Nixon Digital

Tracking Before Consent: Why Most Websites Still Get It Wrong

Across virtually every sector, websites load third-party tracking scripts before the consent banner appears. This is not a fringe issue or an edge case. It is one of the most common GDPR violations in existence – and enforcement authorities have made it a central focus of their 2025 and 2026 enforcement programs.

This is not a small compliance gap. It’s a systemic failure.

What Enforcement Actions Tell Us

Regulators have been explicit. The EDPB’s 2024 and 2025 coordinated enforcement exercises on consent management documented widespread non-compliance with pre-consent blocking requirements. National DPAs – including the CNIL, the Dutch AP, the ICO and the Belgian DPA – have all published findings showing that a significant majority of websites they audited failed to block non-essential tracking before consent was granted.

The CNIL’s 2023 sweep of 150 websites found that the majority failed to honor the “Reject All” option correctly, and many continued loading tracking scripts regardless of user choice. The AP has taken enforcement action against multiple Dutch organizations for exactly this violation. The pattern is consistent across jurisdictions: pre-consent tracking is the rule, not the exception.

The most common pre-consent scripts appear repeatedly in enforcement cases and technical audits:

  • Google Analytics: consistently the most widespread violation
  • Facebook Pixel and Meta tools: common in e-commerce and media
  • YouTube embeds: frequently loaded with tracking enabled by default
  • Google Fonts: often overlooked but can create third-party data flows

These are household names in web tracking. Organizations know how widely deployed they are. Yet they load them before anyone clicks “Accept.”

The Pattern Across Industries

Pre-consent tracking is not distributed evenly. Enforcement patterns and sector-specific audits reveal consistent differences across industries.

E-commerce and media websites show the worst compliance. Their revenue models depend on conversion tracking, retargeting pixels and behavioral analytics. The business incentive to load tracking scripts immediately is strong – which is precisely why regulators have focused enforcement on these sectors.

Healthcare websites present a particularly serious concern. Health-related browsing qualifies as sensitive personal data under GDPR, CPRA and multiple US state privacy laws. Loading Facebook Pixel or Google Analytics before consent on a healthcare website creates legal exposure in multiple jurisdictions simultaneously.

Government websites tend to perform better than commercial sectors, but enforcement authorities have documented significant non-compliance in public sector organizations as well. Citizens accessing government services have a reasonable expectation of stronger privacy protection, not weaker.

Why Tracking Before Consent Happens: The Technical Reality

Pre-consent tracking rarely happens by accident. It usually happens because of one of three failures:

Race conditions in tag management. Websites use tools like Google Tag Manager to manage scripts. But if the consent management system doesn’t load early enough, GTM can fire tracking tags before consent is checked. The CMP and the tag manager get into a race and the tracking scripts often win.

Misconfigured CMPs. Some websites implement consent management platforms but fail to configure them correctly. They might set the default state to “all consent granted” instead of “all consent denied.” Or they might forget to disable specific tracking tags in the GTM interface. The consent banner appears, but the scripts are already running.

Embedded third-party scripts loaded directly. Many websites load tracking scripts directly in the HTML instead of through a tag manager. Google Fonts, YouTube embeds, and analytics libraries are often embedded this way. The HTML loads, the script loads and consent has not been checked.

Each of these issues is fixable. None of them require architectural changes. They require attention.

Why This Matters Legally

The European Data Protection Board (EDPB) has been explicit on this point. In their guidelines on consent, the EDPB stated that consent must be obtained before data processing begins. Loading a tracking script is data processing. It begins the moment the script executes and sends data to third-party servers. If that happens before consent, it is illegal under GDPR.

California’s privacy regulators have reached similar conclusions. Under the California Privacy Protection Agency’s enforcement actions in 2025 and early 2026, companies that loaded tracking pixels before recognizing opt-out signals faced significant fines. The CPPA treats pre-consent tracking as an intentional violation, not an oversight.

Moreover, many US states now recognize Universal Opt-Out Mechanisms (UOOM). Under regulations in California, Connecticut, Oregon, Colorado, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire, and Texas, websites must respect browser signals that indicate the visitor has opted out. But if a tracking script loads before the CMP checks for that signal, the website never gets the chance to honor it.

Pre-consent tracking also creates liability under state privacy laws. Virginia’s VCDPA, Colorado’s CPA and Utah’s UCPA all require consent before collecting personal information for targeted advertising. Loading a retargeting pixel before consent violates these laws.

What Compliant Implementation Looks Like

Websites that handle this correctly follow a clear sequence:

  1. The CMP loads and runs immediately, before other scripts.
  2. The CMP checks for prior consent or UOOM signals.
  3. If no consent is found, the CMP sets variables that tag managers and CMSs can check.
  4. Tracking tags remain blocked until consent is granted or a visitor explicitly accepts.
  5. Only after consent is confirmed do third-party tracking scripts fire.

This sequence is not new. Vendors like Segment, Google Tag Manager and every dedicated CMP have published guides on how to implement this correctly. The issue is not that websites do not know how. It is that some choose not to.
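The five-step sequence above as a minimal consent gate, written here as an added example rather than any vendor's or Nixon Digital's code; step 1 is satisfied by running this inline in the document head before the tag manager snippet. It assumes prior consent is stored in a cookie named consent_state holding JSON, that purpose keys use the Google Consent Mode names, and that the Universal Opt-Out signal is exposed as navigator.globalPrivacyControl.

```javascript
// Added example, not Nixon Digital's or any vendor's code. Assumes a "consent_state" JSON
// cookie, Google Consent Mode purpose names and navigator.globalPrivacyControl as the UOOM.
const DEFAULT_DENIED = Object.freeze({          // the "all consent denied" default;
  analytics_storage: 'denied',                  // shipping "granted" here is the CMP
  ad_storage: 'denied',                         // misconfiguration the article describes
  ad_user_data: 'denied',
  ad_personalization: 'denied',
});

// Step 2a: read prior consent from the cookie header, keeping only known keys and values.
function readPriorConsent(cookieHeader) {
  const match = /(?:^|;\s*)consent_state=([^;]*)/.exec(cookieHeader || '');
  if (!match) return null;
  let parsed;
  try { parsed = JSON.parse(decodeURIComponent(match[1])); } catch (e) { return null; }
  if (!parsed || typeof parsed !== 'object') return null;
  const clean = {};
  for (const key of Object.keys(DEFAULT_DENIED)) {
    if (parsed[key] === 'granted' || parsed[key] === 'denied') clean[key] = parsed[key];
  }
  return Object.keys(clean).length ? clean : null;
}

// Step 2b: a Universal Opt-Out signal overrides any stored "granted" state.
function hasOptOutSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Step 3: the state the tag manager reads. Nothing is granted unless the cookie says
// so and no opt-out signal is present; an unreadable cookie falls back to denied.
function resolveConsentState(cookieHeader, nav) {
  if (hasOptOutSignal(nav)) return { ...DEFAULT_DENIED, source: 'uoom' };
  const prior = readPriorConsent(cookieHeader);
  if (prior) return { ...DEFAULT_DENIED, ...prior, source: 'cookie' };
  return { ...DEFAULT_DENIED, source: 'default' };
}

// Steps 4-5: each tag declares the purpose it needs; inject a tag only when that
// purpose is granted. tags: [{name, purpose}] (constructed catalogue below).
function gateTags(state, tags) {
  const load = [], block = [];
  for (const tag of tags) (state[tag.purpose] === 'granted' ? load : block).push(tag.name);
  return { load, block };
}

const TAGS = [{ name: 'google-analytics', purpose: 'analytics_storage' },
  { name: 'meta-pixel', purpose: 'ad_storage' }, { name: 'youtube-embed', purpose: 'ad_storage' }];

// Fresh visitor, no cookie, no opt-out signal: everything stays blocked until they accept.
console.log(gateTags(resolveConsentState('', {}), TAGS)); // { load: [], block: [all three] }
```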

One more point: Google Fonts and similar non-tracking resources are often exempted from this process. A resource that simply serves a font file, with no data collection, falls outside the definition of tracking. However, websites should still load these resources in a way that respects visitor choices. If a website can legitimately avoid loading Google Fonts until after consent, it should.

How to Detect This on Your Own

If you manage a website, you can audit your own pre-consent tracking by opening the Network tab in your browser’s developer tools, reloading the page, and watching which third-party requests fire before the consent banner appears. Look for domains associated with Google Analytics, Facebook, LinkedIn, TikTok, and other ad networks. If you see requests to these domains before the consent banner is interactive, you have a pre-consent tracking problem.

But manual auditing is slow and error-prone, especially across dozens of pages and after each update. Nixon Pro scans for pre-consent tracking automatically. You input a website URL, and the tool simulates a visitor with no prior consent, records which scripts fire and flags any trackers that load before the CMP confirms consent. This gives you a clear report on where your website stands.
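The Network-tab check above, applied to a captured request list instead of by eye. This is an added example and not Nixon Pro's scanner; the tracker host map and the sample capture are constructed, and consentConfirmedAt is the assumed timestamp (ms after navigation start) at which the CMP recorded acceptance.

```javascript
// Added example, not Nixon Pro's code. Constructed map of tracker host suffixes to the
// vendors named in the article; extend it for the ad networks your site actually uses.
const TRACKER_HOSTS = {
  'google-analytics.com': 'Google Analytics',
  'connect.facebook.net': 'Meta Pixel',
  'facebook.com': 'Meta Pixel',
  'licdn.com': 'LinkedIn Insight Tag',
  'tiktok.com': 'TikTok Pixel',
  'youtube.com': 'YouTube embed',
  'fonts.googleapis.com': 'Google Fonts',
};

// Suffix match on the registrable domain, so "notfacebook.com" does not match "facebook.com".
function hostMatches(hostname, suffix) {
  return hostname === suffix || hostname.endsWith('.' + suffix);
}

function vendorFor(hostname) {
  for (const [suffix, vendor] of Object.entries(TRACKER_HOSTS)) {
    if (hostMatches(hostname, suffix)) return vendor;
  }
  return null;
}

// requests: [{url, startTime}] with startTime in ms after navigation start, as in a HAR
// export. consentConfirmedAt: the moment the CMP recorded acceptance, or null when the
// capture ended without consent (then every tracker request counts as pre-consent).
function findPreConsentRequests(requests, consentConfirmedAt) {
  const findings = [];
  for (const req of requests) {
    let hostname;
    try { hostname = new URL(req.url).hostname; } catch (e) { continue; } // skip malformed URLs
    const vendor = vendorFor(hostname);
    if (!vendor) continue;                      // first-party or unknown host
    if (consentConfirmedAt !== null && req.startTime >= consentConfirmedAt) continue;
    findings.push({ vendor, hostname, url: req.url, startTime: req.startTime });
  }
  return findings.sort((a, b) => a.startTime - b.startTime);
}

// Constructed capture of a shop page: the visitor clicked "Accept" at 2500 ms.
const SAMPLE_REQUESTS = [
  { url: 'https://www.example-shop.test/', startTime: 0 },
  { url: 'https://cdn.example-shop.test/app.js', startTime: 150 },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', startTime: 740 },
  { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER', startTime: 610 },
  { url: 'https://analytics.tiktok.com/i18n/pixel/events.js', startTime: 2900 },
];
console.log(findPreConsentRequests(SAMPLE_REQUESTS, 2500)); // GA at 610 ms, Meta Pixel at 740 ms
```

Anything the function returns is a tracker that fired while the visitor had not yet consented; run it against a HAR export of each template page after every release.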

The Bottom Line

Pre-consent tracking is not a marginal compliance issue. Regulatory enforcement actions across Europe and the US consistently show it as one of the most widespread failures of privacy-by-design. The fix is within reach for every website owner. The question is whether they will prioritize privacy or continue to prioritize immediate data collection.

For regulators and compliance professionals, enforcement actions have confirmed what technical audits consistently show: pre-consent tracking is common, often deliberate, and increasingly costly. For website owners, the message is simpler: audit your site, fix the race conditions and configure your CMP to block everything non-essential until consent is granted.

The visitors to your website deserve nothing less.

The EDPB Guidelines 05/2020 on consent and CNIL’s enforcement guidance are the primary regulatory references for pre-consent tracking requirements.