CMP Tag Leakage

CMP installed but tags still firing?

Troubleshooting for OneTrust, Cookiebot, CookieYes, TrustArc, Didomi, Osano, Usercentrics, and custom CMP setups where tags still run before consent or after reject.

Implementation context

Start from observable behavior, then repair the consent contract.

A CMP can collect a valid preference while the browser still runs tags that do not respect that preference.

The failure usually sits between CMP categories, callbacks, consent cookies, GTM triggers, auto-blocking, hard-coded scripts, embedded apps, and regional templates.

ModeConsent tests the runtime behavior and builds the map that shows which tags are governed, which vendors are bypassing the CMP, and where the repair belongs.

What breaks

The failure pattern usually starts before the dashboard can see it.

01. Callbacks lose the race

All Pages, DOM Ready, pageview events, and vendor loaders can run before the CMP creates usable consent state.

02. Categories are not wired to execution

Performance, analytics, targeting, and functional categories must control GTM triggers, Consent Mode updates, and script loaders.

03. Auto-blocking does not cover everything

Custom HTML, app embeds, tag templates, and scripts inserted after page load can bypass CMP scanning.

04. Regional templates drift

A correct EU template can coexist with weaker behavior on US, subdomain, language, or fallback routes.

How ModeConsent fixes it

Repair the consent system where visitors and tags actually interact.

  1. Compare preference state to tag behavior

    Capture CMP state, GTM events, Consent Mode signals, storage writes, and requests under each visitor choice.

  2. Map categories to vendors

    Tie each analytics, advertising, chat, heatmap, conversion, and session replay tag to a CMP category and control.

  3. Repair race conditions

    Move defaults, callbacks, triggers, and blocking rules earlier than the tags they govern.

  4. Retest high-value flows

    Validate product, checkout, lead form, campaign, and landing-page templates after repair.
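Steps 1 and 2 above, sketched as an added example (not ModeConsent's code): it replays a captured timeline of consent signals and third-party requests and reports every request that ran without a grant for its category. The event shape, the `.example` host names, and the vendor-to-category map are assumptions constructed for illustration.

```javascript
// Vendor host -> CMP category. Hypothetical mapping; build the real one from the tag inventory.
const VENDOR_CATEGORY = {
  "analytics.example": "analytics",
  "ads.example": "targeting",
  "replay.example": "performance",
};

// Constructed capture of an "analytics only" visit (t = ms since navigation start).
// Assumes the capture contains third-party requests only.
const ANALYTICS_ONLY_SESSION = [
  { t: 120, type: "request", url: "https://analytics.example/collect?ev=pageview" },
  { t: 340, type: "consent", state: { analytics: "denied", targeting: "denied", performance: "denied" } },
  { t: 2100, type: "consent", state: { analytics: "granted" } },
  { t: 2150, type: "request", url: "https://analytics.example/collect?ev=click" },
  { t: 2180, type: "request", url: "https://ads.example/pixel" },
  { t: 2400, type: "request", url: "https://chat.example/widget.js" },
];

// Replays one session in time order and returns each request that ran without a grant.
function findLeaks(timeline, vendorCategory = VENDOR_CATEGORY) {
  let consent = null; // null = the CMP has not published any consent state yet
  const leaks = [];
  const ordered = [...timeline].sort((a, b) => a.t - b.t);
  for (const ev of ordered) {
    if (ev.type === "consent") {
      // Later signals update only the categories they name.
      consent = { ...(consent || {}), ...ev.state };
      continue;
    }
    if (ev.type !== "request") continue;
    const host = new URL(ev.url).hostname;
    const category = vendorCategory[host];
    if (!category) {
      // No category means no CMP control governs this vendor.
      leaks.push({ t: ev.t, host, reason: "unmapped-vendor" });
    } else if (consent === null) {
      // The tag won the race against the CMP default.
      leaks.push({ t: ev.t, host, category, reason: "before-consent-state" });
    } else if (consent[category] !== "granted") {
      leaks.push({ t: ev.t, host, category, reason: "category-denied" });
    }
  }
  return leaks;
}

console.log(findLeaks(ANALYTICS_ONLY_SESSION));
```

Run it once per visitor choice (accept all, reject all, each partial selection) and per regional template; an empty result is the pass condition for that combination.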

Request audit

Need evidence for the live consent stack?
Start with browser behavior.
