Elgarde
Violations

Advertising tracker fires before consent

critical Cookie Consent

Regulation

ePrivacy Directive — Cookie Consent

How common

Very common. Advertising scripts (Google Ads, Meta Pixel, programmatic ad SDKs) are among the most frequent pre-consent violations found in EU website scans.

What this means

An advertising tracking script loaded and sent data to a third-party server before the visitor interacted with the cookie consent banner. This means the visitor’s browsing behavior was shared with an ad network without their knowledge or permission.

Why this is critical

Advertising trackers are designed to profile users across websites. Pre-consent loading means:

  • Personal data (IP address, browsing behavior, device fingerprint) is transmitted to a third party before consent
  • The visitor has no opportunity to object before the data leaves their device
  • The ad network may use this data for cross-site profiling, audience building, and retargeting

This is a direct violation of ePrivacy Directive Art. 5(3), which requires consent before storing or accessing information on a user’s terminal equipment. Advertising trackers have no exemption — they serve neither “transmission” nor “strictly necessary service” purposes.

Common examples

  • Google Ads / Google Marketing Platform tags firing in the <head> before CMP initialization
  • Meta Pixel (Facebook) loaded via a hardcoded <script> tag
  • Programmatic ad SDKs (Criteo, The Trade Desk, etc.) embedded in the page template
  • Ad verification scripts (DoubleVerify, IAS) that fire unconditionally

Enforcement precedents

  • Dutch DPA (AP): fined a retailer EUR 600,000 for third-party advertising trackers loading before consent (2024)
  • CNIL (France): fined Google EUR 150 million for cookie consent violations related to advertising (2022)

How to fix

  1. Gate all advertising scripts behind CMP consent: configure your consent management platform to block advertising-category scripts until the visitor clicks “Accept”
  2. Use tag manager consent mode: Google Tag Manager and similar tools support consent-aware triggering
  3. Audit third-party scripts: many ad scripts auto-load sub-resources; ensure the entire chain is gated
  4. Test with cookies rejected: load your site with all cookies rejected and verify no ad-network requests fire

Check your website for this violation

Free scan — no registration required. Results in 30 seconds.

Scan now
← All violations ePrivacy Directive — Cookie Consent →