
Analytics tracker fires before consent

Severity: high | Category: Cookie Consent

How common

The most common cookie violation. Google Analytics alone is present on over 50% of websites, and many implementations load before consent.

What this means

An analytics tracking script (such as Google Analytics, Matomo cloud, Hotjar, or similar) loaded and began collecting data before the visitor interacted with the cookie consent banner.

Why this is a violation

Analytics trackers store information (cookies, identifiers) on the user’s device and transmit browsing data to a third-party server. Under ePrivacy Directive Art. 5(3), this requires prior consent.

The “analytics exemption” myth

Some website operators believe analytics are exempt from consent. This is a misreading of the law:

  • NL Telecommunicatiewet art. 11.7a(3)(b) permits analytics only when they are “strictly necessary for the requested service” and cause “little or no privacy impact.” The Dutch DPA (AP) has held that Google Analytics in default configuration does not meet this test because data is transmitted to the US and re-used by Google.
  • CNIL (France) permits audience measurement without consent only for tools that meet strict conditions (no cross-site tracking, data stays in the EU, first-party only).
  • Google Analytics 4 in default configuration, Hotjar, Mixpanel, and similar tools do not qualify for any exemption.

What does qualify for exemption?

Self-hosted, first-party analytics with no cross-site tracking and minimal data collection may qualify in some jurisdictions. Examples: Matomo self-hosted (with IP anonymization), Plausible, Fathom. Even then, the specific configuration must meet the jurisdiction’s requirements.

How to fix

  1. Gate analytics behind CMP consent: do not load Google Analytics, Hotjar, Mixpanel, or similar tools until the visitor consents
  2. Consider consent-free alternatives: self-hosted Matomo or privacy-focused analytics (Plausible, Fathom) may qualify for exemption in some jurisdictions if properly configured
  3. Use Google Consent Mode v2: configure GA4 to respect consent signals and not store cookies before consent
  4. Remove legacy analytics.js / gtag.js: ensure no old snippets remain in templates
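Steps 1 and 3 combined, as an added example that is not code from the original page: a GA4 loader that sets Consent Mode v2 defaults to denied and requests gtag.js only after the CMP reports analytics consent. `createAnalyticsGate`, `onConsent`, the `{ analytics: boolean }` shape of the CMP callback, and the `G-XXXXXXXXXX` measurement ID are assumptions made for illustration.

```javascript
// Added example: consent-gated GA4 loader (hypothetical helper names).
// MEASUREMENT_ID is a placeholder, not a real property ID.
const MEASUREMENT_ID = 'G-XXXXXXXXXX';

function createAnalyticsGate(win, doc, measurementId) {
  let loaded = false;
  win.dataLayer = win.dataLayer || [];
  // gtag pushes the `arguments` object itself, so it must be a plain function.
  function gtag() { win.dataLayer.push(arguments); }

  // Consent Mode v2 defaults: every signal denied until the visitor chooses.
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
  });

  return {
    isLoaded: () => loaded,
    // choice: { analytics: boolean } as reported by the CMP (assumed shape).
    onConsent(choice) {
      // Fail closed: anything other than a strict `true` counts as no consent.
      const granted = Boolean(choice && choice.analytics === true);
      gtag('consent', 'update', {
        analytics_storage: granted ? 'granted' : 'denied',
      });
      if (!granted || loaded) return loaded;
      // Only now is the third-party script requested at all.
      const s = doc.createElement('script');
      s.async = true;
      s.src = 'https://www.googletagmanager.com/gtag/js?id=' +
        encodeURIComponent(measurementId);
      doc.head.appendChild(s);
      gtag('js', new Date());
      gtag('config', measurementId);
      loaded = true;
      return loaded;
    },
  };
}

// In a page: const gate = createAnalyticsGate(window, document, MEASUREMENT_ID);
// then call gate.onConsent({ analytics: true|false }) from the CMP callback.
```

Calling `onConsent({ analytics: false })` after the script has loaded sends a denied update, which covers consent withdrawal; the script element itself is added at most once.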
