Cookies Before Consent – How to Fix the Issue

Cookies Before Consent – How to Fix the Issue

If Google has notified you that "Cookies are being set before consent" on your website, it means Google's cookies (and potentially other third-party cookies) are being placed in the visitor's browser at page load – before the user has had an opportunity to accept or deny cookies via your cookie banner. This violates both GDPR and Google's EU User Consent Policy.

Why is this a problem?

Under GDPR and the ePrivacy Directive, active consent is required before non-essential cookies are placed. Google requires that no cookies are set until the user actively confirms consent – this applies regardless of whether the ads are personalized or not. Google needs cookies for both personalized and non-personalized ads, but they may only be set after consent.

If cookies are set before consent, user data is processed without a legal basis, which can lead to:

• Restrictions in your Google Ads account (remarketing, conversion measurement, audience targeting)
• Potential GDPR fines from data protection authorities
• Lost access to Enhanced Conversions and smart bidding strategies

Common causes of cookies being set before consent

1. Google Tag Manager loads without Consent Mode

If Google Tag Manager (GTM) loads on the page without Consent Mode configured, tags will fire immediately on page load. GA4, the Google Ads tag and other Google tags set cookies automatically unless prevented.

Solution: Implement Google Consent Mode v2 with default values set to 'denied'. This means Google's tags load but do not set cookies until consent is updated to 'granted'.

2. CMP is not blocking correctly

Many CMP solutions (Consent Management Platforms) offer automatic script blocking – but the default configuration is not always correct. If the CMP does not recognize all Google scripts, or if blocking is not activated in time, cookies can be set during the milliseconds before the CMP loads.

Solution: Check your CMP's blocking settings. Ensure all Google cookies (_ga, _gcl_au, _gid, _gac, IDE, DSID, test_cookie) are classified as "marketing" or "statistics" and require consent. Alternatively – use Consent Mode instead of script blocking.

3. Hardcoded scripts in the page source

If Google Analytics, Google Ads conversion code or other tracking scripts are placed directly in the HTML code (outside GTM), they can run and set cookies before the CMP has time to load. This is particularly common on websites migrated from older platforms.

Solution: Move all tracking scripts to GTM and manage them via Consent Mode. Remove all hardcoded Google scripts from your page source code.

4. Third-party plugins and integrations

WordPress plugins, chat widgets, analytics tools and other third-party services can set cookies without going through your CMP. Even though these are not Google cookies, they can trigger Google's warning if identified as part of a broader consent violation.

Solution: Conduct a complete cookie audit of your website. Identify all cookies being set and ensure each non-essential cookie is blocked before consent is given.

How to test if cookies are set before consent

1. Open an incognito window in Chrome.
2. Open Developer Tools (F12) and go to the Application tab → Cookies.
3. Navigate to your website – do not interact with the cookie banner.
4. Check which cookies have been set. You should not see any Google cookies (_ga, _gcl_au, _gid etc.) before consent is given.
5. Accept cookies in the banner and verify that Google cookies now appear.

You can also use tools like Cookiebot Scanner, BuiltWith or OneTrust Cookie Scanner for a more complete analysis.

Recommended solution: Consent Mode + CMP

The best solution is to combine Google Consent Mode v2 with a CMP:

1. Consent Mode is set to 'denied' as default on page load.
2. Google's tags load but set no cookies and collect no personally identifiable data.
3. When the user gives consent, Consent Mode is updated to 'granted'.
4. Only then do cookies start being set and full data collection begins.

The advantage of Consent Mode over pure script blocking is that Google can still collect anonymized, aggregated data even without consent – giving you better modeled conversions and better data to optimize against.

Need help?

Identifying and resolving all cookies being set before consent can be technically complex, especially on websites with many integrations and plugins. At Growth Hackers, we conduct complete cookie audits and implement Consent Mode with your CMP to ensure your website is compliant.

Book a free cookie audit, or read more about our measurement and analytics services.

Frequently Asked Questions

Is it enough to block Google cookies, or do all cookies need to be blocked?

Google's policy focuses on Google's own cookies, but GDPR requires consent for all non-essential cookies. We recommend handling all cookies correctly – this protects you both from Google's restrictions and from GDPR fines.

What is the difference between blocking scripts and using Consent Mode?

Script blocking prevents the tag from running at all. With Consent Mode, the tag runs but in a restricted mode that does not set cookies or collect personal data. The advantage of Consent Mode is that Google can model conversions and fill data gaps, providing better data in your reports.

How quickly does Google detect that I have fixed the issue?

Google reviews websites regularly, but it can take days to weeks before your changes are registered. You can speed up the process by requesting a new review via Google support or via euucp-escalations@google.com.