How to block third-party scripts until consent

You cannot block what you cannot see. Start by listing every third-party tag your site loads: analytics, advertising pixels, A/B testing, heatmaps, chat widgets, embedded video, social buttons and anything injected through a tag manager. Use a free cookie scanner to catch the ones that fire on page load before any banner appears.

Sort each tag into essential (needed for the site to function, such as load balancing or fraud prevention) and non-essential (analytics, marketing, personalization). Only essential scripts are allowed to run without consent, so everything else needs to wait.

The most common mistake is loading a tracker normally and hoping a cookie banner stops it. By the time the banner appears the script has already run and set cookies. Instead, the script must not execute until consent exists.

In hand-coded sites, change non-essential <script> tags so the browser does not execute them immediately — for example by setting the type to text/plain and adding a data attribute the consent layer recognises, then activating them only after opt-in. In a tag manager, hold tags behind a consent trigger rather than firing them on All Pages.

Once scripts no longer auto-run, release them only when the visitor accepts the matching category. A consent management platform listens for the accept event and then activates the tags tied to that category, so analytics fires only after analytics consent and ads fire only after advertising consent.

This category mapping is what keeps you compliant per visitor: someone who accepts only analytics never has advertising scripts run, and someone who rejects everything keeps every non-essential tag blocked.

If you use Google Analytics, Google Ads or the broader Google tag, blocking the script outright can break conversion measurement. Google Consent Mode v2 is the supported bridge: the tags load but adjust their behaviour based on consent state, sending cookieless pings until the visitor opts in.

Set the default consent state to denied for ad and analytics storage, then update it to granted when the visitor accepts. A consent platform that supports Consent Mode v2 pushes these signals for you so you keep modelled conversions without firing cookies before consent.

Test like an auditor. Open your site in a fresh incognito window, open the browser developer tools, and watch the Network and Application tabs before you touch the banner. No non-essential third-party requests and no marketing cookies should appear until you click Accept.

Repeat the test for Reject: after rejecting, non-essential scripts and cookies should stay absent. Re-run a cookie scan periodically, because new tags get added over time and can quietly reopen the gap you just closed.