Violations
Advertising tracker persists after rejection
high Cookie Consent
Regulation
ePrivacy Directive — Cookie ConsentHow common
Common. Many CMP implementations fail to fully block advertising scripts after the user clicks 'Reject all,' especially when scripts are hardcoded rather than managed through a tag manager.
What this means
An advertising tracking script continued to send data to a third-party server after the visitor explicitly rejected cookies. The visitor said “no,” but the tracker kept running.
Why this is a serious violation
Post-rejection tracking is arguably worse than pre-consent tracking because:
- The visitor has actively expressed their refusal — continuing to track them disregards an explicit choice
- GDPR Art. 7(1) requires that consent withdrawal be as easy as giving consent; ignoring rejection undermines this principle
- Regulators view post-rejection tracking as a sign of negligent or intentional non-compliance, not mere technical oversight
How to fix
- Verify CMP integration: ensure your consent management platform actually blocks scripts after rejection, not just hides the banner
- Check for hardcoded scripts: scripts embedded directly in HTML templates bypass CMP controls
- Audit iframe embeds: advertising iframes may load their own tracking independently of the parent page’s CMP
- Test the rejection flow: use browser developer tools to verify that no advertising-domain requests fire after clicking “Reject all”
Check your website for this violation
Free scan — no registration required. Results in 30 seconds.
Scan now