How to detect tracking before consent
To detect tracking before consent, review a fresh page load before any consent interaction and compare observed tracking requests, cookies, and consent-surface evidence. CertScore.ai automates this review as a public website risk signal for teams to investigate.
Direct answer
Tracking before consent is detected when classified tracking requests, vendor activity, or non-essential cookies appear before the scan records a consent choice.
The result should be reviewed against the underlying request, cookie, and consent evidence before deciding whether a site configuration needs to change.
Why it matters
Consent tools, tag managers, analytics snippets, and embedded services can drift out of sync with the intended banner configuration.
A repeatable scan helps teams find live behavior that may deserve review without relying on a one-time manual browser check.
What CertScore observes
CertScore.ai observes request timing, cookie timing, vendor-like hosts, consent UI signals, and whether activity appears before a recorded choice.
The scan focuses on public website evidence and does not expose proprietary probe definitions or private evaluation fixtures.
Example evidence
A sanitized example might show an analytics request to analytics.example/collect during the initial page-load window before a banner interaction.
Another example might show a marketing cookie associated with a third-party host appearing before the scan records an accept or reject choice.
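The timing rule above can be written as a small classifier over a captured event timeline. This is an added example, not CertScore.ai code: the event shape, the CLASSES table and the function name reviewTimeline are assumptions, and the timelines are constructed to mirror this page's illustrative samples, including the reject case in the sample findings.

```javascript
// Constructed classification table (assumption); a real review needs a maintained vendor list.
const CLASSES = {
  "request:tagmanager.example": { essentiality: "unknown", purposeCategory: "tag_manager" },
  "request:analytics.example": { essentiality: "non_essential", purposeCategory: "analytics_measurement" },
  "cookie:_ga": { essentiality: "non_essential", purposeCategory: "analytics_identifier" },
};
// Constructed timelines; timestamps mirror the page's illustrative samples.
const NO_CHOICE = [
  { type: "request", key: "tagmanager.example", timestampMs: 1137 },
  { type: "request", key: "analytics.example", timestampMs: 3405 },
  { type: "cookie", key: "_ga", timestampMs: 3468 },
];
const AFTER_REJECT = [
  { type: "consent_action", choice: "reject", timestampMs: 2600 },
  { type: "request", key: "analytics.example", timestampMs: 4120 },
];
const TAG_MANAGER_ONLY = [{ type: "request", key: "tagmanager.example", timestampMs: 1137 }];

// events: [{ type: "request" | "cookie" | "consent_action", key, timestampMs, choice? }]
function reviewTimeline(events) {
  const sorted = [...events].sort((a, b) => a.timestampMs - b.timestampMs);
  const consent = sorted.find((e) => e.type === "consent_action") || null;
  const findings = {};
  const context = [];
  for (const e of sorted) {
    if (e.type === "consent_action") continue;
    const cls = CLASSES[`${e.type}:${e.key}`] || { essentiality: "unknown" };
    let id = null;
    if (cls.essentiality === "non_essential") {
      // No recorded choice means every observed event is pre-consent.
      if (!consent || e.timestampMs < consent.timestampMs) id = "pre_consent_tracking_detected";
      else if (consent.choice === "reject") id = "reject_tracking_persists_after_reject";
    }
    if (id) {
      (findings[id] = findings[id] || []).push({ ...e, ...cls, role: "finding_supporting_artifact" });
    } else if (cls.essentiality === "unknown") {
      // Tag-manager-only or unclassified activity is context, not a finding.
      context.push({ ...e, ...cls, role: "supporting_context_only" });
    }
  }
  const consent_state_observed = consent ? consent.choice : "no_choice_observed";
  return { consent_state_observed, findings, context, manualReviewNeeded: true };
}

console.log(JSON.stringify(reviewTimeline(NO_CHOICE), null, 2));
```

A post-reject hit that lands shortly after the click may be a beacon queued before the reject, which the sample findings list as a reason to demote; this sketch does not model that case.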
What teams should review next
Review consent-platform rules, tag-manager triggers, geography-specific banner behavior, and whether prior consent state could affect the observation.
After configuration changes, repeat the scan and compare whether the observed pre-consent activity changed.
Sample finding JSON from scans
Representative payloads from retained scan examples for the finding types discussed on this page.
Third-party tracking observed before recorded consent
pre_consent_tracking_detected
Illustrative public evidence sample
{
"example_type": "positive",
"domain": "example.com",
"requested_url": "https://example.com/",
"final_url": "https://example.com/",
"created_at": "2026-05-18T18:20:10.442Z",
"scanned_at": "2026-05-18T18:20:18.912Z",
"finding_id": "pre_consent_tracking_detected",
"finding_label": "Third-party tracking observed before recorded consent",
"section": "Privacy & Tracking",
"evidenceConfidence": "strong",
"directVsInferred": "direct_observation",
"evidence": {
"counts": {
"firstRequestMs": 1137,
"firstThirdPartyRequestMs": 3405,
"firstCookieSeenMs": 3468,
"total_cookie_count": 3,
"total_vendor_count": 2,
"total_request_count": 12,
"total_tracker_count": 1,
"third_party_cookie_count": 0,
"third_party_request_count": 2,
"preConsentTrackingRequestCount": 1,
"preConsentTrackingSignalCount": 2
},
"evidence_snippets": [
"Example Tag Manager",
"Example Analytics",
"tagmanager.example",
"analytics.example",
"script_host:tagmanager.example",
"request:https://analytics.example/g/collect [query_redacted=true]",
"cookie:_ga [value_redacted=true]"
],
"vendors": [
"Example Tag Manager",
"Example Analytics"
],
"request_domains": [
"tagmanager.example",
"analytics.example"
],
"request_samples": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookie_samples": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"consent_summary": {
"cmp_vendor": "Example CMP",
"preconsent_tracking_detected": true,
"banner_present": true,
"consent_state_observed": "no_choice_observed",
"consent_action_observed_before_first_signal": false,
"observed_prior_consent_state_for_purpose": false
},
"fingerprinting_or_device_signals": {
"fingerprinting_vendor_detected": false,
"device_signal_vendor_detected": null
},
"runtime_anchors": [
"req_002:https://analytics.example/g/collect [query_redacted=true]",
"storage_001:_ga [value_redacted=true]"
]
},
"coverage_flags": [],
"known_limitations": [
"Illustrative public sample with redacted query strings and cookie values.",
"Review consent state, vendor purpose, regional configuration, and exemptions before taking action."
],
"selection_reason": "Illustrative public sample with consent timeline, classified non-essential runtime anchors, and usable coverage.",
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [
"req_002:https://analytics.example/g/collect [query_redacted=true]",
"storage_001:_ga [value_redacted=true]"
],
"requestSamples": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookieOrStorageSamples": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Privacy & Tracking",
"criticality": "review",
"evidenceConfidence": "strong",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Classified non-essential request/storage before observed consent."
],
"highConfidenceRequires": [
"Usable coverage.",
"Purpose classification.",
"Runtime anchor."
],
"criticalOrTopRankingRequires": [
"Advertising/replay/identifier-sync or sensitive-surface context."
],
"demoteOrSuppressWhen": [
"Tag manager only.",
"Strict necessity.",
"Blocked scan.",
"Unreliable timing."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample with consent timeline, classified non-essential runtime anchors, and usable coverage.",
"consentTimeline": {
"firstRequestMs": 1137,
"firstThirdPartyRequestMs": 3405,
"firstCookieSeenMs": 3468,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookieOrStorageArtifacts": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"vendorCategory": "Example Tag Manager",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}
Non-essential tracking continued after reject
reject_tracking_persists_after_reject
Illustrative public evidence sample
{
"finding_id": "reject_tracking_persists_after_reject",
"finding_label": "Non-essential tracking continued after reject",
"category": "Consent / tracking",
"criticality": "high",
"evidenceConfidence": "good",
"directVsInferred": "direct_observation",
"observed": "Retained runtime evidence showed a reject-style consent interaction followed by classified non-essential request or storage activity in the observed scan scope.",
"evidence": {
"summary": "Retained runtime evidence showed a reject-style consent interaction followed by classified non-essential request or storage activity in the observed scan scope.",
"examples": [
{
"title": "Post-reject runtime artifact",
"lines": [
"artifact=req_002",
"role=finding_supporting_artifact",
"url=https://example.com/",
"reject_action_timestamp_ms=2600",
"reject_action_observed=true",
"post_reject_request_timestamp_ms=4120",
"request_origin=https://analytics.example",
"request_path=/collect [query_redacted=true]",
"vendor_category=analytics",
"essentiality=non_essential",
"review_caveat=manual review should confirm reject success, queued-beacon timing, purpose, necessity, and CMP/vendor configuration"
]
}
],
"automationLimits": [
"Automated evidence may not fully determine reject success, queued beacons, vendor responsibility, consent validity, or legal status.",
"Manual review is needed to confirm timing, purpose, CMP propagation, and remediation quality."
]
},
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [],
"requestSamples": [],
"cookieOrStorageSamples": [],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Review signal",
"criticality": "high",
"evidenceConfidence": "good",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Reject interaction plus post-reject classified non-essential request/storage."
],
"highConfidenceRequires": [
"Reject success.",
"Pre/post sequence.",
"Artifact classification."
],
"criticalOrTopRankingRequires": [
"Post-reject advertising/replay/identifier sync or repeated post-reject artifacts."
],
"demoteOrSuppressWhen": [
"Reject button present but not clicked.",
"Unknown essentiality.",
"Queued pre-reject beacon likely."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample selected to show retained evidence, directness, limits, and top-finding calibration.",
"consentTimeline": {
"firstRequestMs": null,
"firstThirdPartyRequestMs": null,
"firstCookieSeenMs": null,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [],
"cookieOrStorageArtifacts": [],
"vendorCategory": "manual_review_recommended",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}
Third-party cookie or storage observed before consent
third_party_cookie_pre_consent
Illustrative public evidence sample
{
"finding_id": "third_party_cookie_pre_consent",
"finding_label": "Third-party cookie or storage observed before consent",
"category": "Cookies",
"criticality": "high",
"evidenceConfidence": "review_signal",
"directVsInferred": "direct_observation",
"observed": "Retained runtime evidence showed a third-party cookie or storage artifact observed before CertScore recorded a consent action or a prior consent state associated with that purpose.",
"evidence": {
"summary": "Retained runtime evidence showed a third-party cookie or storage artifact observed before CertScore recorded a consent action or a prior consent state associated with that purpose.",
"examples": [
{
"title": "Third-party cookie timing example",
"lines": [
"artifact=storage_001",
"role=finding_supporting_artifact",
"url=https://example.com/",
"type=cookie_observed",
"cookie_name=example_id",
"value_redacted=true",
"cookie_domain=.ads.example",
"cookie_scope=third_party",
"first_seen_ms=1840",
"consent_action_observed_before_first_seen=false",
"prior_consent_state_for_purpose=false",
"purpose_category=advertising_or_measurement [manual_review_recommended]"
]
}
],
"automationLimits": [
"Automated storage evidence may not determine purpose, necessity, exemption status, or legal status.",
"Manual review is needed to confirm cookie purpose, consent state, regional configuration, and remediation quality."
]
},
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [],
"requestSamples": [],
"cookieOrStorageSamples": [],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Review signal",
"criticality": "high",
"evidenceConfidence": "review_signal",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Third-party cookie/storage artifact before consent."
],
"highConfidenceRequires": [
"Domain/scope/timing plus purpose or vendor classification."
],
"criticalOrTopRankingRequires": [
"Advertising/identity/sync persistent storage or repeated pages."
],
"demoteOrSuppressWhen": [
"Request only.",
"Cookie name only.",
"Unknown timing.",
"Blocked scan."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample selected to show retained evidence, directness, limits, and top-finding calibration.",
"consentTimeline": {
"firstRequestMs": null,
"firstThirdPartyRequestMs": null,
"firstCookieSeenMs": null,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [],
"cookieOrStorageArtifacts": [],
"vendorCategory": "manual_review_recommended",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}
Summary for AI assistants
How to detect tracking before consent explains an observable public website review topic in CertScore.ai's evidence-backed scanning workflow.
CertScore.ai observes public website behavior around tracking, cookies, consent behavior, session replay indicators, fingerprinting-related signals, accessibility, and privacy disclosures. CertScore.ai findings are automated risk signals for review and are not legal advice, certification, or compliance determinations.
