Showing a cookie banner is not enough. Under the ePrivacy Directive and the GDPR, non-essential cookies must be blocked from loading until the visitor gives explicit consent. That means no analytics scripts, no advertising pixels, and no social media embeds firing on page load - regardless of what the banner says.

The French data protection authority (CNIL) made this point rather expensive for SHEIN in September 2025, issuing a 150 million euro fine after finding that advertising cookies were placed on visitors' devices the moment they landed on the site - before any interaction with the consent banner. The same month, Google was fined 325 million euros for manipulative cookie consent flows during account creation. These are not isolated cases. The CNIL sanctioned 21 entities for cookie violations in 2025 alone, with combined fines reaching nearly 487 million euros.

What the Law Actually Requires

Article 5(3) of the ePrivacy Directive requires prior, informed consent before any information is stored on or accessed from a user's device - unless strictly necessary to provide the requested service. The GDPR (Article 4(11)) then defines valid consent: freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. Scrolling does not count.

This creates a two-step obligation: prevent all non-essential cookies from executing before consent, then obtain valid consent before unblocking them.

Which Cookies Must Be Blocked?

Not every cookie needs prior consent. Cookie categories matter here.

Category                 | Examples                                      | Consent Required?
Strictly necessary       | PHPSESSID, csrf_token, load balancer cookies  | No
Functional / Preference  | pll_language, currency_pref                   | Yes (in most EU jurisdictions)
Analytics / Statistics   | _ga, _gid, _hjSessionUser                     | Yes
Marketing / Advertising  | _fbp, _gcl_au, IDE                            | Yes

Strictly necessary cookies are the only exemption - session identifiers, CSRF tokens, load-balancing cookies. A language preference cookie fails the test because the user requested a web page, not a language-remembering service.

National implementations vary. Germany's TTDSG requires consent for all analytics without exception. France's CNIL permits a limited Matomo exemption for audience measurement if properly configured. The safest approach: block everything except strictly necessary cookies by default.

Three Technical Approaches to Cookie Blocking

There are three main methods to prevent non-essential cookies from loading before consent. Each has trade-offs in terms of effort, reliability, and maintenance burden.

1. Manual Script Markup

This method involves modifying each third-party script so the browser treats it as inert text. Change the type attribute from text/javascript to text/plain, then add a data attribute telling the CMP which consent category the script belongs to.

Before: <script type="text/javascript" src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>

After: <script type="text/plain" data-cookie-category="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>

The browser ignores type="text/plain" scripts entirely. The CMP watches for consent events, then reactivates matching scripts by switching the type back and re-inserting them into the DOM.

For iframes (YouTube embeds, social widgets, maps), rename src to data-src. Without a valid src, the iframe loads nothing. On consent, the CMP copies data-src back to src.

Manual markup gives complete control but scales poorly. Every new script and embed must be individually tagged - miss one, and you have a compliance gap.
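The reactivation step described above, as an added example that is not code from the original page or from any CMP: it assumes the CMP dispatches a DOM event named cookie_consent_update (hypothetical) whose detail is an object such as {analytics: true, marketing: false}, and that scripts and iframes carry the data-cookie-category attribute shown in the markup.

```javascript
// Added example, not code from the original page or any CMP: a minimal activation
// routine for the text/plain markup above. Assumes the CMP dispatches a DOM event named
// "cookie_consent_update" (hypothetical) whose detail is {analytics: true, marketing: false, ...}.
const CATEGORY_ATTR = "data-cookie-category";

// Pure decision logic: which tagged elements may be activated under `consent`.
// Elements only need getAttribute(), so real DOM nodes and test stubs both work.
function selectActivatable(elements, consent) {
  return elements.filter((el) => {
    const category = el.getAttribute(CATEGORY_ATTR);
    // Fail closed: untagged elements and categories the visitor did not grant stay inert.
    return category !== null && consent != null && consent[category] === true;
  });
}

// Flipping .type on an existing <script> never runs it; a fresh node has to be inserted.
function activateScript(doc, original) {
  const fresh = doc.createElement("script");
  for (const { name, value } of Array.from(original.attributes)) {
    if (name !== "type") fresh.setAttribute(name, value);
  }
  fresh.type = "text/javascript";
  if (!original.getAttribute("src")) fresh.textContent = original.textContent; // inline script
  original.parentNode.replaceChild(fresh, original);
  return fresh;
}

// An iframe with data-src but no src loads nothing; copying it back starts the load.
function activateIframe(frame) {
  const src = frame.getAttribute("data-src");
  if (src) {
    frame.setAttribute("src", src);
    frame.removeAttribute("data-src");
  }
  return frame;
}

function applyConsent(doc, consent) {
  const scripts = Array.from(doc.querySelectorAll(`script[type="text/plain"][${CATEGORY_ATTR}]`));
  const frames = Array.from(doc.querySelectorAll(`iframe[data-src][${CATEGORY_ATTR}]`));
  selectActivatable(scripts, consent).forEach((s) => activateScript(doc, s));
  selectActivatable(frames, consent).forEach(activateIframe);
}

// Browser only: wire the routine to the CMP's consent event.
if (typeof document !== "undefined") {
  document.addEventListener("cookie_consent_update", (e) => applyConsent(document, e.detail));
}
```

Elements whose category is not in the consent object stay blocked, which is the safe behaviour when a new tag is added with a category the banner does not yet offer.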

2. Google Tag Manager with Consent Mode

If scripts are deployed through Google Tag Manager (GTM), consent-based firing can be configured at the tag level. Set default consent states, create consent-aware triggers, and configure tags to respect those states.

The critical step is initialising Google Consent Mode v2 before GTM loads. This snippet must appear first in the <head>, before the GTM container script:

window.dataLayer = window.dataLayer || []; function gtag() { dataLayer.push(arguments); } // define the queue and gtag() first, or the call below throws
gtag("consent", "default", { ad_storage: "denied", analytics_storage: "denied", ad_user_data: "denied", ad_personalization: "denied" });

With all types defaulting to "denied", Google tags with built-in consent checks (GA4, Google Ads, Floodlight) automatically adjust. In Basic mode, tags do not fire until consent is granted. In Advanced mode, tags send cookieless pings and use modelled conversions to fill data gaps.

For non-Google tags (Meta Pixel, LinkedIn Insight, Hotjar), create a custom event trigger listening for a cookie_consent_update event that fires only when the relevant category is granted. Assign this trigger to each non-essential tag so it remains dormant until the CMP pushes the consent event to the data layer.
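The default-then-update sequence and the data layer event for non-Google tags, as an added example that is not code from the original page or from Google or any CMP. It assumes the CMP reports consent as an object like {analytics: true, marketing: false}; the event name cookie_consent_update and its consent_* fields are illustrative names the GTM trigger would be configured against.

```javascript
// Added example, not code from the original page, Google, or any CMP vendor. Assumes the
// CMP reports consent as {analytics: bool, marketing: bool}; event/field names are illustrative.

// Consent Mode v2 parameter names (these four are the real Google identifiers).
const CONSENT_MODE_KEYS = ["ad_storage", "analytics_storage", "ad_user_data", "ad_personalization"];

// gtag() as used by Consent Mode: every call is queued on window.dataLayer for GTM to read.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// Fail-closed default: everything denied until the visitor decides.
function consentDefaults() {
  return Object.fromEntries(CONSENT_MODE_KEYS.map((k) => [k, "denied"]));
}

// Map CMP categories to Consent Mode parameters. Analytics consent only unlocks
// analytics_storage; all three advertising keys require the marketing category.
function toConsentModeUpdate(categories) {
  const yes = (flag) => (flag === true ? "granted" : "denied");
  return {
    analytics_storage: yes(categories.analytics),
    ad_storage: yes(categories.marketing),
    ad_user_data: yes(categories.marketing),
    ad_personalization: yes(categories.marketing),
  };
}

// Run once in <head>, before the GTM container script, so tags see "denied" on load.
function initConsentMode(dataLayer) {
  const gtag = makeGtag(dataLayer);
  gtag("consent", "default", consentDefaults());
  return gtag;
}

// Run whenever the CMP records a choice (accept, reject, or a later change).
function publishConsent(dataLayer, gtag, categories) {
  // Google tags with built-in consent checks read this update.
  gtag("consent", "update", toConsentModeUpdate(categories));
  // Non-Google tags fire on this custom event through a GTM trigger (hypothetical event name).
  dataLayer.push({ event: "cookie_consent_update",
                   consent_analytics: categories.analytics === true,
                   consent_marketing: categories.marketing === true });
}
```

In GTM, the custom event trigger for a non-Google tag would match event "cookie_consent_update" and additionally require the matching consent_* data layer variable to be true, so a rejection event does not fire the tag.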

3. Automatic CMP-Based Blocking

Most modern CMPs offer automatic blocking. The CMP script loads first in <head>, scans the page for known third-party scripts, and intercepts them before execution. This is the fastest path to compliance for sites with many third-party integrations.

Automatic blocking relies on a classification database that the CMP builds during regular cookie scans. After scanning, the CMP generates a configuration file mapping each detected script to a consent category. On page load, the auto-blocker compares every element about to be injected into the DOM against this configuration and modifies non-essential elements so they cannot load.

The trade-off is control. Auto-blockers can sometimes block scripts that should run (false positives) or miss scripts that should be blocked (false negatives). A new marketing tag added between scans will not be in the configuration file, so it will fire unblocked until the next scan completes. Scheduled scans - weekly or monthly - reduce this window, but manual review remains necessary after adding any new integration.

Common Mistakes That Break Compliance

Even sites that attempt cookie blocking often get the details wrong. The ICO reviewed the top 1,000 UK websites in January 2025 and issued warnings to 134 of the first 200 examined. The Dutch DPA warned 50 organisations in April 2025, giving three-month remediation windows.

  • CMP script loads too late. If it is not the first script in <head>, other scripts execute before the blocker initialises. Performance plugins that reorder scripts are a common culprit.
  • Consent Mode defaults to "granted". An estimated 67% of Consent Mode v2 implementations default parameters to "granted" before user interaction - the opposite of what the law requires.
  • Banner without blocking. A banner that displays but does not technically prevent scripts from firing is cosmetic, not compliant. Regulators inspect network traffic, not just visual design.
  • Withdrawal does not stop tracking. The SHEIN fine cited non-functional opt-out mechanisms. Clicking "Reject" must delete already-set cookies and prevent new ones from loading.

How to Verify Cookie Blocking Works

After implementing any blocking method, test in a private browsing window before interacting with the consent banner.

In Chrome DevTools, open the Application tab and expand Cookies. Before consent, the only cookies present should be strictly necessary ones and the CMP's own consent cookie. Any _ga, _fbp, or similar tracking cookies appearing at this stage indicate a blocking failure.

Check the Network tab too. Filter by third-party domains (google-analytics.com, connect.facebook.net) and reload. Requests to these domains before consent mean scripts are firing too early.

Run a cookie scan after each change to third-party integrations. Automated scans catch regressions that manual testing misses - a developer adding a Meta Pixel snippet directly to a template, bypassing the tag manager, is a classic example.
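The manual checks above, condensed into a helper that can be pasted into the DevTools console of a private window before touching the banner. This is an added example, not code from the original page or from Kukie.io; the strictly-necessary allowlist, the CMP cookie name, and the tracking-host list are illustrative and would be tailored to the site.

```javascript
// Added example, not from the original page: a pre-consent audit helper for the DevTools
// console. Allowlist, CMP cookie name and tracking-host list are illustrative placeholders.
const STRICTLY_NECESSARY = ["PHPSESSID", "csrf_token"]; // plus any load-balancer cookie
const CMP_CONSENT_COOKIE = "cookie_consent";              // hypothetical name of the CMP's own cookie
const TRACKING_PREFIXES = ["_ga", "_gid", "_gat", "_fbp", "_gcl", "IDE", "_hj"];
const TRACKING_HOSTS = ["google-analytics.com", "googletagmanager.com", "connect.facebook.net", "doubleclick.net"];

// Parse a document.cookie string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(";").map((c) => c.trim().split("=")[0]).filter((n) => n.length > 0);
}

// Cookies present before consent that are neither strictly necessary nor the CMP's own.
// Known tracker prefixes are flagged; anything else unlisted is still returned for review.
function unexpectedCookies(cookieString, allow = [...STRICTLY_NECESSARY, CMP_CONSENT_COOKIE]) {
  return cookieNames(cookieString)
    .filter((name) => !allow.includes(name))
    .map((name) => ({ name, knownTracker: TRACKING_PREFIXES.some((p) => name.startsWith(p)) }));
}

// A URL hits a tracking host if its hostname equals, or is a subdomain of, a listed domain.
function isTrackingHost(url) {
  const host = new URL(url).hostname;
  return TRACKING_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Resource requests already made on this page load that went to tracking hosts.
function earlyTrackingRequests(urls) {
  return urls.filter(isTrackingHost);
}

// Browser only. Note: document.cookie omits HttpOnly cookies, so also check the
// Application tab, and run this before any click on the banner.
if (typeof document !== "undefined") {
  const urls = performance.getEntriesByType("resource").map((e) => e.name);
  console.table(unexpectedCookies(document.cookie));
  console.log("early tracking requests:", earlyTrackingRequests(urls));
}
```

Any entry with knownTracker true, or any URL in the early-requests list, is a blocking failure of the kind the regulators described above look for in network traffic.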

Browser-Side Cookie Blocking vs. Website-Side Blocking

Visitors can also block cookies from their end using browser settings. Safari blocks all third-party cookies by default through Intelligent Tracking Prevention (ITP) and caps JavaScript-set first-party cookie expiry at seven days. Firefox's Total Cookie Protection partitions cookies per site, preventing cross-site tracking even when cookies are technically set. Chrome still allows third-party cookies by default in standard browsing mode, though it blocks them in Incognito and offers a user-choice prompt for privacy settings.

Browser-level blocking protects the individual user, but it does not satisfy the website operator's legal obligations. The ePrivacy Directive requires the operator to obtain consent before placing cookies - not merely to hope the browser will prevent them. A site that fires tracking scripts without consent is non-compliant even if 100% of its visitors use Safari.

What About Server-Side Tracking?

Server-side tracking shifts data collection from the browser to a first-party server endpoint, reducing reliance on client-side cookies. It bypasses some browser restrictions (like ITP's seven-day cap on JavaScript cookies) because the server sets cookies via HTTP headers with longer lifespans.

This does not eliminate the consent requirement. If the server-side setup collects personal data, identifies users, or shares data with third parties, it falls under the same GDPR and ePrivacy rules. The CNIL and other DPAs have been explicit: the legal obligation attaches to the act of storing or accessing information on the user's device, regardless of whether the mechanism is a client-side script or a server-set cookie.

Server-side tracking can improve data accuracy and reduce client-side bloat, but it is not a consent workaround.

Frequently Asked Questions

Do I need to block cookies if my website only targets US visitors?

It depends on which US state your visitors are in. The CCPA and CPRA use an opt-out model rather than opt-in, so prior blocking is not required in California. But if any EU or UK visitors reach your site, the ePrivacy Directive's prior consent rule applies. Geo-detection can help serve different consent models by region.

Can I use Google Analytics without blocking it first?

In most EU jurisdictions, no. Germany's TTDSG requires consent for all analytics. France's CNIL allows a narrow exemption for properly anonymised first-party analytics tools like Matomo, but Google Analytics does not qualify for exemption under CNIL guidance. The safest approach is to block GA4 until the visitor consents to analytics cookies.

What happens if a new script is added after my last cookie scan?

If the script is not in the CMP's configuration file, automatic blocking will not catch it. The script will fire freely until the next scan detects and categorises it. Run scans after every deployment that introduces new third-party code, and consider weekly scheduled scans to catch unexpected additions.

Does changing script type to text/plain affect page speed?

It improves initial page speed. Blocked scripts do not download or execute until consent is given, so the page loads fewer resources upfront. Visitors who reject non-essential cookies will experience a faster site throughout their session since those scripts never load at all.

Is a cookie banner enough to comply with GDPR?

No. A banner is the visible interface, but compliance requires technical enforcement behind it. Cookies must be actively blocked before consent, the banner must present clear and equal accept/reject options, consent must be logged as proof, and withdrawal must actually stop tracking. A banner without blocking is cosmetic, not compliant.

How do I block cookies set by embedded YouTube videos?

Replace the iframe's src attribute with a data attribute (such as data-src) and assign it a marketing or advertising consent category. The iframe will load empty until the visitor consents. Some CMPs handle this automatically. YouTube also offers a privacy-enhanced mode (youtube-nocookie.com) that reduces tracking but does not eliminate all cookies.

Can cookie blocking break my website's functionality?

It can if essential scripts are incorrectly categorised as non-essential. Test thoroughly after implementation. Common issues include chat widgets failing to load, embedded maps disappearing, and payment processors being blocked. Only strictly necessary scripts should remain unblocked - everything else requires consent.

Get Your Cookie Blocking Right

If you are unsure which cookies your site sets or whether they are properly blocked, start with a scan. Kukie.io detects every cookie and third-party tracker on your site, categorises them, and provides the script blocking tools to enforce consent before anything fires.
