A guide for actual compliance in consent management
TL;DR
Most cookie consent tools were never designed to enforce the ePrivacy Directive (Article 5(3)) or modern privacy laws beyond the EU. They often load tracking technology before consent, misclassify “technical necessity” purposes, geo‑gate banners with pre-consent IP lookups in ways that ignore laws outside Europe, and rely on non‑compliant third‑party infrastructure (like GTM/Consent Mode).
Below are the five most common failure patterns we see - and how to fix them with a first‑party, consent‑before‑tracking approach.
Reason 1: It treats privacy as “just cookies” (ignoring device access)
Most CMPs focus on dropping/reading cookies after the page has already executed third‑party scripts.
But ePrivacy Directive Article 5(3) covers any storage or access to information on the user’s device - that includes beacons, pixels, SDKs, localStorage, fingerprinting and telemetry.
If your tool doesn’t strictly gate all non‑essential device access until the user says yes, it’s not compliant.
Symptoms
- Banners look right, but tags fire in the background.
- “Cookie categories” exist, yet scripts for pixels/SDKs run before choices are saved.
- A tag manager is considered “essential,” so nothing is actually blocked.
What good looks like
- Block all non‑essential scripts, pixels, and telemetry by default (not just cookies).
- Ask for informed, explicit consent before any device access.
- Load the consent layer from first‑party infrastructure.
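One way to implement consent-before-access on the client, as an added example that is not AesirX's code: non-essential tags ship as inert `<script type="text/plain" data-purpose="...">` elements and are only turned into real scripts once a first-party consent record for that purpose exists. The purpose names, the `data-purpose`/`data-src` attributes and the localStorage key are assumptions.

```javascript
// Added example: a first-party consent gate. Nothing whose data-purpose is
// other than "essential" is fetched or executed until that purpose is granted.
const CONSENT_KEY = 'consent.v1';            // first-party storage key (assumed)
const PURPOSES = ['essential', 'analytics', 'marketing'];

// Build a consent record: essential is always on, everything else is off
// unless explicitly granted. Records carry a version and timestamp for audit.
function makeConsent(granted, now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = p === 'essential' || granted.includes(p);
  return { version: 1, ts: now, purposes };
}

// Decide which deferred tags may activate. Pure function (no DOM) so the
// gating rule itself can be tested: before any consent only essential runs.
function activatable(tags, consent) {
  if (!consent) return tags.filter((t) => t.purpose === 'essential');
  return tags.filter((t) => consent.purposes[t.purpose] === true);
}

// Read/write the record in first-party storage only; no network call here.
function loadConsent(storage) {
  try { return JSON.parse(storage.getItem(CONSENT_KEY)); } catch (e) { return null; }
}
function saveConsent(storage, consent) {
  storage.setItem(CONSENT_KEY, JSON.stringify(consent));
}

// Swap inert <script type="text/plain" data-purpose="analytics" data-src="...">
// elements for executable ones, but only for granted purposes. Replacing the
// element is what makes the browser fetch/run it, so nothing loads earlier.
function activateDeferred(doc, consent) {
  const nodes = [...doc.querySelectorAll('script[type="text/plain"][data-purpose]')];
  const tags = nodes.map((el) => ({ purpose: el.dataset.purpose, el }));
  for (const { el } of activatable(tags, consent)) {
    const live = doc.createElement('script');
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}

// In the browser: on load, activate only what is already consented; the banner
// calls saveConsent() then activateDeferred() after a choice. No-op under Node.
if (typeof document !== 'undefined') {
  activateDeferred(document, loadConsent(window.localStorage));
}
```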
Reason 2: It loads tracking or telemetry before consent (including CMP pixels)
Some consent tools embed their own pixels, SDKs, or call home for usage‑based billing and dashboards.
If those calls include IP address, identifiers, or other device signals before a user agrees, that’s pre‑consent tracking - no matter what the UI says.
Symptoms
- Network logs show requests to CMP or analytics domains on first paint.
- “Metering”/“usage”/“pageview” requests fire even when users reject.
- The CMP’s dashboard shows traffic counts without consent.
What good looks like
- Make no third-party calls before consent (including invoicing/telemetry).
- Limit logging to strictly necessary first-party data for service delivery.
- Store consent choices locally/first-party until a lawful basis exists to transmit.
Reason 3: It geo-gates consent with Geo-IP lookups (and ignores non-EU laws)
Geo-IP gating - “show the banner only in Europe” - assumes only EU rules matter and quietly processes IP addresses to decide who sees controls. That IP lookup itself is pre-consent data processing, non-compliant and often inaccurate or blocked. With 140+ jurisdictions having privacy laws that require consent, notice, or opt-out, hiding your banner outside the EU risks unlawful tracking and erodes trust.
Symptoms
- Banner appears in the EU, disappears elsewhere.
- U.S./UK/ROW traffic gets tracked without any notice or control.
- IP-based location checks run pre-consent and may be logged or shared with third parties.
What good looks like
- Adopt one consent model that respects regional rules globally.
- Avoid pre-consent IP lookups for gating access.
- Do not rely on imprecise IP detection to decide whether users deserve consent.
IP addresses are personal data under GDPR - see Art. 4(1); CJEU Breyer C-582/14 confirms even dynamic IPs can identify a person in context.
Reason 4: It relies on remote GTM and/or Consent Mode 2.0
Loading a tag manager from a third‑party domain (e.g., googletagmanager.com) or deferring to “Consent Mode 2.0” does not prevent pre‑consent access.
The moment GTM is fetched, your user’s device and referrer/IP are already exposed; many sites still initialize tags and transmit signals in “denied” states. That violates consent-before-access.
Symptoms
- GTM is injected in the <head> and executes before the banner.
- Third‑party domains initialize regardless of the user’s choice.
- “Assume consent” defaults or data pings occur in denied/unknown states.
What good looks like
- Do not load remote GTM or any third‑party tag frameworks before consent.
- Gate all marketing/analytics until the user opts in.
- Use a first‑party consent shield that blocks at the system level.
Reason 5: It outsources lawfulness to ad frameworks instead of enforcing blocking
Pointing to industry frameworks like IAB TCF consent strings or GPP vendor signals isn’t compliance if scripts still execute and device access occurs before a choice. Consent must be prior, informed, freely given, and technically enforced - consent strings are metadata, not a gate; UI without real blocking is theater.
Symptoms
- A valid-looking IAB TCF consent string or GPP signal exists, yet trackers initialize pre-choice.
- “Essential” is overused to whitelist ad/measurement tags that aren’t truly necessary.
- Banner toggles flip, but a CDN/tag manager still lets rogue pixels fire.
What good looks like
- Enforce hard blocklists/allowlists from first paint so nothing non-essential runs pre-consent.
- Activate purposes granularly only after a recorded, valid consent signal.
- Maintain audit-ready logs proving when consent was obtained and exactly which vendors/tags activated.
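A hard allowlist the browser itself enforces, as an added example (not AesirX's code): the server emits a Content-Security-Policy that permits only same-origin scripts, connections and images until a first-party consent cookie exists, and adds third-party hosts per granted purpose only afterwards. The cookie name, the host lists and the purpose names are assumptions; the GTM host is the one named above.

```javascript
// Added example: consent-aware CSP. Before consent the policy is 'self' only,
// so a tag manager, pixel or beacon to any other host is blocked by the
// browser regardless of what page scripts try. Host lists are placeholders.
const ALLOWLIST = {
  analytics: { script: ['https://analytics.example'], connect: ['https://analytics.example'] },
  marketing: {
    script: ['https://www.googletagmanager.com'],
    connect: ['https://www.googletagmanager.com'],
    img: ['https://www.googletagmanager.com'],
  },
};

// Parse the first-party "consent" cookie; anything malformed counts as no consent.
function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)consent=([^;]*)/.exec(cookieHeader || '');
  if (!m) return null;
  try {
    const c = JSON.parse(decodeURIComponent(m[1]));
    return c && c.purposes ? c : null;
  } catch (e) { return null; }
}

// Build the policy: start strict, then widen one directive at a time for each
// purpose the record explicitly grants. Unknown purposes add nothing.
function buildCsp(consent) {
  const src = { script: ["'self'"], connect: ["'self'"], img: ["'self'", 'data:'] };
  const granted = consent ? Object.keys(consent.purposes).filter((p) => consent.purposes[p] === true) : [];
  for (const p of granted) {
    const extra = ALLOWLIST[p] || {};
    for (const dir of Object.keys(extra)) src[dir].push(...extra[dir]);
  }
  return [
    "default-src 'self'",
    `script-src ${src.script.join(' ')}`,
    `connect-src ${src.connect.join(' ')}`,
    `img-src ${src.img.join(' ')}`,
    "frame-src 'none'",
  ].join('; ');
}

// Response headers: Vary: Cookie stops a shared cache from handing the relaxed
// policy to a visitor who has not consented.
function consentHeaders(cookieHeader) {
  return { 'Content-Security-Policy': buildCsp(parseConsentCookie(cookieHeader)), Vary: 'Cookie' };
}
```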
“If your banner says ‘no,’ but your network tab still shows third-party requests, that’s pre-consent access. Full stop.”
Consent-first load order (no device access pre-choice).
So - what does compliant look like in practice?
→ Pre-consent handling: Obtain consent before any non-essential device access (scripts, pixels, telemetry, storage, SDKs).
→ First-party by design: Load the consent UI and enforcement from your own domain or dedicated first-party infrastructure.
→ System-level blocking: Enforce hard blocks until opt-in; do not assume or simulate consent.
→ Granular purposes & transparency: Provide clear descriptions, offer specific switches, and enable friction-free revocation.
→ Global readiness: Honor regional rules (EU GDPR/ePrivacy, UK PECR, US state laws - e.g., CCPA/CPRA, Vietnam/India PDPL, Norway Ekom Act) and signals like Global Privacy Control (GPC).
→ Proof: Maintain audit-ready logs of choices, purposes, versions, and activations.
Notice: If you want to check whether your website or e-commerce solution has a problem, you can test your site with our free privacy scanner.
Action checklist
- ✅ Scan your site for pre‑consent access (scripts, pixels, telemetry, SDKs).
- ✅ Eliminate remote GTM/Consent Mode pre-consent; gate all tags post‑opt‑in.
- ✅ Remove CMP telemetry (usage‑based calls) until after consent - or move to first‑party.
- ✅ Stop geo‑gating: implement a global policy that respects regional rules and GPC.
- ✅ Adopt a first‑party CMP; enable system-level blocking; keep audit logs.
- ✅ Document purposes & third parties in plain language; enable granular toggles and instant revocation.
- ✅ Schedule ongoing monitoring (daily/weekly) to catch regressions and rogue tags.
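The first checklist item, and the “network tab” test quoted above, can be automated against a captured request log. This is an added example, not AesirX's scanner: it takes HAR-style entries (startedDateTime plus request.url), the time the first-party consent record was written, and the site's own hosts, and reports every third-party request that started before consent. The sample entries, hosts and timestamps below are constructed.

```javascript
// Added example: pre-consent access check over a request log. Any request to
// a host outside the first-party list that starts before the consent
// timestamp is flagged; with no consent at all, every third-party call is.
const FIRST_PARTY = ['shop.example', 'cdn.shop.example'];   // assumed site hosts

// Constructed sample: three requests before the user chose, one after.
const SAMPLE_ENTRIES = [
  { startedDateTime: '2024-05-01T10:00:00.100Z', request: { url: 'https://shop.example/' } },
  { startedDateTime: '2024-05-01T10:00:00.400Z', request: { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER' } },
  { startedDateTime: '2024-05-01T10:00:00.700Z', request: { url: 'https://cmp.example/usage?site=1' } },
  { startedDateTime: '2024-05-01T10:00:09.000Z', request: { url: 'https://analytics.example/collect' } },
];
const CONSENT_AT = '2024-05-01T10:00:08.000Z'; // when the consent record was written (constructed)

// A host is first-party if it equals, or is a subdomain of, a listed host.
function isFirstParty(url, firstParty) {
  const host = new URL(url).hostname;
  return firstParty.some((fp) => host === fp || host.endsWith('.' + fp));
}

// Return every third-party request that started before consent was recorded.
// consentAt === null means the user never consented, so nothing is exempt.
function preConsentAccess(entries, consentAt, firstParty) {
  const cutoff = consentAt ? Date.parse(consentAt) : Infinity;
  return entries
    .filter((e) => Date.parse(e.startedDateTime) < cutoff)
    .filter((e) => !isFirstParty(e.request.url, firstParty))
    .map((e) => ({ at: e.startedDateTime, host: new URL(e.request.url).hostname }));
}

// Summarise per host so a checklist run has one line per offending domain.
function report(entries, consentAt, firstParty) {
  const hits = preConsentAccess(entries, consentAt, firstParty);
  const byHost = {};
  for (const h of hits) byHost[h.host] = (byHost[h.host] || 0) + 1;
  return { compliant: hits.length === 0, byHost };
}
```

Exporting a HAR from the browser's network panel and feeding its `log.entries` array to `report()` turns the quoted rule into a repeatable check.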
“Don’t bankroll fake consent. If ‘no’ doesn’t stop access, you’re paying for non-compliance.”
Ronni K. Gothard Christiansen,
Technical Privacy Engineer & CEO @ AesirX.io
About AesirX
AesirX builds first‑party consent and analytics solutions that enforce privacy at the system level - so you can stay compliant, earn user trust, and still get the insights you need.