Cookies firing before consent
If you've checked your website with a tool like a scan or browser DevTools and noticed analytics or marketing cookies setting before the visitor accepts, you've found the most common compliance issue. This page covers how to fix it.
Why it happens
Most marketing and analytics scripts (Google Analytics, Facebook Pixel, hotjar, custom pixels) are designed to run as soon as they load. Unless something stops them, they set their cookies right away.
One Privacy's job is to tell those scripts when it's OK to run. If the scripts are loading before One Privacy has had a chance to communicate consent, you'll see them firing prematurely.
Fix 1: Make sure One Privacy loads first
Your One Privacy snippet should be in the <head> of your page, as high up as possible. If your tag manager or analytics tag loads before One Privacy, One Privacy can't set the right defaults in time.
Check the order of scripts in your page source. The One Privacy snippet should appear before:
Google Tag Manager.
Direct gtag.js or analytics.js installs.
Facebook Pixel.
Any third-party tracker.
Fix 2: Use Google Consent Mode for Google tags
Google Analytics and Google Ads respect Google Consent Mode v2, and One Privacy emits the right signals automatically. With Consent Mode in place, Google tags load but stay in a "waiting" state until consent is given.
For this to work:
The One Privacy snippet must load before your Google tags.
Your Google tags must have the standard Consent Settings (the default in GTM works).
Verify in DevTools that the first gtag('consent', 'default', ...) call is One Privacy's. See Google Consent Mode (developer reference).
Fix 3: Gate non-Google tags behind consent
For tags that don't support Google Consent Mode (older pixels, custom scripts), you need to load them only after consent is given.
In Google Tag Manager, use the One Privacy custom event as a trigger so tags only fire after the visitor accepts.
If your developer manages scripts by hand, gate them on the One Privacy JavaScript API:
window.addEventListener('one-privacy-consent-updated', () => {
const accepted = window.onePrivacyCookieGroups || '';
if (accepted.includes('C0003')) {
// Performance allowed: load analytics
loadAnalytics();
}
});
Fix 4: Move tags out of your theme files
If your developer hard-coded a tag (Facebook Pixel, hotjar) directly into the website's HTML or theme file, it will always fire on page load.
Move those tags into Google Tag Manager (or another tag manager) so they can be triggered conditionally on consent.
How to verify the fix
Open your website in a fresh incognito session.
Open Chrome DevTools → Network tab.
Refresh the page. Filter for the tracker's domain (for example, google-analytics.com, facebook.com, hotjar.com).
Before clicking Accept, no requests to those domains should fire (or they should fire in their consentless mode for Google).
Click Accept. The tracker requests should appear.