
What actually counts as cookie rejection? A technical breakdown

Elgarde Team · 3 min read

The promise of “Reject all”

When a visitor clicks “Reject all” on a cookie consent banner, the expectation is clear: no tracking cookies, no analytics scripts, no advertising pixels. Only strictly necessary cookies — those required for the website to function — should remain.

That’s the legal requirement under the ePrivacy Directive (2002/58/EC, amended by 2009/136/EC), as interpreted by EU data protection authorities. Consent must be freely given, specific, informed, and unambiguous. Rejection must be equally effective.

The reality is different. Our analysis of 500 EU e-commerce websites found that 73% fire at least one non-essential tracker after the user clicks “Reject all”.

What should happen

After rejection, a compliant website should:

  1. Set only strictly necessary cookies — session identifiers, load balancing tokens, CSRF protection tokens, and the consent preference cookie itself.
  2. Load no third-party analytics — Google Analytics, Meta Pixel, Hotjar, and similar tools must not execute.
  3. Fire no advertising tags — Google Ads conversion tracking, Meta CAPI events, TikTok Pixel, and any other conversion or retargeting infrastructure must be blocked.
  4. Skip non-essential third-party resources — embedded fonts from third-party CDNs, social media widgets, and chat tools that set tracking cookies should be deferred until consent is granted.

What actually happens

The most common violations we detect:

1. Google Analytics firing before or despite rejection

This is the single most common violation. GA4 (gtag.js or analytics.js) loads as part of the page’s base template, often in the <head> tag, before the consent management platform (CMP) has a chance to block it.

Why it happens: Many CMP integrations rely on a “blocking” mechanism that intercepts script tags. But if the GA4 script is loaded as a standard <script> tag with async, it can execute before the CMP’s blocking script initializes.

Severity: High. Google Analytics sets the _ga and _ga_* cookies, which are unique identifiers that persist for 2 years by default. These are unambiguously tracking cookies.

2. Meta Pixel surviving rejection

The Meta Pixel (fbevents.js) frequently fires a PageView event even after rejection. Some CMP configurations block the initial script load but fail to prevent the Pixel from firing via a server-side event or via a tag manager container that re-injects it.

3. CMP’s own cookies being non-compliant

Ironically, some consent management platforms themselves set non-essential cookies. The consent preference cookie is necessary. But additional cookies for CMP analytics, A/B testing of banner layouts, or cross-domain consent sharing are not.

4. Third-party fonts and CDNs leaking data

Google Fonts, loaded from fonts.googleapis.com, sends the user’s IP address, referrer, and User-Agent to Google’s servers. While a legitimate-interest argument can technically be made for font delivery, several DPAs (notably the Austrian DSB in January 2022) have ruled that loading Google Fonts from Google’s servers without consent violates GDPR.

How Elgarde detects this

Our scanner takes a different approach from most tools. Instead of analyzing source code or consent configuration files, we simulate a real user visit:

  1. Load the page in a real browser (Chromium via Playwright).
  2. Reject all cookies by interacting with the CMP banner.
  3. Wait for the page to fully load, including deferred scripts and lazy-loaded resources.
  4. Capture the full network traffic (HAR) and compare it against our tracker database.
  5. Check all cookies set after rejection and classify each as necessary or non-essential.

This approach catches violations that static analysis misses — because the violation happens at runtime, not in the source code.
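Steps 4 and 5 above, the comparison of captured traffic and cookies against a tracker list, as an added example that is not Elgarde’s scanner code: it takes the HAR entries and cookie jar a Playwright run would hand back and returns one finding per non-essential request or cookie. The host patterns, the allow-listed cookie names, and the sample capture are assumptions constructed for illustration, not Elgarde’s tracker database.

```javascript
// Added example, not Elgarde's scanner: flag non-essential requests and cookies
// observed after "Reject all". Patterns are illustrative, not a full tracker DB.
const TRACKERS = [
  { name: 'Google Analytics', host: /(^|\.)google-analytics\.com$/ },
  { name: 'GA4 gtag.js', host: /(^|\.)googletagmanager\.com$/, path: /^\/gtag\/js/ },
  { name: 'Meta Pixel', host: /(^|\.)facebook\.(com|net)$/ },
  { name: 'Google Fonts', host: /^fonts\.(googleapis|gstatic)\.com$/ },
];
// Cookies a site may keep after rejection: session, CSRF, and the CMP's own
// consent-preference cookie (assumed names; extend for your own stack).
const NECESSARY = [/^(PHPSESSID|JSESSIONID|sessionid)$/i, /^(csrftoken|XSRF-TOKEN)$/i, /^(OptanonConsent|CookieConsent)$/];
// Known tracking cookies: _ga/_ga_* from the article, plus _gid and _fbp.
const TRACKING = [/^_ga(_.+)?$/, /^_gid$/, /^_fbp$/];
function classifyCookie(name) {
  if (NECESSARY.some((re) => re.test(name))) return 'necessary';
  if (TRACKING.some((re) => re.test(name))) return 'tracking';
  return 'unknown'; // neither allow-listed nor a known tracker: review manually
}
function matchTracker(urlString) {
  const { hostname, pathname } = new URL(urlString);
  const hit = TRACKERS.find((t) => t.host.test(hostname) && (!t.path || t.path.test(pathname)));
  return hit ? hit.name : null;
}
// harEntries: HAR `log.entries`; cookies: {name, domain} objects such as
// Playwright's context.cookies() returns. Returns one finding per violation.
function auditAfterRejection(harEntries, cookies) {
  const findings = [];
  for (const { request } of harEntries) {
    const tracker = matchTracker(request.url);
    if (tracker) findings.push({ kind: 'request', tracker, url: request.url });
  }
  for (const { name, domain } of cookies) {
    const classification = classifyCookie(name);
    if (classification !== 'necessary') findings.push({ kind: 'cookie', name, domain, classification });
  }
  return findings;
}

// Constructed sample of what a post-rejection capture of a leaky site might hold.
const SAMPLE_HAR = [
  'https://shop.example/',
  'https://region1.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE',
  'https://www.facebook.com/tr/?id=000&ev=PageView',
  'https://fonts.googleapis.com/css2?family=Inter',
].map((url) => ({ request: { url } }));
const SAMPLE_COOKIES = [
  { name: 'PHPSESSID', domain: 'shop.example' }, { name: 'OptanonConsent', domain: 'shop.example' },
  { name: '_ga', domain: '.shop.example' }, { name: '_ga_ABC123', domain: '.shop.example' },
];
console.log(JSON.stringify(auditAfterRejection(SAMPLE_HAR, SAMPLE_COOKIES), null, 2));
```

On the sample capture this reports three tracker requests and two tracking cookies; the session and consent cookies pass as necessary.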

What to do about it

If your website uses a CMP (OneTrust, Cookiebot, CookieYes, Osano, etc.):

  1. Test the rejection path — use your browser’s DevTools to monitor network requests and cookies after clicking “Reject all”. You should see no GA4, Meta, or other analytics requests.
  2. Move scripts behind consent gates — don’t load analytics scripts in <head>. Use your CMP’s consent-gated script loading mechanism, or defer scripts conditionally.
  3. Audit your tag manager — Google Tag Manager containers often contain tags that fire on “All Pages” regardless of consent state. Configure consent mode properly.
  4. Check third-party resources — self-host fonts, defer social widgets, and avoid CDNs that set cookies.

Check your website’s cookie consent compliance — free scan, no registration required.
