Consent Banner Check: How to Succeed at Testing & Debugging
Management Summary
Why test consent banners?
A consent banner (cookie banner) obtains user consent for data collection and is mandatory under GDPR. It is crucial that no analysis or marketing cookies fire without consent. If this principle is ignored, legal consequences may follow—fines of up to 4% of annual turnover are possible.
Typical issues encountered in practice:
- Tracking despite opt-out: Tags (e.g., Google Analytics 4) load even though no consent was given or it was actively declined. This is often caused by incorrect tagging or a script that is not integrated into the CMP.
- Blocked tags despite opt-in: Desired tools do not fire after consent. Most common reasons: incorrect trigger settings in Tag Manager or conflicts in the consent settings.
- CMP does not load correctly: The consent banner does not appear at all or appears too late, which may result in cookies already being set. This can be caused by script order or faulty CMP configurations.
- Incorrect category assignment: Services are assigned to the wrong category (e.g., an analysis tool incorrectly placed under “Essential” instead of “Statistics”). As a result, it fires “unintentionally” before consent.
- Opt-out does not delete cookies: If consent is given first and later declined, previously set cookies often remain. While tracking stops, the cookies remain in the browser and continue to be sent between client and server. (This behavior is normal, as CMPs do not automatically remove cookies—more in this article.)
To avoid such errors, thorough testing is necessary. The next section shows tools and steps to systematically check consent banners.
Tools and methods for error analysis
1. Browser Developer Tools (Network & Cookies):
Browser developer tools are indispensable. Open your website in Incognito mode (or delete all cookies beforehand) and access the Developer Tools (usually with F12 or right-click > Inspect). Switch to the Network tab to monitor all requests and the Application/Storage tab for cookies.
-
01
Before Consent
Without consent, no tracking cookies such as _ga, _gid (Google Analytics) should appear. Browse through a few pages, click links—no cookies should be set before clicking “Accept”. Similarly, no requests to tracking servers (Google Analytics, Facebook Pixel, etc.) should be visible in the Network tab before consent.
-
02
After Consent
Give consent (e.g., “Accept all”) and check again: corresponding requests should now appear (e.g., calls to collect?v=… for GA4). The associated cookies should be set in the Application tab. If nothing loads despite the opt-in, there is an issue with the triggers or CMP settings.
-
03
After Opt-out
The case where consent is first given and then declined again is also interesting. As mentioned, CMPs do not automatically delete previously set cookies. The cookies (e.g., GA cookies) remain stored in the browser but are no longer sent to third-party providers after the opt-out. In this scenario, an experienced debugger checks whether these cookies should be removed upon revocation. If necessary, an additional GTM rule can be implemented to actively delete such cookies during opt-out.
Tip: If cookies appear despite a lack of consent during the incognito test, there is likely a script present that is not CMP-compatible. The most common culprit: a directly integrated Analytics.js that “bypasses” the CMP. In such a case, you should definitely load Analytics via the Tag Manager or via consent integration instead of inline in the page source code.
2. Google Tag Manager – Preview/Tag Assistant:
For everyone using Google Tag Manager, the Debug Mode (Tag Assistant) is worth its weight in gold. Start “Preview” in GTM, which loads your website in a debug window. There you can see exactly which tags fired or were blocked. The Consent tab in the preview is particularly relevant: it shows the consent status in real time—i.e., whether an event was executed with consent granted or denied. This allows you to quickly identify if, for example, a GA4 tag was suppressed due to a lack of consent.
If you notice in Tag Assistant that an expected tag did not fire, click on the tag in the list. There you will see either a note regarding consent-related blocking or a trigger condition that was not met. In this case, check:
-
01
Consent settings in the tag
GTM offers a consent overlay for most tags (recognizable by the shield icon in the tag editor). Google tags have built-in consent checks and automatically adjust their behavior as soon as analytics_storage or ad_storage is set to denied. Therefore, for Google Analytics, Ads & Co., “Additional Consent Checks” should be set to “Not required”—control is handled by Consent Mode.
-
02
Consent triggers for other tags
For non-Google tags (e.g., third-party tools), you must specify in GTM that they may only fire when consent is given. To do this, you can either use the consent overlay mentioned above (e.g., activate “Requires consent: analytics_storage”) or use special triggers triggered by the CMP (such as a “consent_given” event as soon as users agree).
-
03
Observe Consent Sequence
In GTM debug, you usually see two consent events: Consent Default and shortly after Consent Update. “Default” is the initial state—usually denied for all categories as long as no user decision is available. During the “Update” event, the CMP transmits the user’s actual selection. Important: GTM waits by default for up to 500 ms (wait_for_update parameter) for this update before firing tags. If your CMP loads more slowly, some tags might fire prematurely in the Default (denied) state. In such a case, increase the wait_for_update value or check if the Consent Initialization Trigger is being used correctly.
3. Data Layer & Console:
Many CMPs—especially Usercentrics—work hand in hand with the Data Layer. For example, Usercentrics sets events or variables when loading that GTM can read. Open the global dataLayer object in the console (F12). Immediately after the page loads, an entry {“event”:”consent”,”default”: {…}} should be found there, with analytics_storage and others set to “denied”. After consent, a consent update event follows with the values set to “granted”. These entries confirm that Consent Mode is active and the CMP is passing the signals to GTM. If such events are missing, the CMP may not be correctly integrated.
