How to Block Cookies Before Consent in Consently

Block cookies, scripts, and iframes before consent in Consently: install the script first, let auto-blocking hold trackers, then verify it with DevTools.


by Riad Us Salehin • 5 July 2026


To block cookies before consent, install a consent script that loads first. It holds every non-essential cookie, script, and iframe until the visitor chooses, then releases only what they allow. Consently does this automatically from your cookie scan, on every plan, and blocks scripts and embeds, not just cookies.

This guide covers site-level blocking on your own domain, not a browser extension that hides banners for visitors. Below: the setup steps, when to tag a script manually, and how to verify blocking actually works.

What Does "Blocking Cookies Before Consent" Actually Mean?

Blocking cookies before consent means holding every non-essential cookie, script, and iframe until the visitor makes an explicit choice. Only strictly necessary cookies, the ones a site needs to function, may load before that choice. Every other category releases only once the visitor allows it.

A banner that merely appears is not the same thing as blocking. If Google Analytics, the Meta Pixel, or an ad script already ran by page load, the site violated ePrivacy Article 5(3). This holds no matter what the visitor clicks next.

Here's how to set that up in Consently.

What You Need to Get Started in Consently

You need a Consently account with your site added, the one-line script ready to install, and access to your site's <head> or tag manager. Prior blocking runs on every plan, so nothing here needs an upgrade.

Plan required: Cookie auto-blocking, script blocking, iframe blocking, and Google Consent Mode v2 are included on Basic, Premium, and Enterprise. Plans differ only on domain count and monthly pageviews; see how Consently's plans are priced by domains and pageviews.

Features you'll use:

  • Consently's cookie auto-blocking, which holds non-essential scripts from your scan
  • The automatic full-site scan, which finds every cookie, tracker, script, and iframe before blocking can act on it
  • Script blocking and iframe blocking, which extend the same hold to embeds and third-party code, not just cookies
  • Google Consent Mode v2, which signals consent state to Google Analytics and Google Ads automatically

Starting point: Open your site's dashboard in Consently and grab the embed script from the Embed Script modal. There is no dedicated blocking template. Auto-blocking runs from your scan results, so no separate template exists for this setup.

Not using Consently yet? Start a Consently trial that runs 14 days with no credit card, then follow the steps below on your own site.

How to Block Cookies Before Consent in Consently: Step-by-Step

Setting up prior blocking in Consently takes five steps. Install the script first, scan the site, let auto-blocking hold what it recognizes, tag anything it misses, then confirm consent releases the right categories.

Step 1: Install the Consently Script First, Before Any Tracker

Paste the Consently script at the very top of your site's <head>, above Google Tag Manager and every other tracking tag. Consently must load and start holding scripts before anything else has a chance to fire.

If a tracking tag sits above Consently in the <head>, that tag can execute in the gap before blocking starts. Script load order is the single most overlooked cause of blocking that looks configured but does not actually work.

If you install through Google Tag Manager, use the Custom HTML tag and sequence it to fire before every other tag. For the full GTM click path, see how to set up cookie consent in GTM.

💡 Tip: Consently must be the first thing that loads. A tag sitting above it in the <head> can fire before blocking starts, even if the banner appears correctly a moment later.

[Screenshot: the Consently embed script pasted at the top of the site's <head>, above GTM and tracking tags]

Alt: Code editor showing the Consently script tag as the first line inside the head element, positioned above a Google Tag Manager script tag.

Step 2: Scan Your Site So Consently Knows What to Block

Run the automatic full-site scan from the Cookie Manager. Consently discovers every cookie, tracker, script, and iframe on your site and sorts each one into a category: essential, analytics, advertising, and so on.

This scan result is the inventory auto-blocking acts on in Step 3. Add unlinked or funnel-only URLs to the manual URL scan list first. A page the scan never visits cannot be categorized.

Done: the Cookie Manager shows scan results grouped by category. Cookies, scripts, and iframes each appear under their category.

[Screenshot: Consently Cookie Manager scan results showing detected cookies, scripts, and iframes grouped by category]

Alt: Consently Cookie Manager dashboard displaying scan results in category columns labeled Essential, Analytics, and Advertising, each listing detected cookies and scripts.

Step 3: Let Auto-Blocking Hold Non-Essential Cookies, Scripts, and Iframes

With the scan complete, Consently automatically blocks every recognized non-essential cookie, script, and iframe until the visitor consents. Strictly necessary cookies keep loading, since the site needs them to function.

