You installed OneTrust. Or Cookiebot. Or TrustArc. You have a beautiful consent banner. Your privacy team slept soundly.
Then you get a letter from the California Attorney General.
How did this happen? Your CMP told you everything was fine.
The Fundamental Blind Spot
Here's what most companies don't realize: Consent Management Platforms operate at the application layer, but tracking happens at the network layer.
Think of it this way: your CMP is like a bouncer at a club who checks IDs at the door. But what if someone climbs in through a window? The bouncer never sees them.
That's exactly what happens with:
- Shadow pixels: Third-party scripts that load tracking beacons without going through your CMP's tag management system.
- Pixel piggybacking: When a script you authorize (like a chat widget) loads additional trackers you didn't know about.
- Server-side tracking: Tracking that happens entirely on the server, completely invisible to client-side consent tools.
- Pre-consent firing: Trackers that load before the consent banner appears—and before consent is checked.
What We Found When We Looked
We audited 50 websites using major CMPs. Here's what we found:
- On average, 30% more trackers were firing than the CMP reported
- 87% of sites had at least one shadow pixel or piggybacked tag
- 42% of sites fired trackers before the consent check completed
- The most common culprits: Facebook Pixel (piggybacking), Google Analytics (server-side), and random third-party ad tech
Why CMPs Can't See This
It's not that OneTrust or Cookiebot are lying. They genuinely believe they're blocking what they configured. The problem is architectural:
- They only see what goes through their tag manager. If a script loads directly or is embedded in another script, they never know.
- They operate client-side. Server-side tracking and redirects happen before the browser even evaluates consent.
- They can't see network requests. The actual HTTP requests—the tracking data leaving your site—happen below their visibility.
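One way to surface exactly these gaps from the defender's side, as an added example that is not code from the original post or from any CMP vendor: replay a browser network capture (HAR-style URL, start time, initiator) against the consent timestamp and the CMP's declared vendor list, and flag pre-consent firing, undeclared (shadow) hosts, and piggybacked loads. The hosts, timestamps, and capture entries are constructed placeholders.

```python
"""Audit a network capture against what the CMP says it governs (added example)."""
from datetime import datetime, timezone
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"  # constructed placeholder site
# Hosts the CMP configuration claims to govern (the chat widget is authorized).
CMP_DECLARED = {"analytics.example", "chat.example"}
CONSENT_AT = "2024-05-01T10:00:02.000Z"  # when "accept" was recorded; None if never
CAPTURE = [  # constructed HAR-style entries
    {"url": "https://shop.example/consent.js", "started": "2024-05-01T10:00:00.000Z", "initiator": "https://shop.example/"},
    {"url": "https://analytics.example/collect?v=1", "started": "2024-05-01T10:00:00.400Z", "initiator": "https://shop.example/"},
    {"url": "https://chat.example/widget.js", "started": "2024-05-01T10:00:03.000Z", "initiator": "https://shop.example/"},
    {"url": "https://ads.example/pixel.gif", "started": "2024-05-01T10:00:03.200Z", "initiator": "https://chat.example/widget.js"},
    {"url": "https://shop.example/api/cart", "started": "2024-05-01T10:00:04.000Z", "initiator": "https://shop.example/"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def _third_party(host, first_party):
    return host is not None and host != first_party and not host.endswith("." + first_party)

def audit(capture, consent_at, first_party, declared):
    """Return one finding per third-party request the CMP would not have reported."""
    consent = _ts(consent_at) if consent_at else None
    findings = []
    for entry in capture:
        host = urlparse(entry["url"]).hostname
        if not _third_party(host, first_party):
            continue  # first-party traffic is out of scope for this check
        issues = []
        # Pre-consent firing: the request left the browser before consent existed.
        if consent is None or _ts(entry["started"]) < consent:
            issues.append("pre_consent")
        # Shadow pixel: a host the CMP configuration never mentions.
        if host not in declared:
            issues.append("undeclared")
        # Piggybacking: loaded by another third party rather than by the page itself.
        init_host = urlparse(entry["initiator"]).hostname
        if _third_party(init_host, first_party) and init_host != host:
            issues.append("piggyback")
        if issues:
            findings.append({"host": host, "url": entry["url"], "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit(CAPTURE, CONSENT_AT, FIRST_PARTY, CMP_DECLARED):
        print(f["host"], ",".join(f["issues"]), f["url"])
```

Running it on the constructed capture reports the declared analytics host firing before consent and the ad pixel as both undeclared and piggybacked off the chat widget; with no consent event at all, every third-party request is reported as pre-consent.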
The Legal Implication
Here's the scary part: you're liable, not your CMP. The law holds the business responsible for what data leaves its site, not the vendor it hired.
When the AG investigates, they don't ask "Did you have a CMP?" They ask "What trackers fired on your site, and did consumers consent?"