TL;DR
- Most cookie banners display and fire GA4 at the same moment — visible banner ≠ consent registered
- Three failure modes: no consent trigger in GTM, Consent Mode misconfigured, race condition on CMP init
- The only proof that matters: zero requests to google-analytics.com before the user clicks Accept
- Verify manually in DevTools in ~3 minutes, or run a free automated scan in 10 seconds
Verdict
If you set up your cookie banner more than six months ago and haven’t audited it since, there is a higher-than-even chance GA4 is firing before consent. The DevTools test is at the bottom. The next three sections explain what you’re looking for and why it matters.
The banner is visible. GA4 fired 80ms ago.
Your CMP renders the cookie banner. The user sees it. The user hasn’t clicked anything. And GA4 has already sent a collect request to Google’s servers.
The browser parses the page, loads GTM, and GTM fires any tag set to the All Pages trigger on DOMContentLoaded — before your CMP JavaScript has finished initialising and before any consent decision has been registered.
The banner is a UI element. GA4 firing is a network event. They run on separate clocks, and GTM doesn’t wait.
Three ways GA4 beats your banner
1. The GTM tag has no consent trigger
The most common cause. Someone added GA4 via GTM, set it to fire on All Pages, and never added a Consent Check or custom consent trigger. GTM fires it unconditionally. The CMP is completely bypassed.
Fix: the GA4 tag needs a trigger that checks analytics_storage = granted before firing, or must be paired with Google’s Consent Mode so it waits for the signal.
2. Consent Mode is configured — but misconfigured
DPAs in Germany, France, and the Netherlands have taken the position that even cookieless signals require consent if they can identify a user. The reason: when analytics_storage is set to denied, GA4 does not stop sending requests. It sends cookieless pings containing session data, page URLs, and user agent strings — enough to be potentially identifying — to google-analytics.com before any consent is given.
Whether that constitutes a violation in your jurisdiction is debated. If your CMP sets default consent to denied and calls it compliant, verify that with your legal counsel.
3. The race condition
Even a technically correct setup can fail at runtime. Your CMP loads from a third-party CDN. It takes 200–400ms to initialise. GTM fires GA4 in the meantime.
This isn’t a configuration error — it’s a timing error. The intent is right. The execution is non-compliant. DPA enforcement actions don’t distinguish between the two.
What “actually blocking” looks like
Open Chrome DevTools. Go to the Network tab. Filter by google-analytics.com.
Hard-reload the page with the cache disabled. Watch the network requests as the page loads, before you interact with the consent banner.
If any requests to google-analytics.com or analytics.google.com appear before you’ve clicked Accept — GA4 is firing before consent.
After clicking Accept, requests should appear. That’s the correct behaviour.
That’s the only test that matters. Not the CMP settings panel. Not Google Tag Assistant. Not a visual inspection of your banner. The network trace.
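To keep a record of that trace, export it from the Network tab as a HAR file and check it offline. The script below is an added example, not part of the original article or of any scanner it mentions; the consent-click timestamp argument, the function names and the sample HAR are assumptions constructed for illustration.

```javascript
// Added example: audit a DevTools HAR export for GA4 requests sent before consent.
const GA_HOSTS = ["google-analytics.com", "analytics.google.com"]; // hosts named in the article

// True when the URL's hostname is one of GA_HOSTS or a subdomain of one.
// Parsing the hostname avoids false hits on look-alike domains and on
// URLs that merely carry "google-analytics.com" in a query string.
function isGaHost(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return false; // malformed or non-URL entries
  }
  return GA_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Returns every GA request that started before consentClickIso.
// consentClickIso is an assumption: the wall-clock time you clicked Accept.
// Pass null if you never clicked; then every GA request is a finding.
function preConsentHits(har, consentClickIso) {
  const cutoff = consentClickIso === null ? Infinity : Date.parse(consentClickIso);
  if (Number.isNaN(cutoff)) throw new Error("consentClickIso is not a valid timestamp");
  const entries = har.log.entries
    .map((e) => ({ url: e.request.url, t: Date.parse(e.startedDateTime) }))
    .filter((e) => !Number.isNaN(e.t))
    .sort((a, b) => a.t - b.t);
  if (entries.length === 0) return [];
  const t0 = entries[0].t; // first request of the page load
  return entries
    .filter((e) => e.t < cutoff && isGaHost(e.url))
    .map((e) => ({
      msAfterLoad: e.t - t0,
      host: new URL(e.url).hostname,
      isCollect: new URL(e.url).pathname.endsWith("/collect"),
    }));
}

// Constructed sample HAR (not captured from a real site).
const sampleHar = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.000Z", request: { url: "https://shop.example/" } },
  { startedDateTime: "2024-01-01T10:00:00.080Z", request: { url: "https://region1.google-analytics.com/g/collect?v=2" } },
  { startedDateTime: "2024-01-01T10:00:00.120Z", request: { url: "https://cdn.example/x.js?ref=google-analytics.com" } },
  { startedDateTime: "2024-01-01T10:00:05.000Z", request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
] } };

console.log(preConsentHits(sampleHar, "2024-01-01T10:00:03.000Z"));
```

An empty array is a pass. Any entry is a request that left the browser before the consent click, with its offset from the first request of the page load.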
Why this keeps happening
The CMP vendor configures the banner and hands it off. The developer wires up GTM and hands it off. Neither checks what the other did. Marketing adds a new GA4 event six months later. Nobody revisits the consent trigger.
The banner keeps looking right. The compliance keeps getting worse.
GDPR doesn’t have an “it looked fine from the outside” exemption. The regulators who handed Google Ireland a €150 million penalty and fined multiple EU publishers over cookie violations weren’t looking at the banner design. They were looking at the network trace — the same one you can pull up in DevTools right now.
If you’re managing this for a client, that exposure is yours to explain.
Run the check in 10 seconds
The manual method above takes 3–5 minutes per URL, requires DevTools proficiency, and produces no documentation you can hand to a client.
The free scan runs a headless browser against any URL, intercepts every network request from page load through consent interaction, and tells you exactly which trackers fired before consent — with timestamps, request URLs, and GDPR exposure classification.
No signup. No install.