Cookie Compliance

The Top 10 Pre-Consent Cookie Violations (And How to Fix Them)

Gretelfy Team · February 3, 2026 · 11 min read
Tags: violations, cookies, GDPR, compliance, fixes

After scanning thousands of websites, we've identified the most common pre-consent violations that put site owners at risk of GDPR fines. Here are the top 10 offenders—and exactly how to fix each one.

1. Google Analytics Cookies Set on Page Load

The Violation: Google Analytics cookies (_ga and the GA4 _ga_<container-id> cookie, plus _gid on legacy Universal Analytics setups) are set as soon as the page loads, before any consent interaction.

Why It's Risky: Google Analytics is one of the first things regulators check. It is well known, easy to detect, and clearly falls into the "analytics" category that requires consent.

How to Fix It:

In Google Tag Manager:

  1. Create a Custom Event trigger that fires on the dataLayer event your CMP pushes when analytics consent is granted
  2. Change your GA4 Google tag and GA4 event tags to fire only on that trigger
  3. Remove any "All Pages", "Initialization" or "Page View" triggers from GA tags
  4. In each tag's Consent Settings, enable "Require additional consent for tag to fire" with analytics_storage, so the tag stays blocked even if the trigger ever fires early
  5. Test in Preview mode before publishing: with consent refused, the GA tag should show as not fired and no _ga cookie should be present

For hardcoded GA scripts:

  1. Remove the GA script from your HTML
  2. Move it to GTM with proper consent conditions
  3. Or use your CMP's script blocking feature

Verification: After fixing, load the site in a fresh browser profile (or after clearing site data, so no earlier consent choice is remembered) and scan it. GA cookies should not appear until after consent is given.


2. Facebook Pixel Firing on Page Load

The Violation: The Facebook Pixel (_fbp cookie) initializes and sends data to Facebook before users consent.

Why It's Risky: Facebook Pixel is a marketing cookie that enables ad targeting. It's one of the highest-risk cookie categories under GDPR.

How to Fix It:

In Google Tag Manager:

  1. Update your Facebook Pixel tag trigger to require marketing consent, and enable "Require additional consent for tag to fire" with ad_storage in the tag's Consent Settings
  2. Ensure the fbq('init', ...) call only runs after consent; if the base code must be present earlier, call fbq('consent', 'revoke') before init and fbq('consent', 'grant') once marketing consent is given
  3. Check for multiple instances of the pixel (sometimes added by plugins and hardcoded); a second, unmanaged copy will set _fbp regardless of how well the first one is gated

Check for duplicate implementations:

  • Search your codebase for fbq(
  • Check Facebook-related plugins
  • Look in theme header/footer files

Verification: Scan your site and confirm _fbp cookie and connect.facebook.net requests don't appear pre-consent.


3. Hotjar Session Recording Starting Immediately

The Violation: Hotjar's _hj* cookies are set and session recording begins before consent.

Why It's Risky: Session replay tools record user interactions, including potentially sensitive form inputs. This is analytics data that requires explicit consent.

How to Fix It:

Using GTM:

  1. Add your Hotjar tag to GTM (if not already)
  2. Set the trigger to require analytics consent
  3. Use Hotjar's built-in consent integration if available

Using Hotjar's consent mode:

// Signal the visitor's choice to an already loaded Hotjar script. The cleaner
// fix is not to load the script at all until analytics consent exists (the
// GTM steps above); use this only where the script is already on the page.
if (typeof hj === 'function') {
  hj('consent', userHasConsentedToAnalytics ? 'granted' : 'revoked')
}

Verification: The _hjSessionUser_* and related cookies should only appear after analytics consent.


4. Google Ads Conversion Tags Firing Pre-Consent

The Violation: Google Ads cookies (_gcl_au, _gcl_aw) and conversion tags fire before consent.

Why It's Risky: Conversion tracking is marketing/advertising and clearly requires consent. Google Ads violations are frequently cited in enforcement actions.

How to Fix It:

  1. Configure Google Consent Mode v2 with every storage type denied by default. This call must run before gtag.js or the GTM container script loads; otherwise the tags initialize with their built-in defaults:

     gtag('consent', 'default', {
       ad_storage: 'denied',
       ad_user_data: 'denied',
       ad_personalization: 'denied',
       analytics_storage: 'denied',
     })

  2. Update consent when the user acts:

     // When user consents to marketing
     gtag('consent', 'update', {
       ad_storage: 'granted',
       ad_user_data: 'granted',
       ad_personalization: 'granted',
     })

  3. Ensure conversion tags have marketing consent triggers in GTM

Consent mode only changes how Google's tags behave. In "advanced" consent mode the tags still load before consent and send cookieless pings to Google, which some regulators treat as a data transfer in its own right. If nothing may leave the browser before consent, combine consent mode with trigger-based blocking ("basic" consent mode) as in step 3.

Verification: Google Ads cookies should not appear until marketing consent is granted.
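As an added example (our code, not Gretelfy's and not Google's own snippet), here is the bootstrapping that the Google Analytics fix and the Consent Mode v2 fix above describe, in one place: the consent defaults pushed before any Google script loads, and a CMP callback that both updates consent mode and pushes the dataLayer events a GTM Custom Event trigger can listen for. The function names, the category object shape ({analytics, marketing, functional}), the event names and the 500 ms wait_for_update are our assumptions; adapt them to your CMP.

```javascript
// Added example: consent-gated Google tags. Not from the original post.
// Assumptions: a CMP that hands us {analytics, marketing, functional} booleans,
// and GTM Custom Event triggers named after the events pushed below.

// Same dataLayer the GTM/gtag snippets use; create it if this runs first.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);

// gtag() must push the Arguments object itself (not an array): Google's
// consent handling recognises the call only in that form.
function gtag() { dataLayer.push(arguments); }

// Run BEFORE gtag.js / gtm.js is inserted into the page.
function setConsentDefaults() {
  const defaults = {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    functionality_storage: 'denied',
    personalization_storage: 'denied',
    security_storage: 'granted', // fraud prevention / auth cookies need no consent
    wait_for_update: 500,        // ms to hold tags while the CMP restores a saved choice
  };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Map CMP categories onto Google's consent types.
function consentUpdateFor(categories) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    ad_storage: g(categories.marketing),
    ad_user_data: g(categories.marketing),
    ad_personalization: g(categories.marketing),
    analytics_storage: g(categories.analytics),
    functionality_storage: g(categories.functional),
    personalization_storage: g(categories.functional),
  };
}

// CMP callback: update consent mode and emit one dataLayer event per granted
// category, which is what the Custom Event trigger on the GA tag listens for.
// Denied categories emit nothing, so tags gated on these events cannot fire
// without consent.
function applyCmpConsent(categories) {
  const update = consentUpdateFor(categories);
  gtag('consent', 'update', update);
  for (const [name, granted] of Object.entries(categories)) {
    if (granted) dataLayer.push({ event: 'consent_' + name + '_granted' });
  }
  return update;
}

// Names of the consent events pushed so far (useful when checking in Preview).
function consentEventsPushed() {
  return dataLayer
    .filter((e) => e && typeof e.event === 'string')
    .map((e) => e.event);
}

setConsentDefaults();
// Constructed scenario: visitor accepted analytics and functional cookies but
// refused marketing. In production the CMP's onConsent callback calls this.
applyCmpConsent({ analytics: true, marketing: false, functional: true });
```

Place this inline in the document head, above the GTM or gtag snippet; if it is loaded from an external file that the browser fetches later, the default call can arrive after the tags have already initialized.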


5. LinkedIn Insight Tag Loading Early

The Violation: LinkedIn's Insight Tag sets tracking cookies and sends data before consent.

Why It's Risky: B2B marketers love LinkedIn tracking, but it's a marketing cookie like any other. The cookie li_fat_id enables cross-site tracking.

How to Fix It:

  1. Move the LinkedIn Insight Tag to GTM
  2. Set a marketing consent trigger
  3. Remove any hardcoded LinkedIn scripts from your site

If using LinkedIn's official integration:

  • Configure your CMP to block LinkedIn scripts until consent
  • Use URL pattern blocking if your CMP supports it

Verification: Check that no requests to linkedin.com or licdn.com occur before consent (the Insight Tag loads from snap.licdn.com and reports to px.ads.linkedin.com) and that no li_fat_id cookie is set.


6. Chat Widgets Setting Tracking Cookies

The Violation: Customer chat tools like Intercom, Drift, or Zendesk set tracking cookies immediately on page load.

Why It's Risky: Chat seems helpful rather than invasive, but these tools often track visitor behavior across sessions and may share data with third parties. A widget that only needs to keep one conversation alive does not need a persistent visitor identifier.

How to Fix It:

Option A: Delay loading until consent

  • Move chat widget scripts to GTM with functional consent trigger
  • Or use your CMP's script blocking

Option B: Use privacy-friendly mode

  • Many chat tools offer "anonymous mode" that works without cookies
  • Intercom, for example, can run without persistent tracking

Option C: Replace with consent-aware alternatives

  • Some chat tools are designed with GDPR in mind
  • Evaluate whether your current tool supports consent properly

Verification: Check for chat-related cookies (often containing vendor names or session IDs).


7. YouTube Embeds Setting Cookies

The Violation: Standard YouTube embeds set cookies from youtube.com including advertising-related cookies.

Why It's Risky: YouTube embeds pull in Google's advertising ecosystem. Even if you're just showing a product video, Google's tracking activates.

How to Fix It:

Use YouTube's privacy-enhanced mode:

<!-- Instead of youtube.com, use youtube-nocookie.com -->
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID" width="560" height="315" allowfullscreen></iframe>

Privacy-enhanced mode only defers tracking: YouTube states that it stores no information about the visitor until they play the video, so cookies still appear once playback starts. Treat it as a mitigation, not as a substitute for consent.

Or load videos only after consent:

  1. Show a placeholder image initially
  2. On click (or after consent), replace with actual embed
  3. Many CMP tools offer YouTube blocking with "click to load" placeholders

Verification: Check that no youtube.com or googlevideo.com cookies appear before consent.
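The "click to load" approach from the list above, written out as an added example (our code, not Gretelfy's or YouTube's). It assumes placeholder elements that carry a data-video-id attribute and a self-hosted poster image, and a consent flag supplied by your CMP; those names are ours. The security-relevant detail is validating the video ID before it is interpolated into the iframe src, so a CMS field or query parameter cannot redirect the embed to a different host or path.

```javascript
// Added example: click-to-load YouTube facade. Not from the original post.
// Assumptions: placeholders are elements with data-video-id and a self-hosted
// poster image; the consent flag comes from your CMP.

// YouTube video IDs are 11 URL-safe characters. Rejecting anything else keeps
// the src fixed to the youtube-nocookie.com embed path.
const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/;

function youtubeEmbedSrc(videoId, autoplay = false) {
  if (!VIDEO_ID_RE.test(videoId)) {
    throw new Error('invalid YouTube video id: ' + videoId);
  }
  const params = new URLSearchParams({ rel: '0', autoplay: autoplay ? '1' : '0' });
  return 'https://www.youtube-nocookie.com/embed/' + videoId + '?' + params.toString();
}

// Build the real iframe only at activation time, so before that nothing from
// youtube.com or googlevideo.com is requested at all.
function buildEmbedIframe(videoId) {
  const iframe = document.createElement('iframe');
  iframe.src = youtubeEmbedSrc(videoId, true);
  iframe.width = '560';
  iframe.height = '315';
  iframe.allow = 'autoplay; encrypted-media; picture-in-picture';
  iframe.setAttribute('allowfullscreen', '');
  iframe.referrerPolicy = 'strict-origin-when-cross-origin';
  return iframe;
}

// Replace each placeholder with the iframe immediately if marketing consent
// exists; otherwise only when the visitor clicks it (the click is their
// explicit choice to load Google content). Returns the number of placeholders.
function activateFacades(root, consentGranted) {
  let count = 0;
  for (const el of root.querySelectorAll('[data-video-id]')) {
    const load = () => el.replaceWith(buildEmbedIframe(el.dataset.videoId));
    if (consentGranted) load();
    else el.addEventListener('click', load, { once: true });
    count += 1;
  }
  return count;
}

// Browser wiring; skipped when run outside a page (for example under Node).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    activateFacades(document, false);
  });
}
```

When the CMP later reports marketing consent, call activateFacades(document, true) again so remaining placeholders load without a click.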


8. HubSpot Tracking Code Running Immediately

The Violation: HubSpot's tracking code sets the __hssc, __hssrc, __hstc and hubspotutk cookies on page load.

Why It's Risky: HubSpot tracking falls into analytics/marketing categories. The cookies track visitor behavior and link it to CRM records.

How to Fix It:

Using HubSpot's cookie consent banner:

  • Enable HubSpot's built-in consent features
  • Configure cookie categories in HubSpot settings
  • Note: This only works if you use HubSpot as your CMP

Using your own CMP:

  1. Block HubSpot's tracking script (the loader served from js.hs-scripts.com, or the regional js-eu1.hs-scripts.com) until consent
  2. Use GTM to conditionally load HubSpot
  3. Call HubSpot's tracking methods only after consent. The script records a page view automatically when it loads, so this only helps if step 1 or 2 kept the script off the page until then:

     // Only track after consent
     if (analyticsConsentGranted) {
       _hsq.push(['trackPageView'])
     }

Verification: HubSpot cookies should only appear after relevant consent.


9. TikTok Pixel Firing Before Consent

The Violation: TikTok's advertising pixel sets cookies and sends data before consent.

Why It's Risky: TikTok Pixel is a marketing tool for ad optimization. Like Facebook Pixel, it requires explicit consent.

How to Fix It:

  1. Move TikTok Pixel to GTM with marketing consent trigger
  2. Remove any hardcoded TikTok scripts
  3. Check TikTok-related WordPress plugins or integrations

If using TikTok's official setup:

  • Most CMP tools now recognize TikTok scripts
  • Configure URL-based blocking for analytics.tiktok.com

Verification: TikTok-related requests and cookies should not appear pre-consent.


10. Unknown/Unclassified Cookies

The Violation: Cookies from unidentified sources set before consent.

Why It's Risky: Unknown cookies often come from forgotten integrations, outdated plugins, or third-party services you didn't know set cookies. Under GDPR, you're responsible for every cookie set through your site, first-party or third-party, whether or not you remember adding it.

How to Fix It:

  1. Identify the source: Search your codebase for the cookie name or domain
  2. Check plugins: Review all CMS plugins and their cookie behaviors
  3. Audit third-party scripts: Trace each external script loaded by your site
  4. Remove if unnecessary: If you can't identify a cookie's purpose, consider whether you need it
  5. Classify and control: Once identified, add to your CMP configuration

For persistent unknown cookies:

  • Use browser DevTools to trace the request setting the cookie
  • Check the "Initiator" column in the Network tab
  • Follow the chain back to the original script

Verification: All cookies should be classified. Unknown cookies should be identified or removed.
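An added example (our code, not Gretelfy's scanner) of the "classify and control" step: it takes a document.cookie-style snapshot captured before any consent interaction, drops the strictly necessary cookies you expect, matches the rest against the vendor cookie names this article lists, and reports what is left as unknown. The TikTok _ttp signature is our assumption rather than something the article states, and the sample cookie string is constructed, not captured from a real site.

```javascript
// Added example: classify cookies observed before any consent interaction.
// Not from the original post. Signatures use cookie names from this article;
// the TikTok _ttp entry is our assumption. The sample below is constructed.

const COOKIE_SIGNATURES = [
  { vendor: 'Google Analytics', category: 'analytics', re: /^(_ga(_[A-Z0-9]+)?|_gid)$/ },
  { vendor: 'Google Ads',       category: 'marketing', re: /^_gcl_/ },
  { vendor: 'Facebook Pixel',   category: 'marketing', re: /^_fbp$/ },
  { vendor: 'Hotjar',           category: 'analytics', re: /^_hj/ },
  { vendor: 'LinkedIn Insight', category: 'marketing', re: /^li_fat_id$/ },
  { vendor: 'HubSpot',          category: 'analytics', re: /^(__hs(tc|sc|src)|hubspotutk)$/ },
  { vendor: 'TikTok Pixel',     category: 'marketing', re: /^_ttp$/ }, // assumed name
];

// Parse a document.cookie-style string ("a=1; b=2") into {name, value} pairs.
// Values may themselves contain '=', so split only on the first one.
function parseCookieString(cookieString) {
  return cookieString
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => {
      const i = pair.indexOf('=');
      return i < 0
        ? { name: pair, value: '' }
        : { name: pair.slice(0, i), value: pair.slice(i + 1) };
    });
}

// Match each cookie against the first signature that fits; anything left over
// is "unknown" and needs the source-tracing steps from item 10.
function classifyCookies(cookies) {
  const report = { known: [], unknown: [] };
  for (const c of cookies) {
    const sig = COOKIE_SIGNATURES.find((s) => s.re.test(c.name));
    if (sig) report.known.push({ name: c.name, vendor: sig.vendor, category: sig.category });
    else report.unknown.push(c.name);
  }
  return report;
}

// Audit a pre-consent snapshot. strictlyNecessary lists cookie names your site
// legitimately sets without consent (session, CSRF token, the consent record
// itself); those are excluded rather than flagged.
function auditPreConsent(cookieString, strictlyNecessary) {
  const allow = new Set(strictlyNecessary);
  const cookies = parseCookieString(cookieString).filter((c) => !allow.has(c.name));
  const report = classifyCookies(cookies);
  report.violations = report.known.length + report.unknown.length;
  return report;
}

// Constructed sample: what document.cookie might read on a fresh visit.
const SAMPLE_PRE_CONSENT = [
  'PHPSESSID=k3j2h1',
  'consent_state=pending',
  '_ga=GA1.1.111.222',
  '_ga_ABC123=GS1.1.333',
  '_fbp=fb.1.444.555',
  '__hstc=1.2.3',
  'xyz_tracker=9',
].join('; ');
const STRICTLY_NECESSARY = ['PHPSESSID', 'consent_state'];

function runSampleAudit() {
  return auditPreConsent(SAMPLE_PRE_CONSENT, STRICTLY_NECESSARY);
}
```

To feed it real data, open the site in a fresh browser profile, do not touch the banner, and paste document.cookie into auditPreConsent. That string only contains first-party cookies readable by JavaScript; HttpOnly cookies and third-party cookies on the vendors' own domains are visible only in the DevTools Application tab or a HAR export, so check those as well.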


Quick Reference: Violation Severity

Violation                       Severity     Fine Risk
Google Analytics pre-consent    Medium       High
Facebook Pixel pre-consent      High         Very High
Hotjar pre-consent              Medium       Medium
Google Ads pre-consent          High         Very High
LinkedIn Insight pre-consent    High         High
Chat widget tracking            Low-Medium   Medium
YouTube embeds                  Medium       Medium
HubSpot tracking                Medium       Medium
TikTok Pixel pre-consent        High         High
Unknown cookies                 Variable     High

How to Scan for These Violations

Manual checking is tedious and error-prone. Automated scanning catches all of these violations instantly.

Scan your website now →

Get your Gretel Score and see exactly which of these violations exist on your site. Each violation is identified with:

  • The specific cookie or script
  • The vendor/source
  • The category (marketing, analytics, etc.)
  • Actionable remediation steps

Don't guess at compliance. Know for certain.


The Crumb Trail is Gretelfy's blog about cookie compliance, privacy regulations, and building trust with your website visitors. Subscribe for weekly insights.
