Pre-consent tracking GDPR fines: what DPAs are issuing in 2024 and 2025
Google Analytics, Meta Pixel, and TikTok pixel firing before a visitor accepts cookies is the single most-fined GDPR violation pattern in the EU. Here are the recent decisions with amounts, what regulators specifically cite, and the one-minute DevTools check that confirms whether your store is exposed.
Pre-consent tracking happens when a tracker (Google Analytics, Meta Pixel, TikTok pixel, LinkedIn Insight Tag, similar) loads and fires a request before the visitor has accepted cookies. It is the single most-fined GDPR violation pattern across the EU in 2022 to 2025. The mechanics are simple. The legal exposure is real.
There is a recurring shape to recent decisions across France, Italy, Spain, and the Netherlands. The complaint is filed. The DPA opens the website in a fresh browser session. The network tab shows a request to google-analytics.com or facebook.com firing before the cookie banner is interacted with. The decision lands a few months later.
Recent DPA decisions on pre-consent tracking
Enforcement: France, CNIL, 6 January 2022: 60 million euros against Google LLC and 60 million euros against Facebook Ireland for the design of the cookie refusal flow on google.fr and facebook.com. Decision references SAN-2021-023 and SAN-2021-024.
Enforcement: France, CNIL, 2023 onwards: ongoing series of formal notices against publishers using Google Analytics without supplementary measures, following the 10 February 2022 decision against an unnamed website operator.
Enforcement: Italy, Garante, 9 June 2022, Ordinanza n. 224: order against Caffeina S.r.l. for transferring Google Analytics data to the United States without adequate safeguards.
Enforcement: Netherlands, Autoriteit Persoonsgegevens, 2024: 600,000 euros against a major Dutch news publisher for tracking visitors before consent.
What do regulators specifically cite?
Every decision points to the same combination. Article 5(3) of the ePrivacy Directive 2002/58/EC requires consent before storing or accessing information on the user's device. Article 6 of GDPR requires a lawful basis before processing personal data. A pre-consent tracker fails both at once.
Most stores have a cookie banner. That is not the question. The question is whether the script tag for the tracker is gated by the banner's accept event, or whether it loads regardless.
How does pre-consent firing happen on Shopify and WooCommerce?
Shopify's native Customer Privacy API offers a way to gate scripts on consent state. Most installed analytics apps do not use it. They inject the pixel through theme.liquid or through a Google Tag Manager container that runs unconditionally.
WooCommerce stores often install a CMP plugin (Cookiebot, Iubenda, Complianz, CookieYes) and then independently add the GA4 snippet via a separate plugin or directly in functions.php. The CMP is unaware of that second snippet and cannot gate it.
The result is the same in both cases. A fresh visitor lands on the homepage, the banner appears, and the tracker has already sent a request before the visitor moved the mouse.
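The gating described in this section, as an added example that is not code from the article, Shopify, or any CMP: every tag is registered with a gate, and the script element is created only when the banner reports that its category was accepted. `createConsentGate`, `register`, `grant`, and `fakeDocument` are hypothetical names, and the measurement ID is a placeholder.

```javascript
// Added example, not Shopify or CMP code. createConsentGate, register and
// grant are hypothetical names; the banner's accept handler must call grant().
// Ungated pattern: a tag placed directly in the template loads on first pageview:
//   <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>

function createConsentGate(doc) {
  let pending = [];            // tags still waiting for consent
  const granted = new Set();   // categories the visitor has accepted

  function inject(src) {
    const el = doc.createElement("script");
    el.async = true;
    el.src = src;
    doc.head.appendChild(el);  // the third-party request starts only here
  }

  return {
    // Queue a tag under a consent category; load at once only if already granted.
    register(src, category) {
      if (granted.has(category)) inject(src);
      else pending.push({ src, category });
    },
    // Call with the categories accepted in the banner. Refused categories
    // stay queued and never produce a request.
    grant(categories) {
      categories.forEach((c) => granted.add(c));
      const ready = pending.filter((t) => granted.has(t.category));
      pending = pending.filter((t) => !granted.has(t.category));
      ready.forEach((t) => inject(t.src));
    },
  };
}

// Constructed stand-in for `document` so the example runs outside a browser.
function fakeDocument() {
  const loaded = [];
  return { loaded, createElement: () => ({}),
           head: { appendChild: (el) => loaded.push(el.src) } };
}

function demo() {
  const doc = fakeDocument();
  const gate = createConsentGate(doc);
  gate.register("https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX", "analytics");
  gate.register("https://connect.facebook.net/en_US/fbevents.js", "marketing");
  const beforeConsent = doc.loaded.length;
  gate.grant(["analytics"]);   // visitor accepts analytics, refuses marketing
  return { beforeConsent, afterConsent: [...doc.loaded] };
}
```

In a browser, pass the real `document`. The gate only helps if every tracker goes through it, which is exactly what a second snippet added outside the CMP bypasses.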
How we test
ComplianceGuardHQ does not assume your storefront fires trackers before consent. We test it. A free scan loads your homepage in a fresh browser session from an EU IP, records every outbound network request before any banner interaction, and reports which trackers fire too early with the exact request URL as evidence.
How do I test my storefront for pre-consent tracking?
Open your storefront in a fresh private window. Open DevTools, Network tab, filter by google-analytics, facebook, tiktok, doubleclick, linkedin, hotjar, segment. Reload. Read the list before you click the banner. Anything in that list is a candidate for the kind of finding the CNIL has been issuing notices for.
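The same check run over a HAR file exported from the Network tab, as an added example that is not ComplianceGuardHQ's scanner: it lists requests to tracker hosts that started before the first banner interaction. The `consentAt` parameter, the function names, and the sample capture are assumptions constructed for illustration; the keywords are the filter terms above.

```javascript
// Added example. Keywords are the DevTools filter terms listed above.
const TRACKER_KEYWORDS = ["google-analytics", "facebook", "tiktok",
  "doubleclick", "linkedin", "hotjar", "segment"];

// Match on hostname only, so a first-party URL that merely mentions a
// tracker in its path or query string is not reported.
function matchTracker(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return null; // malformed URL in the capture
  }
  return TRACKER_KEYWORDS.find((k) => host.includes(k)) || null;
}

// har: parsed HAR object. consentAt (assumption): ISO timestamp of the first
// banner interaction, or null if the capture ended before any interaction.
function preConsentHits(har, consentAt = null) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  if (Number.isNaN(cutoff)) throw new Error("consentAt is not a valid date");
  const hits = [];
  for (const entry of har.log.entries) {
    const tracker = matchTracker(entry.request.url);
    const started = Date.parse(entry.startedDateTime);
    // An unparsable start time is reported rather than silently dropped.
    if (tracker && !(started >= cutoff)) {
      hits.push({ tracker, url: entry.request.url, startedDateTime: entry.startedDateTime });
    }
  }
  return hits;
}

// Constructed sample capture (not real traffic); shop.example is a placeholder.
const CONSENT_AT = "2025-01-15T10:00:05.000Z";
const req = (t, url) => ({ startedDateTime: `2025-01-15T10:00:${t}Z`, request: { url } });
const SAMPLE_HAR = { log: { entries: [
  req("00.120", "https://shop.example/"),
  req("00.480", "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX"),
  req("00.510", "https://connect.facebook.net/en_US/fbevents.js"),
  req("00.600", "https://shop.example/cdn/theme.css?ref=facebook"),
  req("07.900", "https://analytics.tiktok.com/i18n/pixel/events.js"),
] } };

for (const hit of preConsentHits(SAMPLE_HAR, CONSENT_AT)) {
  console.log(`${hit.startedDateTime}  ${hit.tracker}  ${hit.url}`);
}
```

Each returned entry keeps the full request URL and start time, which is the evidence a reviewer needs to reproduce the finding.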
Run a free ComplianceGuardHQ scan if you want the same check from an EU residential IP, across 15 EU languages, with citation and evidence ready for handover to legal.
Frequently asked questions
What is pre-consent tracking?
Pre-consent tracking is when a tracker (Google Analytics, Meta Pixel, similar) sends a network request to a third-party endpoint before the visitor has accepted cookies through the consent banner. It breaches ePrivacy Article 5(3) and GDPR Article 6.
What is the typical fine for pre-consent tracking?
Published decisions range from 5,000 euros for small publishers to 60 million euros each against Google and Facebook in CNIL decisions SAN-2021-023 and SAN-2021-024. Median fines for mid-market merchants sit in the 30,000 to 250,000 euro range.
Did the EU-US Data Privacy Framework solve the GA4 problem?
Partially. The adequacy decision adopted on 10 July 2023 provides a lawful transfer mechanism to DPF-certified US recipients. It does not fix a pre-consent install: if the script fires before consent, neither GDPR Article 6 nor ePrivacy Article 5(3) is satisfied regardless of the transfer leg.
Which trackers most commonly fire before consent?
On a default Shopify install with the Customer Privacy API toggle off, Meta Pixel and Google Analytics 4 fire on the first pageview. On WooCommerce stores with a CMP and a separately-installed GA4 plugin, the GA4 plugin is the most common culprit.
How do I check if my storefront fires trackers before consent?
Open the storefront in a private window. Open DevTools, Network tab, filter by tracker domain. Reload and read the request list before any banner interaction. Anything in the list is firing pre-consent.
Run the check on your store
ComplianceGuardHQ runs automated checks covering 8 European legal texts against your store in about 60 seconds. Free baseline scan, no installation.
Run a free scan
ComplianceGuardHQ runs an automated technical scan. Findings cite the text of the directives and enforcement precedent. They do not constitute legal advice. For a binding interpretation in your jurisdiction, consult a qualified lawyer or a data protection officer.