Name: ConsentScope
Author: ConsentScope

Cookiebot is one of the most popular consent management platforms on the market. It promises automatic cookie blocking, periodic scanning and a user-friendly banner. Yet we see the same complaint over and over: "Cookiebot is installed, but cookies still fire before I click Accept." If that sounds familiar, this guide is for you. We will walk through the root causes, how to debug them and what to change to get compliant.

Why Cookiebot sometimes fails to block cookies

Cookiebot uses two blocking strategies: automatic cookie blocking (via its script) and manual category assignment. Both can fail for different reasons. Understanding which mode you are in is the first step.

Blocking mode	How it works	Common failure point
Automatic	Cookiebot script intercepts and holds third-party requests until consent is given	Script loads too late or is deferred
Manual (data-cookieconsent)	You add data-cookieconsent attributes to each script tag	Missing attributes, inline scripts, hardcoded pixels
Google Tag Manager	Cookiebot pushes consent state to dataLayer; GTM triggers fire conditionally	GTM container loads before Cookiebot initializes

Symptom 1: Cookies appear immediately on page load

You open an incognito window, load your site and see Google Analytics, Facebook Pixel or Hotjar cookies in DevTools before touching the banner. This usually means the blocking script is either missing, misplaced or overridden by another script.

Check the script placement

Cookiebot's blocking script must be the first script in the head. If your GTM container, analytics snippet or a plugin loads before it, those scripts get a head start. Open your page source (Ctrl+U) and verify that the Cookiebot loader appears before anything else that sets cookies.

Check for async and defer attributes

Adding async or defer to the Cookiebot script sounds like a performance win, but it lets the browser continue parsing (and executing) other scripts while Cookiebot loads. Remove async/defer from the Cookiebot loader unless Usercentrics specifically recommends it for your setup.

Symptom 2: Only some scripts are blocked

Partial blocking is frustrating. You might see Google Analytics held back, but Meta Pixel or a TikTok script slipping through. This happens when those scripts are loaded in a way Cookiebot cannot intercept.

Inline scripts: Scripts embedded directly in HTML (not loaded from a file) are invisible to Cookiebot's URL-based blocking. You must wrap them manually with type="text/plain" data-cookieconsent="marketing".
Hardcoded image pixels: A 1x1 tracking image ("pixel") loaded via an <img> tag is not a script. Cookiebot does not block images by default. Convert pixels to script-based tags or use a tag manager.
Server-side injections: Some CDNs or edge functions inject cookies before the HTML even reaches the browser. Cookiebot cannot see those.

Symptom 3: GTM fires tags before Cookiebot consent

Google Tag Manager is a common source of "leaky" cookies. Even if Cookiebot is installed, your GTM triggers might be set to "All Pages" instead of "Consent Granted".

In GTM, create a new trigger type: Custom Event.
Set the event name to cookie_consent_marketing (or whatever event name Cookiebot pushes).
Change your marketing tags (Meta, Google Ads, TikTok) to fire on this trigger instead of "All Pages".
For analytics tags, use cookie_consent_statistics or equivalent.
Publish the container and test in Preview mode.

Step-by-step debug checklist

Use this checklist every time you suspect Cookiebot is not working:

Open Chrome in Guest mode (no extensions, no previous cookies).
Open DevTools > Application > Cookies before loading the page.
Load the page. Do any non-essential cookies appear? Screenshot the list.
Check the Console for Cookiebot errors (red messages).
Go to Network tab, filter "Script" and confirm Cookiebot loads first.
Check the Elements tab for any script with async or defer before Cookiebot.
Look for inline scripts that set cookies directly.
Verify your GTM triggers are consent-aware.
Clear cache and retest after every fix.

The nuclear option: manual script tagging

If automatic blocking continues to fail and you need compliance today, switch to manual mode. Find every script that drops cookies and add the correct attribute:

<script type="text/plain" data-cookieconsent="preferences"> for preference cookies.
<script type="text/plain" data-cookieconsent="statistics"> for analytics.
<script type="text/plain" data-cookieconsent="marketing"> for advertising.

This is labor-intensive, but it is also the most reliable method. Once tagged, Cookiebot will hold the script until the user gives consent in that category.

Verify Cookiebot in 10 seconds

Install ConsentScope and browse your site. You will see instantly which cookies fire before consent and whether Cookiebot is actually blocking them.

Audit My Site Now

FAQ

Does Cookiebot block cookies automatically out of the box?

Only if you enable automatic cookie blocking and place the script correctly. The free plan offers limited scanning frequency, so new cookies may go undetected until the next scan.

Why does Cookiebot work on desktop but not mobile?

Mobile pages often load different templates, AMP versions or progressive web apps. Each of these may have separate script loading order. Test both versions independently.

Can I use Cookiebot with server-side Google Tag Manager?

Yes, but the consent signal must be passed from the client to the server. If the client-side container loads before consent, server-side GTM does not fix the violation.

Cookiebot Not Blocking Cookies? Here's How to Debug and Fix It