Pre-consent tracking GDPR fines: what DPAs are issuing in 2024 and 2025
Google Analytics, Meta Pixel, and TikTok pixel firing before a visitor accepts cookies is the single most-fined GDPR violation pattern in the EU. Here are the recent decisions with amounts, what regulators specifically cite, and the one-minute DevTools check that confirms whether your store is exposed.
Pre-consent tracking happens when a tracker (Google Analytics, Meta Pixel, TikTok pixel, LinkedIn Insight Tag, or similar) loads and fires a request before the visitor has accepted cookies. It is the single most-fined GDPR violation pattern across the EU in 2022 to 2025. The mechanics are simple. The legal exposure is real.
There is a recurring shape to recent decisions across France, Italy, Spain, and the Netherlands. The complaint is filed. The DPA opens the website in a fresh browser session. The network tab shows a request to google-analytics.com or facebook.com firing before the cookie banner is interacted with. The decision lands a few months later.
Recent DPA decisions on pre-consent tracking
Enforcement: France, CNIL, 6 January 2022: 60 million euros against Google LLC and 60 million euros against Facebook Ireland for the design of the cookie refusal flow on google.fr and facebook.com. Decision references SAN-2021-023 and SAN-2021-024.
Enforcement: France, CNIL, 2023 onwards: ongoing series of formal notices against publishers using Google Analytics without supplementary measures, following the 10 February 2022 decision against an unnamed website operator.
Enforcement: Italy, Garante, 9 June 2022, Ordinanza n. 224: order against Caffeina S.r.l. for transferring Google Analytics data to the United States without adequate safeguards.
Enforcement: Netherlands, Autoriteit Persoonsgegevens, 2024: 600,000 euros against a major Dutch news publisher for tracking visitors before consent.
What do regulators specifically cite?
Every decision points to the same combination. Article 5(3) of the ePrivacy Directive 2002/58/EC requires consent before storing or accessing information on the user's device. Article 6 of GDPR requires a lawful basis before processing personal data. A pre-consent tracker fails both at once.
Most stores have a cookie banner. That is not the question. The question is whether the script tag for the tracker is gated by the banner's accept event, or whether it loads regardless.
How does pre-consent firing happen on Shopify and WooCommerce?
Shopify's native Customer Privacy API offers a way to gate scripts on consent state. Most installed analytics apps do not use it. They inject the pixel through theme.liquid or through a Google Tag Manager container that runs unconditionally.
WooCommerce stores often install a CMP plugin (Cookiebot, Iubenda, Complianz, CookieYes) and then independently add the GA4 snippet via a separate plugin or directly in functions.php. The CMP is unaware of that second snippet and cannot gate it.
The result is the same in both cases. A fresh visitor lands on the homepage, the banner appears, and the tracker has already sent a request before the visitor moved the mouse.
How we test this
ComplianceGuardHQ does not assume your storefront fires trackers before consent. We test it. A free scan loads your homepage in a fresh browser session from an EU IP, records every outbound network request before any banner interaction, and reports which trackers fire too early with the exact request URL as evidence.
How do I test my storefront for pre-consent tracking?
Open your storefront in a fresh private window. Open DevTools, Network tab, filter by google-analytics, facebook, tiktok, doubleclick, linkedin, hotjar, segment. Reload. Read the list before you click the banner. Anything in that list is a candidate for the kind of finding the CNIL has been issuing notices for.
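The same check can be repeated over a HAR file saved from the Network tab, which gives a record to hand over rather than a screenshot. This is an added example, not ComplianceGuardHQ's scanner; the function name, sample hosts, paths and timestamps are constructed for illustration.

```javascript
// Filter terms from the DevTools check described in the text.
const TRACKER_FILTERS = ['google-analytics', 'facebook', 'tiktok',
  'doubleclick', 'linkedin', 'hotjar', 'segment'];

// har: parsed HAR export (DevTools > Network > "Save all as HAR").
// consentAt: ISO time of the banner click, or null if the banner was never touched.
function findPreConsentRequests(har, consentAt = null) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  if (Number.isNaN(cutoff)) throw new Error(`unparseable consentAt: ${consentAt}`);
  const findings = [];
  for (const { request, startedDateTime } of har.log.entries) {
    let host;
    try {
      host = new URL(request.url).hostname.toLowerCase();
    } catch {
      continue; // malformed URL in the capture: nothing to attribute
    }
    // Match on the hostname only, so a first-party URL that merely mentions
    // a tracker name in its path or query string is not reported.
    const tracker = TRACKER_FILTERS.find((term) => host.includes(term));
    if (tracker && Date.parse(startedDateTime) < cutoff) {
      findings.push({ tracker, host, url: request.url, startedDateTime });
    }
  }
  return findings.sort(
    (a, b) => Date.parse(a.startedDateTime) - Date.parse(b.startedDateTime));
}

// Constructed sample capture: two trackers fire before the click, one after.
const sampleHar = { log: { entries: [
  { startedDateTime: '2025-01-15T10:00:00.000Z',
    request: { url: 'https://shop.example/' } },
  { startedDateTime: '2025-01-15T10:00:01.200Z',
    request: { url: 'https://connect.facebook.net/en_US/fbevents.js' } },
  { startedDateTime: '2025-01-15T10:00:00.800Z',
    request: { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE' } },
  { startedDateTime: '2025-01-15T10:00:01.000Z',
    request: { url: 'https://shop.example/products?ref=facebook' } },
  { startedDateTime: '2025-01-15T10:00:09.000Z',
    request: { url: 'https://analytics.tiktok.com/i18n/pixel/events.js' } },
] } };

const CONSENT_CLICK = '2025-01-15T10:00:05.000Z'; // constructed banner-click time
for (const f of findPreConsentRequests(sampleHar, CONSENT_CLICK)) {
  console.log(`${f.startedDateTime}  ${f.tracker}  ${f.url}`);
}
```

For a capture taken without touching the banner, call the function with no second argument; a correctly gated store returns an empty list.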
Run a free ComplianceGuardHQ scan if you want the same check from an EU residential IP, across 15 EU languages, with citation and evidence ready for handover to legal.
Frequently asked questions
What is pre-consent tracking?
Pre-consent tracking is when a tracker (Google Analytics, Meta Pixel, or similar) sends a network request to a third-party endpoint before the visitor has accepted cookies through the consent banner. It breaches ePrivacy Article 5(3) and GDPR Article 6.
What is the typical fine for pre-consent tracking?
Published decisions range from 5,000 euros for small publishers to 60 million euros each against Google and Facebook in CNIL decisions SAN-2021-023 and SAN-2021-024. Median fines for mid-market merchants sit in the 30,000 to 250,000 euro range.
Did the EU-US Data Privacy Framework solve the GA4 problem?
Partially. The adequacy decision adopted on 10 July 2023 provides a lawful transfer mechanism to DPF-certified US recipients. It does not fix a pre-consent install: if the script fires before consent, neither GDPR Article 6 nor ePrivacy Article 5(3) is satisfied regardless of the transfer leg.
Which trackers most commonly fire before consent?
On a default Shopify install with the Customer Privacy API toggle off, Meta Pixel and Google Analytics 4 fire on the first pageview. On WooCommerce stores with a CMP and a separately-installed GA4 plugin, the GA4 plugin is the most common culprit.
How do I check if my storefront fires trackers before consent?
Open the storefront in a private window. Open DevTools, Network tab, filter by tracker domain. Reload and read the request list before any banner interaction. Anything in the list is firing pre-consent.
Run the check on your store
ComplianceGuardHQ runs 37 automated checks across 8 EU frameworks against your live storefront in about 60 seconds. Free baseline scan, no install.
ComplianceGuardHQ runs an automated technical scan. Findings cite the directive text and enforcement precedent. They are not legal advice. Consult a qualified lawyer or Data Protection Officer for binding interpretation in your jurisdiction.