Confirm the scan categorized everything correctly. A cookie or script sitting in the wrong category releases at the wrong time, so check the category list before moving on. Blocked iframes, a YouTube embed or a Google Map, show an editable placeholder instead of loading silently, covered in more depth further down this guide.

This automatic path is what most sites need. Step 4 covers the exception.

Step 4: Tag Any Script Auto-Blocking Did Not Catch

For a custom or uncommon script the scan does not auto-recognize, add it manually in the Cookie Manager. Use its script URL pattern and assign the right category. The script then stays held until that category is consented to, the same as any auto-detected script.

Manual tagging is standard across consent platforms, though the exact mechanism differs by vendor. Some tools have you edit the script tag itself, setting its type to text/plain and adding a category attribute so it stays inert until consent. Consently instead matches the script by its URL pattern in the Cookie Manager's add-cookie flow. You do not have to touch the tag's code. A common example is an analytics or advertising script served from an unrecognized domain.

[Screenshot: the add-cookie script URL pattern field in Consently's Cookie Manager, where an uncaught script is tagged to a category]

Alt: Consently Cookie Manager add-cookie form showing a script URL pattern field and a category dropdown for manually tagging an unrecognized script.

Step 5: Confirm Consent Releases Only What the Visitor Allows

When a visitor accepts a category, Consently releases only that category's scripts and cookies. Reject keeps everything in that category blocked, and withdrawing consent later re-blocks it.

Declining cookies should change nothing on the page. The default before any choice is that no consent was given. Declining and ignoring the banner should be equivalent, as one Reddit thread on implementing this correctly put it. Explicit-consent-only means nothing non-essential runs on load or on "ignore," which is how Consently is built by default. The next section shows how to confirm this holds on your own site.

Auto-Blocking vs Manually Tagging Every Script: Which Do You Need?

Most sites should rely on automatic auto-blocking, which handles common third-party scripts directly from the scan. You only need manual tagging when a custom or unrecognized script slips past that scan.

Automatic auto-blockingManual script tagging
What it coversKnown scripts, cookies, and iframes the scan recognizesCustom or unrecognized scripts the scan missed
Effort requiredNone after the scan runsAdd the script's URL pattern and category by hand
When to use itThe default for nearly every siteOnly for the scripts auto-blocking does not catch

Run the scan first and let auto-blocking do the work. Check back after major site changes. A new widget or ad tag can slip in unrecognized until the next scan or a manual tag catches it.

Blocking Google Tags and the Meta Pixel With Consent Mode and GTM

For Google Analytics, Google Ads, and the Meta Pixel, Consently blocks the underlying scripts before consent. It also signals Google Consent Mode v2 automatically, with no manual gtag('consent') code required. If you run tags through Google Tag Manager, sequence Consently to fire first or use consent-gated triggers.

Consent Mode v2 sets and updates four signals as consent changes:

  • ad_storage controls whether advertising cookies may be stored.
  • analytics_storage controls whether analytics cookies may be stored.
  • ad_user_data controls whether user data is sent to Google for ads.
  • ad_personalization controls whether data feeds personalized advertising.

Without this signaling, a common failure shows up on Reddit's GTM and GDPR communities. A site owner sets up cookie consent, then discovers Google Tag Manager keeps tracking visitors who declined. The standard manual fix is a custom GTM trigger: a Trigger Type of Custom Event tied to the consent tool's accepted event. That trigger then replaces the default one on every tag, GA4 and the Meta Pixel included. Consently's automatic Consent Mode v2 setup replaces that manual trigger work for Google's own tags.

The GTM sibling guide linked in Step 1 covers the full click-by-click walkthrough. To hold the Meta Pixel and Google Analytics specifically, the pixel-specific and GA-specific guides cover the tag-level setup in more depth.

How to Test That Cookies Are Really Blocked Before Consent

Testing prior blocking takes a private browser window, DevTools, and a few minutes. Run this test after every setup change. A misconfigured script or a new tracker can silently break blocking again.

To verify blocking on your own site:

  1. Open your site in a private or incognito window.
  2. Do not touch the banner yet.
  3. Open DevTools and go to Application, then Cookies.
  4. Check for third-party cookies such as _ga (Google Analytics) or _fbp (Meta Pixel) set before any choice.
  5. If either appears before you clicked anything, blocking is not working.
  6. Accept one category, analytics for example.
  7. Confirm only that category's cookies now appear in the list.

The screenshot below shows what a clean result looks like.

[Screenshot: browser DevTools Application > Cookies in an incognito window, banner untouched, showing only strictly-necessary cookies present]

Alt: Chrome DevTools Cookies panel in an incognito window, listing only essential session cookies with no analytics or advertising cookies present.

