
May 14, 2025 | 7 minute read

Tracking Before Consent: It’s Not Just a Bug. It’s the Business Model


The Real Problem Isn't Technical – It's Intentional

Last week, I wrote in defense of ePrivacy Directive Article 5(3) - the only EU legal provision that protects users before tracking begins. The response was clear: privacy professionals understand its value, but many businesses either don’t - or worse - actively ignore it.

This week, I want to go deeper. Because tracking before consent isn't just an oversight. It's a feature of the current digital advertising model. And the industry's favorite tools – including Google Tag Manager and Consent Mode 2.0 – are being used to simulate compliance, not enforce it.

What ePrivacy Directive 5(3) Actually Says

Before we go further, let’s be clear: Article 5(3) is not about cookies. It’s about any access to or storage of information on a user’s device, whether or not personal data is involved. This includes:

  • Loading third-party scripts
  • Embedding beacons or SDKs
  • Collecting telemetry or device signals
  • Executing fingerprinting code

Unless it's strictly necessary for the service requested (e.g., login, shopping cart), it requires prior informed consent. GDPR applies after. ePrivacy Directive 5(3) comes first.


What Happens on Most Websites Today?

Breaking it down, here’s what actually happens the moment a user lands on a typical website:

  1. Google Tag Manager (GTM) loads immediately, often in the header.
  2. GTM injects other scripts: Google Analytics, Facebook Pixel, LinkedIn Insight Tag, HubSpot, Hotjar, etc.
  3. Some sites use Google Consent Mode 2.0 - which claims to defer data collection until consent is given.
  4. But GTM has already loaded. Third-party domains have already been contacted. Scripts have run. Devices have been accessed.

Consent hasn't even been asked for yet.

This is not compliant with the ePrivacy Directive Article 5(3).

It’s tracking before consent. Plain and simple.

Consent Mode ≠ Consent

Let’s debunk the Consent Mode 2.0 myth.

“Consent Mode lets you run all your tags in a compliant way, while respecting user choice.”

That sounds nice. But here’s what actually happens:

  • GTM loads as a first-party script (from www.googletagmanager.com).
  • Tags like gtag.js, ads/ga-audiences, or collect?v=... are conditionally fired, but scripts and domains are still initialized.
  • Even in “denied” mode, telemetry and anonymized signals can be collected – and linked later.
  • Worse, many websites configure Consent Mode to 'assume consent' until it’s explicitly denied.

It’s not a bug. It’s a dark pattern wrapped in a compliance-friendly wrapper.

Enter: Cookie Consent as a Service (CCaaS) – The Theatre of Compliance

Now let’s address the other half of the illusion: Cookie Consent banners – often provided by Consent Management Platforms (CMPs) like OneTrust, Cookiebot, CookieInformation, TrustArc, and similar vendors.

These services position themselves as compliance tools. But in most implementations, they are part of the consent theatre. Here's why:

1. Scripts Already Load Before Consent Is Given

Most CMPs do not block GTM or other tracking scripts by default. Instead, they load with the site, and merely signal preferences after third-party access has already occurred. This violates ePrivacy Directive 5(3).

2. Visual Consent ≠ Technical Enforcement

The banner might ask for your permission to use analytics or marketing cookies. But unless script loading is gated, that data is already being collected, or the tracker has already "touched" your device - even if just to generate a fingerprint or store a default ID.
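What gating the banner only pretends to do looks like in code, as an added example that is not the article's or AesirX's own implementation: a first-party gate that starts with every non-essential category denied (the opposite of the "assume consent" Consent Mode setup described above), loads only tags explicitly declared strictly necessary, and fetches nothing else until an affirmative grant. The `loadScript` hook, the tag names, the hostnames and the GTM container id are assumptions.

```javascript
// Added example (not code from the article): a first-party consent gate that
// keeps every non-essential tag queued until the user grants its category.
// `loadScript` is an injected hook: in a browser it would append a <script>
// element; injecting it lets the gate run, and be checked, under Node.
function createConsentGate(loadScript) {
  // Denied by default for all non-essential categories; there is no "assume consent" path.
  const consent = { analytics: false, marketing: false };
  let pending = [];
  const loaded = [];
  const load = (tag) => { loaded.push(tag.name); loadScript(tag.src); };

  function register(tag) {
    // Only a tag explicitly declared 'necessary' (login, cart) loads pre-consent; the
    // declaration sits on the tag itself, so a misclassified tracker is visible in config.
    const allowed = tag.category === 'necessary' || consent[tag.category] === true;
    if (allowed) load(tag); else pending.push(tag);
    return allowed;
  }
  // An affirmative choice releases only the queued tags whose category was granted.
  function grant(categories) {
    for (const c of categories) if (c in consent) consent[c] = true;
    const released = pending.filter((t) => consent[t.category]);
    pending = pending.filter((t) => !consent[t.category]);
    released.forEach(load);
    return released.map((t) => t.name);
  }
  // A denial drops the queued tags: nothing was contacted, so nothing needs undoing.
  function deny(categories) {
    const dropped = pending.filter((t) => categories.includes(t.category));
    pending = pending.filter((t) => !categories.includes(t.category));
    return dropped.map((t) => t.name);
  }
  return { register, grant, deny, loaded: () => loaded.slice(), pending: () => pending.map((t) => t.name) };
}

// Constructed page setup: GTM and an analytics tag are declared but not fetched;
// the hostnames and the GTM container id are placeholders.
function demo() {
  const hostsContacted = [];
  const gate = createConsentGate((src) => hostsContacted.push(new URL(src).hostname));
  gate.register({ name: 'gtm', category: 'marketing', src: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER' });
  gate.register({ name: 'session', category: 'necessary', src: 'https://www.shop.example/session.js' });
  gate.register({ name: 'analytics', category: 'analytics', src: 'https://analytics.example/collect.js' });
  const beforeConsent = hostsContacted.slice();   // only the first-party session script so far
  gate.grant(['analytics']);                      // user accepted analytics only
  const dropped = gate.deny(['marketing']);       // and refused marketing, so GTM leaves the queue
  return { beforeConsent, afterConsent: hostsContacted.slice(), dropped, pending: gate.pending() };
}
```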

3. “Essential” Categories Are Misused

Most CMPs allow website owners to mark trackers as "essential" - avoiding consent entirely. This loophole is abused heavily. Tag managers, CDNs, and analytics frameworks are regularly misclassified to bypass user consent.

4. Most CMPs Are Not Transparent

CMPs rarely disclose what scripts are running at what point in the lifecycle. Users assume that saying “no” blocks tracking. But unless the site implements strict pre-consent gating, it doesn’t. And CMPs don’t verify or audit that logic - because it’s not in their business interest.

5. Consent Is Required for All Tracking Technologies – Not Just Cookies

Too many implementations treat cookie consent as synonymous with privacy compliance - but tracking is not limited to cookies. Beacons, fingerprinting scripts, local storage, telemetry APIs, and session replay tools can all access or store data on a device.

Under the ePrivacy Directive Article 5(3), all tracking technologies require prior informed consent unless they are strictly necessary. CMPs and Consent Mode flows that focus only on cookie categories ignore the broader scope of what the law actually covers.

“If your site blocks cookies but still allows fingerprinting scripts or session data access, you're not compliant - you're just cookie-washing surveillance.”

6. Many Cookie Consent Services Are Trackers Themselves

Ironically, many Consent Management Platforms (CMPs) and Cookie Consent as a Service (CCaaS) providers operate as third-party services - and embed their own pixel trackers or scripts into websites. This means:

  • Their domains are contacted on first load (before any user action).
  • They often drop their own cookies or collect telemetry (device type, locale, IP, etc.) to “optimize” or “audit” consent interactions.
  • This constitutes third-party access to the user’s device without consent - exactly what they claim to protect against.

When your CMP vendor requires a call to their external domain and executes JavaScript before consent, they become part of the violation - not part of the solution.

“You can’t outsource consent to a service that tracks users before they give it.”


It’s All Connected: CMPs + Consent Mode = A Pretend Consent Loop

Here's how the architecture works in reality:

  • GTM is preloaded, acting as the vehicle for third-party access.
  • A CMP (CCaaS) visually asks the user for consent.
  • Google Consent Mode receives the user's choice after the fact, and adjusts data labeling - but does not retroactively stop what has already happened.
  • Meanwhile, first-party and third-party servers have already seen device requests, and in many cases, set up tracking identifiers, cookies, or other session elements.

This is not privacy by design. It's tracking by default, consent by UX overlay.

And because it's standardized across large platforms, it's scalable non-compliance. Millions of websites are complicit, and most users are unaware.

This Is By Design – Not Accident

Why is it so widespread?

Because this design keeps the data flowing.

  • Advertisers want to capture behavior from the first second.
  • Personalization engines want to log device signals and interaction history.
  • CDPs and data brokers want identifiers, even if they start "pseudonymous."

In this ecosystem, real prior consent is a threat. It delays tracking, shrinks datasets, and cuts off third-party access.

That’s why most CMPs are built to preserve tracking, not prevent it.

Enforcement Failure: Why It Persists

We already have the law. But we don’t have the enforcement.

Most Data Protection Authorities (DPAs) lack the technical infrastructure to perform deep inspections of what scripts do at runtime. They see cookies, not what JavaScript does. They review the consent text, not whether access occurred before it was given.

Until we automate technical audits and enforce real-time violations, the current model will persist.

That’s why regulatory enforcement must evolve. And that’s where Privacy Monitoring solutions come in.

We Need First-Party Alternatives, Not Third-Party Excuses

At AesirX, we’ve built an entirely first-party consent, analytics, and tag management system – compliant by design with both GDPR and ePrivacy Directive 5(3):

  • No third-party access until consent is granted.
  • No pre-consent tracking or device access.
  • Fully transparent, auditable, and open-source.
  • Prevents GTM from loading until after consent is given.

We don't need to "balance" user rights with tracking profits. We need to design systems that respect rights by default.

If We Don’t Enforce 5(3), Consent Dies in Practice

We’re not in a post-cookie world. We’re in a pre-consent tracking world. And unless we defend Article 5(3), we will lose the only legal shield that blocks tracking at the door.

GDPR starts after the data flows.

The ePrivacy Directive is the only thing that can stop it before it begins.

Repealing 5(3) won’t simplify compliance. It will legalize surveillance at the infrastructure level.

And that’s not innovation.

That’s surrender.

It’s Time to Stop Pretending

To those who call Article 5(3) outdated:

It’s not outdated. It’s inconvenient for those whose business depends on ignoring consent.

To those building digital products:

Build them privacy-first, not privacy-later. Your users deserve consent that’s real, not retroactive.

To regulators:

Don’t just review banners. Inspect the scripts.
Audit what happens before consent is ever given.
That’s where the real violations start.
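The kind of automated technical audit called for above (in "Enforcement Failure" and in the advice to inspect scripts rather than banners), as an added example that is not the article's or any regulator's tooling: it walks a captured request log, keeps only what happened before the consent event, and reports every third-party host contacted, every cookie set, and every request that looks like a collection endpoint. The log shape (`time` in ms, `url`, `initiator`, `responseHeaders`), the sample entries and the hostnames are constructed assumptions.

```javascript
// Added example (not the article's code): an offline audit over a captured request
// log, listing every third-party host contacted and every cookie set before the
// user's consent event. The log shape (time in ms, url, initiator, responseHeaders)
// and the sample entries are constructed; hostnames are placeholders.
function auditPreConsent(log, { firstPartyHost, consentAt, necessaryHosts = [] }) {
  const isFirstParty = (h) => h === firstPartyHost || h.endsWith('.' + firstPartyHost);
  const findings = [];
  for (const entry of log) {
    if (entry.time >= consentAt) continue; // only what ran before the user could choose
    const url = new URL(entry.url);
    const host = url.hostname;
    // The strictly-necessary allowlist is explicit input, so the auditor sees exactly
    // which hosts the site claims as exempt instead of trusting a CMP "essential" category.
    if (isFirstParty(host) || necessaryHosts.includes(host)) continue;
    const headers = entry.responseHeaders || [];
    findings.push({
      host,
      path: url.pathname,
      initiator: entry.initiator, // which script caused the request, when the capture records it
      storesOnDevice: headers.some((h) => h.name.toLowerCase() === 'set-cookie'),
      looksLikeCollection: /collect|pixel|beacon/i.test(url.pathname + url.search),
    });
  }
  return findings;
}

// Constructed capture: the banner is answered at t=2400 ms, so everything earlier is pre-consent.
const SAMPLE_LOG = [
  { time: 120, url: 'https://www.shop.example/', initiator: 'document',
    responseHeaders: [{ name: 'Set-Cookie', value: 'session=abc; Secure; HttpOnly' }] },
  { time: 310, url: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER', initiator: 'inline script',
    responseHeaders: [] },
  { time: 640, url: 'https://analytics.example/collect?v=2&cid=555', initiator: 'gtm.js',
    responseHeaders: [{ name: 'Set-Cookie', value: '_id=555; Max-Age=63072000' }] },
  { time: 700, url: 'https://cmp-vendor.example/banner.js', initiator: 'inline script', responseHeaders: [] },
  { time: 3100, url: 'https://ads.example/pixel?ev=pageview', initiator: 'gtm.js', responseHeaders: [] },
];

// Summarise per host so the result reads like an audit finding rather than a raw dump.
function demo() {
  const findings = auditPreConsent(SAMPLE_LOG, { firstPartyHost: 'shop.example', consentAt: 2400 });
  return {
    hosts: [...new Set(findings.map((f) => f.host))],
    cookiesSet: findings.filter((f) => f.storesOnDevice).map((f) => f.host),
    collection: findings.filter((f) => f.looksLikeCollection).map((f) => f.host),
  };
}
```

Note that the CMP vendor's own script shows up as a pre-consent third-party contact, which is exactly the point made in section 6 above; the post-consent pixel at 3100 ms is correctly outside the report.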

And to the industry at large:

Cookie Consent banners won’t save you from non-compliance. If GTM or any third-party tracker loads before consent, you’re already in violation – no matter how pretty your UX is.

If tracking happens before I say yes, I was never given a choice at all.

Ronni K. Gothard Christiansen
Technical Compliance Engineer & CEO @ AesirX


Take the First Step Toward Real Compliance

If you’re using WordPress and want to ensure your site truly respects privacy – before consent is given – we’ve built a first-party Consent Management Platform that does exactly that.

It’s easy to install, doesn’t rely on third-party trackers, and helps you comply with both GDPR and ePrivacy Directive 5(3) from the first page load.

Try it free for 14 days and see the difference real consent makes: https://aesirx.io/solutions/consent-management-platform
