Automatic Script Blocking: How Pre-Consent Blocking Works

Automatic script blocking (also called pre-consent blocking or auto-blocking) prevents non-essential scripts from executing until the user has granted consent. This is a legal requirement under Article 5(3) of the ePrivacy Directive: no cookies or tracking technologies may be placed on a user's device without prior informed consent, unless they are strictly necessary for the service the user has requested.

Without automatic blocking, a website that loads Google Analytics, Facebook Pixel, or any third-party marketing script will set cookies and collect data before the user has had a chance to make a consent choice. This is a compliance violation regardless of whether a consent banner is displayed.

Why Manual Script Tagging Is Not Enough

The traditional approach to consent-based script loading requires developers to manually tag every script on the site. Each script must be modified to prevent it from loading by default, then conditionally activated when the user consents to the relevant category. This typically involves changing type="text/javascript" to type="text/plain" and adding a data attribute indicating the consent category.

This approach has serious problems:

  • Every new script added to the site must be manually tagged. If a marketing team adds a new tracking pixel through a tag manager, it fires without consent unless someone remembers to configure the blocking rule.
  • Third-party scripts often load additional scripts dynamically. Blocking the parent script does not necessarily block the child scripts it would have loaded.
  • Inline scripts embedded in the page HTML cannot easily be intercepted.
  • The approach is fragile. A single missed script means non-compliant data collection.

How Automatic Blocking Works

A consent management platform with automatic blocking takes a different approach. Instead of requiring developers to tag individual scripts, the CMP intercepts all script loading at the browser level and blocks anything that is not strictly necessary.

The process works as follows:

  1. The CMP loads as the first script in the page's <head> section, before any other scripts.
  2. It intercepts the browser's script loading mechanisms, including document.createElement('script'), inline script execution, and dynamically injected scripts.
  3. Each script is checked against a classification database. Scripts from known analytics, advertising, and social media domains are identified and categorised.
  4. Scripts classified as non-essential are held in a queue. They do not execute, do not set cookies, and do not make network requests.
  5. When the user grants consent for a specific category, the queued scripts in that category are released and allowed to execute normally.
  6. If the user rejects a category, the scripts in that category remain blocked for the duration of the session.
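Steps 3 to 6 above, sketched as an added example (not Passiro's or any other CMP's code). The domain list, the `ConsentGate` class, the `.example`/`.test` hosts and the sample URLs are constructed for illustration; the `run` callback stands in for the browser-level interception of step 2, which is not shown. Holding unclassified scripts (fail closed) is a design choice of this example.

```javascript
// Constructed sample list; a real CMP ships a far larger classification database.
const CATEGORY_BY_DOMAIN = new Map([
  ['google-analytics.com', 'analytics'],
  ['connect.facebook.net', 'marketing'],
  ['pay.example', 'necessary'],            // hypothetical payment provider
]);

// Match on a label boundary so "pay.example.tracker.test" is not treated as "pay.example".
function classify(src, base = 'https://shop.example/') {
  let host;
  try { host = new URL(src, base).hostname; } catch { return 'unclassified'; }
  for (const [domain, category] of CATEGORY_BY_DOMAIN) {
    if (host === domain || host.endsWith('.' + domain)) return category;
  }
  return 'unclassified';                   // fail closed: unknown scripts are held
}

class ConsentGate {
  constructor(run) {
    this.run = run;                        // callback that really loads a script
    this.granted = new Set(['necessary']);
    this.queue = [];                       // held scripts: { src, category }
  }
  request(src) {                           // step 4: run only if the category is granted
    const category = classify(src);
    if (this.granted.has(category)) { this.run(src); return 'executed'; }
    this.queue.push({ src, category });
    return 'held';
  }
  grant(category) {                        // step 5: release the queued scripts
    if (category === 'unclassified') return 0;
    this.granted.add(category);
    const ready = this.queue.filter((e) => e.category === category);
    this.queue = this.queue.filter((e) => e.category !== category);
    ready.forEach((e) => this.run(e.src));
    return ready.length;
  }
  reject(category) { if (category !== 'necessary') this.granted.delete(category); } // step 6
}

function demo() {
  const executed = [];
  const gate = new ConsentGate((src) => executed.push(src));
  const results = ['https://pay.example/checkout.js', // constructed sample URLs
    'https://www.google-analytics.com/analytics.js',
    'https://connect.facebook.net/en_US/fbevents.js',
    'https://pay.example.tracker.test/p.js'].map((src) => gate.request(src));
  gate.grant('analytics');
  gate.reject('marketing');
  return { results, executed, held: gate.queue.map((e) => e.src) };
}
```

After `demo()` runs, the marketing script and the look-alike host are still in the queue; only the payment script and the analytics script (released by `grant('analytics')`) have executed.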

What Gets Blocked

Automatic blocking typically classifies scripts into four categories aligned with the standard cookie consent categories:

| Category | Examples | Blocked Before Consent |
|---|---|---|
| Strictly Necessary | Payment processors, authentication, session management, the CMP itself | No (always allowed) |
| Analytics | Google Analytics, Hotjar, Matomo, Plausible | Yes |
| Marketing | Google Ads, Facebook Pixel, LinkedIn Insight, TikTok Pixel | Yes |
| Preferences | Language preferences, UI customisation, A/B testing tools | Yes |

The Timing Problem

For automatic blocking to work correctly, the CMP must be the very first script that loads on the page. If any non-essential script loads before the CMP, it will execute without consent. This is why the CMP script tag must not use defer or async attributes, and must appear before any other script in the <head> section.

This is the same architecture used by every compliant CMP: Cookiebot, OneTrust, CookieYes, and Passiro all require synchronous loading as the first script in the document head.

Interaction with Google Consent Mode

Automatic script blocking works alongside Google Consent Mode v2. While Consent Mode adjusts how Google's own tags behave when consent is denied (switching to cookieless measurement), automatic blocking prevents all non-essential scripts from executing at all.

The two mechanisms are complementary: Consent Mode handles Google tags gracefully (allowing modelled conversions), while auto-blocking handles everything else (third-party pixels, social widgets, ad scripts from non-Google vendors).

Automatic Blocking and Passiro

Passiro includes automatic script blocking in its free consent widget. When the Passiro script loads, it identifies and blocks non-essential scripts before they can execute. No manual script tagging is required. The classification database covers thousands of known tracking, analytics, and advertising domains.

Combined with IAB TCF v2.3 and Google Consent Mode v2, automatic blocking ensures that no data is collected before consent is granted, meeting the requirements of ePrivacy Article 5(3) and GDPR Article 6.
