Open the network tab on most websites with a cookie banner and watch what happens before you click anything. The analytics script is already loaded. The pixel already fired. The cookie already exists. The banner is scenery. We have watched this play out on live sites we were hired to replace: the consent manager loads after the trackers it supposedly governs.
Consent that arrives after the tracking is not consent. It is an apology.
Gate structurally, not cosmetically
On our sites, every tracker is a component that returns null until its consent category has been granted. Not hidden, not paused: never rendered. No script tag enters the document, the browser makes no request, and no cookie gets set.
That is the whole trick, and it is why it works. There is no code path that can load a non-essential tracker before opt-in, because the render tree itself is the enforcement. There is nothing to block, because nothing mounts.
The categories are simple: necessary is always on, while analytics and marketing stay off until a visitor says otherwise. Declining, ignoring, or closing the banner all leave them off. That is what opt-in means.
The trackers themselves also stay inert until they are configured, so the system is compliant from the first deploy: with no analytics keys present, nothing can load even after consent. The banner works before a single tag exists.
What honest consent looks like
- Accept and Reject carry equal visual weight. Declining must be exactly as easy as accepting, with no dark patterns.
- Every decision is recorded with a version and a timestamp.
- A Cookie settings link in the footer reopens the manager at any time.
- A one-click Do Not Sell or Share link applies the marketing opt-out and shows you that it applied.
Even the fine print gets engineering attention. Analytics only qualifies as not selling data when ad personalization stays off, so our default configuration keeps it off, and the policy says exactly that instead of hand-waving.
Global Privacy Control, honored automatically
Global Privacy Control is a browser signal that says do not sell or share my data. Most sites ignore it. Ours treat it as binding: when GPC is detected, marketing consent is forced off regardless of stored preferences, the toggle is disabled, and the banner says so plainly. The visitor does not have to hunt for a setting or click anything. Their browser already spoke for them, and we listened.
Opt-in jurisdictions get structural handling too. On America Premier, visitors from 33 opt-in jurisdictions, including the EU, EEA, UK, Switzerland, and Brazil, get every non-essential category defaulted off until they consent. On Salyers Construction, analytics runs through Google Consent Mode with the defaults injected before anything interactive loads, so even the very first hit honors a decline.
Withdrawal actually withdraws
Most consent managers treat opt-out as a promise about the future. Ours also cleans up the past: turning a category off actively expires the analytics and pixel cookies that were already set, across both the host and the registrable domain. Opt-out removes identifiers, it does not just block the next page load.
The most sensitive capability, identity resolution, is double-gated: it requires marketing consent and a US-location check that fails closed. If the geolocation signal is missing, the answer is no. And a visitor with GPC enabled can never be resolved at all.
The proof is a network tab
We do not consider a consent system installed until it passes the same audit every time, run in a fresh private window:
- Before any choice: zero requests to Google's tag domain or Facebook's connect domain, and no analytics or pixel cookies.
- After Accept all: the tags load and the cookies appear.
- After Reject, or after toggling a category off and reloading: the requests stop.
- In a browser with GPC enabled: marketing is forced off and the banner notice explains why.
The privacy policy then describes exactly what the code does, because we write the two together. Ours run to 23 sections, including a plain-language disclosure of identity resolution that says what the technology can infer and the conditions under which it is allowed to run. A policy that contradicts the site's real behavior is a factual error, and we treat it as one.
Why theater wins by default
Theater is cheap. Paste a consent script over your existing tags and the lawyers see a banner, even though the trackers fired first. Structural gating costs engineering attention once, when the site is built.
There is a performance dividend too. A pre-consent page ships zero tracker bytes, so the consent architecture is part of why our sites paint fast: the first impression never waits on a tag manager.
And once it is built, there is nothing to police and nothing to remember. The site is compliant because of how it renders, not because of a promise taped over the top. That is the version we ship.