Even without Data Layer events, you can check logs in the console. Some CMPs offer a Debug Mode (e.g., Usercentrics via the Debug Mode = true setting) that outputs warnings and errors. Look in the console for error messages pointing to the CMP—such as CMP script loading errors, missing IDs, or similar.
4. Network analysis of tracking calls:
For deeper insights, it is recommended to look at the parameters of the tracking requests. Sticking with the Google Analytics 4 example: open the request to collect (or filter for “collect?v=2”) in the Network tab. In the query string, you will find parameters like gcs or gcd. gcs was the legacy consent parameter (Consent Mode v1), gcd is new in Consent Mode v2 and encodes the status of all consent types. Within it, you can see a code for each category (Analytics, Ads, etc.) indicating whether consent was present at the time of the Default and Update events. For example, &gcd=…r…r…r… indicates “first declined, then accepted” (code r stands for denied then granted in the sequence). For practitioners, it is often enough to know: if gcd is present, consent data is being transmitted—a good sign. If it is completely missing, Google Consent Mode might not be running. This detailed analysis is more for technical professionals, but it provides certainty that the signals are arriving correctly.
5. Systematically run through test cases:
Finally, it helps to define structured test scenarios:
- “Opt-in” scenario: First visit—user accepts all cookies. Expectation: All intended tags fire (Analytics, Ads, etc.), cookies are set, no blockages visible in debug.
- “Opt-out” scenario: First visit—user declines. Expectation: No tracking calls, no non-essential cookies. (Check: Were really no cookies set? Perhaps small Analytics snippets or pixels were overlooked?)
- “Partial Consent” scenario (if applicable): User allows “Statistics” but not “Marketing”, for example. Expectation: Analytics loads (consent for statistics), marketing tags remain inactive. In Tag Assistant, corresponding tags should appear under “Tags Not Fired” with a note about missing consent.
- “Revocation” scenario: User initially gives consent, continues browsing, and then revokes it (e.g., via the preference center). Expectation: No further hits to tracking servers from the moment of revocation. Already set cookies are no longer used. Pay special attention here: How does your CMP handle this change? Does the opt-out persist on the next page load (cookie-stored decision) and are no tags fired regardless?
- Further tests: Different browsers and devices (due to possible differences in cookie handling), different geo-locations (banner might only be displayed in the EU).
Through such test cases, you consistently cover the most important W-questions: Who (which tool) fires when, where, and how, and what happens when users click X or Y?
Practical focus: Debugging Usercentrics & Co. correctly
Many companies rely on Usercentrics as their Consent Management Platform—so here is a specific look at it. Basically, the methods described above apply to all CMPs, but there are minor differences:
Usercentrics (CMP v3)
Integration is often via a GTM template. It is important to trigger the Usercentrics CMP tag as “Consent Initialization”—this way the banner loads immediately upon page load, before other tags are activated. In debug, you will then see the Consent Default and Update in the correct sequence. If Usercentrics does not load before the other tags, tracking tags could fire prematurely. In the GTM container settings, be sure to activate the consent overview and check whether the consent requirements are correctly set for all tags (shield icons). Usercentrics supports Google Consent Mode v2 out-of-the-box, provided it is activated in the admin. After implementation, check whether all Google requests in the Network tab include the gcd parameter—this is how you recognize that Usercentrics is passing the information.
OneTrust
This CMP tends to automatically block scripts (Script Blocking) until consent is given. In debug, this can mean that you don’t see any “Tags Not Fired” in GTM at all because OneTrust suppresses them completely (e.g., through its own script tag management). Here, test the opt-out case in particular: no cookies/requests before opt-in, and opt-in lifts the blockage. OneTrust often offers previews and scanners in the admin to see if all scripts have been captured. Ensure that no GA/GTAG snippets are integrated twice—otherwise, they might load despite OneTrust.
Cookiebot
Cookiebot can be integrated into GTM via a template and also works with Consent Mode. Special feature: If Cookiebot is implemented via a GTM tag, the default settings do not appear as a Data Layer event but are registered internally in GTM. Here, primarily use the Consent tab in the GTM preview or the Cookiebot admin tools (Cookiebot offers a Consent Mode checker). In GTM debug, you can see immediately in the consent overview whether ad_storage and analytics_storage are denied by default and switch to granted after consent.
Consentmanager
This European CMP (consentmanager.net) also integrates seamlessly with GTM. As of March 2024, Consentmanager has implemented a notice since Google Consent Mode is now mandatory. Google Consent Mode v2 must be switched on in the CMP settings. Debugging tip here: Consentmanager has a crawler in the admin area that shows whether Consent Mode was correctly recognized after scanning (including details on ad_storage, analytics_storage, etc.). Of course, you can also test manually as described above: Data Layer and Tag Assistant provide information.
Regardless of the tool: Make sure to test regularly—especially after CMP updates or changes to tags. Small errors easily creep in (e.g., a new marketing tool is added and accidentally implemented without a consent connection). Continuous monitoring, e.g., via Google Consent Mode Reports in GA4 or regular audits, helps to avoid nasty surprises.
Conclusion
Our team draws a clear conclusion from these debugging experiences: Consent banners require as much care as any other website feature. Only through regular testing and debugging can we ensure that data protection and data quality go hand in hand. In practice, it has been shown that even small adjustments—be it a correctly set trigger or an uncovered script error—can have a major impact: campaigns measure all conversions again, analytics data is correct, and the legal department sleeps more soundly. The bottom line is: thorough consent banner testing is not a nice-to-have, but an essential part of a clean web analytics and marketing strategy.
