TheBoogieMan
May 23, 2025

Q: Question regarding GDPR compliance – external resources despite cookie opt-out

I was testing it on your website and noticed something concerning from a GDPR perspective:

After explicitly declining cookies via the cookie banner on your website, several external resources are still being loaded, including domains such as:

fonts.googleapis.com
www.googletagmanager.com
static-tracking.klaviyo.com
script.tapfiliate.com
beacon-v2.helpscout.net

These external calls may result in the transfer of personal data (e.g. IP addresses) to third parties without user consent, which would be a violation of GDPR, specifically the "prior consent" principle (confirmed by the CJEU in the Planet49 ruling).

Why are these resources loaded even after users opt out of cookies?

Do you provide a cookie banner solution that is fully compliant with EU-GDPR regulations (i.e. no external tracking or data transfer before consent)?


I really appreciate you flagging this! This has been resolved, but had nothing to do with our CMP, and everything to do with my own error.

I had disabled certain consent settings in GTM for a video guide on setting up Google Consent Mode and our upcoming per-region consent settings. Usually this would be done on a testing site, but I wanted to feature our website.

Re: remaining external calls relating to Google

While GTM may collect some data about tag firing, this data does not include user IP addresses or any measurement identifiers associated with a particular individual (https://support.google.com/tagmanager/answer/9323295?hl=en).

GA and AW are configured with advanced consent mode; no personal information is stored without explicit user consent.

following this one too

Part 1.
I tested their site last week and they reported possible non-compliance in points 2 and 3.
I tested it now, everything seems to be fine:

Check report: getterms.io
Check date: 26.05.2025
Total requested: 20 pages
Total processed: 20 pages
1 - Safety of personal data collection forms (GDPR)
The scanner did not find known issues

Part 2
2 - Prior consent to other than strictly necessary cookies (ePrivacy)
The scanner did not find known issues
3 - Prior consent to personal data (GDPR)
The scanner did not find known issues
4 - Personal data is transmitted to 'adequate countries' (GDPR)
The scanner did not find known issues
5 - Other risks of personal data breaches (GDPR)
The scanner did not find known issues

Okay, I tested it again and it looks much better now. If you don't accept cookies, they are actually rejected. Google Fonts are still included, but you can work around that by simply not using them. So it now looks like a solid solution, which I will now take a closer look at. Thanks again for the response.
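
One way to repeat the check discussed in this thread, as an added example that is not from any poster or from GetTerms: export a HAR file from the browser's network panel after declining the banner, then list every host contacted outside the site's own domain. The HAR below is constructed, and `example.com` is an assumed stand-in for the site under test.

```javascript
// SAMPLE_HAR is constructed for illustration; it is not a capture of any real site.
// Third-party hostnames are the ones named in the thread; paths and ids are placeholders.
const SAMPLE_HAR = {
  log: {
    entries: [
      { request: { url: "https://www.example.com/", cookies: [] } },
      { request: { url: "https://static.example.com/app.js", cookies: [] } },
      { request: { url: "https://fonts.googleapis.com/css2?family=Inter", cookies: [] } },
      { request: { url: "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE", cookies: [] } },
      { request: { url: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE",
                   cookies: [{ name: "constructed", value: "1" }] } },
      { request: { url: "data:image/png;base64,AAAA", cookies: [] } },
    ],
  },
};

// Returns one row per third-party host: how many requests it received and how
// many of those carried cookies. Any listed host saw the visitor's IP address,
// whether or not a cookie was sent.
function thirdPartyHosts(har, siteDomain) {
  const byHost = new Map();
  for (const entry of har.log.entries) {
    let url;
    try {
      url = new URL(entry.request.url);
    } catch {
      continue; // skip malformed URLs instead of aborting the audit
    }
    // data: and blob: URLs are resolved locally and never reach a server.
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;
    const host = url.hostname.toLowerCase();
    // The site's own domain and its subdomains are first-party.
    if (host === siteDomain || host.endsWith("." + siteDomain)) continue;
    const row = byHost.get(host) || { host, requests: 0, withCookies: 0 };
    row.requests += 1;
    if ((entry.request.cookies || []).length > 0) row.withCookies += 1;
    byHost.set(host, row);
  }
  return [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host));
}

console.log(thirdPartyHosts(SAMPLE_HAR, "example.com"));
```

Capture the HAR in a fresh browser profile so cached resources and earlier consent choices do not hide requests.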