There is a specific silence in a call when I share my screen, load the client's site in a fresh browser, click "Reject all" on their consent banner, and we watch the network tab light up with analytics and marketing requests anyway.
Nobody lied to them. The banner plugin does block things: the things it was told about. The gap is everything else, and in the setups I audit, there is almost always an everything else.
Why your banner blocks less than you think
A consent management platform is not a firewall. It cannot see "all tracking" and switch it off. It controls exactly two kinds of things: tags it was explicitly integrated with, and (if configured) tags in your tag manager that were wired to consent state. Everything outside those two sets never asked the banner's permission and never will.
The banner vendor's marketing says "compliance in one script tag." What it means is "a consent signal in one script tag; wiring your site to obey the signal is your job." That second sentence is the product you actually needed, and it is not in the box.
The five places tags leak past consent
These five cover nearly every leak I find:
- Hardcoded tags outside the tag manager. The Facebook pixel a developer pasted into the theme in 2022, the chat widget, the A/B testing snippet. The CMP has never heard of them, so they fire on page one, consent or none.
- Tags that are in the tag manager but not wired to consent. The container respects consent only for tags someone actually configured to require it. New tags added in a hurry default to firing. One unticked box, and that tag lives outside the law of the banner.
- Race conditions. The page loads, tags fire in the first few hundred milliseconds, the banner renders afterwards and asks a question the tags already answered themselves. Everything looks compliant to the eye, because the banner is right there, asking politely after the fact.
- Third-party scripts that bring friends. You consented one vendor; its script injects two more. Embedded video players, review widgets, and ad tags are the usual carriers. Your consent tool never saw the passengers.
- Consent Mode confusion. Google's Consent Mode in its "advanced" configuration sends cookieless pings to Google even when consent is denied; that is documented, intended behavior for modeling. Whether you are comfortable with it is a real decision, but I keep meeting teams who believe "we have Consent Mode" means "nothing is sent without consent." That is not what it means, and finding out during an audit is the good version of finding out.
How to test it yourself in fifteen minutes
You need a browser, DevTools, and honesty. No tools to buy.
- Open a private window (no logins, no cached consent). Open DevTools, Network tab, and set it to preserve log.
- Load your homepage and do not touch the banner. Watch the requests: filter for names like google-analytics, googletagmanager, facebook, doubleclick, tiktok, hotjar, clarity. Anything firing now is firing before consent.
- Fresh private window. This time reject everything. Browse three pages, add something to cart. Same filters. Everything you see now is firing against an explicit no; this list is your exposure.
- One more window. Accept everything, and keep this list as your baseline for what should fire only after a yes.
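Added example, not code from the original post: once you have the three captures, paste the request URLs from each run (copied from the Network tab or a HAR export) into a script like this, and it reports which of the filter names above fire before any interaction, under reject, and under accept, plus which tags show up identically under reject and accept and are therefore not gated by the banner at all. The site, hostnames and URLs in the sample are constructed.

```javascript
// The filter names from the test procedure; matched against the whole URL,
// as the Network tab filter box does.
const TRACKER_PATTERNS = [
  "google-analytics", "googletagmanager", "facebook", "doubleclick",
  "tiktok", "hotjar", "clarity",
];

// Return the first pattern a URL matches, or null when it is not a known tracker.
function trackerFor(url) {
  const lower = url.toLowerCase();
  return TRACKER_PATTERNS.find((p) => lower.includes(p)) ?? null;
}

// Unique tracker names seen in a list of request URLs, sorted for stable output.
function trackersIn(urls) {
  return [...new Set(urls.map(trackerFor).filter(Boolean))].sort();
}

// runs = { noInteraction: [urls], rejectAll: [urls], acceptAll: [urls] }
// preConsent: fired before the banner was answered (race or hardcoded tag)
// exposure:   fired against an explicit "reject all"
// baseline:   what fires after "accept all"
// ungated:    in both reject and accept, so the banner never controlled it
function auditConsentRuns(runs) {
  const preConsent = trackersIn(runs.noInteraction);
  const exposure = trackersIn(runs.rejectAll);
  const baseline = trackersIn(runs.acceptAll);
  const ungated = baseline.filter((t) => exposure.includes(t));
  return { preConsent, exposure, baseline, ungated };
}

// Constructed sample capture for a hypothetical shop; hostnames are illustrative only.
const SAMPLE_RUNS = {
  noInteraction: [
    "https://shop.example/",
    "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://cdn.example/theme.css",
  ],
  rejectAll: [
    "https://shop.example/cart",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://static.hotjar.com/c/hotjar-1.js",
  ],
  acceptAll: [
    "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE",
    "https://www.google-analytics.com/g/collect?v=2",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://static.hotjar.com/c/hotjar-1.js",
    "https://www.clarity.ms/tag/example",
  ],
};

console.log(auditConsentRuns(SAMPLE_RUNS));
```

In the sample, the Facebook and Hotjar scripts appear in the reject run and the accept run alike, which is exactly the "hardcoded or unwired tag" case from the list of leaks.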
Fifteen minutes, and you now know more about your real consent behavior than your banner's dashboard will ever tell you, because the dashboard reports what the banner did, not what your site did.
One honest caveat: the network tab tells you what fires, and mapping that to what is lawful for your situation is legal territory. I map the technical truth; the obligations are your lawyer's half. The combination works; either half alone mostly does not.
What to do about what you find
The fixes are unglamorous: route everything through the tag manager, wire every tag to consent state deliberately, hunt down the hardcoded stragglers, retest the race, and delete the zombie tags nobody can explain (there are always zombie tags nobody can explain).
Then keep it that way, which is the harder part; every new campaign pixel is a fresh chance to leak. Write the rule down: no tag ships without a consent mapping.
If your list from the test above is long, or the person who would fix it left two years ago, this is literally the job of my Compliancy audit: €500 flat, one to two days, every tag inspected live under all three consent states, and a fix list ordered by real-world risk rather than by theoretical maximum fines. Bring your own lawyer for the legal half; you will both get an accurate map to work from. And if the deeper problem is that consent losses are gutting your data, the server-side conversation is honest about what recovery is and is not allowed to mean.