Skip to main content

Cookies firing before consent

If you've checked your website with a tool like a scan or browser DevTools and noticed analytics or marketing cookies setting before the visitor accepts, you've found the most common compliance issue. This page covers how to fix it.

Why it happens

Most marketing and analytics scripts (Google Analytics, Facebook Pixel, hotjar, custom pixels) are designed to run as soon as they load. Unless something stops them, they set their cookies right away.

One Privacy's job is to tell those scripts when it's OK to run. If the scripts are loading before One Privacy has had a chance to communicate consent, you'll see them firing prematurely.

Fix 1: Make sure One Privacy loads first

Your One Privacy snippet should be in the <head> of your page, as high up as possible. If your tag manager or analytics tag loads before One Privacy, One Privacy can't set the right defaults in time.

Check the order of scripts in your page source. The One Privacy snippet should appear before:

Google Tag Manager.

Direct gtag.js or analytics.js installs.

Facebook Pixel.

Any third-party tracker.

Google Analytics and Google Ads respect Google Consent Mode v2, and One Privacy emits the right signals automatically. With Consent Mode in place, Google tags load but stay in a "waiting" state until consent is given.

For this to work:

The One Privacy snippet must load before your Google tags.

Your Google tags must have the standard Consent Settings (the default in GTM works).

Verify in DevTools that the first gtag('consent', 'default', ...) call is One Privacy's. See Google Consent Mode (developer reference).

For tags that don't support Google Consent Mode (older pixels, custom scripts), you need to load them only after consent is given.

In Google Tag Manager, use the One Privacy custom event as a trigger so tags only fire after the visitor accepts.

If your developer manages scripts by hand, gate them on the One Privacy JavaScript API:

gate-script.js
window.addEventListener('one-privacy-consent-updated', () => {
const accepted = window.onePrivacyCookieGroups || '';
if (accepted.includes('C0003')) {
// Performance allowed: load analytics
loadAnalytics();
}
});

Fix 4: Move tags out of your theme files

If your developer hard-coded a tag (Facebook Pixel, hotjar) directly into the website's HTML or theme file, it will always fire on page load.

Move those tags into Google Tag Manager (or another tag manager) so they can be triggered conditionally on consent.

How to verify the fix

Open your website in a fresh incognito session.

Open Chrome DevTools → Network tab.

Refresh the page. Filter for the tracker's domain (for example, google-analytics.com, facebook.com, hotjar.com).

Before clicking Accept, no requests to those domains should fire (or they should fire in their consentless mode for Google).

Click Accept. The tracker requests should appear.

What's next

Google Consent Mode.

Installing with Google Tag Manager.

Verifying the banner is live.

Contact support.