We see cookie banners everywhere.
But I wanted to check something simple:
Do websites actually wait for user consent before loading analytics?
So I tested 20 sites (SaaS, e-commerce, agencies, blogs).
The result?
14 out of 20 loaded analytics before the user clicked “Accept”.
In most cases:
- The banner was visible
- No interaction had happened
- But GA/GTM requests were already firing
Visually compliant.
Technically… not really.
How I measured it
Instead of manually watching DevTools every time, I built a small tool to monitor:
- Cookies being set
-
localStorage/sessionStorageusage - Network requests to common tracking domains
- The exact timestamp of the consent click
Core logic:
If tracking_timestamp < consent_click_timestamp
→ tracking happened before consent
Simple in theory. Messy in real-world implementations.
The tricky parts
- SPAs injecting CMP late
- GTM containers firing too early
- Server-side tagging hiding third-party domains
- Heuristic detection vs explicit CMP integration
Most issues looked like misconfiguration — not intent.
Why this matters
As developers, we often:
- install GTM
- plug in analytics
- add a CMP
- assume everything is fine
But unless you verify timing, tracking may fire earlier than expected.
The browser doesn’t lie.
Network requests don’t lie.
Timestamps don’t lie.
If you want to test this yourself
I packaged the tool into a Chrome extension called ConsentScope.
You can check it here:
👉 https://www.consentscope.pro/
It’s not a legal tool — just a technical way to inspect what fires before and after consent.
Curious how others are validating consent timing in their projects.
Top comments (0)