Updated on Aug 27th, 2025

Scotty Hagen.

Guest Author:
Scotty Hagen

Time and time again, I stumble into the same scenario when meeting with a client: most think they’ve got consent figured out. They put up a banner, check the box, and move on. The reality? The GDPR might feel like a relatively new enforcement rule, but regulators are already handing out massive fines—and a banner alone isn’t enough to keep companies safe.

We see it all the time. A banner might look fine on the surface, but behind the scenes, analytics tools, A/B tests, personalization platforms, chat widgets, and even fonts are already firing. That’s where the real risk lives.

Cookie consent banner example

Example of a cookie consent banner — necessary, but not always enough for compliance.

And this isn’t just about avoiding fines (though regulators are handing out billion-euro penalties these days). It’s about building trust, protecting data quality, and making sure your teams can use customer data confidently without worrying about what’s leaking out the back door.

After years of working with enterprise clients, I’ve seen the same five consent pitfalls over and over again. Let’s break them down and talk about how to fix them. 

Mistake #1: Treating the Consent Banner as the End Goal

What Happens

A lot of organizations treat the consent banner as the ultimate solution. Put it on the site, let users accept or reject, and assume you’re covered. The problem is that while the banner might capture a preference, that preference isn’t always enforced across the rest of the stack.

Why It’s a Problem

Tags, pixels, and scripts can still fire before the user’s decision is even recorded. If you don't take the next step of setting up proper controls, they’ll continue to run even if the user opts out. Regulators aren’t just looking for the presence of a banner, but they expect proof that the consent signal actively governs all data collection.

For example, we worked with a retail brand that had a shiny new banner on every page. Everything looked great. But when we dug in, their analytics tag and Facebook Pixel were firing as soon as the page loaded—whether the visitor said yes or no. From the outside it looked compliant, but underneath, enforcement wasn’t happening. That’s exactly the kind of gap regulators look for.

Person thinking 'We have a banner, so we're good.'

A common misconception: “We have a banner, so we’re good.”

How to Fix It

  • Tie your Consent Management Platform (CMP) logic directly into your Tag Management System (TMS) so tags only fire when the correct permissions are in place.
  • Apply this enforcement to all downstream systems, not just those in the TMS.
  • Audit both the banner’s display and its actual enforcement.
  • Use real-user consent validation monitoring such as Sentinel Insights or ObservePoint to verify that tools start or stop exactly as the user’s preferences dictate.

Mistake #2: Hardcoded Scripts Bypassing Your CMP or TMS

What Happens

For performance or convenience, some vendors or developers add scripts directly into a site’s HTML instead of routing them through a Tag Management System (TMS). These hardcoded scripts load as soon as the page loads, before any consent preferences are captured or enforced by the Consent Management Platform (CMP).

Why It’s a Problem

Hardcoded scripts bypass all the governance you’ve set up. They can collect and transmit personal data such as IP addresses, device information, and location without the user’s permission. Because these scripts don’t run through the same approval workflows as TMS-managed tags, they are often missed during audits.

This is why they’re such a challenge. It’s easy for code to slip through when different teams are moving fast, and without the right checks in place, those scripts end up firing no matter what the user decides.

For example, I’ve seen travel companies embed chat widgets directly in their site code to shave a second off load time. On the surface, it worked fine. But behind the scenes, that widget was tracking users and transmitting IP addresses as soon as they landed on the page. No opt-out. No control. Just instant violations.

Common CMP mistake illustration

A frequent error: bypassing your CMP or TMS and hardcoding scripts directly in the site.

How to Fix It

  • Inventory all outbound requests, not just those deployed through your TMS.
  • Move hardcoded scripts into the TMS whenever possible so they can be governed by the same consent logic.
  • Establish processes to review any new vendor code before it is added directly to your site.
  • Use real-user monitoring to detect new or unexpected requests firing in live environments regardless of where the script resides.

Mistake #3: Overlooking Non-Cookie Data Collection

What Happens

Most organizations zero in on cookies and tracking pixels. While these are important, they are far from the only technologies collecting personal data. Fonts, embedded videos, chat tools, A/B testing platforms, and content delivery networks (CDNs) often begin transmitting information as soon as the page loads.

