This week, I worked with a digital agency that couldn’t understand how their site had LinkedIn cookies and 20+ tracking beacons loading before user consent. They checked in Chrome and Firefox developer tools and saw nothing.
Yet our privacy scan told a different story.
To confirm, we reviewed a HAR file - and there it was: a direct call to LinkedIn’s tracking endpoint (px.ads.linkedin.com) and third-party cookies (bcookie, li_gc, lidc) set before the user had any chance to give consent.
This is a common and dangerous misunderstanding. Modern tracking scripts often load invisibly, and they do it in ways that bypass what most developers see in the console.
Why Tracking Is Often Invisible
Tools like Google Tag Manager inject scripts dynamically after the page loads. These scripts may:
- Be loaded asynchronously
- Insert beacons via image or script tags
- Set cookies via HTTP headers, not JavaScript
Unless you're actively recording all network activity from the start of the page load, these actions will not appear in the console. Developer tools were never designed to detect stealth tracking or enforce privacy compliance.
So while the console may look clean, the browser is often quietly communicating with third-party services in the background.
The Legal Foundation: ePrivacy Directive 5(3)
Under Article 5(3) of the ePrivacy Directive, any technology that stores or accesses information on a user’s device - cookies, scripts, pixels, localStorage, beacons - requires prior, informed consent unless it is strictly necessary for the service the user requested.
This principle is not limited to the EU. It is also reflected in:
- The UK’s Privacy and Electronic Communications Regulations (PECR)
- Norway’s EKOM Act
- National laws transposing the directive across all EU member states
This means the legal requirement applies broadly and consistently: no tracking, whether it relies on a cookie or on another tracking technology, can happen before consent.
The Role of Google Tag Manager in Consent Circumvention
One of the primary enablers of non-compliant tracking today is Google Tag Manager. It allows third-party scripts to be injected on the client side, often without visibility or proper sequencing relative to consent.
GTM is routinely used to load tools from Google, Meta, LinkedIn, Hotjar, TikTok, and other services before consent is gathered, resulting in immediate data collection: IP addresses, page visits, device info, and more.
This data is shared with ad networks and SaaS platforms before users have even seen a cookie banner - let alone clicked "Accept."
It’s become a silent infrastructure for surveillance, and in many cases, agencies and developers don’t even realize it’s happening on the sites they build.
What Agencies and Developers Must Do
- Stop relying solely on developer tools to verify privacy compliance. Use HAR file analysis and purpose-built privacy scanners to see the full picture.
- Block all trackers by default, and only load them after valid, informed consent is recorded.
- Use a first-party compliant CMP that ensures no data leakage to third parties prior to consent. (AesirX CMP for WordPress was designed especially for this purpose).
- Audit your GTM container - you may be surprised what’s being loaded without your knowledge.
- Understand your legal obligations under the ePrivacy Directive and GDPR. Privacy is not a UX option; it's a legal and ethical requirement.
- Consider monitoring your websites and ecommerce solutions to ensure that no new scripts or tracking technologies are added by mistake before consent is given.
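The HAR check recommended above can be scripted. The following is an added example, not code from the original article or from AesirX: it lists third-party hosts contacted before consent and the cookie names their responses set through `Set-Cookie` headers. The function name, the `agency.example` site, the consent timestamp and the simplified first-party test are assumptions.

```python
from datetime import datetime
from urllib.parse import urlsplit

def _ts(value):
    # HAR timestamps are ISO 8601; map a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pre_consent_findings(har, first_party, consent_time=None):
    """Third-party requests, and cookies their responses set, before consent.
    consent_time=None: the banner was never touched, so every entry counts."""
    cutoff = _ts(consent_time) if consent_time else None
    findings = []
    for entry in har["log"]["entries"]:
        if cutoff and _ts(entry["startedDateTime"]) >= cutoff:
            continue
        host = (urlsplit(entry["request"]["url"]).hostname or "").lower()
        # Simplified first-party test (assumption): same host or a subdomain.
        if host == first_party or host.endswith("." + first_party):
            continue
        cookies = []
        for header in entry["response"].get("headers", []):
            if header["name"].lower() == "set-cookie":
                # Some exporters join several Set-Cookie values with newlines.
                for line in header["value"].split("\n"):
                    name = line.split("=", 1)[0].strip()
                    if name:
                        cookies.append(name)
        findings.append({"host": host, "cookies": cookies})
    return findings

def _entry(when, url, set_cookie=()):
    headers = [{"name": "Set-Cookie", "value": v} for v in set_cookie]
    return {"startedDateTime": when, "request": {"url": url},
            "response": {"headers": headers}}

# Constructed sample capture (not real traffic): banner accepted at 10:00:03Z.
SAMPLE_HAR = {"log": {"entries": [
    _entry("2025-01-01T10:00:00.000Z", "https://www.agency.example/"),
    _entry("2025-01-01T10:00:00.850Z", "https://px.ads.linkedin.com/",
           ["bcookie=constructed; Domain=.linkedin.com; Secure",
            "li_gc=constructed\nlidc=constructed"]),
    _entry("2025-01-01T10:00:05.000Z", "https://cdn.tracker.example/t.js",
           ["tid=constructed"]),
]}}

if __name__ == "__main__":
    consent = "2025-01-01T10:00:03Z"
    for f in pre_consent_findings(SAMPLE_HAR, "agency.example", consent):
        print(f["host"], f["cookies"])
```

For a real audit, load the exported file with `json.load` and record it from a fresh browser profile with the network log running from the start of the page load, so that requests fired by dynamically injected tags are captured.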
The Bigger Issue
Until we as an industry take this seriously, the web will remain an environment where users are profiled and tracked without awareness or choice. This isn't just about cookies - it's about trust, freedom, and control over personal data.
And it’s time we built differently.
Ronni K. Gothard Christiansen
Technical Compliance Specialist & CEO, AesirX.io
If you need help with a full technical privacy review please contact me directly or book it here: https://aesirx.io/services/privacy-review
Appendix: ePrivacy Directive Article 5(3) in National Law
Article 5(3) of the ePrivacy Directive (ePD) requires prior consent for storing or accessing any information on a user’s device — not just cookies. This principle has been transposed into national law in every EU/EEA country, and remains in force in the UK and Norway through equivalent legislation.
Here are examples of how ePD 5(3) and similar legal frameworks are reflected across key jurisdictions:
Country | National Law / Regulation | Key Consent Principle |
Denmark | Cookiebekendtgørelsen (BEK nr. 1148 af 09/12/2011) | Consent required before storing/accessing data |
Germany | TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz) | Consent for all non-essential device access |
France | CNIL Guidelines on Cookies and Trackers (2020) | Explicit consent before any tracking |
Netherlands | Telecommunications Act (Telecommunicatiewet) | Prior consent for cookies and similar tech |
Italy | Italian Privacy Code (as amended by GDPR) | Consent required unless strictly necessary |
Spain | Law 34/2002 on Information Society Services (LSSI-CE) | Consent before setting cookies or scripts |
Norway | EKOM Act § 2-7b | Consent before using cookies or similar storage |
United Kingdom | PECR (Privacy and Electronic Communications Regulations) | Consent before placing cookies or trackers |
Sweden | Electronic Communications Act (2003:389) | User must consent before storing/accessing info |
Finland | Act on Electronic Communications Services | Consent required before any non-essential access |
Note: Every EU Member State is obligated to transpose ePD into national law. The enforcement details vary slightly, but the core requirement of prior consent for tracking remains universal.