What Happens Before You Click Accept
I check what scripts load before the cookie consent banner appears. On every site I audit, tracking starts before you get a choice. Here’s what I keep finding.
I audit websites for a living. One of the first things I check is what happens before the cookie consent banner appears. The answer, on almost every site I look at, is the same: they’re already tracking you.
How it works
When you visit a website, the page loads from top to bottom. The code at the top runs first. On most sites I audit, the tracking scripts — Google Analytics, Facebook Pixel, Google Ads — are near the top of the page. The cookie consent banner loads further down.
By the time you see “Accept cookies?” on screen, the cookies are already set. Your visit has already been recorded. The question is being asked after the answer has already been decided for you.
What I actually see
I recently audited a local business website. Their Facebook Pixel was firing a Purchase event on every single page load. Not when someone bought something. On every page. Including the homepage. It was sending Facebook a purchase value of £0.00 every time someone visited.
That means Facebook thought every visitor was a buyer. When they ran ads, Facebook couldn’t tell the difference between someone who bought and someone who bounced after three seconds. Their entire ad targeting was broken and they had no idea. They were wasting money every single day.
And all of it was happening before the cookie banner appeared.
On another site, I found Google Tag Manager loading on line 32 of the page source. The cookie consent library didn’t load until line 54. That’s not a grey area. Under UK law, specifically PECR, you need consent before you start tracking. Not after. Not at the same time. Before.
The one that really got me
I audited a school website. Google Analytics was tracking every visitor before the cookie banner appeared. The visitors include children. The school’s own cookie policy listed the tracking cookies and their durations — a 2-year analytics cookie being set on every child who visited the site, before anyone had the chance to say yes or no.
The third-party portals the school used for student records had proper security. Full headers, firewalls, the lot. But the school’s own website, the front door that parents and kids visit every day, had nothing. No security headers, no proper consent, tracking from the first millisecond.
How to check your own site
This takes about 30 seconds.
- Go to your website
- Right-click anywhere and select “View Page Source”
- Press Ctrl+F and search for “gtag” or “gtm” or “fbq” or “analytics”
- Note the line number
- Now search for “consent” or “cookie”
- Note that line number
If the tracking script is on a lower line number than the consent script, your visitors are being tracked before they consent. That’s a PECR violation and it’s the most common issue I find.
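The same check as a script, added here as an example (it is not a tool from the audits described above). It goes a step beyond the Ctrl+F search by matching only inside script tags, so a "cookie policy" link or meta description is not mistaken for the consent library. The names `ScriptOrder` and `audit` and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Search terms from the manual check above.
TRACKER = re.compile(r"gtag|gtm|fbq|analytics", re.I)
CONSENT = re.compile(r"consent|cookie", re.I)

class ScriptOrder(HTMLParser):
    """Collect [source_line, src + inline body] for every <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append([self.getpos()[0], dict(attrs).get("src") or ""])

    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def audit(html):
    """Return (first tracker line, first consent line, tracked_before_consent)."""
    parser = ScriptOrder()
    parser.feed(html)
    parser.close()
    first = lambda rx: next((ln for ln, txt in parser.scripts if rx.search(txt)), None)
    tracker, consent = first(TRACKER), first(CONSENT)
    flagged = tracker is not None and (consent is None or tracker < consent)
    return tracker, consent, flagged

# Constructed sample page (not from any audited site). Line 4 mentions "cookie"
# outside a script, which a plain Ctrl+F would count as the consent hit.
SAMPLE = """<!doctype html>
<html>
<head>
<meta name="description" content="Shop. Read our cookie policy.">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>fbq('track', 'PageView');</script>
</head>
<body>
<script src="/js/consent-banner.js"></script>
</body>
</html>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

This reads the static page source only, so tags injected at runtime by a tag manager will not appear; confirm a flagged result in the browser's network tab before the banner is answered.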
Why it matters
The ICO hasn’t been fining small businesses for cookie consent issues. Yet. But the direction of travel is clear. And beyond compliance, if your tracking fires before consent, your analytics data is wrong. Your ad targeting is wrong. You’re making business decisions based on broken data.
A proper consent setup costs nothing. It just needs to be done right.