
gdpr

How to fix: Analytics gated behind consent

GDPR Art. 7

Why this matters

Google Analytics, Facebook Pixel, and similar trackers process personal data (IP, device fingerprint) the moment they load. They must not load until consent is given — a CMP that fires them after opt-in is the standard pattern.

Background

Analytics scripts (GA4, Mixpanel, Hotjar, FB Pixel) set non-essential cookies. Under ePrivacy, those require prior opt-in consent. A 'Reject All' button must be as prominent as 'Accept All' (CNIL, ICO guidance). Loading analytics before consent is a regulator-actionable breach.

References

GDPR Art. 7 + ePrivacy Directive — consent for non-essential cookies

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx
No server config change applies here; the fix is in the client-side JS load logic.
apache
Same.
cloudflare
Same.
wordpress
Use a consent platform (Cookiebot, CookieYes, OneTrust). Configure 'block before consent' mode + run a cookie scan to confirm GA/FB/etc. don't fire pre-consent.
flask
Don't render <script src="google-analytics.com/..."> until consent. Use a tag manager OR a small <script> that reads a consent cookie before injecting the analytics script.
express
Same pattern.
rails
Same.
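
The pattern described for flask, express and rails, as an added example that is not part of the original guide: a small script that reads a consent cookie before injecting the analytics script. The cookie name site_consent, its comma-separated value format, the consent-updated event and the analytics.example URL are assumptions for illustration.

```javascript
// Added example. Cookie name, value format, event name and URL are assumptions.
const CONSENT_COOKIE = "site_consent";                    // hypothetical cookie name
const ANALYTICS_SRC = "https://analytics.example/tag.js"; // placeholder URL

// Parse a document.cookie string into a Map; the first occurrence of a name wins.
function parseCookies(cookieString) {
  const out = new Map();
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    try {
      if (!out.has(name)) out.set(name, decodeURIComponent(part.slice(idx + 1).trim()));
    } catch (e) { /* malformed percent-encoding: treat the cookie as absent */ }
  }
  return out;
}

// Assumed value format: comma-separated categories, e.g. "necessary,analytics".
// Missing, empty, malformed or any other value means no consent (fail closed).
function hasAnalyticsConsent(cookieString) {
  const raw = parseCookies(cookieString).get(CONSENT_COOKIE);
  if (typeof raw !== "string") return false;
  return raw.split(",").map((s) => s.trim()).includes("analytics");
}

// Inject the analytics tag only when consent is recorded, and only once.
function loadAnalyticsIfConsented(doc) {
  if (!hasAnalyticsConsent(doc.cookie)) return false;
  if (doc.querySelector('script[data-analytics="1"]')) return false;
  const s = doc.createElement("script");
  s.src = ANALYTICS_SRC;
  s.async = true;
  s.setAttribute("data-analytics", "1");
  doc.head.appendChild(s);
  return true;
}

// In a browser: check on page load, and again when the banner records a choice.
if (typeof document !== "undefined") {
  loadAnalyticsIfConsented(document);
  // "consent-updated" is a hypothetical event dispatched by the consent banner.
  document.addEventListener("consent-updated", () => loadAnalyticsIfConsented(document));
}
```

The analytics <script> tag must not appear anywhere in the server-rendered HTML; this loader is the only place it is created.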

Verify it's working

DevTools → Application → Cookies. On first page load (before clicking accept), no _ga / _gid / _fbp cookies should be present.
