Third-Party Script Compliance
What This Means
Third-party scripts (analytics, advertising, social plugins) often set cookies and collect user data. Loading these scripts before obtaining consent violates privacy regulations like GDPR.
Common non-compliant scripts:
- Google Analytics
- Meta Pixel (Facebook)
- Google Ads remarketing
- TikTok Pixel
- Hotjar/FullStory
- Social share buttons
- Chat widgets with tracking
- Advertising pixels
How to Diagnose
1. Network Tab Analysis
- Open a private browser window
- Open DevTools > Network tab
- Visit your site (DON'T interact with consent banner)
- Look for these domains loading:
  - google-analytics.com
  - googletagmanager.com (if firing tags pre-consent)
  - connect.facebook.net
  - analytics.tiktok.com
  - hotjar.com
  - Any advertising/tracking domains
2. Cookie Inspection Pre-Consent
- DevTools > Application > Cookies
- Before interacting with consent banner, check for:
  - _ga, _gid (Google Analytics)
  - _fbp, _fbc (Meta)
  - IDE, DSID (Google Ads)
  - Any third-party cookies
3. GTM Preview Analysis
- Open GTM Preview Mode
- Check Tags Fired before consent trigger
- Non-essential tags should show as "Not Fired" initially
General Fixes
1. Implement Consent Mode in GTM
Step 1: Add consent initialization
Add to your page before GTM loads:
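<script>
  // Create the dataLayer queue if GTM has not created it yet
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  // Deny storage by default until the CMP reports the user's choice
  gtag('consent', 'default', {
    'analytics_storage': 'denied',
    'ad_storage': 'denied',
    'wait_for_update': 500 // Wait up to 500 ms for the CMP's consent update
  });
</script>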
Step 2: Configure tag consent settings
In GTM:
- Go to each tag
- Click "Advanced Settings" > "Consent Settings"
- Add required consent types (analytics_storage, ad_storage)
2. Use CMP with GTM Integration
Most CMPs integrate with GTM:
- Cookiebot + GTM
- OneTrust + GTM
- Osano + GTM
The CMP handles:
- Displaying consent banner
- Storing user preferences
- Firing GTM consent update events
3. Script Type Modification
For manually added scripts:
Before (non-compliant):
<script src="https://tracking-script.js"></script>
After (compliant):
<script type="text/plain" data-cookieconsent="statistics">
// Script content here
</script>
The CMP changes type to text/javascript after consent.
4. Defer Script Loading
function loadTrackingAfterConsent() {
  // Only call after consent granted
  var script = document.createElement('script');
  script.src = 'https://tracking-script.js';
  document.head.appendChild(script);
}
Script Categorization
Categorize scripts for granular consent:
| Category | Examples | Default |
|---|---|---|
| Essential | Authentication, cart, security | Allowed |
| Functional | Chat, preferences, language | Ask consent |
| Analytics | GA4, Hotjar, Amplitude | Ask consent |
| Marketing | Meta Pixel, Google Ads, TikTok | Ask consent |
Testing Compliance
Full Consent Flow Test
- Clear all cookies
- Visit site in incognito
- Check Network/Cookies - should be minimal
- Decline consent
- Navigate site - tracking should not fire
- Clear cookies
- Revisit and accept consent
- Verify tracking now works
Regression Testing
After CMS or site updates:
- Re-test consent flow
- Check for new scripts added
- Verify consent still blocks properly
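The pre-consent checks from "How to Diagnose" can be scripted for regression testing. The following is an added example, not part of the original guide: it audits a HAR export (DevTools > Network > export) captured before touching the consent banner, plus a list of cookie names copied from Application > Cookies. The function name, finding format and sample data are assumptions; the domains and cookie names are the ones listed on this page.

```javascript
// Domains from this page. GTM may load pre-consent; it only matters if it fires tags.
const TRACKER_DOMAINS = {
  'google-analytics.com': 'violation',
  'connect.facebook.net': 'violation',
  'analytics.tiktok.com': 'violation',
  'hotjar.com': 'violation',
  'googletagmanager.com': 'review',
};
const TRACKER_COOKIES = ['_ga', '_gid', '_fbp', '_fbc', 'IDE', 'DSID'];

// True when host equals the domain or is a subdomain of it,
// so "nothotjar.com" does not match "hotjar.com".
function matchesDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// har: parsed HAR object; cookieNames: cookie names present before consent.
function auditPreConsent(har, cookieNames = []) {
  const findings = [];
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname.toLowerCase();
    } catch {
      continue; // skip malformed URLs
    }
    for (const [domain, severity] of Object.entries(TRACKER_DOMAINS)) {
      if (matchesDomain(host, domain)) {
        findings.push({ kind: 'request', severity, match: domain, detail: entry.request.url });
      }
    }
  }
  for (const name of cookieNames) {
    if (TRACKER_COOKIES.includes(name)) {
      findings.push({ kind: 'cookie', severity: 'violation', match: name, detail: name });
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const sampleHar = { log: { entries: [
  { request: { url: 'https://example.test/' } },
  { request: { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX' } },
  { request: { url: 'https://www.google-analytics.com/g/collect?v=2' } },
  { request: { url: 'https://nothotjar.com/app.js' } },
] } };
const report = auditPreConsent(sampleHar, ['session_id', '_ga']);
console.log(report);
```

A "review" finding for googletagmanager.com still needs the GTM Preview check to confirm that no non-essential tags fired.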
Platform-Specific Guides
| Platform | Guide |
|---|---|
| Shopify | Shopify Privacy |
| WordPress | WordPress GDPR Plugins |
| Webflow | Webflow Consent |