
Adding a New Tracking Tool? A Consent Runbook Before You Go Live

A new analytics tool, pixel, or chat widget can drop cookies before anyone consents. This is the step-by-step process to add a tracker without breaking compliance.

The moment a new tag becomes a liability

Someone on the marketing team wants to add a new tool. Maybe it's a heatmap, a LinkedIn Insight Tag, a chat widget, or a fresh analytics platform. They paste a snippet into Google Tag Manager or drop it in the site header, it starts collecting data, and everyone moves on. What just happened, in compliance terms, is that a third party began setting cookies and opening connections on your visitors' devices, probably before anyone consented, and your cookie policy no longer describes what your site actually does.

This is the most common way a compliant site quietly becomes non-compliant. Not a redesign, not a migration, just a single tag added without a process. The fix isn't to slow marketing down. It's to have a short, repeatable runbook that anyone can follow when a new tool goes in.

Step 1: Decide the category before you install anything

Every non-essential tracker needs prior consent under Article 5(3) of the ePrivacy Directive and its national implementations. So the first question isn't technical but legal: what is this tool for? Analytics, advertising, personalization, functional? That answer determines which consent category it belongs to and whether it can fire before opt-in.

Almost nothing new qualifies as strictly necessary. A chat widget that only loads after a click might, but the analytics inside it doesn't. Be honest here. Mislabeling an advertising pixel as necessary to skip the consent gate is exactly the pattern regulators fine. When in doubt, treat it as consent-required.

Step 2: Install it blocked by default

Add the tag in a state where it cannot run until the visitor consents. There are two reliable ways to do this:

  • Consent-gated tag management. In Google Tag Manager, set the tag's consent settings so it only fires when the relevant consent type is granted, and pass Google Consent Mode signals. See our GTM consent setup guide.
  • Script blocking through your consent platform. Your CMP can hold the script until the matching category is accepted, then release it. This is the cleaner approach for scripts added directly to the page. See how to block scripts before consent.

The default state matters. A tag that fires and then gets "switched off" on rejection has already set its cookies. Block first, release on consent, never the reverse.

If it touches Google Ads or GA4, wire up Consent Mode v2

Since March 2024, Google has required Consent Mode v2 for conversion tracking, remarketing, and audiences in the EEA and UK. That means passing the ad_user_data and ad_personalization signals alongside the older analytics_storage and ad_storage. A new advertising tag that ignores Consent Mode isn't just a compliance gap; it also stops feeding Google's measurement and audience features for European users. Set the signals when you add the tag, not later.
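The block-first default from Step 2 and the Consent Mode v2 signals described above, as an added example in JavaScript (not CookieBeam's or Google's code). The gtag consent calls and signal names are Google's documented API; the CMP category names (advertising, analytics, functional), the 500 ms wait_for_update value and the tagMayFire helper are assumptions for the demo.

```javascript
// Added example, not CookieBeam's code: block-first Consent Mode v2 defaults
// and a CMP-category-to-signal mapping. Assumes a GTM-style dataLayer.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); } // GTM expects the Arguments object

// Every signal denied before any choice; only security storage is necessary.
const CONSENT_DEFAULT = {
  ad_storage: 'denied',
  ad_user_data: 'denied',          // v2 signal
  ad_personalization: 'denied',    // v2 signal
  analytics_storage: 'denied',
  functionality_storage: 'denied',
  personalization_storage: 'denied',
  security_storage: 'granted',
};

// Must run before any Google tag loads; wait_for_update (ms, assumed value)
// gives the CMP time to answer before tags fire in their default state.
function setConsentDefault() {
  gtag('consent', 'default', { ...CONSENT_DEFAULT, wait_for_update: 500 });
  return CONSENT_DEFAULT;
}

// Assumed CMP categories: 'advertising', 'analytics', 'functional'.
function signalsFromCategories(accepted) {
  const g = (cat) => (accepted.includes(cat) ? 'granted' : 'denied');
  return {
    ad_storage: g('advertising'),
    ad_user_data: g('advertising'),
    ad_personalization: g('advertising'),
    analytics_storage: g('analytics'),
    functionality_storage: g('functional'),
    personalization_storage: g('functional'),
    security_storage: 'granted',
  };
}

// Called on accept, partial accept and withdrawal alike; withdrawal simply
// pushes an update with everything non-essential denied again.
function applyConsent(accepted) {
  const signals = signalsFromCategories(accepted);
  gtag('consent', 'update', signals);
  return signals;
}

// Same rule GTM applies with "required consent" settings on a tag:
// it fires only when every required signal is granted.
function tagMayFire(requiredSignals, state) {
  return requiredSignals.every((s) => state[s] === 'granted');
}
```

Release on consent means calling applyConsent with the accepted categories; a tag whose required signals stay denied never fires, so nothing has to be "switched off" afterwards.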

Step 3: Scan the tool to see what it actually sets

Vendors under-disclose. The tool's documentation might list two cookies; in practice it sets five and opens connections to three domains you've never heard of. Run a scan on a page where the tool is active (in your accept-all test state) so you can see the real cookies, scripts, and network connections it introduces. This is the only way to categorize accurately, because you're categorizing what the tool does, not what its docs claim.

Pay attention to connections, not the cookies alone. Modern tracking often works through network requests and local storage rather than classic cookies, and a cookie-only scan misses those. If your scanner captures outbound connections, review them the same way you review cookies.

Step 4: Update your disclosures to match

Your cookie policy is a legal document that has to describe your real cookies. A new tool means new entries: the cookie names, their purpose, who receives the data, and retention. If the vendor is a new data recipient, that also touches your records of processing. Two updates to make now, while it's fresh:

Step 5: QA the consent gate before launch

Test the tool the way a regulator's automated crawler would. In a fresh browser session with dev tools open:

  1. Reject all. Confirm the new tool sets nothing: no cookies, no network calls to its domains. This is the test most sites fail.
  2. Accept the relevant category. Confirm the tool now loads and works as intended.
  3. Accept only unrelated categories. Confirm an analytics tool stays blocked when only, say, functional cookies are accepted.
  4. Withdraw consent. Confirm the tool stops and, where appropriate, its cookies are cleared.

If the tool fires on reject-all, it's blocked incorrectly. Fix it before the change ships, not after a complaint.
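The reject-all, accept and unrelated-category checks above, run over captured sessions as an added example (not CookieBeam's scanner). The tool, its domains and cookie names, and the three recorded sessions are constructed for the demo; the withdrawal check is the reject-all check repeated after consent is pulled.

```javascript
// Added example, not CookieBeam's scanner: check captured sessions against
// the consent gate. Tool details and session data are constructed.
const TOOL = {
  domains: ['cdn.heatmap.example', 'collect.heatmap.example'], // hypothetical
  cookies: ['_hm_id', '_hm_session'],
  category: 'analytics',
};
// One record per QA scenario: categories accepted, cookies present after
// page load, and outbound request URLs seen in dev tools.
const SESSIONS = {
  rejectAll: {
    accepted: [],
    cookies: ['_hm_id=abc123'],                 // leak: set despite rejection
    requests: ['https://www.example.com/', 'https://collect.heatmap.example/ping'],
  },
  acceptAnalytics: {
    accepted: ['analytics'],
    cookies: ['_hm_id=abc123', '_hm_session=1'],
    requests: ['https://cdn.heatmap.example/loader.js'],
  },
  acceptFunctionalOnly: {
    accepted: ['functional'],
    cookies: ['prefs=dark'],
    requests: ['https://www.example.com/'],
  },
};

const hostOf = (url) => new URL(url).hostname;
const isToolHost = (h) => TOOL.domains.some((d) => h === d || h.endsWith('.' + d));

// Everything in the session attributable to the tool: its cookies (by name)
// and requests to its domains or their subdomains.
function toolActivity(session) {
  const cookies = session.cookies.map((c) => c.split('=')[0])
    .filter((n) => TOOL.cookies.includes(n));
  const requests = session.requests.filter((u) => isToolHost(hostOf(u)));
  return { cookies, requests };
}

// Verdict: the tool may be active only when its own category was accepted.
function checkGate(session) {
  const { cookies, requests } = toolActivity(session);
  const allowed = session.accepted.includes(TOOL.category);
  const active = cookies.length > 0 || requests.length > 0;
  if (allowed && !active) return { ok: false, reason: 'did not load after consent' };
  if (!allowed && active) return { ok: false, reason: 'leak: ' + cookies.concat(requests).join(', ') };
  return { ok: true, reason: 'gate held' };
}

function runQA(sessions = SESSIONS) {
  return Object.fromEntries(Object.entries(sessions).map(([k, s]) => [k, checkGate(s)]));
}
```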

The GTM back door

The most common leak is a tag added directly in Google Tag Manager by someone who doesn't know about your consent setup. GTM can add trackers to your site without any code change, which means they bypass your normal review. Lock down GTM publish permissions, require Consent Mode settings on every new tag, and re-scan after any container publish. A tag manager is a hole in your consent perimeter unless it's governed like one.

New tracking tool checklist

  • Category decided before install: analytics, advertising, functional? Default to consent-required if unsure.
  • Installed blocked by default: held until the matching category is accepted, via CMP or GTM consent settings.
  • Consent Mode v2 wired for Google tags: pass ad_user_data and ad_personalization for EEA and UK traffic.
  • Scanned to reveal real cookies and connections: categorize what the tool actually sets, not what its docs claim.
  • Cookie policy and banner listings updated: new cookie names, purposes, recipients, and retention added.
  • Vendor added to records of processing: a new recipient can be a material change affecting existing consent.
  • Consent gate QA passed: reject-all sets nothing; accept loads it; withdrawal stops it.

Catch the tags you forgot to run through the runbook

No process catches everything, especially tags added straight into GTM. CookieBeam's scanner detects new cookies, scripts, and outbound connections across your site, and its drift detection flags trackers that start firing between scans, so a tool that skipped the runbook still gets caught. Pair the runbook with automatic monthly re-scans and you have both prevention and a safety net. For the enforcement side, see how to block scripts before consent.

How to Add a New Tracking Tool Without Breaking Consent (2026) | CookieBeam