Severity: high. Finding ID: gdpr-tracker-script-pre-consent

Tracker script loaded before consent

A third-party tracking script downloads and runs on the very first page load, before the visitor has given consent. Under GDPR and TDDDG that is unlawful processing, even if the script "doesn't do anything yet".

What this means in plain English

Your page contains a <script> tag, or an inline snippet that creates one at runtime, pointing at a known tracker host. The script is fetched and executed during initial page load, before the visitor has seen any consent banner, let alone clicked anything in it.

Common offenders include googletagmanager.com, google-analytics.com, connect.facebook.net, static.hotjar.com, script.crazyegg.com, cdn.mouseflow.com, cdn.heapanalytics.com, and cdn.matomo.cloud (when not self-hosted). All of these “phone home” the moment they load. They send the visitor’s IP address, user agent, page URL, and a unique identifier to the tracker vendor.

Why it matters

A few facts about the legal weight of this finding.

  1. The IP address is personal data. The European Court of Justice confirmed this in Breyer (C-582/14, 2016). Sending an IP to a third country (US for Google, Meta, Hotjar) without consent triggers GDPR Article 6 plus the Schrems II provisions on international transfers.

  2. Consent must come first. TDDDG §25 and ePrivacy Article 5(3) require consent before any storage or access on the visitor’s device. A script that fetches a remote resource and reads or writes browser storage on first load is exactly the action they prohibit.

  3. “It only loads, it doesn’t track yet” is not a defence. German authorities and courts have consistently held that loading the script is itself the data transfer. The Munich I court (Az. 3 O 17493/20, January 2022) ordered €100 in damages plus an injunction for a single Google Fonts request. Our Google Fonts article covers the same logic in detail.

  4. “Anonymous Analytics” still requires consent. Google Analytics 4’s “anonymous” mode still loads the GTM/GA script, still sets cookies unless explicitly disabled, and still sends the IP to Google before any truncation happens. The script load itself requires consent.

How to fix it

Two complementary approaches, depending on how the script gets onto your page.

If the script is in your page template (a hard-coded <script> tag), move it into your consent platform’s “after consent” hook. Most platforms ship a wrapper that lets you tag a script with the relevant vendor name. The platform then replaces it with a placeholder until consent is given.

If the script is loaded via Google Tag Manager, change every analytics or marketing tag’s trigger in GTM from “All Pages” to a custom event the consent platform fires after consent. Cookiebot fires cookie_consent_update; Borlabs fires borlabs-cookie-config-loaded; Real Cookie Banner uses RCB-CookieAcceptedCategory. Document the GTM setup so it survives platform migrations.

After the fix, verify in a fresh incognito window. Open developer tools, go to the Network tab, decline cookies, reload the page, and filter for the tracker host. There must be zero requests until you click “Accept”.
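The following is an added example, not blueredix's or any consent platform's own code, showing the template-side fix and the "zero requests before Accept" check in one place. It assumes a build step that can rewrite the page template, and the `type="text/plain"` plus `data-consent-src` placeholder convention is an assumption of this example, not a standard.

```javascript
// Added example (not blueredix code). TRACKER_HOSTS are the hosts the finding names.
const TRACKER_HOSTS = [
  'googletagmanager.com', 'google-analytics.com', 'connect.facebook.net',
  'static.hotjar.com', 'script.crazyegg.com', 'cdn.mouseflow.com',
  'cdn.heapanalytics.com', 'cdn.matomo.cloud',
];

// Constructed sample template: one tracker tag, one first-party tag.
const SAMPLE_TEMPLATE = '<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>\n'
  + '<script src="/js/app.js"></script>';

// True when a script URL points at a tracker host or one of its subdomains.
// Relative URLs resolve against a dummy base, so first-party paths never match.
function isTrackerUrl(src) {
  let host;
  try { host = new URL(src, 'https://first-party.invalid/').hostname; } catch { return false; }
  return TRACKER_HOSTS.some(h => host === h || host.endsWith('.' + h));
}

const SCRIPT_TAG = /<script\b([^>]*)\ssrc=(["'])([^"']+)\2([^>]*)>/gi;

// Template/build-time step: a script with type="text/plain" is neither fetched nor
// executed, so nothing is requested before consent; the real URL is parked in
// data-consent-src. Only <script src> tags are rewritten: inline loader snippets
// (e.g. the GTM bootstrap) must be moved into the consent hook by hand.
function gateTrackerScripts(html) {
  return html.replace(SCRIPT_TAG, (tag, before, q, src, after) => {
    if (!isTrackerUrl(src)) return tag;
    const attrs = (before + after).replace(/\stype=(["'])[^"']*\1/i, '');
    return `<script type="text/plain" data-consent-src=${q}${src}${q}${attrs}>`;
  });
}

// Verification helper: tracker URLs a browser would still fetch on first load.
// Expect an empty list after gating (the "zero requests before Accept" check).
function activeTrackerScripts(html) {
  return [...html.matchAll(SCRIPT_TAG)]
    .filter(m => !/\stype=["']text\/plain["']/i.test(m[1] + m[4]))
    .map(m => m[3]).filter(isTrackerUrl);
}

// Browser-side step, called from the consent platform's "after consent" hook (e.g.
// Cookiebot's cookie_consent_update event): restore each placeholder as a real
// <script> so the tracker is fetched only now. Returns the number restored.
function loadGatedScripts(doc) {
  const gated = doc.querySelectorAll('script[data-consent-src]');
  gated.forEach(p => {
    const s = doc.createElement('script');
    s.src = p.getAttribute('data-consent-src');
    s.async = true;
    p.replaceWith(s);
  });
  return gated.length;
}
```

Running `activeTrackerScripts` over the rendered page before and after gating gives the same answer the Network-tab check should: one tracker URL before, none after.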

Further reading