GDPR-006 critical Consent Management

Consent enforced before tracking

No tracking before consent. Configure GTM consent mode (or equivalent), ensure backend respects consent flags, verify no scripts fire pre-consent.

Question to ask

"What fires before a user clicks accept on your banner?"

Related items

section-22 section-32

Verification guide

Severity: Critical

No tracking should occur before the user gives consent. This requires proper configuration of tag managers and backend systems.
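Added example (not code from the original checklist or from Google): the front-end half of the requirement, written in the shape of GTM / Google Consent Mode. Storage types are defaulted to `denied` before anything loads, and non-Google vendor tags that GTM does not gate for you are held in a queue until the banner grants their category. The `dataLayer`/`gtag` shim is the standard GTM snippet; the tag registry, the `analytics`/`marketing` category names and the `load` callback are assumptions for illustration, so the block runs without a browser.

```javascript
// Added example: consent-gated tag loading in the shape of Google Consent Mode.
// The tag registry, category names and the `load` callback are assumed for
// illustration; `dataLayer`/`gtag` are the standard GTM snippet shapes.

// The gtag shim exactly as the GTM snippet defines it: every call is queued.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Step 1: default every storage type to denied BEFORE the GTM container or
// any tag script loads. Keys are the Consent Mode v2 storage types.
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500, // give the banner a moment to restore a saved choice
  });
}

// Map the banner's category names (assumed) to Consent Mode storage types.
const CATEGORY_TO_STORAGE = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Registry of vendor tags (session recording, pixels, ...) keyed by the consent
// category they need. `load` is a hypothetical callback that would inject the
// vendor script in a real page; here it is whatever the caller passes in.
const pendingTags = [];
function registerTag(name, category, load) {
  pendingTags.push({ name, category, load, fired: false });
}

// Current consent state, derived by replaying the dataLayer so that a later
// 'update' overrides the 'default'.
function consentState() {
  const state = {};
  for (const args of dataLayer) {
    if (args[0] === 'consent' && (args[1] === 'default' || args[1] === 'update')) {
      Object.assign(state, args[2]);
    }
  }
  return state;
}

function isGranted(category, state) {
  const keys = CATEGORY_TO_STORAGE[category] || [];
  return keys.length > 0 && keys.every((k) => state[k] === 'granted');
}

// Fire only tags whose category is granted; everything else stays queued.
// Returns the names of tags fired by this call.
function flushTags() {
  const state = consentState();
  const fired = [];
  for (const tag of pendingTags) {
    if (!tag.fired && isGranted(tag.category, state)) {
      tag.load();
      tag.fired = true;
      fired.push(tag.name);
    }
  }
  return fired;
}

// Step 2: the banner's accept handler calls this with the chosen categories.
function grantConsent(categories) {
  const update = {};
  for (const c of categories) {
    for (const k of CATEGORY_TO_STORAGE[c] || []) update[k] = 'granted';
  }
  gtag('consent', 'update', update);
  return flushTags();
}

// Names of every tag that has fired so far (what "what fires before accept?" asks).
function firedTags() {
  return pendingTags.filter((t) => t.fired).map((t) => t.name);
}

// Usage in a page: setConsentDefaults() in <head> before the GTM snippet,
// registerTag(...) for each vendor script, then grantConsent([...]) from the banner.
```

The check the verification guide asks for ("what fires before accept?") is `firedTags()` before `grantConsent` is ever called: it must be empty, and a partial grant (analytics only) must leave the marketing tags queued.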

Check automatically:

# Look for consent mode / GTM consent integration
grep -riE "consent.*mode|gtag.*consent|consent.*update|granted|denied" src/ app/ public/ --include="*.ts" --include="*.js" --include="*.html"

# Check for cookie consent libraries
grep -riE "cookieconsent|cookie.*banner|consent.*banner|onetrust|cookiebot|trustarc|osano" package.json src/ public/ --include="*.json" --include="*.ts" --include="*.js" --include="*.html"

# Look for consent checks before analytics
grep -riE "if.*consent|consent.*check|has.*consent|analytics.*consent" src/ app/ --include="*.ts" --include="*.js"

# Check GTM container for consent settings (if exported)
find . -name "GTM-*.json" -o -name "*tag*manager*.json" 2>/dev/null | head -5

# Backend consent flag handling
grep -riE "consent.*header|consent.*cookie|check.*consent|x-consent" src/ app/ middleware/ --include="*.ts" --include="*.js" --include="*.py"

Ask user:

  • "What consent tool do you use?" (OneTrust, Cookiebot, custom, none?)
  • "Is GTM configured with consent mode?" (default denied until consent?)
  • "Does your backend check consent before server-side tracking?"
  • "Have you verified no tracking fires before consent is given?"
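Added example (not code from the original checklist): the backend half of the requirement, a server-side event forwarder that refuses to record anything unless the visitor's consent flags allow the event's category, with a missing or malformed consent cookie treated as "no consent". The cookie name `consent`, its JSON shape, the request object fields and the `sink` are assumptions for illustration; a real service would read whatever its consent tool actually sets.

```javascript
// Added example: server-side tracking guarded by consent flags.
// Cookie name "consent", its JSON shape, the request shape and `sink` are assumed.

// Parse a Cookie header into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read consent flags from the request. Deny by default: no cookie, unparsable
// cookie, or any value other than literal true means the category is not granted.
function readConsent(req) {
  const denied = { analytics: false, marketing: false };
  const raw = parseCookies(req.headers && req.headers.cookie).consent;
  if (!raw) return denied;
  try {
    const parsed = JSON.parse(raw);
    return { analytics: parsed.analytics === true, marketing: parsed.marketing === true };
  } catch {
    return denied;
  }
}

// Forward an event to the analytics sink only when its category is granted.
// Returns whether it was sent, so callers (and tests) can verify the gate.
function trackServerSide(req, event, sink) {
  const consent = readConsent(req);
  if (!consent[event.category]) {
    return { sent: false, reason: `no ${event.category} consent` };
  }
  sink.push({ name: event.name, ...event.props });
  return { sent: true };
}

// Express-style middleware: attach consent to the request once so later
// handlers read req.consent instead of re-parsing (and re-deciding) themselves.
function consentMiddleware(req, res, next) {
  req.consent = readConsent(req);
  next();
}
```

The design choice worth copying is the default: every failure path in `readConsent` resolves to "denied", so a bug in the banner, a stale cookie format or a stripped header never turns into unconsented server-side tracking.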

Consent enforcement checklist:

Component                              | Consent-Aware?
---------------------------------------|---------------
Google Analytics                       |
Facebook Pixel                         |
Other marketing tags                   |
Server-side analytics                  |
Session recording (Hotjar, FullStory)  |
A/B testing tools                      |

Cross-reference with:

  • Section 22 (Frontend Performance) - consent banners affect page load
  • Section 32 (CSP) - consent scripts need CSP allowlisting

Pass criteria:

  • Consent banner/mechanism implemented
  • GTM consent mode configured (or equivalent for other tag managers)
  • Backend respects consent flags for server-side tracking
  • Verified: no tracking scripts fire before consent granted

Fail criteria:

  • No consent mechanism (tracking fires immediately)
  • Consent banner exists but GTM ignores it
  • Frontend consent-aware but backend tracks regardless
  • "We have a banner but haven't verified it actually blocks anything"

Evidence to capture:

  • Consent tool in use
  • GTM consent mode status (configured or not)
  • Backend consent handling (yes/no/N/A)
  • Verification method (how do you know it works?)

Section: 37. GDPR & Privacy Compliance

Operations & Incident Management