they only fire after consent is granted. Google describes this process in detail in the Google Tag Platform consent documentation.

Our Recommendation

We recommend thoroughly reviewing the loading order of your scripts. First, the consent default should be set before the GTM loads. Then, you must migrate all directly embedded tracking scripts into the Tag Manager. Additionally, regular cookie audits using tools like Cookiebot Scanner are advisable to ensure no cookies are set before consent.

Conclusion

In summary, cookies before consent represent a serious GDPR risk. However, this problem is solvable with the right configuration. Contact us for a professional cookie audit.