Why It’s a Problem

These tools can send personal data such as IP addresses, user agents, and device information without a single cookie being set, posing a significant risk of non-compliance with privacy laws like GDPR and Quebec Law 25. If the data is sent before consent is given, it is a violation—regardless of whether cookies are involved.

Here’s a real risk we see often: a media company embedded a YouTube video on its homepage. The visitor never hit play, but the video’s iframe still pinged Google’s servers and sent their IP address—long before the consent banner appeared.

Illustration showing cookie-related consent mistakes like fonts or embedded videos firing before consent

Overlooking non-cookie data collection—like fonts or embedded videos firing before consent.

How to Fix It

  • Audit all third-party resources, not just cookie-based trackers.
  • Delay loading of non-essential resources until consent is captured.
  • Use “click-to-load” options for video players, chat widgets, or social embeds so they only initiate once the user interacts.
  • Monitor real-world sessions to identify data transfers that occur outside of consent.

Mistake #4: Not Testing in Real-World Scenarios

What Happens

Consent flows are often tested in controlled environments using ideal conditions. Typically, one or two individuals assigned to test consent run the process on a desktop browser, accept or reject tracking, and assume everything is working as intended. What they miss is how consent enforcement behaves in real-world conditions across different devices, browsers, geographies, and privacy settings.

Why It’s a Problem

What passes in testing may fail in production. A tag that behaves correctly on Chrome in North America might act differently on Safari in Europe. Mobile devices, ad blockers, incognito modes and browser controls like GPC can all introduce unexpected behaviour. These variations can cause tags to fire before consent is captured or continue firing even when consent is denied.

World map highlighting global consent and privacy laws such as GDPR, CCPA, PIPEDA, LGPD, POPIA, etc.

Global consent and data privacy laws—from GDPR to LGPD—vary dramatically by region.

How to Fix It

  • Test consent flows across multiple devices, browsers, and operating systems.
  • Include geolocation-based testing to ensure compliance in all operating regions.
  • Use real-user monitoring tools to capture live session behaviour.
  • Make consent QA a standard part of release cycles, not a one-time task.

Mistake #5: Lack of Cross-Team Alignment

What Happens

Consent governance for tracking technologies often falls into a gray area between marketing, development, and legal teams. Each group assumes another is responsible for ensuring proper enforcement. Without a shared plan and clear ownership, gaps emerge in how consent is implemented and maintained.

Why It’s a Problem

When teams work in silos, consent rules get applied inconsistently across websites, apps, and campaigns. Marketing might launch a new tool without checking with development. Development might push changes that bypass the CMP. Legal might update a privacy policy that never gets reflected in actual data collection. The result is gaps, confusion, and compliance risk.

Now you can see why this becomes such a challenge. With so many different teams inside an organization—marketing, IT, legal, privacy, development—it’s easy for consent to fall through the cracks. Unless there’s clear cross-team alignment, each group assumes someone else is handling enforcement. That’s why strong governance and shared ownership are just as important as the technology itself.

How to Fix It

  • Establish a cross-functional privacy or compliance working group.
  • Create a centralized record of all vendors, data flows, and consent rules.
  • Ensure new campaigns, site changes, or vendor integrations go through a shared review process.
  • Provide basic consent compliance training for all teams involved in deploying tags or tools.

Closing Thoughts

Most organizations have at least one of these gaps, and many don’t realize it until it’s too late. The good news is that every one of them can be fixed with the right combination of visibility, process, and collaboration across teams.

Treating consent as a checkbox or leaving it to a banner will not cut it anymore. Privacy laws are evolving quickly, user expectations are rising, and the technology used to capture and enforce consent has to keep up. The organizations that get this right do more than avoid fines. They build stronger customer trust, improve data quality, and give their teams confidence to use data the right way.

If reading this has you wondering where your own gaps might be, that is a good thing. Start mapping your data flows, monitoring in real time, testing beyond the happy path, and aligning teams around a shared process. And if you need help building that framework, Northern can provide the guidance to give you peace of mind.

Get in touch with us →