Your cookie banner is visible. The user hasn’t clicked anything yet. And somewhere in the network tab, a request just went out to Google, Meta, or TikTok carrying that user’s IP address, browser fingerprint, and the URL they’re on.
That’s a pre-consent tracker. And under GDPR, it doesn’t matter that the banner was showing. The violation already happened.
TL;DR
- A pre-consent tracker is any script, pixel, or tag that reads, writes, or transmits personal data before the user has actively accepted cookies
- "Banner visible" is not consent — GDPR Article 7 requires a clear affirmative action; passive presence on a page does not qualify
- The most common pre-consent trackers are GA4, Meta Pixel, GTM-loaded ad tags, and session recording tools like Hotjar
- DPAs across the EU have fined organisations specifically for pre-consent firing — not for having trackers at all, but for the timing
Verdict
A cookie banner that loads alongside your trackers — rather than before them — is not a consent mechanism. It’s decoration. Regulators have consistently held that the technical sequence matters: no tracker should transmit personal data until affirmative consent is recorded. If your implementation can’t demonstrate that sequence, it fails the GDPR standard regardless of what the banner says.
What “pre-consent” actually means technically
GDPR doesn’t use the phrase “pre-consent tracker.” What it says, in Article 6, is that processing personal data requires a lawful basis. For marketing and analytics cookies, that basis is consent under Article 7. Consent must be freely given, specific, informed, and unambiguous — and it must come before the processing starts.
A pre-consent tracker is any tag, pixel, or script that processes personal data before that affirmative consent signal exists in your system.
“Processes” includes: setting a cookie, reading device identifiers, sending an HTTP request containing a user’s IP address or browser fingerprint to a third-party server. All of these are processing. All of them require prior consent if they’re not strictly necessary for delivering the service the user requested.
The timing test is binary: did personal data leave your site — or get written to the user’s browser — before the user clicked Accept? If yes, you have a pre-consent tracker.
The four most common pre-consent trackers
Google Analytics 4 (GA4)
GA4’s measurement.js sets _ga and _gid cookies and fires a page_view event on script load. In most GTM configurations, this happens during container initialisation — before the consent UI has received any user input.
GA4 Consent Mode can suppress cookie writes. But it still sends cookieless pings by default — requests that include your page URL, the user’s IP address, and User Agent string. Those are personal data under GDPR Article 4(1). Suppressing cookies doesn’t suppress the transmission. Full compliance requires ads_data_redaction and url_passthrough explicitly set, plus a confirmed consent signal before the first hit fires.
Meta Pixel
The Pixel sets _fbp (a browser fingerprint tied to your domain) and fires a PageView event the moment fbevents.js loads. Advanced Matching, if enabled, scrapes form fields and sends hashed email and phone data in the same event. This happens on load — not on click.
GTM-loaded ad tags
Programmatic ad tags — DoubleClick, Criteo, Trade Desk — are frequently added to GTM containers with “All Pages” triggers and no consent condition. Each fires on container load. Each writes third-party cookies or sends device identifiers to ad networks.
Session recording tools (Hotjar, FullStory, Microsoft Clarity)
Session recorders capture keystrokes, mouse movements, and page content from the moment they load. They transmit this data to third-party servers before any consent decision is logged. The payload can include form input, visible email addresses, and full navigation patterns.
Why “the banner was showing” isn’t a defence
“Our CMP loads on every page. The banner is visible before anyone clicks anything. So we’re covered.”
This is the argument agencies make most often in compliance reviews. It is wrong.
The GDPR standard isn’t visibility. It’s a documented affirmative action. Recital 32 is explicit: pre-ticked boxes, silence, and inactivity do not constitute consent. A user staring at a banner they haven’t interacted with has not consented to anything.
The Belgian DPA made this precise point in its 2022 enforcement action against IAB Europe: consent “obtained” through a banner that loaded at the same time as trackers — where trackers fired before any user interaction, regardless of banner visibility — was invalid because no affirmative signal preceded the data transmission.
The legal sequence that satisfies GDPR:
1. Page loads
2. Consent UI renders
3. User takes affirmative action (clicks Accept)
4. Consent signal is written and confirmed
5. Non-essential trackers load and fire
Most implementations run steps 1 and 5 in parallel.
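The five-step sequence above can be enforced in code by queuing every non-essential tag until the consent record has been written. The sketch below is an added example, not code from this article or from any CMP; `ConsentGate`, its method names and the `G-EXAMPLE` ID are hypothetical, and the script loader is passed in so the ordering can be checked without a browser.

```javascript
// Added example; ConsentGate and its methods are hypothetical names.
class ConsentGate {
  // loadScript injects a tag (in a browser: append a <script> element).
  // It is passed in so the ordering can be exercised without a network.
  constructor(loadScript, stored = new Map()) {
    this.loadScript = loadScript;
    this.stored = stored;   // stands in for the persisted consent record
    this.pending = [];      // tags registered but not yet allowed to load
    this.log = [];          // audit trail of the sequence
  }

  // Steps 1-2: tags are registered during page load, nothing is fetched
  // unless a consent record for that category already exists.
  register(category, src) {
    if (this.stored.get(category) === 'granted') return this.fire(src);
    this.pending.push({ category, src });
    this.record('queued', src);
  }

  // Steps 3-4: call only from the Accept click handler. The record is
  // written first; step 5 (loading) happens strictly afterwards.
  grant(categories) {
    categories.forEach(c => this.stored.set(c, 'granted'));
    this.record('consent-written', categories.join(','));
    const ready = this.pending.filter(t => categories.includes(t.category));
    this.pending = this.pending.filter(t => !categories.includes(t.category));
    ready.forEach(t => this.fire(t.src));
  }

  fire(src) {
    this.record('loaded', src);
    this.loadScript(src);
  }

  record(event, detail) {
    this.log.push({ at: Date.now(), event, detail });
  }
}

// Constructed demo: collect the URLs instead of fetching them.
function demo() {
  const loaded = [];
  const gate = new ConsentGate(src => loaded.push(src));
  gate.register('analytics', 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE');
  gate.register('marketing', 'https://connect.facebook.net/en_US/fbevents.js');
  const beforeClick = loaded.length;   // 0: nothing loads while the banner waits
  gate.grant(['analytics']);           // user accepts analytics only
  return { beforeClick, loaded, queued: gate.pending.map(t => t.src), log: gate.log };
}
```

The `log` array gives the order of events with timestamps, which is the evidence of sequence the article says an implementation must be able to demonstrate.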
What enforcement looks like
Regulators don’t wait for a data breach to investigate cookie compliance. DPA complaints can be filed by any individual who notices a tracker firing in their browser. Browser extensions like Privacy Badger, uBlock Origin, and the Meta Pixel Helper make this trivially visible to technically literate users — and technically literate users file complaints.
The enforcement pattern is consistent across the EU:
- France (CNIL): Issued formal notices to Google and Meta in 2022 for pre-consent cookie writes, resulting in fines of €150M (Google) and €60M (Meta). Simultaneously issued notices to publishers using those tags in non-compliant configurations.
- Belgium (APD): Fined organisations for _fbp and _ga writes appearing before consent, explicitly rejecting the argument that a visible banner equates to consent.
- Germany (DSK): Published guidance stating that GA4 with default configuration does not satisfy GDPR — specifically because measurement pings transmit IP-derived data without prior consent.
- Italy (Garante): Issued a formal order against a major news site in 2023 for pre-consent advertising trackers; required remediation within 90 days.
How to verify your own implementation
Open a private browser window with no prior cookies. Load your site. Open DevTools → Network and filter by google-analytics.com, connect.facebook.net, doubleclick.net, and any session recorder domain. Watch what fires before you touch the banner.
What you’ll typically find: the GA4 hit fires in the first 200ms of page load. The Pixel fires at 400ms. The banner renders at 600ms. The user hasn’t touched anything.
This tells you whether you have a problem. It doesn’t tell you what payload was transmitted, which cookies were written, or whether yesterday’s deployment made things worse. For a timestamped, documented network capture — the kind you can show a client or a regulator — you need a full scan.
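The manual DevTools check can be made repeatable by exporting the Network tab as a HAR file and comparing request times with the moment Accept was clicked. The script below is an added example, not a tool from this article; the function names, the `consentAt` parameter and the sample capture are constructed for illustration, and the domain list is the one from the filter above.

```javascript
// Added example. Domains come from the DevTools filter described above;
// add your session recorder's domain to the list.
const TRACKER_DOMAINS = ['google-analytics.com', 'connect.facebook.net', 'doubleclick.net'];

// Match the domain or a true subdomain, so "notdoubleclick.net" is not a hit.
function trackerFor(url) {
  const host = new URL(url).hostname.toLowerCase();
  return TRACKER_DOMAINS.find(d => host === d || host.endsWith('.' + d)) || null;
}

// har: parsed HAR 1.2 object. consentAt: ISO time of the Accept click, or
// null if the banner was never touched (every tracker request then counts).
function preConsentHits(har, consentAt) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  const times = har.log.entries.map(e => Date.parse(e.startedDateTime));
  const pageStart = Math.min(...times);
  return har.log.entries
    .map((e, i) => ({ e, t: times[i], tracker: trackerFor(e.request.url) }))
    .filter(x => x.tracker !== null && x.t < cutoff)
    .map(x => ({
      tracker: x.tracker,
      msAfterLoad: x.t - pageStart,
      // Query parameter names show what the request carried.
      params: [...new URL(x.e.request.url).searchParams.keys()],
      // Cookies the third party set in its response.
      cookiesSet: ((x.e.response && x.e.response.cookies) || []).map(c => c.name),
    }));
}

// Constructed sample capture (not real traffic); example.test is a placeholder site.
const entry = (time, url, cookies = []) => ({
  startedDateTime: `2024-01-01T10:00:${time}Z`,
  request: { url },
  response: { cookies },
});
const SAMPLE_HAR = { log: { entries: [
  entry('00.000', 'https://example.test/'),
  entry('00.200', 'https://www.google-analytics.com/g/collect?tid=G-EXAMPLE&cid=1.2&en=page_view'),
  entry('00.400', 'https://connect.facebook.net/en_US/fbevents.js'),
  entry('00.450', 'https://notdoubleclick.net/x.js'),
  entry('05.000', 'https://stats.g.doubleclick.net/collect', [{ name: 'IDE' }]),
] } };

// Accept was clicked 3 s after load in this constructed session.
const hits = preConsentHits(SAMPLE_HAR, '2024-01-01T10:00:03.000Z');
console.log(hits);
```

An empty result for a capture taken in a fresh private window is the outcome you want; any entry in it is a request that left the page before consent existed.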