If you see _ga or _fbp load before you interact with the banner, that is a live ePrivacy Article 5(3) violation. This is exactly the gap Step 1's script load order closes. A consent script that loads after a tracker cannot stop that tracker's first request.

Consently Features That Make Prior Blocking Airtight

Three Consently capabilities close the gaps that plain cookie blocking leaves open. They are editable placeholders for blocked embeds, automatic Consent Mode v2, and country-based script loading.

Editable Placeholders for Blocked Embeds

When Consently blocks a YouTube video, a Google Map, or a social embed, it shows an editable placeholder instead of a blank space. The page does not look broken while the visitor decides, and the visitor can still choose to load the embed from that placeholder. This is a differentiator over blocking that only handles cookies, since Consently blocks the embed itself, not just the cookie it would have set.

Automatic Google Consent Mode v2

Consently sets and updates Consent Mode v2 signals automatically on install, without manual gtag('consent') code. This replaces the manual GTM custom-trigger work for Google's own tags specifically. Non-Google tags still route through GTM sequencing or their own consent-gated triggers.

Country-Based Script Loading

Consently can load or hold scripts based on the visitor's country. EU visitors get strict prior blocking while other regions can follow their own applicable rules. Country-level granularity is still maturing, so verify the exact geotargeting behavior for your use case in the dashboard.

Everything above already runs on every plan. For the full feature list beyond blocking, see everything Consently does.

What Prior Blocking Cannot Do on Its Own

Prior blocking stops non-essential trackers from firing before consent. It is not a full compliance program by itself, and it is not guaranteed for every third-party widget. Three limits matter in practice.

  • Blocking is the technical layer. A site still needs a compliant banner, published policies, and consent records to back it up. The full path from a working banner to a complete compliance program is covered in how to comply with cookie laws. The specific legal requirements a banner must meet are covered in GDPR cookie consent requirements.
  • A small number of custom or injected third-party widgets can still partially execute even with auto-blocking active. When that happens, the fix is the manual script tag from Step 4 or the iframe placeholder from the airtight-features section above.
  • Consently does not detect a visitor's browser-level Global Privacy Control or other universal opt-out signal. Blocking here runs on the visitor's actual banner choice, not on a browser-sent signal.

Consently is tooling that enforces the technical side of prior blocking. It does not itself constitute legal compliance, and no CMP can guarantee that on its own.

FAQs

How do I block cookies before consent is given?

Install a consent script that loads before every other tracker, then run a scan so the platform knows what to block. Let auto-blocking hold every non-essential cookie until the visitor chooses. In Consently, this is Steps 1 through 3 above.

Does Consently block scripts and third-party embeds, or only cookies?

Consently blocks cookies, third-party scripts, and iframes or embeds, with an editable placeholder shown where an embed is held back. Blocking is not limited to cookies alone.

Why do my trackers still fire after I added a cookie banner?

A banner is only the visible interface. Trackers fire regardless of the banner if the tracking script loads first, or if the platform is not actually configured to block. The fix is loading Consently first in <head> and confirming auto-blocking is active.

Do I have to tag every script manually in Consently?

No. Auto-blocking handles common third-party scripts directly from your scan. You only tag a script manually when it is custom or uncommon enough that the scan does not recognize it.

How do I stop the Meta Pixel or Google Analytics from firing before consent?

Consently holds the Meta Pixel and Google Analytics scripts until consent and signals Google Consent Mode v2 automatically for Google's tags. See how to block the Meta Pixel before consent and how to get consent for Google Analytics for the tag-specific setup.

How do I know the blocking is actually working?

Open your site in an incognito window and do not touch the banner. Check DevTools under Application, then Cookies, for third-party cookies like _ga or _fbp before any choice. If you see them, blocking is not working yet.

Is cookie blocking before consent available on the Basic plan?

Yes. Cookie, script, and iframe blocking run on every plan, Basic included. Plans differ only on domain count and pageviews.

Does blocking cookies before consent break my website or checkout?

No, as long as checkout and session cookies are categorized as essential. Essential cookies keep loading regardless of consent, since the site needs them to function.

Is prior blocking legally required?

Yes. Under GDPR and ePrivacy Directive Article 5(3), non-essential cookies must be blocked until the visitor gives explicit consent. This is the site owner's legal obligation; Consently is the tooling that enforces it technically, not legal advice.

A banner that appears but does not block is decoration, not compliance. Consently blocks cookies, scripts, and iframes automatically from your scan on every plan, and the DevTools test above lets you verify it in minutes. Start your free 14-day Consently trial, no credit card required.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.